IBM Security QRadar

Version 7.3.1

API Guide

IBM
Note
Before you use this information and the product that it supports, read the information in “Notices” on page 1603.

Product information
This document applies to IBM QRadar Security Intelligence Platform V7.3.1 and subsequent releases unless
superseded by an updated version of this document.
© Copyright IBM Corporation 2014, 2017.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
1 What's new for developers in RESTful APIs in QRadar V7.3.1 . . . . . . . . . . . . 1
New endpoints in more detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Deprecated endpoints in more detail . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 RESTful API overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7


Filter syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Sort syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Paging syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
API error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Cross-origin resource sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3 API command-line client . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4 API sample code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

5 Accessing the interactive API documentation page . . . . . . . . . . . . . . . . 23

6 REST API V9.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . 25


Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
GET /analytics/ade_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
GET /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
POST /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
DELETE /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 29
GET /analytics/ade_rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . 30
GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . 33
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 34
POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 36
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 39
GET /analytics/building_blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
GET /analytics/building_blocks/building_block_delete_tasks/{task_id} . . . . . . . . . . . . . . 42
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . . 44
POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . . 46
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results . . . . . . . . . . 49
GET /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 51
POST /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 52
DELETE /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 54
GET /analytics/building_blocks/{id}/dependents . . . . . . . . . . . . . . . . . . . . . 55
GET /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . . . 58
POST /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . . 59
GET /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . . . 61
POST /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . . 62
DELETE /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 64
GET /analytics/custom_actions/interpreters . . . . . . . . . . . . . . . . . . . . . . . 64
GET /analytics/custom_actions/interpreters/{interpreter_id} . . . . . . . . . . . . . . . . . . 65
GET /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . . . 66
POST /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . . 67
GET /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . . 68
POST /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . . 69
DELETE /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . 70
GET /analytics/rule_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
GET /analytics/rule_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . . 72
POST /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 74
DELETE /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 76
GET /analytics/rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

GET /analytics/rules/rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . 79
GET /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 80
POST /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 82
GET /analytics/rules/rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 85
GET /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
POST /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
DELETE /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
GET /analytics/rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . . . 91
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
GET /ariel/databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
GET /ariel/databases/{database_name} . . . . . . . . . . . . . . . . . . . . . . . . . 94
GET /ariel/event_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . . 95
GET /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 97
POST /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 98
DELETE /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 100
GET /ariel/flow_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . . 101
GET /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 103
POST /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 104
DELETE /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 106
GET /ariel/parser_keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
POST /ariel/processors/aql_metadata . . . . . . . . . . . . . . . . . . . . . . . . . 107
GET /ariel/saved_search_delete_tasks/{task_id}. . . . . . . . . . . . . . . . . . . . . . 108
GET /ariel/saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 110
POST /ariel/saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 112
GET /ariel/saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 115
GET /ariel/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
GET /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
POST /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
DELETE /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 120
GET /ariel/saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . 121
GET /ariel/searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
POST /ariel/searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
DELETE /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . 126
GET /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
GET /ariel/searches/{search_id}/metadata . . . . . . . . . . . . . . . . . . . . . . . 129
POST /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 131
GET /ariel/searches/{search_id}/results . . . . . . . . . . . . . . . . . . . . . . . . 132
POST /ariel/validators/aql . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
GET /asset_model/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
POST /asset_model/assets/{asset_id} . . . . . . . . . . . . . . . . . . . . . . . . . 136
GET /asset_model/properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
GET /asset_model/saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 138
GET /asset_model/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 139
POST /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . 141
DELETE /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 142
GET /asset_model/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . 143
GET /asset_model/saved_searches/{saved_search_id}. . . . . . . . . . . . . . . . . . . . 144
POST /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . 145
DELETE /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . 147
GET /asset_model/saved_searches/{saved_search_id}/results . . . . . . . . . . . . . . . . . 148
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
POST /auth/logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuration endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
GET /config/access/tenant_management/tenants . . . . . . . . . . . . . . . . . . . . . 150
POST /config/access/tenant_management/tenants. . . . . . . . . . . . . . . . . . . . . 151
GET /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . . 152
POST /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . 152
DELETE /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . 153
GET /config/access/user_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 154
POST /config/access/user_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 156

GET /config/access/user_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 158
GET /config/access/users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
GET /config/access/users/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . 160
GET /config/access/users/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
GET /config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
GET /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 165
POST /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 167
GET /config/deployment/license_pool. . . . . . . . . . . . . . . . . . . . . . . . . 170
GET /config/domain_management/domains. . . . . . . . . . . . . . . . . . . . . . . 171
POST /config/domain_management/domains . . . . . . . . . . . . . . . . . . . . . . 173
GET /config/domain_management/domains/{domain_id} . . . . . . . . . . . . . . . . . . 174
POST /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . . 175
DELETE /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . 177
GET /config/event_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . . 178
GET /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 180
POST /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 181
DELETE /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 182
DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} . . . . 183
GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents 184
GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}. . . . . . 186
POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} . . . . . 188
GET /config/event_sources/custom_properties/calculated_properties . . . . . . . . . . . . . . 190
POST /config/event_sources/custom_properties/calculated_properties . . . . . . . . . . . . . . 192
GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} . . . . . . . 194
GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} . . . . . 196
POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} . . . . . 197
GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results . . . 200
GET /config/event_sources/custom_properties/calculated_property_operands . . . . . . . . . . . 201
GET /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 202
POST /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 203
GET /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . . 205
POST /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 206
DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 208
DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id}. . . . . . 209
GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} . . . . . . . 209
POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} . . . . . . . 211
GET /config/event_sources/custom_properties/property_json_expressions . . . . . . . . . . . . 213
POST /config/event_sources/custom_properties/property_json_expressions . . . . . . . . . . . . 215
GET /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 217
POST /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 219
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 221
POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 222
DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 224
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . 226
GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} . . . . . . . . 228
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 230
POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}. . . . . . . 232
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . 235
GET /config/event_sources/event_collectors . . . . . . . . . . . . . . . . . . . . . . . 237
GET /config/event_sources/event_collectors/{id} . . . . . . . . . . . . . . . . . . . . . 238
GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} . . . . . 239
POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} . . . . . 240
GET /config/event_sources/log_source_management/autodetection/config_records . . . . . . . . . 241
GET /config/event_sources/log_source_management/log_source_extensions . . . . . . . . . . . . 242
GET /config/event_sources/log_source_management/log_source_extensions/{id} . . . . . . . . . . 243
GET /config/event_sources/log_source_management/log_source_groups . . . . . . . . . . . . . 244
GET /config/event_sources/log_source_management/log_source_groups/{id} . . . . . . . . . . . 245
GET /config/event_sources/log_source_management/log_source_languages . . . . . . . . . . . . 247
GET /config/event_sources/log_source_management/log_source_languages/{id} . . . . . . . . . . 248
GET /config/event_sources/log_source_management/log_source_types. . . . . . . . . . . . . . 248
DELETE /config/event_sources/log_source_management/log_source_types/{id} . . . . . . . . . . 250

GET /config/event_sources/log_source_management/log_source_types/{id} . . . . . . . . . . . . 250
POST /config/event_sources/log_source_management/log_source_types/{id} . . . . . . . . . . . 252
POST /config/event_sources/log_source_management/log_source_types . . . . . . . . . . . . . 253
GET /config/event_sources/log_source_management/log_sources . . . . . . . . . . . . . . . 255
DELETE /config/event_sources/log_source_management/log_sources/{id} . . . . . . . . . . . . 257
GET /config/event_sources/log_source_management/log_sources/{id} . . . . . . . . . . . . . . 258
POST /config/event_sources/log_source_management/log_sources/{id} . . . . . . . . . . . . . 260
POST /config/event_sources/log_source_management/log_sources . . . . . . . . . . . . . . . 264
GET /config/event_sources/log_source_management/protocol_types . . . . . . . . . . . . . . 268
GET /config/event_sources/log_source_management/protocol_types/{id} . . . . . . . . . . . . . 271
GET /config/event_sources/property_discovery_profiles . . . . . . . . . . . . . . . . . . . 274
DELETE /config/event_sources/property_discovery_profiles/{id}. . . . . . . . . . . . . . . . 275
GET /config/event_sources/property_discovery_profiles/{id} . . . . . . . . . . . . . . . . . 275
POST /config/event_sources/property_discovery_profiles/{id}. . . . . . . . . . . . . . . . . 276
POST /config/event_sources/property_discovery_profiles . . . . . . . . . . . . . . . . . . 278
GET /config/event_sources/wincollect/wincollect_agents . . . . . . . . . . . . . . . . . . 279
GET /config/event_sources/wincollect/wincollect_agents/{id} . . . . . . . . . . . . . . . . . 281
GET /config/event_sources/wincollect/wincollect_destinations . . . . . . . . . . . . . . . . 282
GET /config/event_sources/wincollect/wincollect_destinations/{id} . . . . . . . . . . . . . . . 283
GET /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . . 284
POST /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . . 287
GET /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . . 289
POST /config/extension_management/extensions/{extension_id}/metadata . . . . . . . . . . . . 291
POST /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . . 292
DELETE /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 293
GET /config/extension_management/extensions_task_status/{status_id} . . . . . . . . . . . . . 294
GET /config/extension_management/extensions_task_status/{status_id}/results . . . . . . . . . . . 296
GET /config/flow_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . . 297
DELETE /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 299
GET /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . . 299
POST /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 300
DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} . . . . 302
GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents 303
GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} . . . . . . 305
POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} . . . . . 307
GET /config/flow_sources/custom_properties/calculated_properties. . . . . . . . . . . . . . . 309
POST /config/flow_sources/custom_properties/calculated_properties . . . . . . . . . . . . . . 311
GET /config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id} . . . . . . . 313
GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} . . . . . . 315
POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} . . . . . 316
GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results . . . 319
GET /config/flow_sources/custom_properties/calculated_property_operands. . . . . . . . . . . . 320
DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 321
GET /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . . 321
POST /config/flow_sources/custom_properties/property_expressions/{expression_id}. . . . . . . . . 322
GET /config/flow_sources/custom_properties/property_expressions. . . . . . . . . . . . . . . 324
POST /config/flow_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 326
GET /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 328
POST /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 329
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 331
POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 332
DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 334
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . . 335
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 338
POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 340
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . . 343
GET /config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . . . . 345
GET /config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . . . . 346
GET /config/network_hierarchy/networks . . . . . . . . . . . . . . . . . . . . . . . 347
GET /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . . 348
PUT /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . . 349

GET /config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
GET /config/remote_networks/{network_id}. . . . . . . . . . . . . . . . . . . . . . . 352
GET /config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
GET /config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . . . . 355
GET /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 356
POST /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 357
GET /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . . 358
DELETE /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . 358
PUT /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . . 359
GET /config/store_and_forward/policies . . . . . . . . . . . . . . . . . . . . . . . . 360
GET /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . . 361
POST /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . . 363
DELETE /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 364
Data classification endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
GET /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . . 365
POST /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . 366
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . . 367
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . 368
GET /data_classification/high_level_categories . . . . . . . . . . . . . . . . . . . . . . 370
GET /data_classification/high_level_categories/{high_level_category_id} . . . . . . . . . . . . . 371
GET /data_classification/low_level_categories . . . . . . . . . . . . . . . . . . . . . . 372
GET /data_classification/low_level_categories/{low_level_category_id} . . . . . . . . . . . . . . 373
GET /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . . 374
POST /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . . 376
GET /data_classification/qid_records/{qid_record_id}. . . . . . . . . . . . . . . . . . . . 377
POST /data_classification/qid_records/{qid_record_id} . . . . . . . . . . . . . . . . . . . 378
Forensics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
GET /forensics/capture/recoveries . . . . . . . . . . . . . . . . . . . . . . . . . . 380
POST /forensics/capture/recoveries. . . . . . . . . . . . . . . . . . . . . . . . . . 381
GET /forensics/capture/recoveries/{id} . . . . . . . . . . . . . . . . . . . . . . . . 383
GET /forensics/capture/recovery_tasks . . . . . . . . . . . . . . . . . . . . . . . . 384
GET /forensics/capture/recovery_tasks/{id} . . . . . . . . . . . . . . . . . . . . . . . 386
GET /forensics/case_management/case_create_tasks/{id} . . . . . . . . . . . . . . . . . . 387
GET /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . . 389
POST /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . . 390
GET /forensics/case_management/cases/{id} . . . . . . . . . . . . . . . . . . . . . . 391
GUI application framework endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . 392
GET /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . . 392
POST /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . 393
GET /gui_app_framework/application_creation_task/{application_id}/auth . . . . . . . . . . . . 394
POST /gui_app_framework/application_creation_task/{application_id}/auth . . . . . . . . . . . . 395
GET /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . . 396
POST /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . . 397
GET /gui_app_framework/applications . . . . . . . . . . . . . . . . . . . . . . . . 397
GET /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . . 400
POST /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 403
PUT /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . . 405
DELETE /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . 407
GET /gui_app_framework/named_services . . . . . . . . . . . . . . . . . . . . . . . 407
GET /gui_app_framework/named_services/{uuid}. . . . . . . . . . . . . . . . . . . . . 409
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
GET /help/endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
GET /help/endpoints/{endpoint_id} . . . . . . . . . . . . . . . . . . . . . . . . . 413
GET /help/resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
GET /help/resources/{resource_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 417
GET /help/versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
GET /help/versions/{version_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 419
IBM Security QRadar Risk Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 420
GET /qrm/model_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
GET /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . . 422
POST /qrm/model_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . . 423

DELETE /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 425
GET /qrm/qrm_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . . 426
GET /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 427
POST /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 428
DELETE /qrm/qrm_saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . 430
GET /qrm/question_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
GET /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 432
POST /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 433
DELETE /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 435
GET /qrm/simulation_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
GET /qrm/simulation_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . 437
POST /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 438
DELETE /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 440
GET /qrm/topology_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 441
GET /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 442
POST /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 444
DELETE /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 445
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . . . 446
GET /qvm/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
GET /qvm/filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
GET /qvm/network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
GET /qvm/openservices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
GET /qvm/saved_search_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . 449
GET /qvm/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . 450
POST /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 452
DELETE /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 453
GET /qvm/saved_searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets . . . . . . . . . . . . . . . 455
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances . . . . . . . . . . . . 457
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities . . . . . . . . . . . . 458
GET /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . . 458
POST /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . . 459
GET /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . . 461
POST /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . . 462
DELETE /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 463
GET /qvm/saved_searches/{saved_search_id}/vuln_instances . . . . . . . . . . . . . . . . . 463
POST /qvm/tickets/assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
GET /qvm/vulns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
GET /reference_data/map_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . 466
GET /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 467
POST /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 470
GET /reference_data/map_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 472
GET /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . . 474
POST /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . . 475
POST /reference_data/map_of_sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . 476
GET /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . . 478
POST /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . . 479
DELETE /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 480
GET /reference_data/map_of_sets/{name}/dependents . . . . . . . . . . . . . . . . . . . 482
DELETE /reference_data/map_of_sets/{name}/{key} . . . . . . . . . . . . . . . . . . . . 483
GET /reference_data/map_of_sets_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . 484
GET /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 486
POST /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 488
GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 491
GET /reference_data/maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
POST /reference_data/maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
POST /reference_data/maps/bulk_load/{name}. . . . . . . . . . . . . . . . . . . . . . 495
GET /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 496
POST /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 497
DELETE /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . 498

viii QRadar API Reference Guide


GET /reference_data/maps/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 500
DELETE /reference_data/maps/{name}/{key} . . . . . . . . . . . . . . . . . . . . . . 502
GET /reference_data/set_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . . 503
GET /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 504
POST /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 506
GET /reference_data/set_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 509
GET /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
POST /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
POST /reference_data/sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . . 513
GET /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 514
POST /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 515
DELETE /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 517
DELETE /reference_data/sets/{name}/{value} . . . . . . . . . . . . . . . . . . . . . . 518
GET /reference_data/sets/{name}/dependents . . . . . . . . . . . . . . . . . . . . . . 519
GET /reference_data/tables_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . 521
GET /reference_data/tables_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 522
POST /reference_data/tables_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 524
GET /reference_data/tables_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 526
POST /reference_data/tables/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . 527
GET /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
GET /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 530
POST /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 531
DELETE /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 532
GET /reference_data/tables/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 534
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} . . . . . . . . . . . . . . . . 536
POST /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
GET /scanner/profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
POST /scanner/profiles/create . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
POST /scanner/profiles/start . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
GET /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
POST /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
GET /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . . . 542
POST /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . . 544
DELETE /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 545
GET /scanner/scanprofiles/{profileid}/runs . . . . . . . . . . . . . . . . . . . . . . . 545
GET /scanner/scanprofiles/{profileid}/runs/{run_id} . . . . . . . . . . . . . . . . . . . . 546
GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results . . . . . . . . . . . . . . . . . 547
POST /scanner/scanprofiles/{profileid}/start . . . . . . . . . . . . . . . . . . . . . . 548
Services endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
POST /services/dig_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
GET /services/dig_lookups/{dig_lookup_id}. . . . . . . . . . . . . . . . . . . . . . . 550
POST /services/dns_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
GET /services/dns_lookups/{dns_lookup_id} . . . . . . . . . . . . . . . . . . . . . . 553
GET /services/geolocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
POST /services/port_scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
GET /services/port_scans/{port_scan_id} . . . . . . . . . . . . . . . . . . . . . . . . 558
POST /services/whois_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
GET /services/whois_lookups/{whois_lookup_id} . . . . . . . . . . . . . . . . . . . . . 561
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
GET /siem/local_destination_addresses . . . . . . . . . . . . . . . . . . . . . . . . 562
GET /siem/local_destination_addresses/{local_destination_address_id} . . . . . . . . . . . . . . 563
GET /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . . . 564
POST /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . . 566
GET /siem/offense_closing_reasons/{closing_reason_id} . . . . . . . . . . . . . . . . . . . 567
GET /siem/offense_saved_search_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 567
GET /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 569
POST /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 571
GET /siem/offense_saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 574
GET /siem/offense_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 575
GET /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 577
POST /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 578
DELETE /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 580
GET /siem/offense_saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . 581
GET /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . 582
POST /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . 583
DELETE /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . 584
GET /siem/offense_saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . 586
GET /siem/offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
GET /siem/offenses/{offense_id}. . . . . . . . . . . . . . . . . . . . . . . . . . . 590
GET /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . . 593
GET /siem/offenses/{offense_id}/notes/{note_id} . . . . . . . . . . . . . . . . . . . . . 594
POST /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . . 595
POST /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 596
GET /siem/offense_types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
GET /siem/offense_types/{offense_type_id} . . . . . . . . . . . . . . . . . . . . . . . 600
GET /siem/source_addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
GET /siem/source_addresses/{source_address_id} . . . . . . . . . . . . . . . . . . . . . 602
Staged configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
GET /staged_config/access/user_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 604
GET /staged_config/access/users . . . . . . . . . . . . . . . . . . . . . . . . . . 605
DELETE /staged_config/access/users/{id} . . . . . . . . . . . . . . . . . . . . . . . 606
GET /staged_config/access/users/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 607
GET /staged_config/deploy_status . . . . . . . . . . . . . . . . . . . . . . . . . . 608
POST /staged_config/deploy_status. . . . . . . . . . . . . . . . . . . . . . . . . . 609
GET /staged_config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . . 610
GET /staged_config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . 613
GET /staged_config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . 615
GET /staged_config/global_system_notifications/{notification_id}. . . . . . . . . . . . . . . . 616
POST /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . 617
GET /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . . 618
POST /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . 619
GET /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . . . 620
POST /staged_config/remote_networks/{network_id}. . . . . . . . . . . . . . . . . . . . 621
DELETE /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . . 623
GET /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . 623
POST /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . 624
GET /staged_config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . . 625
POST /staged_config/remote_services/{service_id}. . . . . . . . . . . . . . . . . . . . . 626
DELETE /staged_config/remote_services/{service_id}. . . . . . . . . . . . . . . . . . . . 628
DELETE /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . 628
PUT /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
GET /system/authorization/password_policies . . . . . . . . . . . . . . . . . . . . . . 629
GET /system/authorization/password_policies/{id} . . . . . . . . . . . . . . . . . . . . 631
POST /system/authorization/password_policies/{id} . . . . . . . . . . . . . . . . . . . . 632
POST /system/authorization/password_validators. . . . . . . . . . . . . . . . . . . . . 634
GET /system/information/encodings . . . . . . . . . . . . . . . . . . . . . . . . . 636
GET /system/information/locales . . . . . . . . . . . . . . . . . . . . . . . . . . 637
GET /system/servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
GET /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 639
POST /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 640
GET /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . . 641
PUT /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . . 642
GET /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . . . 644
POST /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . . 646
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} . . . . . . . . . . . 647
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} . . . . . . . . . . 649
GET /system/servers/{server_id}/network_interfaces/ethernet . . . . . . . . . . . . . . . . 650
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} . . . . . . . . . . . 652
GET /system/servers/{server_id}/system_time_settings . . . . . . . . . . . . . . . . . . . 653
POST /system/servers/{server_id}/system_time_settings . . . . . . . . . . . . . . . . . . 654
GET /system/servers/{server_id}/timezones . . . . . . . . . . . . . . . . . . . . . . . 656

7 Previous REST API versions . . . . . . . . . . . . . . . . . . . . . . . . . 659


REST API V8.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
GET /analytics/ade_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
GET /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 660
POST /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 661
DELETE /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 662
GET /analytics/ade_rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . 663
GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 666
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 667
POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 669
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 672
GET /analytics/building_blocks . . . . . . . . . . . . . . . . . . . . . . . . . . 674
GET /analytics/building_blocks/building_block_delete_tasks/{task_id} . . . . . . . . . . . . . 675
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . 677
POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . 679
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results . . . . . . . . 682
GET /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 683
POST /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 685
DELETE /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . 687
GET /analytics/building_blocks/{id}/dependents . . . . . . . . . . . . . . . . . . . . 688
GET /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . 690
POST /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . 692
GET /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 694
POST /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 695
DELETE /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . 697
GET /analytics/custom_actions/interpreters . . . . . . . . . . . . . . . . . . . . . . 697
GET /analytics/custom_actions/interpreters/{interpreter_id} . . . . . . . . . . . . . . . . 698
GET /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . 699
POST /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . 700
GET /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . 701
POST /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . 702
DELETE /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . 703
GET /analytics/rule_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
GET /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 705
POST /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 707
DELETE /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 708
GET /analytics/rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
GET /analytics/rules/rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 711
GET /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 712
POST /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 714
GET /analytics/rules/rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 717
GET /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
POST /analytics/rules/{id}. . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
DELETE /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
GET /analytics/rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . . 723
Ariel endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
GET /ariel/databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
GET /ariel/databases/{database_name} . . . . . . . . . . . . . . . . . . . . . . . 726
GET /ariel/event_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 727
GET /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 729
POST /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 730
DELETE /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 732
GET /ariel/flow_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 733
GET /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 734
POST /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 736
DELETE /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 738
GET /ariel/saved_search_delete_tasks/{task_id}. . . . . . . . . . . . . . . . . . . . . 739
GET /ariel/saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 740
POST /ariel/saved_search_dependent_tasks/{task_id}. . . . . . . . . . . . . . . . . . . 742
GET /ariel/saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 745
GET /ariel/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
GET /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 748
POST /ariel/saved_searches/{id}. . . . . . . . . . . . . . . . . . . . . . . . . . 749
DELETE /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 750
GET /ariel/saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . 752
GET /ariel/searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
POST /ariel/searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
GET /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 757
POST /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . 758
DELETE /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . 760
GET /ariel/searches/{search_id}/results . . . . . . . . . . . . . . . . . . . . . . . 762
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
GET /asset_model/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
POST /asset_model/assets/{asset_id} . . . . . . . . . . . . . . . . . . . . . . . . 764
GET /asset_model/properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
GET /asset_model/saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 766
GET /asset_model/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 767
POST /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 769
DELETE /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . 770
GET /asset_model/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . 771
GET /asset_model/saved_searches/{saved_search_id}. . . . . . . . . . . . . . . . . . . 772
POST /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . 773
DELETE /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . 775
GET /asset_model/saved_searches/{saved_search_id}/results . . . . . . . . . . . . . . . . 776
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
POST /auth/logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Configuration endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
GET /config/access/tenant_management/tenants . . . . . . . . . . . . . . . . . . . . 778
POST /config/access/tenant_management/tenants. . . . . . . . . . . . . . . . . . . . 779
GET /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . 780
POST /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . 780
DELETE /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . 781
GET /config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . . . . 782
GET /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . 785
POST /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . 787
GET /config/deployment/license_pool. . . . . . . . . . . . . . . . . . . . . . . . 790
GET /config/domain_management/domains. . . . . . . . . . . . . . . . . . . . . . 791
POST /config/domain_management/domains . . . . . . . . . . . . . . . . . . . . . 792
GET /config/domain_management/domains/{domain_id} . . . . . . . . . . . . . . . . . 794
POST /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . 795
DELETE /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . 797
GET /config/event_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . 798
GET /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 799
POST /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 801
DELETE /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . 802
GET /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . 802
POST /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . 804
GET /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 806
POST /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 807
DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . 809
GET /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 809
POST /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . 811
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 812
POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 813
DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . 815
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . 817
GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} . . . . . . . 819
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 820
POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}. . . . . . 823
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . 826
GET /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . 828
POST /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . 830
GET /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 832
POST /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 834
DELETE /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . 835
GET /config/extension_management/extensions_task_status/{status_id} . . . . . . . . . . . . 837
GET /config/extension_management/extensions_task_status/{status_id}/results . . . . . . . . . . 838
GET /config/flow_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . 839
GET /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 841
POST /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 842
DELETE /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . 843
GET /config/flow_sources/custom_properties/property_expressions. . . . . . . . . . . . . . 844
POST /config/flow_sources/custom_properties/property_expressions . . . . . . . . . . . . . 845
GET /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 847
POST /config/flow_sources/custom_properties/property_expressions/{expression_id}. . . . . . . . 848
DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 850
GET /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 851
POST /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 852
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 854
POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 855
DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 857
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . 858
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 861
POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 863
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . 866
GET /config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . . . 868
GET /config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . . . 869
GET /config/network_hierarchy/networks . . . . . . . . . . . . . . . . . . . . . . 870
GET /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . 871
PUT /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . 872
GET /config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . . . 873
GET /config/remote_networks/{network_id}. . . . . . . . . . . . . . . . . . . . . . 875
GET /config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
GET /config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . . . 877
GET /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 877
POST /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 878
GET /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . 879
DELETE /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . 880
PUT /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . 881
GET /config/store_and_forward/policies . . . . . . . . . . . . . . . . . . . . . . . 882
GET /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 883
POST /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 884
DELETE /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . 886
Data classification endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
GET /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . 886
POST /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . 888
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . 889
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . 890
GET /data_classification/high_level_categories . . . . . . . . . . . . . . . . . . . . . 891
GET /data_classification/high_level_categories/{high_level_category_id} . . . . . . . . . . . . 893
GET /data_classification/low_level_categories . . . . . . . . . . . . . . . . . . . . . 893
GET /data_classification/low_level_categories/{low_level_category_id} . . . . . . . . . . . . . 895
GET /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . 896
POST /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . 897
GET /data_classification/qid_records/{qid_record_id}. . . . . . . . . . . . . . . . . . . 899
POST /data_classification/qid_records/{qid_record_id} . . . . . . . . . . . . . . . . . . 900
Forensics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
GET /forensics/capture/recoveries . . . . . . . . . . . . . . . . . . . . . . . . . 901
POST /forensics/capture/recoveries. . . . . . . . . . . . . . . . . . . . . . . . . 903
GET /forensics/capture/recoveries/{id} . . . . . . . . . . . . . . . . . . . . . . . 904
GET /forensics/capture/recovery_tasks . . . . . . . . . . . . . . . . . . . . . . . 905
GET /forensics/capture/recovery_tasks/{id} . . . . . . . . . . . . . . . . . . . . . . 907
GET /forensics/case_management/case_create_tasks/{id} . . . . . . . . . . . . . . . . . 909
GET /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . 910
POST /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . 911
GET /forensics/case_management/cases/{id} . . . . . . . . . . . . . . . . . . . . . 913
GUI application framework endpoints . . . . . . . . . . . . . . . . . . . . . . . . . 914
GET /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . 914
POST /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . 914
GET /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . 916
POST /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . 916
GET /gui_app_framework/applications . . . . . . . . . . . . . . . . . . . . . . . 917
GET /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 920
POST /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . 923
PUT /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 926
DELETE /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . 927
GET /gui_app_framework/named_services . . . . . . . . . . . . . . . . . . . . . . 927
GET /gui_app_framework/named_services/{uuid}. . . . . . . . . . . . . . . . . . . . 929
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
GET /help/endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
GET /help/endpoints/{endpoint_id} . . . . . . . . . . . . . . . . . . . . . . . . 933
GET /help/resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 936
GET /help/resources/{resource_id} . . . . . . . . . . . . . . . . . . . . . . . . . 937
GET /help/versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
GET /help/versions/{version_id} . . . . . . . . . . . . . . . . . . . . . . . . . 940
IBM Security QRadar Risk Manager endpoints . . . . . . . . . . . . . . . . . . . . . . 941
GET /qrm/model_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
GET /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 942
POST /qrm/model_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . 944
DELETE /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 945
GET /qrm/qrm_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 946
GET /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 947
POST /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 949
DELETE /qrm/qrm_saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 950
GET /qrm/question_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
GET /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 953
POST /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 954
DELETE /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 956
GET /qrm/simulation_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . 956
GET /qrm/simulation_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . 958
POST /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 959
DELETE /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 961
GET /qrm/topology_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . 962
GET /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 963
POST /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 964
DELETE /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . 966
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . . 967
GET /qvm/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
GET /qvm/filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
GET /qvm/network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
GET /qvm/openservices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
GET /qvm/saved_search_groups. . . . . . . . . . . . . . . . . . . . . . . . . . 969
GET /qvm/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . 971
POST /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 972
DELETE /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 974
GET /qvm/saved_searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets . . . . . . . . . . . . . . 976
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances . . . . . . . . . . . 977
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities . . . . . . . . . . . 978
GET /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . 980
POST /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . 981

xiv QRadar API Reference Guide


GET /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 982
POST /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 983
DELETE /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . 984
GET /qvm/saved_searches/{saved_search_id}/vuln_instances . . . . . . . . . . . . . . . . 985
POST /qvm/tickets/assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
GET /qvm/vulns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
GET /reference_data/map_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 987
GET /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 988
POST /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 991
GET /reference_data/map_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 993
GET /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . 995
POST /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . 996
POST /reference_data/map_of_sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . 997
GET /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 999
POST /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 1000
DELETE /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . 1001
GET /reference_data/map_of_sets/{name}/dependents . . . . . . . . . . . . . . . . . . 1003
DELETE /reference_data/map_of_sets/{name}/{key} . . . . . . . . . . . . . . . . . . 1004
GET /reference_data/map_of_sets_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 1005
GET /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 1007
POST /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 1009
GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 1012
GET /reference_data/maps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
POST /reference_data/maps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
POST /reference_data/maps/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . 1016
GET /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1017
POST /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1018
DELETE /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . 1019
GET /reference_data/maps/{name}/dependents . . . . . . . . . . . . . . . . . . . . 1021
DELETE /reference_data/maps/{name}/{key} . . . . . . . . . . . . . . . . . . . . . 1023
GET /reference_data/set_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 1024
GET /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 1025
POST /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 1027
GET /reference_data/set_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 1030
GET /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
POST /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
POST /reference_data/sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . 1034
GET /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 1035
POST /reference_data/sets/{name}. . . . . . . . . . . . . . . . . . . . . . . . . 1036
DELETE /reference_data/sets/{name}. . . . . . . . . . . . . . . . . . . . . . . . 1037
DELETE /reference_data/sets/{name}/{value} . . . . . . . . . . . . . . . . . . . . . 1039
GET /reference_data/sets/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 1040
GET /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . 1042
POST /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
POST /reference_data/tables/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . 1044
GET /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1045
POST /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1047
DELETE /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . 1048
GET /reference_data/tables/{name}/dependents . . . . . . . . . . . . . . . . . . . . 1050
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} . . . . . . . . . . . . . . 1052
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
GET /scanner/profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
POST /scanner/profiles/create . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
POST /scanner/profiles/start . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
GET /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055
POST /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056
GET /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 1057
POST /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 1059
DELETE /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . 1059
POST /scanner/scanprofiles/{profileid}/start . . . . . . . . . . . . . . . . . . . . . 1060

Contents xv
Services endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
POST /services/dig_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
GET /services/dig_lookups/{dig_lookup_id} . . . . . . . . . . . . . . . . . . . . . 1062
POST /services/dns_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
GET /services/dns_lookups/{dns_lookup_id} . . . . . . . . . . . . . . . . . . . . . 1064
POST /services/port_scans . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065
GET /services/port_scans/{port_scan_id} . . . . . . . . . . . . . . . . . . . . . . 1066
POST /services/whois_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . 1067
GET /services/whois_lookups/{whois_lookup_id} . . . . . . . . . . . . . . . . . . . 1068
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1069
GET /siem/local_destination_addresses . . . . . . . . . . . . . . . . . . . . . . . 1070
GET /siem/local_destination_addresses/{local_destination_address_id} . . . . . . . . . . . . 1071
GET /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . 1072
POST /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . 1074
GET /siem/offense_closing_reasons/{closing_reason_id} . . . . . . . . . . . . . . . . . 1075
GET /siem/offense_saved_search_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 1075
GET /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 1077
POST /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 1079
GET /siem/offense_saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 1082
GET /siem/offense_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . 1083
GET /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 1085
POST /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 1086
DELETE /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . 1088
GET /siem/offense_saved_searches . . . . . . . . . . . . . . . . . . . . . . . . 1089
GET /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . 1090
POST /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . 1091
DELETE /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . 1092
GET /siem/offense_saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . 1094
GET /siem/offenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
GET /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1098
GET /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . 1101
GET /siem/offenses/{offense_id}/notes/{note_id}. . . . . . . . . . . . . . . . . . . . 1102
POST /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . 1103
POST /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1104
GET /siem/offense_types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
GET /siem/offense_types/{offense_type_id}. . . . . . . . . . . . . . . . . . . . . . 1108
GET /siem/source_addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 1109
GET /siem/source_addresses/{source_address_id} . . . . . . . . . . . . . . . . . . . 1111
Staged configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 1112
GET /staged_config/deploy_status . . . . . . . . . . . . . . . . . . . . . . . . . 1112
POST /staged_config/deploy_status . . . . . . . . . . . . . . . . . . . . . . . . 1113
GET /staged_config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . 1114
GET /staged_config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . 1117
GET /staged_config/global_system_notifications . . . . . . . . . . . . . . . . . . . . 1119
GET /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . 1120
POST /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . 1121
GET /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . 1122
POST /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . 1123
GET /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . . 1125
POST /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . 1125
DELETE /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . 1127
GET /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . 1127
POST /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . 1128
GET /staged_config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . 1129
POST /staged_config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . 1130
DELETE /staged_config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . 1132
DELETE /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . 1132
PUT /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
System endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133
GET /system/information/locales . . . . . . . . . . . . . . . . . . . . . . . . . 1133
GET /system/servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135
GET /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1136
POST /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1137
GET /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . 1138
PUT /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . 1139
GET /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . 1140
POST /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . 1142
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}. . . . . . . . . . 1144
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} . . . . . . . . . 1146
GET /system/servers/{server_id}/network_interfaces/ethernet . . . . . . . . . . . . . . . 1146
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} . . . . . . . . . 1148
GET /system/servers/{server_id}/system_time_settings. . . . . . . . . . . . . . . . . . 1150
POST /system/servers/{server_id}/system_time_settings . . . . . . . . . . . . . . . . . 1151
GET /system/servers/{server_id}/timezones . . . . . . . . . . . . . . . . . . . . . 1153
REST API V7.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154
GET /analytics/ade_rules DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1154
GET /analytics/ade_rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1155
POST /analytics/ade_rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1156
DELETE /analytics/ade_rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1157
GET /analytics/ade_rules/{id}/dependents DEPRECATED . . . . . . . . . . . . . . . . 1158
GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . 1161
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . 1162
POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . 1164
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . 1167
GET /analytics/building_blocks DEPRECATED . . . . . . . . . . . . . . . . . . . . 1169
GET /analytics/building_blocks/building_block_delete_tasks/{task_id} DEPRECATED . . . . . . . 1170
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} DEPRECATED. . . . . . 1171
POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} DEPRECATED . . . . . 1173
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results DEPRECATED . . . 1176
GET /analytics/building_blocks/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1178
POST /analytics/building_blocks/{id} DEPRECATED . . . . . . . . . . . . . . . . . . 1179
DELETE /analytics/building_blocks/{id} DEPRECATED . . . . . . . . . . . . . . . . . 1180
GET /analytics/building_blocks/{id}/dependents DEPRECATED . . . . . . . . . . . . . . 1181
GET /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . . 1184
POST /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . 1185
GET /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . . 1187
POST /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . 1188
DELETE /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . 1190
GET /analytics/custom_actions/interpreters DEPRECATED . . . . . . . . . . . . . . . . 1191
GET /analytics/custom_actions/interpreters/{interpreter_id} DEPRECATED . . . . . . . . . . . 1192
GET /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . . 1192
POST /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . 1193
GET /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1194
POST /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1195
DELETE /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . 1196
GET /analytics/rule_groups DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1197
GET /analytics/rule_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1198
POST /analytics/rule_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . 1200
DELETE /analytics/rule_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . 1201
GET /analytics/rules DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1202
GET /analytics/rules/rule_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . . 1204
GET /analytics/rules/rule_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1205
POST /analytics/rules/rule_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . 1207
GET /analytics/rules/rule_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . . . . 1210
GET /analytics/rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1211
POST /analytics/rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1212
DELETE /analytics/rules/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1214
GET /analytics/rules/{id}/dependents DEPRECATED . . . . . . . . . . . . . . . . . . 1215
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1217
GET /ariel/databases DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1217
GET /ariel/databases/{database_name} DEPRECATED . . . . . . . . . . . . . . . . . . 1218
GET /ariel/event_saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . . 1219
GET /ariel/event_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . 1221
POST /ariel/event_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1222
DELETE /ariel/event_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . 1224
GET /ariel/flow_saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . . 1225
GET /ariel/flow_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . 1226
POST /ariel/flow_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . 1227
DELETE /ariel/flow_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1229
GET /ariel/saved_search_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . . . 1230
GET /ariel/saved_search_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1231
POST /ariel/saved_search_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1234
GET /ariel/saved_search_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . . . . . 1236
GET /ariel/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1238
GET /ariel/saved_searches/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1239
POST /ariel/saved_searches/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1240
DELETE /ariel/saved_searches/{id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1242
GET /ariel/saved_searches/{id}/dependents DEPRECATED . . . . . . . . . . . . . . . . 1243
GET /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1245
POST /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1246
GET /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1248
POST /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1249
DELETE /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1251
GET /ariel/searches/{search_id}/results DEPRECATED. . . . . . . . . . . . . . . . . . 1253
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1254
GET /asset_model/assets DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . 1254
POST /asset_model/assets/{asset_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1255
GET /asset_model/properties DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1256
GET /asset_model/saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . 1257
GET /asset_model/saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1259
POST /asset_model/saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1260
DELETE /asset_model/saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . 1262
GET /asset_model/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1263
GET /asset_model/saved_searches/{saved_search_id} DEPRECATED . . . . . . . . . . . . . 1264
POST /asset_model/saved_searches/{saved_search_id} DEPRECATED. . . . . . . . . . . . . 1265
DELETE /asset_model/saved_searches/{saved_search_id} DEPRECATED. . . . . . . . . . . . 1266
GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED . . . . . . . . . . 1267
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1268
POST /auth/logout DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1268
Configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
GET /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1269
POST /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1270
GET /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1271
POST /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1272
DELETE /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . 1273
GET /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . . 1273
POST /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . 1275
GET /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1276
POST /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1277
DELETE /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . 1279
GET /config/event_retention_buckets DEPRECATED . . . . . . . . . . . . . . . . . . 1280
GET /config/event_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . . . 1281
POST /config/event_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . . 1283
DELETE /config/event_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . 1284
GET /config/event_sources/custom_properties/property_expressions DEPRECATED. . . . . . . . 1285
POST /config/event_sources/custom_properties/property_expressions DEPRECATED . . . . . . . 1286
GET /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED 1288
POST /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED 1289
DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED 1291
GET /config/event_sources/custom_properties/regex_properties DEPRECATED . . . . . . . . . 1291
POST /config/event_sources/custom_properties/regex_properties DEPRECATED . . . . . . . . . 1293
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED 1294
POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED 1295
DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED 1297
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents DEPRECATED 1299
GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} DEPRECATED 1301
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED 1302
POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED 1305
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results DEPRECATED 1308
GET /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . . 1310
POST /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . 1312
GET /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1314
POST /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1316
DELETE /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . 1317
GET /config/extension_management/extensions_task_status/{status_id} DEPRECATED . . . . . . . 1319
GET /config/extension_management/extensions_task_status/{status_id}/results DEPRECATED . . . . 1320
GET /config/flow_retention_buckets DEPRECATED . . . . . . . . . . . . . . . . . . . 1321
GET /config/flow_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . . . 1323
POST /config/flow_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . . . 1324
DELETE /config/flow_retention_buckets/{id} DEPRECATED . . . . . . . . . . . . . . . . 1325
GET /config/flow_sources/custom_properties/property_expressions DEPRECATED . . . . . . . . 1326
POST /config/flow_sources/custom_properties/property_expressions DEPRECATED . . . . . . . 1327
GET /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED . . 1329
POST /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED 1330
DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED 1332
GET /config/flow_sources/custom_properties/regex_properties DEPRECATED . . . . . . . . . 1333
POST /config/flow_sources/custom_properties/regex_properties DEPRECATED . . . . . . . . . 1334
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED . . 1336
POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED 1337
DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED 1339
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents DEPRECATED 1340
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED 1343
POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED 1345
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results DEPRECATED 1348
GET /config/global_system_notifications DEPRECATED . . . . . . . . . . . . . . . . . 1350
GET /config/global_system_notifications/{notification_id} DEPRECATED . . . . . . . . . . . 1351
GET /config/network_hierarchy/networks DEPRECATED . . . . . . . . . . . . . . . . . 1352
GET /config/network_hierarchy/staged_networks DEPRECATED . . . . . . . . . . . . . . 1353
PUT /config/network_hierarchy/staged_networks DEPRECATED . . . . . . . . . . . . . . 1354
GET /config/resource_restrictions DEPRECATED . . . . . . . . . . . . . . . . . . . . 1355
POST /config/resource_restrictions DEPRECATED . . . . . . . . . . . . . . . . . . . 1356
GET /config/resource_restrictions/{resource_restriction_id} DEPRECATED . . . . . . . . . . . 1357
DELETE /config/resource_restrictions/{resource_restriction_id} DEPRECATED . . . . . . . . . . 1358
PUT /config/resource_restrictions/{resource_restriction_id} DEPRECATED . . . . . . . . . . . 1358
GET /config/store_and_forward/policies DEPRECATED . . . . . . . . . . . . . . . . . 1359
GET /config/store_and_forward/policies/{id} DEPRECATED. . . . . . . . . . . . . . . . 1361
POST /config/store_and_forward/policies/{id} DEPRECATED . . . . . . . . . . . . . . . 1362
DELETE /config/store_and_forward/policies/{id} DEPRECATED . . . . . . . . . . . . . . 1363
Data classification endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1364
GET /data_classification/dsm_event_mappings DEPRECATED . . . . . . . . . . . . . . . 1364
POST /data_classification/dsm_event_mappings DEPRECATED . . . . . . . . . . . . . . . 1365
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} DEPRECATED . . . . . . 1367
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} DEPRECATED . . . . . . 1368
GET /data_classification/high_level_categories DEPRECATED . . . . . . . . . . . . . . . 1369
GET /data_classification/high_level_categories/{high_level_category_id} DEPRECATED . . . . . . . 1370
GET /data_classification/low_level_categories DEPRECATED. . . . . . . . . . . . . . . . 1371
GET /data_classification/low_level_categories/{low_level_category_id} DEPRECATED . . . . . . . 1372
GET /data_classification/qid_records DEPRECATED. . . . . . . . . . . . . . . . . . . 1373
POST /data_classification/qid_records DEPRECATED . . . . . . . . . . . . . . . . . . 1375
GET /data_classification/qid_records/{qid_record_id} DEPRECATED . . . . . . . . . . . . . 1376
POST /data_classification/qid_records/{qid_record_id} DEPRECATED. . . . . . . . . . . . . 1377
Forensics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1379
GET /forensics/capture/recoveries DEPRECATED . . . . . . . . . . . . . . . . . . . 1379
POST /forensics/capture/recoveries DEPRECATED . . . . . . . . . . . . . . . . . . . 1380
GET /forensics/capture/recoveries/{id} DEPRECATED . . . . . . . . . . . . . . . . . . 1382
GET /forensics/capture/recovery_tasks DEPRECATED . . . . . . . . . . . . . . . . . . 1383
GET /forensics/capture/recovery_tasks/{id} DEPRECATED . . . . . . . . . . . . . . . . 1385
GET /forensics/case_management/case_create_tasks/{id} DEPRECATED . . . . . . . . . . . . 1386
GET /forensics/case_management/cases DEPRECATED . . . . . . . . . . . . . . . . . 1388
POST /forensics/case_management/cases DEPRECATED . . . . . . . . . . . . . . . . . 1389
GET /forensics/case_management/cases/{id} DEPRECATED . . . . . . . . . . . . . . . . 1390
GUI application framework endpoints. . . . . . . . . . . . . . . . . . . . . . . . . 1391
GET /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1391
POST /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1392
GET /gui_app_framework/application_creation_task/{application_id} DEPRECATED. . . . . . . . 1393
POST /gui_app_framework/application_creation_task/{application_id} DEPRECATED . . . . . . . 1393
GET /gui_app_framework/applications DEPRECATED . . . . . . . . . . . . . . . . . . 1394
GET /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1397
POST /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . . 1400
PUT /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1403
DELETE /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . 1404
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1404
GET /help/endpoints DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1404
GET /help/endpoints/{endpoint_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1407
GET /help/resources DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1409
GET /help/resources/{resource_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1411
GET /help/versions DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1412
GET /help/versions/{version_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1413
IBM Security QRadar Risk Manager endpoints . . . . . . . . . . . . . . . . . . . . . . 1414
GET /qrm/model_groups DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1414
GET /qrm/model_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1416
POST /qrm/model_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1417
DELETE /qrm/model_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . 1419
GET /qrm/qrm_saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . . 1419
GET /qrm/qrm_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . 1421
POST /qrm/qrm_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . 1422
DELETE /qrm/qrm_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1424
GET /qrm/question_groups DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1425
GET /qrm/question_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1426
POST /qrm/question_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . 1427
DELETE /qrm/question_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . 1429
GET /qrm/simulation_groups DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1430
GET /qrm/simulation_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . . 1431
POST /qrm/simulation_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . 1432
DELETE /qrm/simulation_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . 1434
GET /qrm/topology_saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . 1435
GET /qrm/topology_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1436
POST /qrm/topology_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . 1438
DELETE /qrm/topology_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . 1439
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 1440
GET /qvm/assets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1440
GET /qvm/filters DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1441
GET /qvm/network DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1441
GET /qvm/openservices DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1442
GET /qvm/saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . . . . 1442
GET /qvm/saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . . 1444
POST /qvm/saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . . . 1445

DELETE /qvm/saved_search_groups/{group_id} DEPRECATED. . . . . . . . . . . . . . . 1447
GET /qvm/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1448
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets DEPRECATED . . . . . . . . 1449
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances DEPRECATED . . . . . 1450
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities DEPRECATED . . . . . 1452
GET /qvm/saved_searches/vuln_instances/{task_id}/status DEPRECATED . . . . . . . . . . . 1453
POST /qvm/saved_searches/vuln_instances/{task_id}/status DEPRECATED . . . . . . . . . . 1454
GET /qvm/saved_searches/{saved_search_id} DEPRECATED. . . . . . . . . . . . . . . . 1455
POST /qvm/saved_searches/{saved_search_id} DEPRECATED . . . . . . . . . . . . . . . 1456
DELETE /qvm/saved_searches/{saved_search_id} DEPRECATED . . . . . . . . . . . . . . 1457
GET /qvm/saved_searches/{saved_search_id}/vuln_instances DEPRECATED . . . . . . . . . . 1458
POST /qvm/tickets/assign DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1459
GET /qvm/vulns DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1459
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1460
GET /reference_data/map_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . . 1460
GET /reference_data/map_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1461
POST /reference_data/map_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . 1464
GET /reference_data/map_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . . . . 1466
GET /reference_data/map_of_sets DEPRECATED. . . . . . . . . . . . . . . . . . . . 1468
POST /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . 1469
POST /reference_data/map_of_sets/bulk_load/{name} DEPRECATED. . . . . . . . . . . . . 1470
GET /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . 1472
POST /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . 1473
DELETE /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . 1474
GET /reference_data/map_of_sets/{name}/dependents DEPRECATED . . . . . . . . . . . . 1476
DELETE /reference_data/map_of_sets/{name}/{key} DEPRECATED . . . . . . . . . . . . . 1477
GET /reference_data/map_of_sets_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . 1478
GET /reference_data/map_of_sets_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . 1480
POST /reference_data/map_of_sets_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . 1482
GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results DEPRECATED. . . . . . . . 1485
GET /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1487
POST /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1488
POST /reference_data/maps/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1489
GET /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1490
POST /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1491
DELETE /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1492
GET /reference_data/maps/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1494
DELETE /reference_data/maps/{name}/{key} DEPRECATED. . . . . . . . . . . . . . . . 1496
GET /reference_data/set_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . . . 1497
GET /reference_data/set_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1498
POST /reference_data/set_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . . . . 1500
GET /reference_data/set_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . . . . . 1503
GET /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1505
POST /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1506
POST /reference_data/sets/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1507
GET /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1508
POST /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1509
DELETE /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1511
DELETE /reference_data/sets/{name}/{value} DEPRECATED . . . . . . . . . . . . . . . 1512
GET /reference_data/sets/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1513
GET /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1515
POST /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1516
POST /reference_data/tables/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1517
GET /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1518
POST /reference_data/tables/{name} DEPRECATED. . . . . . . . . . . . . . . . . . . 1520
DELETE /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1521
GET /reference_data/tables/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1523
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} DEPRECATED . . . . . . . . . 1525
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1526
GET /scanner/profiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1526
POST /scanner/profiles/create DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1526

POST /scanner/profiles/start DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1527
GET /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1528
POST /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1529
GET /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1530
POST /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1532
DELETE /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . 1532
POST /scanner/scanprofiles/{profileid}/start DEPRECATED . . . . . . . . . . . . . . . . 1533
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1534
GET /siem/local_destination_addresses DEPRECATED . . . . . . . . . . . . . . . . . . 1534
GET /siem/local_destination_addresses/{local_destination_address_id} DEPRECATED . . . . . . . 1535
GET /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1537
POST /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1538
GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED . . . . . . . . . . . . 1539
GET /siem/offense_saved_search_delete_tasks/{task_id} DEPRECATED . . . . . . . . . . . . 1540
GET /siem/offense_saved_search_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . 1541
POST /siem/offense_saved_search_dependent_tasks/{task_id} DEPRECATED . . . . . . . . . . 1543
GET /siem/offense_saved_search_dependent_tasks/{task_id}/results DEPRECATED . . . . . . . . 1546
GET /siem/offense_saved_search_groups DEPRECATED . . . . . . . . . . . . . . . . . 1548
GET /siem/offense_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1549
POST /siem/offense_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . . 1551
DELETE /siem/offense_saved_search_groups/{group_id} DEPRECATED . . . . . . . . . . . . 1552
GET /siem/offense_saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1553
GET /siem/offense_saved_searches/{id} DEPRECATED. . . . . . . . . . . . . . . . . . 1554
POST /siem/offense_saved_searches/{id} DEPRECATED . . . . . . . . . . . . . . . . . 1555
DELETE /siem/offense_saved_searches/{id} DEPRECATED . . . . . . . . . . . . . . . . 1557
GET /siem/offense_saved_searches/{id}/dependents DEPRECATED . . . . . . . . . . . . . 1558
GET /siem/offenses DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1561
GET /siem/offenses/{offense_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1563
GET /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . . 1565
GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED . . . . . . . . . . . . . . 1567
POST /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . 1568
POST /siem/offenses/{offense_id} DEPRECATED. . . . . . . . . . . . . . . . . . . . 1568
GET /siem/offense_types DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1572
GET /siem/offense_types/{offense_type_id} DEPRECATED . . . . . . . . . . . . . . . . 1573
GET /siem/source_addresses DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1574
GET /siem/source_addresses/{source_address_id} DEPRECATED . . . . . . . . . . . . . . 1575
Staged configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 1577
GET /staged_config/deploy_status DEPRECATED . . . . . . . . . . . . . . . . . . . 1577
POST /staged_config/deploy_status DEPRECATED . . . . . . . . . . . . . . . . . . . 1578
GET /staged_config/global_system_notifications DEPRECATED . . . . . . . . . . . . . . . 1579
GET /staged_config/global_system_notifications/{notification_id} DEPRECATED . . . . . . . . . 1580
POST /staged_config/global_system_notifications/{notification_id} DEPRECATED . . . . . . . . 1581
DELETE /staged_config/yara_rules DEPRECATED . . . . . . . . . . . . . . . . . . . 1582
PUT /staged_config/yara_rules DEPRECATED . . . . . . . . . . . . . . . . . . . . 1582
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1583
GET /system/information/locales DEPRECATED. . . . . . . . . . . . . . . . . . . . 1583
GET /system/servers DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1585
GET /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1586
POST /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1587
GET /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1588
PUT /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1589
GET /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1590
POST /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1592
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . . 1594
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . 1597
GET /system/servers/{server_id}/network_interfaces/ethernet DEPRECATED . . . . . . . . . . 1597
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} DEPRECATED . . . . 1599

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1603
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1604
Terms and conditions for product documentation . . . . . . . . . . . . . . . . . . . . . . 1604

IBM Online Privacy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605

Default Applications Configuration Overview
The IBM® Security QRadar® API Reference Guide describes the RESTful API that you use to integrate
QRadar solutions with third-party systems.

Intended audience
This guide is intended for developers with coding experience. This guide assumes that you have QRadar
access and a knowledge of your corporate network and networking technologies.

Technical documentation

For information about how to access more technical documentation, technical notes, and release notes, see
Accessing IBM Security Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0
&uid=swg21612861).

Contacting customer support


For information about contacting customer support, see the Support and Download Technical Note
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in
information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of
your systems, including for use in attacks on others. No IT system or product should be considered
completely secure and no single product, service or security measure can be completely effective in
preventing improper use or access. IBM systems, products and services are designed to be part of a
lawful comprehensive security approach, which will necessarily involve additional operational
procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE
YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data
protection, employment, and electronic communications and storage. IBM Security QRadar may be used
only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and
assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee
represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its
lawful use of IBM Security QRadar.

© Copyright IBM Corp. 2014, 2017 xxv


1 What's new for developers in RESTful APIs in QRadar V7.3.1
IBM Security QRadar V7.3.1 introduces version 9.0 of the API endpoints.

New endpoints

QRadar V7.3.1 introduces new categories of API endpoints and updates to existing endpoints in the
following categories:
Analytics API endpoints
  Building blocks
  Custom rules
Configuration API endpoints
  Hosts
  License pool
  Remote networks
  Remote services
GUI App Framework endpoints
  Named services
Staged configuration API endpoints
  License pool
  Remote networks
  Remote services
Services endpoints
  DNS lookups
  DIG lookups
  WHOIS lookups


Deprecated endpoints

All version 7.0 API endpoints are marked as deprecated in QRadar V7.3.1.


New endpoints in more detail


V7.3.1 of IBM Security QRadar increases the number of endpoints that are available in the QRadar API.

Building block API endpoints

The building block API structure includes the following new rule performance information:
v Base Capacity (in EPS)
v Base Host ID
v Average Capacity (in EPS)
v Capacity Timestamp (of when the last performance update occurred)

The following endpoints were updated:


v GET /api/analytics/building_blocks
Retrieves a list of building block rules.
v GET /api/analytics/building_blocks/{id}
Retrieves a building block rule.
v POST /api/analytics/building_blocks/{id}
Updates the building block rule owner, or enabled/disabled only.

Custom rules API endpoints

The custom rule API structure includes the following new rule performance information:
v Base Capacity (in EPS)
v Base Host ID
v Average Capacity (in EPS)
v Capacity Timestamp (for the last performance update)

The following endpoints were updated:


v GET /api/analytics/rules
Retrieves a list of custom rules.
v GET /api/analytics/rules/{id}
Retrieves a rule.
v POST /api/analytics/rules/{id}
Updates the rule owner, or enabled/disabled only.

Remote networks API endpoints

Use the new remote networks API endpoints to retrieve information about deployed remote networks, and
to create, update, delete, and retrieve staged remote networks.

The following new endpoints were added:


v GET /api/config/remote_networks
Retrieves a list of deployed remote networks.
v GET /api/config/remote_networks/{network_id}
Retrieves a deployed remote network by ID.
v GET /api/staged_config/remote_networks
Retrieves a list of staged remote networks.
v POST /api/staged_config/remote_networks
Creates a staged remote network.
v GET /api/staged_config/remote_networks/{network_id}
Retrieves a staged remote network.
v POST /api/staged_config/remote_networks/{network_id}
Updates a staged remote network.
v DELETE /api/staged_config/remote_networks/{network_id}
Deletes a staged remote network.

Remote services API endpoints

Use the new remote services API endpoints to retrieve information about deployed remote services, and
to create, update, delete, and retrieve staged remote services.

The following new endpoints were added:


v GET /api/config/remote_services
Retrieves a list of deployed remote services.
v GET /api/config/remote_services/{service_id}
Retrieves a deployed remote service by ID.
v GET /api/staged_config/remote_services
Retrieves a list of staged remote services.
v POST /api/staged_config/remote_services
Creates a staged remote service.
v GET /api/staged_config/remote_services/{service_id}
Retrieves a staged remote service by ID.
v POST /api/staged_config/remote_services/{service_id}
Updates an existing staged remote service.
v DELETE /api/staged_config/remote_services/{service_id}
Deletes an existing staged remote service.

GUI App Framework named services API endpoints

The named services API endpoints, which were introduced in API version 8.0, retrieve information about
named services that are registered with the QRadar GUI application framework. The following endpoints
were added:
v GET /api/gui_app_framework/named_services
Retrieves the list of named services that are registered with the GUI App Framework.
v GET /api/gui_app_framework/named_services/{UUID}
Retrieves an individual named service by its UUID.

Hosts API endpoints


Use the new hosts API endpoints to retrieve information about deployed and staged hosts, and to update
deployed hosts.

The following new endpoints were added:


v GET /api/config/deployment/hosts
Retrieves a list of deployed hosts.
v GET /api/config/deployment/hosts/{id}
Retrieves an individual deployed host by ID.
v POST /api/config/deployment/hosts/{id}
Updates a host's fields that do not require a deploy.
v GET /api/staged_config/deployment/hosts
Retrieves a list of staged hosts.
v GET /api/staged_config/deployment/hosts/{id}
Retrieves an individual staged host by ID.

License pool API endpoint

The License Pool API endpoint provides aggregated data of a deployment's licenses.

The following new endpoint was added:


v GET /api/config/deployment/license_pool
Retrieves the deployed license pool singleton.

Services API endpoints

Use the services endpoints to start port scans and DIG, DNS, and WHOIS lookups, and to retrieve their
status and results.

The following new endpoints were added:


v POST /api/services/dig_lookups
Creates a DIG lookup.
v GET /api/services/dig_lookups/{dig_lookup_id}
Retrieves the DIG lookup status and result.
v POST /api/services/dns_lookups
Creates a DNS lookup.
v GET /api/services/dns_lookups/{dns_lookup_id}
Retrieves the DNS lookup status.
v POST /api/services/port_scans
Creates a port scan.
v GET /api/services/port_scans/{port_scan_id}
Retrieves the port scan status.
v POST /api/services/whois_lookups
Creates a WHOIS lookup.
v GET /api/services/whois_lookups/{whois_lookup_id}
Retrieves the WHOIS lookup status.

System time API endpoints


Use the system time API endpoints to set and retrieve information about a server's system time and time
zone.

The following new endpoints were added:


v GET /api/system/servers/{server_id}/system_time_settings
Retrieves the system time and time zone settings on a server host based on the supplied server ID.
v POST /api/system/servers/{server_id}/system_time_settings
Sets the system time and time zone settings on a server host.
v GET /api/system/servers/{server_id}/timezones
Retrieves all the available time zones that can be set for a server.

Deprecated endpoints in more detail


All version 7.0 API endpoints are marked as deprecated in IBM Security QRadar V7.3.1.

Although deprecated endpoints continue to function, they will be removed in a future release. You must
update your integration to use version 9.0, which is the most recent version of the QRadar RESTful API.
Responses to deprecated endpoint requests include a Deprecated response header that indicates that the
endpoint is deprecated.
Related concepts: Chapter 2, “RESTful API overview,” on page 7.

2 RESTful API overview
You access the RESTful API by sending HTTPS requests to specific URLs (endpoints) on the QRadar
SIEM Console. To send these requests, use the HTTP implementation that is built in to the programming
language of your choice. Each request contains authentication information, and parameters that modify
the request.

QRadar and API versions

Every QRadar version has a REST API version, as described in the following table:
Table 1. QRadar and API versions

QRadar version        REST API version          API version support status
V7.3.1                Version 9.0               Supported.
V7.3.0.n              Version 8.n               Supported.
V7.2.8.n              Version 7.n               Deprecated in QRadar V7.3.1.
V7.2.7 and earlier    Version 6.0 and earlier   No longer supported.

API endpoints

An API endpoint contains the URL of the resource that you want to access and the action that you want to
complete on that resource. The action is indicated by the HTTP method of the request: GET, POST, PUT,
or DELETE.

Required permissions to access the API

Every API request must include authentication information in an HTTP header. Provide the required
access credentials in one of the following ways:
v A user name and password for a QRadar user, specified in the Authorization header by using HTTP
basic authentication.
Although you can make API requests by providing a user name and password with every request, use
authorized service tokens for all API integrations with QRadar. Only the user name and password option
is supported for viewing the Documentation Page.
For more information about creating user roles, security profiles, and users, see the IBM Security
QRadar Administration Guide.
v An authorized service token, specified in the SEC header.
To authenticate as an authorized service, create an authentication token for the authorized service.
QRadar authorized services have roles and security profiles assigned that control access to the various
API resources.
The token is valid until the expiry date that you specified when you created the authorized service.
For more information about creating user roles, security profiles, and authorized services, see the IBM
Security QRadar Administration Guide.

The following table highlights the required role and the security profile impacts for each API endpoint:
Table 2. Role permissions and security profile requirements

/api/analytics/*
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/ariel/*
Roles permissions: No permission restrictions.
Security profile: Data returned restricted based on security profile assigned.

/api/asset_model/*
Roles permissions: Requires Vulnerability Management or Assets permission.
Security profile: Data returned restricted based on security profile assigned.

/api/auth/*
Roles permissions: No permission restrictions.
Security profile: No security profile restrictions.

/api/config/access/tenant_management
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/config/domain_management
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/config/extension_management
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/gui_app_framework/*
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/data_classification/*
Roles permissions: Requires Admin or Saasadmin permission for POST requests. No permission
restrictions for GET requests.

/api/forensics/*
Roles permissions: Requires Admin or Forensics permission. The Forensics.Casecreation permission is
required for POST /api/forensics/case_management/cases.

/api/help/*
Roles permissions: No permission restrictions.
Security profile: No security profile restrictions.

/api/qvm/*
Roles permissions: Requires Assets permission.
Security profile: Requires a security profile with access to all networks, all log sources, and all domains.

/api/qrm/*
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/reference_data/*
Roles permissions: Requires Admin permission for POST and DELETE requests. Requires View Reference
Data for GET requests.
Security profile: Requires Admin security profile.

/api/scanner/*
Roles permissions: Requires Vulnerability Management permission.
Security profile: Requires a security profile with access to all networks, all log sources, and all domains.

/api/services/*
Roles permissions: No permission restrictions.
Security profile: No security profile restrictions.

/api/siem/*
Roles permissions: Requires Offenses permission. The Manage Offense Closing Reasons permission is
required for creating offense closing reasons (POST /api/siem/offense_closing_reasons). The Assign
Offenses to Users permission is required for updating the assigned to field of an offense (POST
/api/siem/offenses/{offense_id} when the assigned_to parameter is supplied).
Security profile: Data returned restricted based on security profile assigned.

/api/staged_config/*
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

/api/system/*
Roles permissions: Requires Admin permission.
Security profile: Requires Admin security profile.

API requests and responses

When you send an API request, the server returns an HTTP response. The HTTP response contains a
status code to indicate whether the request succeeded and the details of the response in the response
body. Most resources format this response as JavaScript Object Notation (JSON). You can use the JSON
packages or libraries that are built in to the programming language that you use to extract the data.

For a complete example of this process, see the sample code in GitHub (https://github.com/ibm-
security-intelligence/api-samples).

Version headers
You use version headers to request a specific version of the API. If you don't provide a version header,
the latest version of the API is used, which might break integrations when QRadar is upgraded. If you
provide a version header every time you use an API, it makes it easier to upgrade to newer versions of
QRadar without breaking your API clients.

The APIs use the major and minor components of semantic versioning. Natural numbers are used to
designate major versions of the API, for example, '3'. Minor versions of the API are designated with a
major and minor component, for example, '3.1'. You can set the version header to a major or a minor
version of the API. Changes that are compatible with existing versions are introduced with an
incremented minor version number. Any incompatible changes are introduced with a major version
number increment.

When a major version of the API is specified in the version header without a minor component, the
server responds with the latest minor version within the major API version. For example, if the client
requests version '3', the server responds with version '3.1'. If you want to use version 3.0, you must
request '3.0' in the version header. If you request a version greater than the latest version of an endpoint,
the latest available version of that endpoint is returned. Each endpoint is listed under every version it is
valid for, even if it's unchanged in the newer versions.

Endpoint deprecation

An API endpoint is marked as deprecated to indicate that it is not recommended for use and will be
removed in a future release. To give integrations time to move to an alternative, a deprecated endpoint
continues to function for at least one release before it is removed. The interactive API documentation
page indicates when an endpoint is deprecated, and the API response for a deprecated endpoint includes
the Deprecated header. An individual API endpoint, or an entire version of API endpoints, can be marked
as deprecated.

When an API endpoint completes the deprecation process, it is removed. Endpoints that are removed no
longer respond successfully. An attempt to call a removed endpoint returns an error. An HTTP 410 Gone
response is returned for individual removed endpoints. An HTTP 422 Unprocessable Entity response is
returned for requests for a version that is no longer supported.

Include the version header in API requests to call a specific version of an API endpoint. API integrations
that do not explicitly request a particular version are not supported. If you do not specify a version, your
request is directed to the latest available version. If a release includes a new, incompatible version of an
endpoint, your integration might break. Have your request version in one location in your code to ease
upgrading as newer versions become available.

Filter syntax
To limit the results that are returned in an API retrieval request (HTTP GET), most IBM Security QRadar
API endpoints that return lists of resources support the filter parameter.



The filter parameter syntax is consistent for all endpoints that support it. Refer to the documentation
for the endpoint to determine if the filter parameter applies to it. Any limitations for the filter syntax are
included in that endpoint's description. You are reminded that query parameters must be double URL
encoded before they are sent.

Comparison operators

The following table describes the comparison operators that you can use as part of the
filter parameter. Each entry shows the operator, what it tests, and the encoded form of an
example filter.

Table 3. Filter comparison operators

=
    Equality between the identifier and the specified value.
    To find offenses where status = CLOSED:
    GET /api/siem/offenses?filter=status%3DCLOSED

>
    Identifier is greater than the specified value.
    To find offenses where credibility > 3:
    /api/siem/offenses?filter=credibility%20%3E%203

<
    Identifier is less than the specified value.
    To find offenses where magnitude < 9:
    /api/siem/offenses?filter=magnitude%20%3C%209

<=
    Identifier is less than or equal to the specified value.
    To find asset properties where id <= 1004:
    /api/asset_model/properties?filter=id%20%3C%3D%201004

>=
    Identifier is greater than or equal to the specified value.
    To find scan profiles where scanProfileId >= 3:
    /api/scanner/scanprofiles?filter=scanProfileId%20%3E%3D%203

!=, <>, ^=
    Identifier is not equal to the specified value. The three forms are equivalent; each of
    the following examples returns all offenses whose id is not 5:
    /api/siem/offenses?filter=id%20!%3D%205
    /api/siem/offenses?filter=id%20%3C%3E%205
    /api/siem/offenses?filter=id%20%5E%3D%205

in
    Identifier is equal to at least one of the values in the list.
    id in (1001,1111,1200):
    /api/asset_model/assets?filter=id%20in%20(1001%2C1111%2C1200)

not in
    Identifier is not equal to any of the values in the list.
    id not in (14,20,1003):
    /api/asset_model/saved_searches?filter=id%20not%20in%20(14%2C20%2C1003)

between ... and ...
    Identifier is between the 2 specified values.
    id between 0 and 3:
    /api/siem/offenses?filter=id%20between%200%20and%203

not between ... and ...
    Identifier is not between the 2 specified values.
    id not between 30 and 31:
    /api/siem/offenses?filter=id%20not%20between%2030%20and%2031

is null
    Identifier is null.
    assigned_to is null:
    /api/siem/offenses?filter=assigned_to%20is%20null

is not null
    Identifier is not null.
    assigned_to is not null:
    /api/siem/offenses?filter=assigned_to%20is%20not%20null

Null values and comparison operators

When the field that you filtered on has a 'null' value, comparison operators behave in the following ways:
v "=", ">", ">=", "<", "<=", "IN", and "BETWEEN" operators always return false
v "!=", "<>", "^=", "NOT BETWEEN", and "NOT IN" always return true

The best way to test for null values is to use the "is null" or "is not null" operators.

Logical operators

Use the logical operators OR, AND, and NOT to combine subexpressions. A subexpression can be a
comparison or another logical expression. The following examples show how to use logical
operators in filters.

or
    Performs a logical OR operation on the 2 subexpressions.
    assigned_to is not null or id = 111:
    /api/siem/offenses?filter=assigned_to%20is%20not%20null%20or%20id%20%3D%20111

and
    Performs a logical AND operation on the 2 subexpressions.
    assigned_to is not null and id = 111:
    /api/siem/offenses?filter=assigned_to%20is%20not%20null%20and%20id%20%3D%20111

not
    Performs a logical NOT operation on the subexpression.
    protected = true and not id in (111,112,113):
    /api/siem/offenses?filter=protected%20%3D%20true%20and%20not%20id%20in%20(111%2C112%2C113)

Specifying JSON fields for comparisons

The following examples show how to specify JSON fields for use with comparison operators in
filters.

Field directly in the returned object
    When you apply a filter to a field directly in the object that is returned, the field is
    specified by name. For an object such as
        {
          "name": "Proprietary Data",
          "element_type": "ALN"
        }
    the filter name = "Proprietary Data" is written as:
    GET /api/reference_data/sets?filter=name%20%3D%20%22Proprietary%20Data%22

Field nested inside a sub-object
    When you apply a filter to a field that is nested inside a sub-object, use brackets to
    specify the inner field. For an object such as
        {
          "description": "String",
          "duration": {
            "days": 42,
            "hours": 42,
            "minutes": 42,
            "months": 42,
            "seconds": 42.5,
            "years": 42
          }
        }
    the filter duration(days) >= 1 is written as:
    GET /api/scanner/scanprofiles?filter=duration(days)%20%3E%3D%201

Simple JSON types with no field label
    For lists of simple JSON types, such as strings, numbers, or Booleans, there is no field
    label; use the . operator to refer to the element itself. For a list such as
        ["events","flows","simarc"]
    the filter . = events is written as:
    GET /api/ariel/databases?filter=.%3D%20events

Specifying string and numeric values in filters

When you filter on a string field and the value contains non-alphanumeric characters (for example
a space), you must wrap the value in quotation marks. When you filter on numeric values, the
numeric values can:
v Start with a leading + or - sign.
v Contain or start with a decimal point
v Include an exponent using e notation.

Filtering complex objects by using the CONTAINS operator

Use the CONTAINS operator to test the contents of lists or maps. On the left side of the operator
is an identifier in the standard format, for example x(y(z)). The identifier must refer to an
element that is a list, map, or collection. On the right side of the operator is an expression
that specifies how the objects in the list must be matched. There are two basic uses for the
CONTAINS operator:
v The list that is examined contains simple elements like strings or numbers
v The list contains complex objects.

Lists that contain simple types
    For lists that contain simple types such as strings or numbers, the expression is a value of
    the same type. For single comparisons, no brackets are required.
    To request only asset saved searches that have ftp as the string in the filter's value field:
    GET /api/asset_model/saved_searches?filter=filters%20contains%20value%20%3D%20ftp
    To request assets where interfaces contains the IP address "1.2.3.4":
    GET /api/asset_model/assets?filter=interfaces%20contains%20ip_addresses%20contains%20value%20%3D%20%221.2.3.4%22

Lists that contain complex objects
    For lists that contain complex objects, the expression is a complete filter expression for
    the objects within the list. This subfilter expression uses the same syntax as any other
    filter, and any operator can be used in it, including a further CONTAINS to test sublists
    inside the original list. Identifiers in the subfilter are relative to the objects in the
    list that the CONTAINS operator is operating on. In complex subfilter expressions, brackets
    are required.
    To request only asset saved searches that have a filter element whose value is 14 and
    whose operator is "Greater than", apply the filter
    filters contains (value = 14 and operator = "Greater than"):
    GET /api/asset_model/saved_searches?filter=filters%20contains%20(value%20%3D%2014%20and%20operator%20%3D%20%22Greater%20than%22)
    To find offenses whose source_address_ids list contains an ID less than 3, apply the
    following filter (the . operator refers to each simple element of the list):
    GET /api/siem/offenses?filter=source_address_ids%20contains%20(.%3C3)

The LIKE operator

Use the LIKE operator to retrieve partial string matches.

The LIKE operator uses the following format: identifier like "expression". Quotation marks around
the expression are mandatory; single and double quotation marks are both supported. The LIKE
keyword does case-sensitive matching.

The following wildcard characters are supported. To match a literal % or _ rather than the
wildcard, you must escape the character.

Wildcard character    Description
%                     Matches a string of zero or more characters
_                     Matches any single character

You can combine the wildcards in the same expression. For example, to find the reference sets whose
name begins with H, followed by any single character, and ends with Data:
GET /api/reference_data/sets?filter=name%20like%20%22H_%25Data%22

Sort syntax
To order the results that are returned in an API retrieval request, HTTP GET, some IBM Security QRadar
API endpoints that return lists of resources support the sort parameter.

The sort parameter syntax is consistent for all endpoints that support it. Refer to the documentation for
the endpoint to determine if the sort parameter applies to it. Any limitations on the sort syntax are
included in that endpoint's description. To ensure that spaces or special characters are encoded properly,
remember that query parameters must be double URL encoded before they are sent.

Sort operators

+
    Sort field is in ascending order. To sort the add_time field in ascending order:
    /api/config/extension_management/extensions?sort=%2Badd_time

-
    Sort field is in descending order. To sort the version field in descending order:
    /api/config/extension_management/extensions?sort=-version

Sorting multiple fields

You can sort multiple fields by separating them with a comma. In the following example, the version
field is sorted in descending order. Then, within each version group, the add_time field is sorted in
ascending order.
/api/config/extension_management/extensions?sort=-version%2C%2Badd_time



Escaping characters in sort strings

Escape any character in the sort string by preceding it with a backslash (\). If any of the following
characters are inside a field identifier, you must escape them:
v ,
v (
v )
v \
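
The following Python module is an added example for the filter and sort sections above; it is not
code from the IBM guide or from the api-samples repository. It builds filter expressions (comparisons,
in/between/null tests, LIKE, CONTAINS, and/or/not) and sort strings in one place, so quoting,
bracketing, sort-field escaping and percent-encoding are never done by hand in a URL. It reproduces
the encoded strings shown in the tables above: parentheses are left readable, as in the guide's own
examples, and the expression is encoded once (apply quote() a second time if your client or proxy
needs the double encoding mentioned earlier). The function names, the set of characters written bare,
and the choice to reject a value that contains a double quote (the guide defines no escape for it)
are this example's own.

```python
"""Build QRadar filter= and sort= query parameters with consistent quoting and encoding.

Added example, not IBM code. Names and conventions are assumptions unless the
comment says they come from the API guide.
"""
import re
from urllib.parse import quote

# Values made only of letters, digits, '_' and '.' are written bare; anything
# else is wrapped in double quotes, as the guide requires for values with
# non-alphanumeric characters. The guide defines no escape for a quote inside a
# value, so such values are refused rather than guessed at (assumption).
_BARE = re.compile(r"^[A-Za-z0-9_.]+$")
COMPARISON_OPS = {"=", "!=", "<>", "^=", "<", "<=", ">", ">="}


def literal(value):
    """Render a Python value as a filter literal."""
    if isinstance(value, bool):            # before int: bool is a subclass of int
        return "true" if value else "false"
    if value is None:
        raise ValueError("use is_null(): comparison operators always return false on null")
    if isinstance(value, (int, float)):
        return repr(value)                 # 42, -3, 42.5, 0.001 are all valid numbers
    if isinstance(value, str):
        if _BARE.match(value):
            return value
        if '"' in value:
            raise ValueError("no documented escape for a double quote inside a value")
        return f'"{value}"'
    raise TypeError(f"unsupported literal type: {type(value).__name__}")


def compare(field, op, value):
    """field op value, e.g. compare("status", "=", "CLOSED")."""
    if op not in COMPARISON_OPS:
        raise ValueError(f"unknown comparison operator: {op!r}")
    return f"{field} {op} {literal(value)}"


def in_list(field, values, negate=False):
    op = "not in" if negate else "in"
    return f"{field} {op} ({','.join(literal(v) for v in values)})"


def between(field, low, high, negate=False):
    op = "not between" if negate else "between"
    return f"{field} {op} {literal(low)} and {literal(high)}"


def is_null(field, negate=False):
    return f"{field} is {'not ' if negate else ''}null"


def like(field, pattern):
    """Case-sensitive partial match; % and _ in pattern are wildcards."""
    if '"' in pattern:
        raise ValueError("no documented escape for a double quote inside a pattern")
    return f'{field} like "{pattern}"'


def and_(*exprs):
    return " and ".join(exprs)


def or_(*exprs):
    return " or ".join(exprs)


def not_(expr):
    return f"not {expr}"


def group(expr):
    """Bracket a subexpression; the guide does not state and/or precedence, so be explicit."""
    return f"({expr})"


def contains(field, subexpr, bracket=True):
    """CONTAINS: brackets are optional for a single comparison and required
    once the subexpression uses and/or/not."""
    return f"{field} contains ({subexpr})" if bracket else f"{field} contains {subexpr}"


def encode(expr):
    """Percent-encode a filter expression once, leaving parentheses readable as
    the guide's examples do."""
    return quote(expr, safe="()")


def filter_url(path, expr):
    return f"{path}?filter={encode(expr)}"


_SORT_SPECIAL = re.compile(r"([,()\\])")


def sort_param(*fields):
    """Build the sort= value from fields like "-version", "+add_time".
    A field with no sign sorts ascending. Commas, parentheses and backslashes
    inside a field identifier are backslash-escaped, as the guide requires."""
    parts = []
    for f in fields:
        sign, name = (f[0], f[1:]) if f and f[0] in "+-" else ("+", f)
        parts.append(sign + _SORT_SPECIAL.sub(r"\\\1", name))
    return quote(",".join(parts), safe="")
```

A call such as filter_url("/api/siem/offenses", and_(compare("protected", "=", True),
not_(in_list("id", [111, 112, 113])))) yields exactly the encoded URL shown in the logical operators
examples. The only visible difference from the guide's examples is that "!" is encoded as %21, which
any URL decoder accepts.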

Paging syntax
To limit the results returned in an API retrieval request, HTTP GET, most IBM Security QRadar API
endpoints that return lists of resources support the Range header parameter.

The Range parameter syntax is consistent for all endpoints that support it. Refer to the documentation for
the endpoint to determine whether the Range parameter applies to it. Any limitations on the Range syntax
are included in that endpoint's description.

Note: The Range parameter is always sent as a header parameter, unlike the sort, filter, and fields
parameters. These parameters are typically query parameters.

By default, only the first 50 records are returned for the Range parameter on the interactive API
documentation page. You can alter the Range value for an endpoint. However, if you request large result
sets, it might negatively affect the performance of the interactive API documentation page.

Range header parameter


Paging requests are specified with the Range header parameter. Use the following zero-indexed
syntax:
Range: items=x-y

The response to a request that uses paging includes the Content-Range header. The header indicates
which records were returned and how many records match in total, in the following format:
Content-Range: items x-y/total

For example, to return the first 5 records, the request header contains the following parameter:
Range: items=0-4

The response header for that request returns the following information:
Content-Range: items 0-4/5

If the requested range exceeds the number of records, all records that are within the stated range
are returned. In the following example, the first 100 records are requested:
Range: items=0-99

However, there are only 12 records in total, so the response returns all of them and reports the
range that was actually served:
Content-Range: items 0-11/12

If the requested range lies entirely beyond the last record, no records are returned. In the
following example, records 3 to 5 are requested:
Range: items=3-5

However, there are only 3 records (indexes 0 to 2), so no records are returned and the Content-Range
header reports only the total:
Content-Range: items */3
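
The following Python module is an added example for the paging syntax above; it is not code from the
IBM guide or the api-samples repository. It parses every Content-Range form the guide shows,
including "items */N", and walks a list endpoint page by page, stopping when the server reports
that the last record has been served and capping the number of requests so a misbehaving server
cannot make the client loop forever. The HTTP call is injected as a function, and the module ships
with a constructed in-memory endpoint that honours Range as described above, so it runs offline; the
status codes it accepts (200 or 206) and the endpoint's behaviour are assumptions.

```python
"""Walk a paged QRadar list endpoint with the Range header.

Added example, not IBM code. The HTTP call is injected as `fetch(headers)`
returning (status, response_headers, records), so the module runs offline
against the constructed endpoint at the bottom; in a real client `fetch`
wraps requests.get(url, headers=...) and returns the parsed JSON list.
"""
import re

# Content-Range as the guide shows it: "items 0-4/5", or "items */3" when the
# requested range starts past the last record.
_CONTENT_RANGE = re.compile(r"^items (?:(\d+)-(\d+)|\*)/(\d+)$")


def parse_content_range(header):
    """Return (first, last, total); first and last are None for 'items */N'."""
    m = _CONTENT_RANGE.match(header.strip())
    if not m:
        raise ValueError(f"unexpected Content-Range header: {header!r}")
    first, last, total = m.groups()
    if first is None:
        return None, None, int(total)
    return int(first), int(last), int(total)


def range_header(start, page_size):
    """Zero-indexed and inclusive: the first 50 records are items=0-49."""
    return {"Range": f"items={start}-{start + page_size - 1}"}


def iterate(fetch, page_size=50, max_pages=10_000):
    """Yield every record one page at a time, stopping when the server reports
    that the last record has been served. The next page always starts at
    last+1 from the reply, so a short page never causes a gap or a repeat."""
    start = 0
    for _ in range(max_pages):              # hard cap: a misbehaving server cannot loop us forever
        status, headers, records = fetch(range_header(start, page_size))
        if status not in (200, 206):        # assumption: either may carry a partial list
            raise RuntimeError(f"HTTP {status} while paging at offset {start}")
        first, last, total = parse_content_range(headers.get("Content-Range", ""))
        if first is None or not records:    # 'items */N': past the end (collection shrank, or empty)
            return
        yield from records
        if last + 1 >= total:
            return
        start = last + 1
    raise RuntimeError(f"gave up after {max_pages} pages")


# ---- constructed stand-in for a QRadar list endpoint (not a real server) ----

def fake_endpoint(records):
    """Honours Range the way the guide describes, including 'items */N'."""
    def fetch(headers):
        m = re.fullmatch(r"items=(\d+)-(\d+)", headers["Range"].replace(" ", ""))
        x, y = int(m.group(1)), int(m.group(2))
        total = len(records)
        if x >= total:
            return 200, {"Content-Range": f"items */{total}"}, []
        y = min(y, total - 1)
        return 200, {"Content-Range": f"items {x}-{y}/{total}"}, records[x:y + 1]
    return fetch


SAMPLE_OFFENSES = [{"id": i, "status": "OPEN"} for i in range(12)]   # constructed sample data


def collect_ids(page_size, records=SAMPLE_OFFENSES):
    """Fetch every record through the fake endpoint and return the ids in order."""
    return [r["id"] for r in iterate(fake_endpoint(records), page_size)]


if __name__ == "__main__":
    print(collect_ids(5))   # three requests: items=0-4, items=5-9, items=10-14
```

With a page size of 5 and 12 records the walker issues items=0-4, items=5-9 and items=10-14; the
last reply carries Content-Range: items 10-11/12, and 11 + 1 >= 12 ends the loop without a fourth
request.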



API error messages
When an API request fails due to request errors or server errors, an error response message is returned in
JSON format.

An error response message is returned in JSON format even for endpoints that support other MIME
types. The error response message includes the error message itself, a description of the error, a
unique error code for the endpoint, an HTTP response message, and an HTTP response code.

The error response includes the following fields:


v message: the error message
v details: a field for additional information, which may or may not be populated
v description: description of the specific error
v code: Unique error response code
v http_response:
– message: HTTP response message
– code: HTTP response status code

For example, the following API request attempts to get information about a non-existent reference
set that is called test_set:
https://<host_ip>/api/reference_data/sets/test_set

An HTTP 404 response code and the following JSON error response message are returned:
{
"message": "test_set does not exist",
"details": {},
"description": "The reference set does not exist.",
"code": 1002,
"http_response": {
"message": "We could not find the resource you requested.",
"code": 404
}
}

The following table provides more information about the HTTP response error categories returned by the
IBM Security QRadar REST API:

Code  HTTP error category              HTTP response message
300   MULTIPLE CHOICES                 The requested resource corresponds to any one of a set of representations, each with its own specific location.
301   MOVED PERMANENTLY                The resource has moved permanently. Please refer to the documentation.
302   FOUND                            The resource has moved temporarily. Please refer to the documentation.
303   SEE OTHER                        The resource can be found under a different URI.
304   NOT MODIFIED                     The resource is available and not modified.
305   USE PROXY                        The requested resource must be accessed through the proxy given by the Location field.
307   TEMPORARY REDIRECT               The resource resides temporarily under a different URI.
400   BAD REQUEST                      Invalid syntax for this request was provided.
401   UNAUTHORIZED                     You are unauthorized to access the requested resource. Please log in.
403   FORBIDDEN                        Your account is not authorized to access the requested resource.
404   NOT FOUND                        We could not find the resource you requested. Please refer to the documentation for the list of resources.
405   METHOD NOT ALLOWED               This method type is not currently supported.
406   NOT ACCEPTABLE                   Acceptance header is invalid for this endpoint resource.
407   PROXY AUTHENTICATION REQUIRED    Authentication with proxy is required.
408   REQUEST TIMEOUT                  Client did not produce a request within the time that the server was prepared to wait.
409   CONFLICT                         The request could not be completed due to a conflict with the current state of the resource.
410   GONE                             The requested resource is no longer available and has been permanently removed.
411   LENGTH REQUIRED                  Length of the content is required, please include it with the request.
412   PRECONDITION FAILED              The request did not match the pre-conditions of the requested resource.
413   REQUEST ENTITY TOO LARGE         The request entity is larger than the server is willing or able to process.
414   REQUEST-URI TOO LONG             The request URI is longer than the server is willing to interpret.
415   UNSUPPORTED MEDIA TYPE           The requested resource does not support the media type provided.
416   REQUESTED RANGE NOT SATISFIABLE  The requested range for the resource is not available.
417   EXPECTATION FAILED               Unable to meet the expectation given in the Expect request header.
419   MISSING ARGUMENTS                The requested resource is missing required arguments.
420   INVALID ARGUMENTS                The requested resource does not support one or more of the given parameters.
422   UNPROCESSABLE ENTITY             The request was well-formed but was unable to be followed due to semantic errors.
500   INTERNAL SERVER ERROR            Unexpected internal server error.
501   NOT IMPLEMENTED                  The requested resource is recognized but not implemented.
502   BAD GATEWAY                      Invalid response received when acting as a proxy or gateway.
503   SERVICE UNAVAILABLE              The server is currently unavailable.
504   GATEWAY TIMEOUT                  Did not receive a timely response from upstream server while acting as a gateway or proxy.
505   HTTP VERSION NOT SUPPORTED       The HTTP protocol version used in the request message is not supported.
550   INITIALIZATION FAILURE           A failure occurred during initialization of services. API will be unavailable.

Note that 419, 420, and 550 are QRadar-specific codes rather than standard HTTP status codes, so a
generic HTTP client library might not have a name for them; handle them by number.
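
The following Python module is an added example that ties together the Version headers, Endpoint
deprecation, and API error messages sections; it is not code from the IBM guide or the api-samples
repository. It pins the Version header in one place, records any endpoint that answers with the
Deprecated header so the integration can be migrated before the endpoint is removed, and turns the
JSON error body into an exception that carries the HTTP status and the endpoint-specific code (an
HTTP 410 becomes its own exception type because it means the endpoint is gone for good). The HTTPS
call is injected, and a constructed transport with responses modelled on the guide's 404 example
is included so the module runs offline. The Version and Deprecated header names and the error-body
fields come from the guide; the SEC header is QRadar's authorized-service token header, which this
page does not describe, and the /api/example/* paths are constructed for the demonstration.

```python
"""Pin the API version, notice deprecation, and raise QRadar JSON errors.

Added example, not IBM code. The HTTPS call is injected as
transport(method, path, headers) -> (status, response_headers, body_text),
so the module runs offline against the constructed transport below; in a real
client the transport wraps requests.request(...). The Version and Deprecated
header names and the error-body fields come from the API guide; the SEC
token header is an assumption not described on this page.
"""
import json

API_VERSION = "9.0"     # one place to change when moving to a newer API version


class QRadarAPIError(Exception):
    """An error body as the guide describes it: message, details, description,
    code, http_response{message, code}."""

    def __init__(self, status, body):
        self.status = status
        self.code = body.get("code")
        self.description = body.get("description")
        self.details = body.get("details") or {}
        super().__init__(f"HTTP {status} (code {self.code}): {body.get('message')}")


class RemovedEndpoint(QRadarAPIError):
    """HTTP 410: the endpoint finished its deprecation and has been removed."""


class QRadarClient:
    def __init__(self, transport, sec_token, version=API_VERSION):
        self._transport = transport
        self._token = sec_token
        self._version = version
        self.deprecated = set()   # paths that answered with a Deprecated header

    def _headers(self):
        return {"Version": self._version, "SEC": self._token, "Accept": "application/json"}

    def get(self, path):
        status, headers, text = self._transport("GET", path, self._headers())
        if "Deprecated" in headers:          # still works, but plan the migration now
            self.deprecated.add(path)
        if status >= 400:
            raise self._error(status, text)
        return json.loads(text) if text else None

    @staticmethod
    def _error(status, text):
        try:
            body = json.loads(text)
        except ValueError:                   # errors are documented as JSON, but never rely on it
            body = {"message": text, "http_response": {"code": status}}
        if status == 410:
            return RemovedEndpoint(status, body)
        # 422 is ambiguous: an unsupported version, or a bad parameter (code 1010 on
        # many endpoints). Callers can tell them apart by e.code.
        return QRadarAPIError(status, body)


def probe(client, path):
    """Return ('ok', records) or ('error', status, code) for one GET."""
    try:
        return "ok", client.get(path)
    except QRadarAPIError as e:
        return "error", e.status, e.code


# ---- constructed transport with responses modelled on the guide (not a real server) ----

_NOT_FOUND = {
    "message": "test_set does not exist",
    "details": {},
    "description": "The reference set does not exist.",
    "code": 1002,
    "http_response": {"message": "We could not find the resource you requested.", "code": 404},
}
_GONE = {
    "message": "The requested resource is no longer available and has been permanently removed.",
    "details": {},
    "http_response": {"message": "The requested resource is no longer available and has been permanently removed.", "code": 410},
}


def fake_transport(method, path, headers):
    if "Version" not in headers or "SEC" not in headers:
        return 401, {}, json.dumps({"message": "You are unauthorized to access the requested resource. Please log in."})
    if path == "/api/reference_data/sets/test_set":
        return 404, {}, json.dumps(_NOT_FOUND)
    if path == "/api/example/removed":        # constructed: stands in for a removed endpoint
        return 410, {}, json.dumps(_GONE)
    if path == "/api/example/old":            # constructed: stands in for a deprecated endpoint
        return 200, {"Deprecated": "true"}, "[]"
    return 200, {"Version": headers["Version"]}, "[]"
```

After a run, client.deprecated lists every path that should be migrated before the next upgrade,
and a RemovedEndpoint exception is the signal that an upgrade has already taken one away.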

Cross-origin resource sharing


Cross-origin resource sharing (CORS) occurs when a script that was loaded from one server sends an
Ajax request to another server. A request is also cross-origin when it is sent to the same server on
a different protocol or port.

Browsers enforce the 'same origin policy', which stops a page from reading responses from another
origin and helps to prevent cross-site request forgery attacks. Because cookies are globally
disabled for /api/* endpoints, a forged cross-origin request cannot ride on a logged-in session;
browsers still enforce the policy, however, so a legitimate script must be explicitly allowed
through by CORS. All browsers use this convention, but it does not apply to manual request
mechanisms such as cURL.

When a browser detects that a script is making a cross-origin request, it first sends a preflight
request. The preflight is an OPTIONS request to the same URL that carries the Origin header. The
server must answer with the allowed request methods, which headers the actual request may send and
read, and whether the origin is accepted.

If the Access-Control-Allow-Origin header in the response to the preflight request does not match
the Origin header of the request, the browser rejects the request. If the header matches, the
browser proceeds with the actual request. The actual request's response must pass the same origin
check, in case the rule changes between the preflight and the actual request.

Management of allowed origins


The origin value that is sent by your browser contains the protocol followed by the host name and
port, for example:
http://1.2.3.4:8888

You can intercept the requests sent by your browser to confirm the exact origin value. To allow an
origin, add it to the whitelist on the QRadar Console in the /opt/qradar/webapps/console/restapi/
allowed_origins.list file. Changes are detected and take effect immediately. This file contains a
newline-separated list of allowed origins. Each entry is tested against the Origin header that is
sent by browsers during preflight requests. If an entry matches the origin, or if any entry is '*',
the browser is allowed to make cross-origin resource sharing requests.

Browsers send null as the origin when the script is loaded from a file:// URL. Adding '*' to the
whitelist to accommodate such scripts allows all origins and is not a good practice.
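
The following Python module is an added example for the allowed-origins whitelist above; it is not
code from the IBM guide. It parses the newline-separated list, applies the match rule the guide
describes (an entry equal to the Origin header, or a '*' entry), and lints the list for entries that
are either dangerous ('*', or 'null', which every file:// and sandboxed page presents) or can never
match (an entry with a path or without a scheme, or with an upper-case host, since browsers send the
host in lower case). Exact, case-sensitive comparison is assumed for the match, and the lint rules
are this example's own.

```python
"""Lint and apply a QRadar allowed_origins.list before deploying it.

Added example, not IBM code. The guide says the file is a newline-separated
list of origins, each compared with the Origin header sent during preflight,
and that '*' allows every origin. Exact, case-sensitive comparison is assumed
here; the lint rules are this example's own.
"""
from urllib.parse import urlsplit


def parse_allowed_origins(text):
    """One origin per line; blank lines are ignored (they could never match)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def origin_allowed(origin, entries):
    """The decision the preflight depends on: exact match, or a '*' entry."""
    return "*" in entries or origin in entries


def lint_allowed_origins(entries):
    """Return (entry, reason) pairs for entries that are dangerous or can never match."""
    problems = []
    for entry in entries:
        if entry == "*":
            problems.append((entry, "wildcard: every origin, including any attacker page, may call the API"))
            continue
        if entry == "null":
            problems.append((entry, "browsers send 'null' for file:// and sandboxed pages; allowing it is nearly as broad as '*'"))
            continue
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append((entry, "not scheme://host[:port]; it can never equal an Origin header"))
            continue
        if parts.path or parts.query or parts.fragment:
            problems.append((entry, "origins carry no path, query or fragment; drop everything after the port"))
        if parts.netloc != parts.netloc.lower():
            problems.append((entry, "browsers send the host in lower case; this entry will never match"))
        if parts.scheme == "http":
            problems.append((entry, "plain http origin: the calling page can be altered in transit before it reaches the browser"))
    return problems


def check_file(text):
    """Parse a whitelist and return (entries, problems) in one call."""
    entries = parse_allowed_origins(text)
    return entries, lint_allowed_origins(entries)
```

Run check_file() on the contents of allowed_origins.list as part of the change that edits it; an
empty problems list means every entry is a plain scheme://host[:port] origin served over HTTPS.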



3 API command-line client
Use the API command-line client to make API calls when logged in to the IBM Security QRadar host as
the root user. The API command-line client is experimental and will stabilize over future QRadar releases.

You can use the API command-line client to complete the following tasks:
1. Print API endpoints. To print all endpoints and information that is required to make calls against the
endpoints, use the following command:
/opt/qradar/bin/api_client --print_api
2. Make requests to API endpoints.

Basic API calls


A basic API call is a GET request to an endpoint that requires no parameters, for example:
/opt/qradar/bin/api_client --api /help/capabilities --method GET

The following table provides the arguments that you can use for basic calls.
Table 4. Arguments for basic calls

--api /api_name/endpoint
    The path to your API endpoint. This path is appended to https://ConsoleIPaddress/. For example:
    https://ConsoleIPaddress/api/reference_data/sets/
--method METHOD
    Determines whether your API request is a GET, POST, or DELETE method. View the output of
    --print_api for the required method.

Calls with path parameters

Path parameters are placeholders in the endpoint portion of the URL; you replace each one with the
value that selects the resource you want to call. For example, the {name} parameter in:
/referencedata/sets/{name}

To call a specific reference set in the Reference Data endpoint, place the name of the reference set in the
path to the endpoint that you want to specify. For example, to retrieve the exampleset reference set, use
the following call:
/opt/qradar/bin/api_client --api /referencedata/sets/exampleset --method GET

Calls with query parameters

Enter query parameters with the following syntax:
--params param_name=param_value

For example, to get a list of all endpoints that use httpMethod POST, you can call /help/capabilities
and supply the query parameters httpMethods and version. The httpMethods parameter requires a JSON
array. You can write the JSON inside double quotation marks by using single quotation marks, square
brackets, and commas. For example:
/opt/qradar/bin/api_client --api /help/capabilities --method GET --params
httpMethods="['POST']" version="0.1"



To determine which parameters are query or body parameters, view the output of --print_api.

Calls with body parameters

Enter body parameters in the same way that you enter query parameters, for example,
--params param_name=param_value. You must specify the content type of the body that you are sending
with the --content_type TYPE argument. For example, to bulk load data into an existing reference set
of element type ALN that is named exampleset, type:
/opt/qradar/bin/api_client --api /referencedata/sets/bulkLoad/exampleset --method POST
--content_type="application/json" --params data="['value1','value2','value3']"

Important: You must specify the --content_type argument. If not specified, the body is sent as a query
parameter, and the API call fails.

Calls to other consoles

You can use the REST API command-line client to make API calls to a console other than the one that
you are logged in to. Use the --hostname HOSTNAME argument to specify the host name or IP address to
send the calls to. Use the following syntax:
/opt/qradar/bin/api_client --api /ariel/databases --method GET --hostname <IP address>

Stored tokens authorization


Inputting and storing
You can generate an authorization token on the QRadar Console that you want to call. You can
then enter that authorization token into the API client to use with subsequent calls. If the
authorization token is valid, the token is saved to disk in the ~/opt/qradar/bin/api_client/
tokens folder with the following file name: hostname.token.
Overwriting tokens
To overwrite a token for a console, make an API call to the Console by using the
--overwrite_token argument, and then input a new token. If the token is valid, it is saved to
disk.

User name and password authorization

Use the --pap argument to make the API client authenticate with a user name and password instead
of a token; you are then prompted for the user name and password. Unlike an authorized service
token, the API client does not save your user name and password for subsequent API calls to the
same host.

API client help


Use the ./api_client -h argument to view all options for the API client.



4 API sample code
IBM Security QRadar API samples are stored in a GitHub repository for each version of QRadar. As new
versions of QRadar are released, a new link is posted with code samples to help customers use APIs and
features.

The samples are provided for educational use. When you download the code samples, you are presented
with the IBM developerWorks terms of use. Read the terms of use before you download the code samples.
You must agree to the terms to download the files.
v QRadar 7.2.1 Code Samples: https://github.com/ibmqradar/api-samples/tree/7.2.1
v QRadar 7.2.2 Code Samples: https://github.com/ibmqradar/api-samples/tree/7.2.2
v QRadar 7.2.3 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.3
v QRadar 7.2.4 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.4
v QRadar 7.2.5 Code Samples:https://github.com/ibm-security-intelligence/api-samples/tree/7.2.5
v QRadar 7.2.6 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.6
v QRadar 7.2.7 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.7
v QRadar 7.2.8 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.8
v QRadar 7.3.0 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.8
v QRadar 7.3.1 Code Samples: https://github.com/ibm-security-intelligence/api-samples/tree/7.2.8

What are the requirements to run the code samples?

The sample scripts that you download are designed to work with the relevant QRadar version. For
example, samples for QRadar 7.2.1 must be used with QRadar 7.2.1 only.

API sample scripts that are downloaded from the GitHub page must not run directly on a QRadar
appliance. They are intended to run on an external host that polls data from QRadar.

External hosts must use Python 3.3 to run the code samples. QRadar does not run Python 3.3. QRadar
cannot be upgraded to Python 3.3. Do not install RPMs on your QRadar Console unless the files come
from IBM Fix Central.

You can verify the software version on the Console from the Dashboard tab by selecting Help >
About, and then download the code samples for that QRadar version. A branch is created for each
QRadar version in GitHub, and you can download the specific branch for your QRadar version.



5 Accessing the interactive API documentation page
Use the interactive API documentation page to access technical details for the RESTful APIs and
experiment with making API requests to your server.

About this task

The API documentation user interface provides descriptions and the ability to use the following REST
API interfaces:
Table 5. REST API interfaces

/api/analytics              Create, update, and remove custom actions for rules.
/api/ariel                  View event and flow properties, create event and flow searches, and manage searches.
/api/asset_model            Returns a list of all assets in the model. You can also list all available asset property types and saved searches, and update an asset.
/api/auth                   Log out and invalidate the current session.
/api/config                 View and manage tenants, domains, and QRadar extensions.
/api/data_classification    View all high and low level categories, QRadar Identifier (QID) records, and event mappings. You can also create or edit QID records and mappings.
/api/forensics              Manage capture recoveries and cases.
/api/gui_app_framework      Install and manage applications that are created by using the GUI Application Framework Software Development Kit.
/api/help                   Returns a list of API capabilities.
/api/qrm                    Manage QRM saved search groups, question groups, simulation groups, topology saved search groups, and model groups.
/api/qvm                    Retrieves assets, vulnerabilities, networks, open services, and filters. You can also create or update remediation tickets.
/api/reference_data         View and manage reference data collections.
/api/scanner                View, create, or start a remote scan that is related to a scan profile.
/api/services               Perform tasks such as WHOIS lookups, port scan lookups, DNS lookups, and DIG lookups. You can also retrieve geolocation data for an IP or set of IPs.
/api/siem                   View, update, and close offenses. You can also add notes and manage offense closing reasons.
/api/staged_config          Retrieve staged configuration for users, hosts, notifications, remote networks, and remote services. You can also initiate or see the state of a deploy action, and update and delete Yara rules.
/api/system                 Manage server hosts, network interfaces, and firewall rules.

Procedure
1. To access the interactive API documentation interface, enter the following URL in your web browser:
https://ConsoleIPaddress/api_doc/.
2. Click the arrow icon beside the API version you want to use.
9.0 is the latest version for QRadar V7.3.1.
3. Go to the endpoint that you want to access.
4. Read the endpoint documentation and complete the request parameters.
5. Click Try it out to send the API request to your console and receive a properly formatted HTTPS
response.

Note: When you click Try it out, the action is performed on the QRadar system. Not all actions can
be reversed, for example, you cannot reopen an offense after you close it.
6. Review and gather the information that you need to integrate with QRadar.



6 REST API V9.0 References
Each API reference provides information about the parameters, mime type, stability, and responses for
each endpoint.

Analytics endpoints
Use the references for REST API V9.0 analytics endpoints.

GET /analytics/ade_rules
Retrieves a list of ADE rules.

Retrieves a list of ADE rules.


Table 6. GET /analytics/ade_rules resource details
MIME Type
application/json

Table 7. GET /analytics/ade_rules request parameter details

filter (query parameter, optional, String, text/plain)
    Restricts the elements in the list based on the contents of various fields.
Range (header parameter, optional, String, text/plain)
    Restricts the number of elements that are returned in the list to a specified range. The
    list is indexed starting at zero.
fields (query parameter, optional, String, text/plain)
    Specifies which fields you want in the response. Fields that are not named are excluded.
    Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 8. GET /analytics/ade_rules response codes


HTTP Response Code Unique Code Description
200 The ADE rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the ADE rules.



Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:
- id - Long - The sequence ID of the ADE rule.
- name - String - The name of the ADE rule.
- ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
- enabled - Boolean - True if the ADE rule is enabled.
- owner - String - The owner of the ADE rule.
- identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.
- linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
  - SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.
  - OVERRIDE - The identifier value of the system rule being overridden.
  - USER - The value will be null.
- creation_date - Long - The number of milliseconds since epoch when the rule was created.
- modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
[
{
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}
]

GET /analytics/ade_rules/{id}
Retrieves an ADE rule.


Table 9. GET /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 10. GET /analytics/ade_rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 11. GET /analytics/ade_rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The ADE rule was retrieved.
404 | 1002 | The ADE rule does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following fields:
- id - Long - The sequence ID of the ADE rule.
- name - String - The name of the ADE rule.
- ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
- enabled - Boolean - True if the ADE rule is enabled.
- owner - String - The owner of the ADE rule.
- identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.
- linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
  - SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.
  - OVERRIDE - The identifier value of the system rule being overridden.
  - USER - The value will be null.
- creation_date - Long - The number of milliseconds since epoch when the rule was created.
- modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}


POST /analytics/ade_rules/{id}
Updates the ADE rule owner or enabled/disabled only.


Table 12. POST /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 13. POST /analytics/ade_rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 14. POST /analytics/ade_rules/{id} request body details

Parameter | Data Type | MIME Type | Description | Sample
ade_rule | Object | application/json | null | { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 15. POST /analytics/ade_rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The ADE rule was updated.
403 | 1009 | You do not have the required capabilities to update the ADE rule.
404 | 1002 | The ADE rule does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the ADE rule.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the ADE rule.

Response Description

The ADE rule after it is updated. An ADE Rule object contains the following fields:
- id - Long - The sequence ID of the ADE rule.
- name - String - The name of the ADE rule.
- ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
- enabled - Boolean - True if the ADE rule is enabled.
- owner - String - The owner of the ADE rule.
- identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.
- linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
  - SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.
  - OVERRIDE - The identifier value of the system rule being overridden.
  - USER - The value will be null.
- creation_date - Long - The number of milliseconds since epoch when the rule was created.
- modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

DELETE /analytics/ade_rules/{id}
Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out. The check might take
some time. An asynchronous task is started to do this check.

Table 16. DELETE /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 17. DELETE /analytics/ade_rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 18. DELETE /analytics/ade_rules/{id} response codes

HTTP Response Code | Unique Code | Description
202 | | The ADE rule delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the ADE rule.
404 | 1002 | The ADE rule does not exist.
500 | 1020 | An error occurred during the attempt to delete the ADE rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state that the task is in.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/ade_rules/{id}/dependents
Retrieves the objects that depend on the ADE rule.


Table 19. GET /analytics/ade_rules/{id}/dependents resource details
MIME Type
application/json

Table 20. GET /analytics/ade_rules/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 21. GET /analytics/ade_rules/{id}/dependents response codes

HTTP Response Code | Unique Code | Description
202 | | The ADE rule dependents retrieval was accepted and is in progress.
404 | 1002 | The ADE rule does not exist.
500 | 1020 | An error occurred during the attempt to initiate the ADE rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested to cancel the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects that were checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state of the sub-task.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects that were checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id}
Retrieves the delete ADE rule task status.


Table 22. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 23. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 24. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Retrieves the dependent ADE rule task status.


Table 25. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 26. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 27. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested to cancel the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects that were checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state of the sub-task.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Cancels a dependent ADE rule task.


Table 28. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 29. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 30. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 31. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Dependent Task Status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested to cancel the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects that were checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state of the sub-task.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects that were checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results
Retrieves the ADE rule dependent task results.


Table 32. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 33. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 34. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The ADE rule dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the ADE rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
- dependent_id - String - The ID of the dependent resource.
- dependent_name - String - The name of the dependent resource (default resources can have localized names).
- dependent_owner - String - The owner of the dependent resource.
- dependent_type - String - The type of the dependent resource.
- dependent_database - String - The database of the dependent resource.
- dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
- user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
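The asynchronous dependency check that the DELETE /analytics/ade_rules/{id}, GET /analytics/ade_rules/{id}/dependents, GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} and .../results references above describe, as an added Python client example that is not IBM's code: it starts the check, follows the Location header to the task status URL, polls until the status reaches a terminal value from the enum shown in the samples, then reads the Dependent objects and refuses to treat the rule as deletable while any dependent is flagged blocking. The transport callable, the in-memory fake server, the sample dependents and the choice of which enum values count as terminal are assumptions constructed here; authentication and the API version header are left to the transport.

```python
import re
import time
from typing import Callable, Dict, List, Tuple

# Terminal task states, taken from the "status" enum in the task status samples above;
# every other state means the server is still working on the check (assumption).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}

# A transport sends one request and returns (http_status, response_headers, parsed_json_body).
# Authentication and the API version header are left to the transport so the logic below runs offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], object]]


class DependencyCheckError(Exception):
    """The dependents task could not be started or polled, or ended in a state other than COMPLETED."""


def task_path_from_location(location: str) -> str:
    """Map the Location header ("/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}")
    to the endpoint path as named in this guide, i.e. without the "/api" prefix."""
    return location[4:] if location.startswith("/api/") else location


def find_blocking_dependents(rule_id: int, send: Transport,
                             poll_interval: float = 0.0, max_polls: int = 50) -> List[dict]:
    """Run the dependency check for one ADE rule and return the dependents flagged "blocking".

    Exchange: GET /analytics/ade_rules/{id}/dependents (expects 202 + Location), then
    GET the task status until it is terminal, then GET {task}/results for the Dependent objects.
    """
    headers = {"Accept": "application/json"}
    code, resp_headers, body = send("GET", f"/analytics/ade_rules/{rule_id}/dependents", headers)
    if code != 202:  # 404 with unique code 1002 means no such rule; anything but 202 means no task
        raise DependencyCheckError(f"dependents request rejected: HTTP {code} {body}")
    task_path = task_path_from_location(resp_headers["Location"])

    task = {}
    for _attempt in range(max_polls):
        code, _hdrs, task = send("GET", task_path, headers)
        if code != 200:
            raise DependencyCheckError(f"task status lookup failed: HTTP {code}")
        if task["status"] in TERMINAL_STATES:
            break
        time.sleep(poll_interval)
    else:
        raise DependencyCheckError(f"task still running after {max_polls} polls")
    if task["status"] != "COMPLETED":
        raise DependencyCheckError(f"task ended in {task['status']}: {task.get('message')}")

    code, _hdrs, dependents = send("GET", task_path + "/results", headers)
    if code != 200:
        raise DependencyCheckError(f"results lookup failed: HTTP {code}")
    # Only dependents the server flags as blocking stop the deletion; the rest are informational.
    return [d for d in dependents if d.get("blocking")]


def describe_blockers(rule_id: int, send: Transport) -> Tuple[bool, List[str]]:
    """Return (safe_to_delete, labels) so the operator sees what still references the rule."""
    blocking = find_blocking_dependents(rule_id, send)
    labels = [f"{d['dependent_type']}:{d['dependent_id']} ({d['dependent_name']}, owner {d['dependent_owner']})"
              for d in blocking]
    return (not blocking, labels)


def make_fake_qradar(dependents: List[dict], task_id: int = 7, polls_before_done: int = 2,
                     final_status: str = "COMPLETED") -> Transport:
    """Constructed in-memory stand-in for the server; it follows only what the references above state."""
    base = f"/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}"
    polls = {"n": 0}

    def send(method: str, path: str, headers: Dict[str, str]):
        if method == "GET" and re.fullmatch(r"/analytics/ade_rules/\d+/dependents", path):
            task = {"id": task_id, "name": "Find ADE rule dependents", "status": "QUEUED",
                    "number_of_dependents": None, "task_components": []}
            return 202, {"Location": "/api" + base}, task
        if method == "GET" and path == base:
            polls["n"] += 1
            done = polls["n"] > polls_before_done
            return 200, {}, {"id": task_id, "status": final_status if done else "PROCESSING",
                             "message": "constructed", "number_of_dependents": len(dependents) if done else None}
        if method == "GET" and path == base + "/results":
            return 200, {}, dependents
        return 404, {}, {"code": 1002, "message": "The ADE rule does not exist."}

    return send


# Constructed sample dependents, shaped like the Dependent object in the /results reference above.
SAMPLE_DEPENDENTS = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [3],
     "dependent_id": "1201", "dependent_name": "Excessive failed logins followed by success",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE", "user_has_edit_permissions": True},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "88", "dependent_name": "SOC overview", "dependent_owner": "analyst1",
     "dependent_type": "DASHBOARD", "user_has_edit_permissions": False},
]

if __name__ == "__main__":
    safe, labels = describe_blockers(5, make_fake_qradar(SAMPLE_DEPENDENTS))
    print("safe to delete:", safe)
    for label in labels:
        print("  blocked by", label)
```

Against a live system the same functions work unchanged once `send` is a real HTTPS transport that adds the credentials; a deletion request would only be issued after `describe_blockers` reports safe.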

GET /analytics/building_blocks
Retrieves a list of building block rules.


Table 35. GET /analytics/building_blocks resource details
MIME Type
application/json

Table 36. GET /analytics/building_blocks request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 37. GET /analytics/building_blocks response codes

HTTP Response Code | Unique Code | Description
200 | | The building block rules were retrieved.
422 | 1010 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the building block rules.

Response Description

An array of Building Block Rule objects. A Building Block Rule object contains the following fields:
- id - Long - The sequence ID of the building block rule.
- name - String - The name of the building block rule.
- building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
- enabled - Boolean - True if the building block rule is enabled.
- owner - String - The owner of the building block rule.
- origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
- base_capacity - Long - The base capacity of the building block rule in events per second.
- base_host_id - Long - The ID of the host from which the building block rule's base capacity was determined.
- average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all hosts.
- capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity values were last updated.
- identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.
- linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
  - SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.
  - OVERRIDE - The identifier value of the system rule being overridden.
  - USER - The value will be null.
- creation_date - Long - The number of milliseconds since epoch when the rule was created.
- modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
[
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]

GET /analytics/building_blocks/building_block_delete_tasks/{task_id}
Retrieves the delete building block rule task status.


Table 38. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 39. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 40. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}
Retrieves the dependent building block rule task status.

Retrieves the dependent building block rule task status.


Table 41. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 42. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 43. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
Cancels the dependent building block rule task.

Cancels the dependent building block rule task.


Table 44. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 45. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 46. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 47. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status has been retrieved.
404 | 1002 | The Dependent Task Status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
Retrieves the building block rule dependent task results.

Retrieves the building block rule dependent task results.


Table 48. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 49. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 50. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The building block rule dependents were retrieved.
404 | 1002 | The Dependent Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the building block rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized
names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this
dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks/{id}
Retrieves a building block rule.

Retrieves a building block rule.


Table 51. GET /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 52. GET /analytics/building_blocks/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 53. GET /analytics/building_blocks/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The building block rule was retrieved.
404 | 1002 | The building block rule does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the building block rule.

Response Description

The building block rule after it is retrieved. A Building Block Rule object contains the following fields:
v id - Long - The sequence ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the building block rule in events per second.
v base_host_id - Long - The ID of the host from which the building block rule's base capacity was
determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all
hosts.
v capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity
values were last updated.
v identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the
exception of legacy system rules.
v linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a
UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
– SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been
overridden, the value will be null.
– OVERRIDE - The identifier value of the system rule being overridden.
– USER - The value will be null.
v creation_date - Long - The number of milliseconds since epoch when the rule was created.
v modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/building_blocks/{id}
Updates the building block rule owner or enabled/disabled only.

Updates the building block rule owner or enabled/disabled only.


Table 54. POST /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 55. POST /analytics/building_blocks/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 56. POST /analytics/building_blocks/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
building_block | Object | application/json | null | { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 57. POST /analytics/building_blocks/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The building block rule was updated.
403 | 1009 | You do not have the required capabilities to update the building block rule.
404 | 1002 | The building block rule does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the building block rule.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the building block rule.

Response Description

The building block rule after it is updated. A building block rule object contains the following fields:
v id - Long - The sequence ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the building block rule in events per second.
v base_host_id - Long - The ID of the host from which the building block rule's base capacity was
determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all
hosts.
v capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity
values were last updated.
v identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the
exception of legacy system rules.
v linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a
UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
– SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been
overridden, the value will be null.
– OVERRIDE - The identifier value of the system rule being overridden.
– USER - The value will be null.
v creation_date - Long - The number of milliseconds since epoch when the rule was created.
v modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/building_blocks/{id}
Deletes the building block rule. To ensure safe deletion, a dependency check is carried out. This check
might take some time, so an asynchronous task is started for it.

Deletes the building block rule. To ensure safe deletion, we check whether anything depends on it. This
may take some time, so we start an asynchronous task to do it.

Table 58. DELETE /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 59. DELETE /analytics/building_blocks/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 60. DELETE /analytics/building_blocks/{id} response codes
HTTP Response Code | Unique Code | Description
202 | | The building block rule delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the building block rule.
404 | 1002 | The building block rule does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the building block rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/building_blocks/{id}/dependents
Retrieves the objects that depend on the building block rule.

Retrieves the objects that depend on the building block rule.


Table 61. GET /analytics/building_blocks/{id}/dependents resource details
MIME Type
application/json

Table 62. GET /analytics/building_blocks/{id}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 63. GET /analytics/building_blocks/{id}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The building block rule dependents retrieval was accepted and is in progress.
404 | 1002 | The building block rule does not exist.
500 | 1020 | An error occurred during the attempt to initiate the building block rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_dependents_tasks/{task_id}". A Dependent Task Status object contains
the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
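The dependents retrieval above, the DELETE /analytics/building_blocks/{id} call and the task status endpoints earlier in this chapter all follow one pattern: a 202 reply whose Location header names a task status URL, polling that URL until the task reaches a terminal status, and only then reading results. The Python below is an added example, not IBM's sample code or any QRadar client library; it drives that pattern end to end against FakeQRadar, a constructed stand-in for the console that scripts the task states and the Dependent objects. Two things are assumptions rather than statements of the reference: the set of states treated as terminal (COMPLETED, CANCELLED, CONFLICT, EXCEPTION, INTERRUPTED), and the meaning of the `blocking` field, which appears only in the results sample and is treated here as a hard stop for deletion.

```python
"""Drive the QRadar building block dependency check from start to decision.

Added example, not IBM sample code. Taken from the reference: the endpoint
paths, the 202 + Location pattern, the task status values and the Dependent
object fields. FakeQRadar is a constructed stand-in for the console.
"""
from typing import Callable, Dict, List, Tuple

# States after which polling must stop (assumption: drawn from the status enum).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}

Response = Tuple[int, Dict[str, str], object]  # (HTTP status, headers, JSON body)


class FakeQRadar:
    """Constructed stand-in for a console: scripted answers, no network."""

    def __init__(self, task_states: List[str], dependents: List[dict]):
        self._states = list(task_states)
        self._dependents = dependents
        self.task_url = "/api/analytics/building_blocks/building_block_dependent_tasks/7"
        self.paths: List[str] = []  # every path requested, for inspection

    def get(self, path: str) -> Response:
        self.paths.append(path)
        if path.startswith("/api/analytics/building_blocks/") and path.endswith("/dependents"):
            body = {"id": 7, "status": "QUEUED", "number_of_dependents": None}
            return 202, {"Location": self.task_url}, body
        if path == self.task_url:
            # Advance through the scripted states; stay on the last one.
            state = self._states.pop(0) if len(self._states) > 1 else self._states[0]
            done = state == "COMPLETED"
            return 200, {}, {"id": 7, "status": state,
                             "number_of_dependents": len(self._dependents) if done else None}
        if path == self.task_url + "/results":
            return 200, {}, self._dependents
        return 404, {}, {"code": 1002, "message": "not found"}


def start_dependency_check(get: Callable[[str], Response], rule_id: int) -> str:
    """GET .../{id}/dependents; the 202 reply carries the task URL in Location."""
    status, headers, body = get(f"/api/analytics/building_blocks/{rule_id}/dependents")
    if status != 202:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    return headers["Location"]


def wait_for_task(get: Callable[[str], Response], task_url: str, max_polls: int = 50) -> dict:
    """Poll the task status URL until the task reaches a terminal state."""
    task = {"status": "UNKNOWN"}
    for _ in range(max_polls):
        status, _headers, task = get(task_url)
        if status != 200:
            raise RuntimeError(f"task status lookup failed: HTTP {status} {task}")
        if task["status"] in TERMINAL_STATES:
            return task
    raise TimeoutError(f"task {task_url} still {task['status']} after {max_polls} polls")


def assess_deletion(dependents: List[dict]) -> dict:
    """Decide whether the rule can go without breaking something else.

    A dependent is a problem if it is marked blocking, or if the user who ran
    the task cannot edit it (that user could not repair the breakage).
    """
    blocking = [d["dependent_id"] for d in dependents if d.get("blocking")]
    not_editable = [d["dependent_id"] for d in dependents
                    if not d.get("user_has_edit_permissions", False)]
    return {"safe_to_delete": not blocking and not not_editable,
            "dependent_count": len(dependents), "blocking": blocking, "not_editable": not_editable}


def check_building_block(client, rule_id: int) -> dict:
    """Full flow: start the task, wait for it, fetch the results, assess them."""
    task_url = start_dependency_check(client.get, rule_id)
    task = wait_for_task(client.get, task_url)
    if task["status"] != "COMPLETED":
        # CANCELLED, EXCEPTION and friends produce no result list: refuse to guess.
        return {"safe_to_delete": False, "task_status": task["status"],
                "dependent_count": None, "blocking": [], "not_editable": []}
    status, _h, dependents = client.get(task_url + "/results")
    if status != 200:
        raise RuntimeError(f"results lookup failed: HTTP {status}")
    result = assess_deletion(dependents)
    result["task_status"] = "COMPLETED"
    return result


# Constructed sample results: two dependents, one of them blocking and not editable.
SAMPLE_DEPENDENTS = [
    {"dependent_id": "101", "dependent_name": "Saved search A", "dependent_type": "ARIEL_SAVED_SEARCH",
     "dependent_database": "EVENTS", "blocking": False, "user_has_edit_permissions": True},
    {"dependent_id": "202", "dependent_name": "Rule B", "dependent_type": "CRE_RULE",
     "dependent_database": "EVENTS", "blocking": True, "user_has_edit_permissions": False},
]

if __name__ == "__main__":
    console = FakeQRadar(["QUEUED", "PROCESSING", "COMPLETED"], SAMPLE_DEPENDENTS)
    print(check_building_block(console, 42))
```

The helpers take a `get` callable rather than a session object, so the same `wait_for_task` serves the delete task status URL returned by DELETE /analytics/building_blocks/{id}; against a live console the callable would wrap the HTTP client described in the API sample code chapter and return the status code, headers and decoded body in the same tuple shape.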

GET /analytics/custom_actions/actions
Retrieves a list of available custom actions.

Retrieves a list of available custom actions.


Table 64. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 65. GET /analytics/custom_actions/actions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 66. GET /analytics/custom_actions/actions response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of custom actions have been successfully retrieved.
500 | 1020 | An internal server error occurred while retrieving custom actions.

Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each
Custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom
action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an
encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions
Creates a new custom action with the supplied fields.

Creates a new custom action with the supplied fields. The custom action must contain the following
fields:
v name - Required - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom
action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action.
Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent
custom action.
– parameter_type - Required - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Required - Boolean - Designates whether the custom action parameter value field is
stored in an encrypted state. True if encrypted, false otherwise.
– value - Required - String - Value of the custom action parameter. Custom action parameters with
parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic
must have values corresponding to column names in an Ariel database, for example sourceip. Ariel
database column names are available through the /api/ariel/databases/{database_name} endpoint.
Table 67. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

6 REST API V9.0 References 59


Table 68. POST /analytics/custom_actions/actions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 69. POST /analytics/custom_actions/actions request body details
Parameter | Data Type | MIME Type | Description | Sample
custom_action | Object | application/json | Custom action JSON object containing the supplied fields (see above for more details). | { "description": "String", "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 70. POST /analytics/custom_actions/actions response codes
HTTP Response Code | Unique Code | Description
201 | | A new custom action has been successfully created.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An internal server error occurred while posting custom action.

Response Description

The newly created custom action with the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each
custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom
action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an
encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/actions/{action_id}
Retrieves a custom action based on the supplied action_id.

Retrieves a custom action based on the supplied action_id.


Table 71. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 72. GET /analytics/custom_actions/actions/{action_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Long id of the custom action to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 73. GET /analytics/custom_actions/actions/{action_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested custom action has been successfully retrieved.
404 | 1002 | The requested custom action could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action with supplied action_id.

Response Description

A custom action containing the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each
custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom
action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an
encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
Updates an existing custom action.

Updates an existing custom action. The custom action should contain the following fields:
v id - Required - Number - Unique ID of the custom action within the QRadar deployment.
v name - Optional - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom
action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action.
Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent
custom action.
– parameter_type - Optional - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Optional - Boolean - Designates whether the custom action parameter value field is
stored in an encrypted state. True if encrypted, false otherwise.
– value - Optional - String - Value of the custom action parameter. Custom action parameters with
parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic
must have values corresponding to column names in an Ariel database, for example sourceip. Ariel
database column names are available through the /api/ariel/databases/{database_name} endpoint.
Table 74. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 75. POST /analytics/custom_actions/actions/{action_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Number id of the custom action to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 76. POST /analytics/custom_actions/actions/{action_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
custom_action | Object | application/json | Custom action JSON object which can contain the supplied fields (see above for more details). | { "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 77. POST /analytics/custom_actions/actions/{action_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The custom action has been updated.
404 | 1002 | The requested custom action could not be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An internal server error occurred while updating custom action with supplied action_id.

Response Description
The updated custom action with the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each
custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom
action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an
encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
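
The create and update endpoints above accept the same custom_action fields. As an added example, not code from the IBM guide, here is a client-side check of that body against the documented constraints, run before the request is sent so that a 422 is caught locally and a dynamic parameter can never reference a column the script will not receive at runtime. The Ariel column set is constructed here (in practice it comes from /api/ariel/databases/{database_name}); the SEC and Version headers, the base URL and the secret-name heuristic are assumptions.

```python
import json
import urllib.request

# Field names and constraints follow the documentation for
# POST /analytics/custom_actions/actions; everything else is assumed.
PARAMETER_TYPES = {"fixed", "dynamic"}
REQUIRED_ACTION_FIELDS = {"name", "interpreter", "script", "parameters"}
REQUIRED_PARAMETER_FIELDS = {"name", "parameter_type", "encrypted", "value"}
SECRET_HINTS = ("token", "password", "secret", "key")  # heuristic, assumed


def validate_custom_action(action: dict, ariel_columns: set) -> list:
    """Return a list of problems; an empty list means the body passes.

    ariel_columns is the set of column names the caller obtained from
    /api/ariel/databases/{database_name}; every dynamic parameter must
    name one of them, because that is what the script receives when the
    rule fires.
    """
    problems = []
    missing = REQUIRED_ACTION_FIELDS - set(action)
    if missing:
        problems.append("missing action fields: " + ", ".join(sorted(missing)))
    for field in ("interpreter", "script"):
        if field in action and not isinstance(action[field], int):
            problems.append(f"{field} must be a numeric ID")
    params = action.get("parameters", [])
    if not isinstance(params, list):
        return problems + ["parameters must be an array"]
    seen = set()
    for i, p in enumerate(params):
        if not isinstance(p, dict):
            problems.append(f"parameter {i}: must be an object")
            continue
        missing = REQUIRED_PARAMETER_FIELDS - set(p)
        if missing:
            problems.append(f"parameter {i}: missing " + ", ".join(sorted(missing)))
            continue
        # Parameter names must be unique within the parent custom action.
        if p["name"] in seen:
            problems.append(f"parameter {i}: duplicate name {p['name']!r}")
        seen.add(p["name"])
        if p["parameter_type"] not in PARAMETER_TYPES:
            problems.append(f"parameter {i}: parameter_type must be fixed or dynamic")
        elif p["parameter_type"] == "dynamic" and p["value"] not in ariel_columns:
            problems.append(f"parameter {i}: dynamic value {p['value']!r} is not an Ariel column")
        if not isinstance(p["encrypted"], bool):
            problems.append(f"parameter {i}: encrypted must be true or false")
        # A fixed value that looks like a credential should be stored encrypted.
        if (p["parameter_type"] == "fixed" and p["encrypted"] is False
                and any(h in str(p["name"]).lower() for h in SECRET_HINTS)):
            problems.append(f"parameter {i}: {p['name']!r} looks like a secret but encrypted is false")
    return problems


def build_create_request(base_url: str, sec_token: str, action: dict) -> urllib.request.Request:
    """Build (without sending) the POST for a body that passed validation.

    The SEC and Version headers follow QRadar's API conventions (assumed);
    the body is the custom action object itself, as in the Sample column.
    """
    url = base_url.rstrip("/") + "/api/analytics/custom_actions/actions"
    headers = {"SEC": sec_token, "Version": "9.0",
               "Accept": "application/json", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(action).encode("utf-8"),
                                  headers=headers, method="POST")
```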

DELETE /analytics/custom_actions/actions/{action_id}
Deletes an existing custom action.

Deletes an existing custom action.


Table 78. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 79. DELETE /analytics/custom_actions/actions/{action_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Number id of the custom action you wish to delete.

Table 80. DELETE /analytics/custom_actions/actions/{action_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The custom action has been deleted.
404 | 1002 | The requested custom action could not be found.
500 | 1020 | An internal server error occurred while deleting custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters
Retrieves a list of available custom action interpreters.

Retrieves a list of available custom action interpreters.


Table 81. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Table 82. GET /analytics/custom_actions/interpreters request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 83. GET /analytics/custom_actions/interpreters response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of custom action interpreters has been retrieved.
500 | 1020 | An internal server error occurred while retrieving available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id}
Retrieves a custom action interpreter based on supplied interpreter_id.

Retrieves a custom action interpreter based on supplied interpreter_id.


Table 84. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 85. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
interpreter_id | path | Required | Number (Integer) | text/plain | Number id of custom action interpreter to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 86. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested custom action interpreter has been retrieved.
404 | 1002 | The requested custom action interpreter could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action interpreter with supplied interpreter_id.

Response Description

A custom action interpreter with the following fields:


v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts
Retrieves a list of meta-data for available custom action script files.

Retrieves a list of meta-data for available custom action script files.


Table 87. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 88. GET /analytics/custom_actions/scripts request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 89. GET /analytics/custom_actions/scripts response codes
HTTP Response Code | Unique Code | Description
200 | | The requested custom action script file has been retrieved.
500 | 1020 | An internal server error occurred while retrieving available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following fields:
v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts
Creates a new custom action script file. Newly created custom action script files require a deployment
before using.

Creates a new custom action script file. Newly created custom action script files require a deployment
before using. Users can include an optional HTTP header file_name containing the custom action script
file name. If it is not specified, the file name defaults to the script ID of the uploaded file.
Table 90. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 91. POST /analytics/custom_actions/scripts request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 92. POST /analytics/custom_actions/scripts request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/octet-stream | Required. The custom action script file. Must be supplied with MIME type application/octet-stream. | File

Table 93. POST /analytics/custom_actions/scripts response codes
HTTP Response Code | Unique Code | Description
201 | | A custom action script file has been created.
500 | 1020 | An internal server error occurred while posting custom action script file.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script within the QRadar deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id}
Retrieves meta-data of a custom action script file based on supplied script_id.

Retrieves meta-data of a custom action script file based on supplied script_id.


Table 94. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 95. GET /analytics/custom_actions/scripts/{script_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 96. GET /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested custom action script file has been retrieved.
404 | 1002 | The requested custom action script file could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action script file meta-data with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id}
Updates an existing custom action script file. Updated custom action script files require a deployment
before using.

Updates an existing custom action script file. Updated custom action script files require a deployment
before using. Users can include an optional HTTP header file_name containing the custom action script
file name. If it is not specified, the file name defaults to the script ID of the uploaded file.
Table 97. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 98. POST /analytics/custom_actions/scripts/{script_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 99. POST /analytics/custom_actions/scripts/{script_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/octet-stream | Required. The custom action script file. Must be supplied with MIME type application/octet-stream. | File

Table 100. POST /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The custom action script file has been updated.
404 | 1002 | The requested custom action script file could not be found.
500 | 1020 | An internal server error occurred while updating custom action script file with supplied script_id.

Response Description
Custom action script file meta-data with the following fields:
v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}
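
Both script endpoints above take the raw file as application/octet-stream with an optional file_name header. As an added example (not code from the IBM guide), here is a builder for that request covering the create and update paths, plus an audit record that ties the returned meta-data to a hash of the bytes actually uploaded, since the script will execute on the console once deployed. The SEC and Version headers, the base URL and the sample script bytes are assumptions.

```python
import hashlib
import urllib.request
from typing import Optional

SCRIPTS_PATH = "/api/analytics/custom_actions/scripts"


def build_script_upload(base_url: str, sec_token: str, script_bytes: bytes,
                        file_name: Optional[str] = None,
                        script_id: Optional[int] = None) -> urllib.request.Request:
    """Build (without sending) the script upload request.

    script_id None  -> POST /api/analytics/custom_actions/scripts (create)
    script_id given -> POST /api/analytics/custom_actions/scripts/{script_id} (update)
    The body is the raw file with MIME type application/octet-stream. The
    optional file_name header carries the name; without it QRadar names the
    file after its script ID. SEC and Version headers are assumed conventions.
    """
    if not script_bytes:
        raise ValueError("refusing to upload an empty script")
    path = SCRIPTS_PATH if script_id is None else f"{SCRIPTS_PATH}/{script_id}"
    headers = {"SEC": sec_token, "Version": "9.0", "Accept": "application/json",
               "Content-Type": "application/octet-stream"}
    if file_name is not None:
        # Header values must be printable ASCII, and a directory part would be
        # meaningless on the console, so keep only a clean base name.
        name = file_name.replace("\\", "/").rsplit("/", 1)[-1]
        if not name or not name.isascii() or not name.isprintable():
            raise ValueError("file_name must be a printable ASCII file name")
        headers["file_name"] = name
    return urllib.request.Request(base_url.rstrip("/") + path, data=script_bytes,
                                  headers=headers, method="POST")


def upload_record(script_bytes: bytes, meta: dict) -> dict:
    """Audit record pairing the returned meta-data with a hash of what was sent.

    meta is the parsed JSON response ({"file_name": ..., "id": ...}). The
    record also notes that a deploy is still required before the script is
    usable, which is what the guide says for new and updated script files.
    """
    return {"id": meta["id"], "file_name": meta.get("file_name"),
            "sha256": hashlib.sha256(script_bytes).hexdigest(),
            "size": len(script_bytes), "deployed": False}
```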

DELETE /analytics/custom_actions/scripts/{script_id}
Deletes an existing custom action script file.

Deletes an existing custom action script file.


Table 101. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 102. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file to be deleted.

Table 103. DELETE /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The custom action script file has been deleted.
404 | 1002 | The requested custom action script file could not be found.
422 | 1005 | The requested custom action script file is tied to an existing custom action.
500 | 1020 | An internal server error occurred while deleting custom action script file with supplied script_id.

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/rule_groups
Retrieves a list of the rule groups.

Retrieves a list of the rule groups.


Table 104. GET /analytics/rule_groups resource details
MIME Type
application/json

Table 105. GET /analytics/rule_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 106. GET /analytics/rule_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The rule groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the rule groups.

Response Description
List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /analytics/rule_groups/{group_id}
Retrieves a rule group.

Retrieves a rule group.

Table 107. GET /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 108. GET /analytics/rule_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 109. GET /analytics/rule_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The rule group was retrieved.
404 | 1002 | The rule group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rule group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /analytics/rule_groups/{group_id}
Updates the owner of a rule group.

Updates the owner of a rule group.


Table 110. POST /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 111. POST /analytics/rule_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 112. POST /analytics/rule_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 113. POST /analytics/rule_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The rule group was updated.
404 | 1002 | The rule group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the rule group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the rule group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /analytics/rule_groups/{group_id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some
time, so an asynchronous task is started for it.

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some
time, so an asynchronous task is started for it.
Table 114. DELETE /analytics/rule_groups/{group_id} resource details
MIME Type
text/plain

Table 115. DELETE /analytics/rule_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 116. DELETE /analytics/rule_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The rule delete command was accepted and is in progress.
404 | 1002 | The rule does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/
rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample

GET /analytics/rules
Retrieves a list of rules.


Table 117. GET /analytics/rules resource details
MIME Type
application/json

Table 118. GET /analytics/rules request parameter details


Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 119. GET /analytics/rules response codes

HTTP Response Code  Unique Code  Description
200                              The rules were retrieved.
422                 1010         A request parameter is not valid.
500                 1020         An error occurred during the attempt to retrieve the rules.

Response Description

An array of rule objects. A rule object contains the following fields:

• id - Long - The sequence ID of the rule.
• name - String - The name of the rule.
• type - String - The type of rule: EVENT, FLOW, COMMON, OFFENSE.
• enabled - Boolean - True if the rule is enabled.
• owner - String - The owner of the rule.
• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
• base_capacity - Long - The base capacity of the rule in events per second.
• base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
• capacity_timestamp - Long - The epoch timestamp, in milliseconds, at which the rule's capacity values
were last updated.
• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the
exception of legacy system rules.
• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a
UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
– SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been
overridden, the value is null.
– OVERRIDE - The identifier value of the system rule being overridden.
– USER - The value is null.
• creation_date - Long - The number of milliseconds since epoch when the rule was created.
• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
[
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]
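Paging through GET /analytics/rules with the Range header, a filter and a fields projection, as an added example that is not part of this guide or of IBM's sample code. The send callable stands in for the HTTPS client (a real one adds the SEC token header and verifies the console certificate), and fake_qradar is a constructed, in-memory stand-in for /api/analytics/rules that honours only Range, fields and simple equality filters so the script runs offline. The paths, header names and response shape are the ones documented here; the rule data is invented.

```python
"""Page through GET /analytics/rules using the Range header, with a filter
and a fields projection.

Added example, not from the IBM guide. `send(method, path, headers)` stands
in for an HTTPS client and returns (status, headers, body); the real one adds
the SEC token header and verifies the console certificate. fake_qradar is a
constructed in-memory stand-in for /api/analytics/rules so this runs offline.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed rule objects in the documented shape; names and values are invented.
SAMPLE_RULES = [
    {"id": i, "name": f"Example rule {i}", "type": rule_type, "enabled": i % 3 != 0,
     "owner": "admin", "origin": origin, "identifier": f"{i:08x}-0000-4000-8000-000000000000",
     "linked_rule_identifier": None, "creation_date": 1500000000000 + i,
     "modification_date": 1500000000000 + i, "base_capacity": 1000, "base_host_id": 53,
     "average_capacity": 900, "capacity_timestamp": 1500000000000}
    for i, (rule_type, origin) in enumerate(
        [("EVENT", "SYSTEM"), ("FLOW", "USER"), ("COMMON", "OVERRIDE"), ("OFFENSE", "USER")] * 30)
]


def fake_qradar(method, path, headers):
    """Constructed stand-in: supports Range, fields and 'a=b and c=d' equality filters."""
    url = urlsplit(path)
    if method != "GET" or url.path != "/api/analytics/rules":
        return 404, {}, json.dumps({"http_response": {"code": 404}, "code": 1002})
    query = parse_qs(url.query)
    rows = SAMPLE_RULES
    for clause in [c for c in query.get("filter", [""])[0].split(" and ") if c]:
        key, value = clause.split("=", 1)
        rows = [r for r in rows if str(r[key]).lower() == value.strip('"').lower()]
    total = len(rows)
    start, end = 0, max(total - 1, 0)
    if "Range" in headers:  # Range: items=<first>-<last>, zero-indexed and inclusive
        start, end = map(int, re.fullmatch(r"items=(\d+)-(\d+)", headers["Range"]).groups())
    page = rows[start:end + 1]
    if query.get("fields"):
        page = [{k: r[k] for k in query["fields"][0].split(",")} for r in page]
    last = start + len(page) - 1 if page else start
    return 200, {"Content-Range": f"items {start}-{last}/{total}"}, json.dumps(page)


def iter_rules(send, rule_filter=None, fields=None, page_size=50):
    """Yield every matching rule, fetching page_size items per request.

    Each request asks for items=start-(start+page_size-1); the Content-Range
    header in the reply carries the total, which decides when to stop.
    """
    params = {k: v for k, v in (("filter", rule_filter), ("fields", fields)) if v}
    path = "/api/analytics/rules" + (f"?{urlencode(params)}" if params else "")
    start = 0
    while True:
        headers = {"Accept": "application/json", "Version": "9.0",
                   "Range": f"items={start}-{start + page_size - 1}"}
        status, reply_headers, body = send("GET", path, headers)
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}: {body}")
        page = json.loads(body)
        yield from page
        total = int(reply_headers["Content-Range"].rsplit("/", 1)[1])
        start += len(page)
        if not page or start >= total:
            return


def disabled_user_rule_names(send):
    """Names of disabled, user-created rules, requested with a filter and a
    fields projection so the console returns only id and name."""
    rules = iter_rules(send, rule_filter='enabled=false and origin="USER"', fields="id,name")
    return [rule["name"] for rule in rules]


def ranges_requested(send, **kwargs):
    """Range header of every request iter_rules makes; shows where the pages fall."""
    seen = []

    def recording(method, path, headers):
        seen.append(headers["Range"])
        return send(method, path, headers)

    list(iter_rules(recording, **kwargs))
    return seen


if __name__ == "__main__":
    print(len(list(iter_rules(fake_qradar))), "rules in total")
    print(ranges_requested(fake_qradar))
    print(disabled_user_rule_names(fake_qradar))
```

Stopping on the Content-Range total rather than on an empty page saves one request per listing, and asking only for the fields you need (fields=id,name) keeps responses small on a console that holds thousands of rules.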

GET /analytics/rules/rule_delete_tasks/{task_id}
Retrieves the delete rule task status.


Table 120. GET /analytics/rules/rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 121. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter details


Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  The ID of the delete task.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 122. GET /analytics/rules/rule_delete_tasks/{task_id} response codes


HTTP Response Code  Unique Code  Description
200                              The delete task status was retrieved.
404                 1002         The delete task status does not exist.
500                 1020         An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/analytics/rules/
rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time, in milliseconds since epoch, when the task was created.
• started - Long - The time, in milliseconds since epoch, when the task was started.
• modified - Long - The time, in milliseconds since epoch, when the task was last modified.
• completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/rule_dependent_tasks/{task_id}
Retrieves the dependent rule task status.


Table 123. GET /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 124. GET /analytics/rules/rule_dependent_tasks/{task_id} request parameter details


Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  The ID of the dependent task.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 125. GET /analytics/rules/rule_dependent_tasks/{task_id} response codes


HTTP Response Code  Unique Code  Description
200                              The dependent task status was retrieved.
404                 1002         The dependent task status does not exist.
500                 1020         An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/analytics/rules/
rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested the cancellation of the task.
• created - Long - The time, in milliseconds since epoch, when the task was created.
• started - Long - The time, in milliseconds since epoch, when the task was started.
• modified - Long - The time, in milliseconds since epoch, when the task was last modified.
• completed - Long - The time, in milliseconds since epoch, when the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task.
– number_of_dependents - Long - The number of dependents found by the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, when the sub-task was created.
– started - Long - The time, in milliseconds since epoch, when the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, when the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/rules/rule_dependent_tasks/{task_id}
Cancels the dependent rule task.


Table 126. POST /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 127. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

Parameter  Type    Optionality  Data Type         MIME Type   Description
task_id    path    Required     Number (Integer)  text/plain  The ID of the dependent task to cancel.
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 128. POST /analytics/rules/rule_dependent_tasks/{task_id} request body details

Parameter  Data Type  MIME Type         Description                                                                              Sample
task       Object     application/json  Task status object whose status field holds the requested state (for example CANCEL_REQUESTED).  { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 129. POST /analytics/rules/rule_dependent_tasks/{task_id} response codes


HTTP Response Code  Unique Code  Description
200                              The dependent task status was updated.
404                 1002         The dependent task status does not exist.
409                 1004         The task is in a completed state.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/analytics/rules/
rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested cancellation of the task.
• created - Long - The time, in milliseconds since epoch, when the task was created.
• started - Long - The time, in milliseconds since epoch, when the task was started.
• modified - Long - The time, in milliseconds since epoch, when the task was last modified.
• completed - Long - The time, in milliseconds since epoch, when the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task.
– number_of_dependents - Long - The number of dependents found by the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, when the sub-task was created.
– started - Long - The time, in milliseconds since epoch, when the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, when the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/rules/rule_dependent_tasks/{task_id}/results
Retrieves the rule dependent task results.


Table 130. GET /analytics/rules/rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 131. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter details


Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  The ID of the dependent task whose results are retrieved.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 132. GET /analytics/rules/rule_dependent_tasks/{task_id}/results response codes


HTTP Response Code  Unique Code  Description
200                              The rule dependents were retrieved.
404                 1002         The dependent task status does not exist.
500                 1020         An error occurred during the attempt to retrieve the rule dependents.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized
names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit
this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/rules/{id}
Retrieves a rule.
Table 133. GET /analytics/rules/{id} resource details
MIME Type
application/json

Table 134. GET /analytics/rules/{id} request parameter details


Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  The sequence ID of the rule to retrieve.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 135. GET /analytics/rules/{id} response codes


HTTP Response Code Unique Code Description
200 The rule was retrieved.
404 1002 The rule does not exist.
500 1020 An error occurred during the attempt to retrieve the rule.

Response Description

The rule after it is retrieved. A rule object contains the following fields:
• id - Long - The sequence ID of the rule.
• name - String - The name of the rule.
• type - String - The type of rule: EVENT, FLOW, COMMON, OFFENSE.
• enabled - Boolean - True if the rule is enabled.
• owner - String - The owner of the rule.
• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
• base_capacity - Long - The base capacity of the rule in events per second.
• base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
• capacity_timestamp - Long - The epoch timestamp, in milliseconds, at which the rule's capacity values
were last updated.
• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the
exception of legacy system rules.
• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a
UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
– SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been
overridden, the value is null.
– OVERRIDE - The identifier value of the system rule being overridden.
– USER - The value is null.
• creation_date - Long - The number of milliseconds since epoch when the rule was created.
• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/rules/{id}
Updates the rule's owner or enabled state only.


Table 136. POST /analytics/rules/{id} resource details
MIME Type
application/json

Table 137. POST /analytics/rules/{id} request parameter details


Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The sequence ID of the rule to update.
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 138. POST /analytics/rules/{id} request body details
Parameter  Data Type  MIME Type         Description                                                      Sample
rule       Object     application/json  Required - Rule object. Only the owner and enabled fields are updated.  { "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

Table 139. POST /analytics/rules/{id} response codes


HTTP Response Code  Unique Code  Description
200                              The rule was updated.
403                 1009         You do not have the required capabilities to update the rule.
404                 1002         The rule does not exist.
409                 1004         The provided user does not have the required capabilities to own the rule.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the rule.

Response Description

The rule after it is updated. A rule object contains the following fields:
• id - Long - The sequence ID of the rule.
• name - String - The name of the rule.
• type - String - The type of rule: EVENT, FLOW, COMMON, OFFENSE.
• enabled - Boolean - True if the rule is enabled.
• owner - String - The owner of the rule.
• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
• base_capacity - Long - The base capacity of the rule in events per second.
• base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
• capacity_timestamp - Long - The epoch timestamp, in milliseconds, at which the rule's capacity values
were last updated.
• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the
exception of legacy system rules.
• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a
UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:
– SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been
overridden, the value is null.
– OVERRIDE - The identifier value of the system rule being overridden.
– USER - The value is null.
• creation_date - Long - The number of milliseconds since epoch when the rule was created.
• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"linked_rule_identifier": "String",
"modification_date": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/rules/{id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some
time. An asynchronous task is started for this check.
Table 140. DELETE /analytics/rules/{id} resource details
MIME Type
application/json

Table 141. DELETE /analytics/rules/{id} request parameter details


Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  The sequence ID of the rule to delete.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 142. DELETE /analytics/rules/{id} response codes


HTTP Response Code  Unique Code  Description
202                              The rule delete command was accepted and is in progress.
403                 1009         You do not have the required capabilities to delete the rule.
404                 1002         The rule does not exist.
409                 1004         null
500                 1020         An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/analytics/rules/
rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time, in milliseconds since epoch, when the task was created.
• started - Long - The time, in milliseconds since epoch, when the task was started.
• modified - Long - The time, in milliseconds since epoch, when the task was last modified.
• completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/{id}/dependents
Retrieves the objects that depend on the rule.


Table 143. GET /analytics/rules/{id}/dependents resource details
MIME Type
application/json

Table 144. GET /analytics/rules/{id}/dependents request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  The sequence ID of the rule whose dependents are retrieved.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 145. GET /analytics/rules/{id}/dependents response codes


HTTP Response Code  Unique Code  Description
202                              The rule dependents retrieval was accepted and is in progress.
403                 1009         null
404                 1002         The rule does not exist.
500                 1020         An error occurred during the attempt to initiate the rule dependents retrieval task.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/analytics/rules/
rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested the cancellation of the task.
• created - Long - The time, in milliseconds since epoch, when the task was created.
• started - Long - The time, in milliseconds since epoch, when the task was started.
• modified - Long - The time, in milliseconds since epoch, when the task was last modified.
• completed - Long - The time, in milliseconds since epoch, when the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of Task Component objects. A Task Component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task.
– number_of_dependents - Long - The number of dependents found by the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, when the sub-task was created.
– started - Long - The time, in milliseconds since epoch, when the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, when the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
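The asynchronous delete protocol documented for DELETE /analytics/rules/{id}, GET /analytics/rules/{id}/dependents and the rule_dependent_tasks and rule_delete_tasks status endpoints, tied together in an added example that is not IBM's code. send(method, path) stands in for an HTTPS call returning (status, headers, parsed JSON body); a real client adds the SEC token and Version headers and verifies the console certificate. FakeQRadar is a constructed in-memory server that knows only the endpoints used here, its rules and dependents are invented, and the set of task states treated as terminal is an assumption, since the guide lists the states but not their transitions. Paths, status codes, state names and field names are the ones documented above.

```python
"""Safe rule deletion: run the dependents task for a rule, refuse to delete
while other objects still reference it, otherwise DELETE the rule and follow
the Location header until the delete task reaches a terminal state.

Added example, not IBM's code. `send(method, path)` stands in for an HTTPS
call returning (status, headers, parsed JSON body). FakeQRadar is a constructed
in-memory server with invented rules and dependents.
"""
import re

# Assumption: states after which polling can stop (the guide lists the states only).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


class FakeQRadar:
    """Constructed stand-in. Each GET on a task status URL advances the task one step
    (QUEUED -> PROCESSING -> COMPLETED), so callers really have to poll."""

    def __init__(self, rules, dependents):
        self.rules, self.dependents, self.tasks = dict(rules), dict(dependents), {}

    def _start_task(self, kind, rule_id):
        task_id = len(self.tasks) + 1
        self.tasks[task_id] = {"id": task_id, "status": "QUEUED", "message": "",
                               "created_by": "admin", "kind": kind, "rule_id": rule_id}
        return 202, {"Location": f"/api/analytics/rules/rule_{kind}_tasks/{task_id}"}, self.tasks[task_id]

    def __call__(self, method, path):
        not_found = (404, {}, {"code": 1002, "message": "The resource does not exist."})
        m = re.fullmatch(r"/api/analytics/rules/(\d+)(/dependents)?", path)
        if m and int(m.group(1)) in self.rules:
            if method == "GET" and m.group(2):
                return self._start_task("dependent", int(m.group(1)))
            if method == "DELETE" and not m.group(2):
                return self._start_task("delete", int(m.group(1)))
        m = re.fullmatch(r"/api/analytics/rules/rule_(dependent|delete)_tasks/(\d+)(/results)?", path)
        task = self.tasks.get(int(m.group(2))) if m and method == "GET" else None
        if task is None or task["kind"] != m.group(1):
            return not_found
        if m.group(3):  # only dependent tasks have a /results resource
            return (200, {}, self.dependents.get(task["rule_id"], [])) if task["kind"] == "dependent" else not_found
        task["status"] = {"QUEUED": "PROCESSING", "PROCESSING": "COMPLETED"}.get(task["status"], task["status"])
        if task["kind"] == "delete" and task["status"] == "COMPLETED":
            self.rules.pop(task["rule_id"], None)
        return 200, {}, task


def expect(status, body, wanted):
    """Fail loudly with the API error body (code and message) on an unexpected status."""
    if status != wanted:
        raise RuntimeError(f"expected HTTP {wanted}, got {status}: {body}")


def wait_for_task(send, location):
    """Poll the task status URL taken from the Location header until it is terminal."""
    while True:
        status, _, task = send("GET", location)
        expect(status, task, 200)
        if task["status"] in TERMINAL_STATES:
            return task
        # A real client sleeps between polls; the fake advances one state per poll.


def rule_dependents(send, rule_id):
    """Objects that still reference the rule, collected through the dependents task."""
    status, headers, body = send("GET", f"/api/analytics/rules/{rule_id}/dependents")
    expect(status, body, 202)
    task = wait_for_task(send, headers["Location"])
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependents task ended in {task['status']}: {task['message']}")
    status, _, results = send("GET", headers["Location"] + "/results")
    expect(status, results, 200)
    return results


def safe_delete_rule(send, rule_id):
    """Delete the rule only when nothing depends on it. Returns a report instead of
    raising for the in-use case, so an operator can see what to detach first."""
    dependents = rule_dependents(send, rule_id)
    if dependents:
        return {"deleted": False,
                "in_use_by": sorted(f"{d['dependent_type']}:{d['dependent_name']}" for d in dependents),
                "not_editable": sorted(d["dependent_name"] for d in dependents
                                       if not d["user_has_edit_permissions"])}
    status, headers, body = send("DELETE", f"/api/analytics/rules/{rule_id}")
    expect(status, body, 202)
    task = wait_for_task(send, headers["Location"])
    return {"deleted": task["status"] == "COMPLETED", "in_use_by": [], "not_editable": []}


def make_sample():
    """Constructed data: rule 7 is used by a report and by a building block the caller
    cannot edit; nothing references rule 8."""
    def dependent(name, kind, editable):
        return {"dependent_id": name.lower(), "dependent_name": name, "dependent_type": kind,
                "dependent_owner": "admin", "dependent_database": "EVENTS",
                "dependent_group_ids": [], "user_has_edit_permissions": editable}
    rules = {7: {"id": 7, "name": "Example: noisy VPN logins", "type": "EVENT", "enabled": True},
             8: {"id": 8, "name": "Example: old test rule", "type": "EVENT", "enabled": False}}
    return FakeQRadar(rules, {7: [dependent("Weekly VPN report", "REPORT", True),
                                  dependent("BB:Example VPN hosts", "BUILDING_BLOCK", False)]})


if __name__ == "__main__":
    console = make_sample()
    print(safe_delete_rule(console, 7))  # refused: still referenced
    print(safe_delete_rule(console, 8))  # deleted once the delete task completes
```

The dependents check is what makes the deletion safe: a rule that a report, a building block or another rule still references should be detached first, and user_has_edit_permissions tells you whether the caller could even do that. Polling stops only on a terminal state, so an EXCEPTION or CONFLICT outcome surfaces as an error carrying the API's message instead of being mistaken for success.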

Ariel endpoints
Use the references for REST API V9.0 Ariel endpoints.

GET /ariel/databases
Retrieves a list of available Ariel databases.


Table 146. GET /ariel/databases resource details
MIME Type
application/json

Table 147. GET /ariel/databases request parameter details


Parameter  Type    Optionality  Data Type  MIME Type   Description
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 148. GET /ariel/databases response codes


HTTP Response Code Unique Code Description
200 The database list was retrieved.

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name}
Retrieves the columns that are defined for a specific Ariel database.

Retrieves the columns that are defined for the specified Ariel database. This is the set of columns that can
be explicitly named in the column list of a SELECT query.
Table 149. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 150. GET /ariel/databases/{database_name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of the Ariel
database that contains the
columns that you want to
retrieve.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would
like to get back in the response.
Fields that are not named are
excluded. Specify subfields in
brackets and multiple fields in
the same object are separated by
commas.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in a
list based on the contents of
various fields.
Range header Optional String text/plain Optional - Use this parameter to
restrict the number of elements
that are returned in the list to a
specified range. The list is
indexed starting at zero.

Table 151. GET /ariel/databases/{database_name} response codes


HTTP Response Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.

Response Description

A list of columns that are defined for the specified database. Multiple properties of each column are
returned. For example, the column name or an indication that the column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/event_saved_search_groups
Retrieves a list of the event Ariel saved search groups.

Retrieves a list of the event Ariel saved search groups.

Table 152. GET /ariel/event_saved_search_groups resource details
MIME Type
application/json

Table 153. GET /ariel/event_saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.

Table 154. GET /ariel/event_saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The event Ariel saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the event Ariel
saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
[
{
"child_groups": [
42
],

"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /ariel/event_saved_search_groups/{group_id}
Retrieves an event Ariel saved search group.

Retrieves an event Ariel saved search group.


Table 155. GET /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 156. GET /ariel/event_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 157. GET /ariel/event_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The event Ariel saved search group was retrieved.
404 1002 The event Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the event Ariel
saved search groups.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/event_saved_search_groups/{group_id}
Updates the owner of an event Ariel saved search group.

Updates the owner of an event Ariel saved search group.


Table 158. POST /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 159. POST /ariel/event_saved_search_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 160. POST /ariel/event_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/ Required - Group object {
json with the owner set to a "child_groups": [ 42 ],
valid deployed user.
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 161. POST /ariel/event_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The event Ariel saved search group was updated.
404 1002 The event Ariel saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own
the event Ariel saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the event Ariel
saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/event_saved_search_groups/{group_id}
Deletes an event Ariel saved search group.

Deletes an event Ariel saved search group.


Table 162. DELETE /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 163. DELETE /ariel/event_saved_search_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.

Table 164. DELETE /ariel/event_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The event Ariel saved search group was deleted.
404 1002 The event Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the event Ariel saved
search group.

Response Description
Response Sample

GET /ariel/flow_saved_search_groups
Retrieves a list of flow Ariel saved search groups.

Retrieves a list of flow Ariel saved search groups.


Table 165. GET /ariel/flow_saved_search_groups resource details
MIME Type
application/json

Table 166. GET /ariel/flow_saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.

Table 167. GET /ariel/flow_saved_search_groups response codes
HTTP Response Code Unique Code Description
200 The flow Ariel saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the flow Ariel
saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /ariel/flow_saved_search_groups/{group_id}
Retrieves a flow Ariel saved search group.

Retrieves a flow Ariel saved search group.


Table 168. GET /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 169. GET /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 170. GET /ariel/flow_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The flow Ariel saved search group was retrieved.
404 1002 The flow Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the flow Ariel
saved search group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/flow_saved_search_groups/{group_id}
Updates the owner of a flow Ariel saved search group.

Updates the owner of a flow Ariel saved search group.


Table 171. POST /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 172. POST /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 173. POST /ariel/flow_saved_search_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/ Required - Group object {
json with the owner set to a "child_groups": [ 42 ],
valid deployed user.
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 174. POST /ariel/flow_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The flow Ariel saved search group was updated.
404 1002 The flow Ariel saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own
the flow Ariel saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the flow Ariel
saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - The items that belong to the group.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/flow_saved_search_groups/{group_id}
Deletes a flow Ariel saved search group.

Deletes a flow Ariel saved search group.


Table 175. DELETE /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 176. DELETE /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain Required - The ID of the group.

Table 177. DELETE /ariel/flow_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The flow Ariel saved search group was deleted.
404 1002 The flow Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the flow Ariel saved
search group.

Response Description

Response Sample

GET /ariel/parser_keywords
Retrieves the keywords that the AQL parser recognizes.

Retrieves the set of keywords that the AQL parser recognizes.


Table 178. GET /ariel/parser_keywords resource details
MIME Type
application/json

Table 179. GET /ariel/parser_keywords request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 180. GET /ariel/parser_keywords response codes


HTTP Response Code Unique Code Description
200 AQL Parser information retrieved

Response Description

Information about the AQL Parser.

Response Sample
{
"keywords": [
"String"
],
"where_clause_keywords": [
"String"
]
}

POST /ariel/processors/aql_metadata
Parses the Ariel Query Language (AQL) query expression and returns expected metadata without
execution of the query.

This endpoint only accepts SELECT query expressions.


Table 181. POST /ariel/processors/aql_metadata resource details
MIME Type
application/json

Table 182. POST /ariel/processors/aql_metadata request parameter details
Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL query to
parse for metadata.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 183. POST /ariel/processors/aql_metadata response codes


HTTP Response Code Unique Code Description
200 An AQL query expression was successfully validated.
422 2000 The query_expression contains invalid AQL syntax.
500 1020 An error occurred during the attempt to validate AQL.
503 1010 The Ariel server might be temporarily unavailable or offline. Please
try again later.

Response Description

A list of columns that are defined for the specified AQL query. Multiple properties of each column are
returned. For example, the column name or an indication that the column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String",
"nullable": true,
"object_value_type": "String <one of: NULL, STRUCT, Byte, Short, Integer, Long, UnsignedByte, UnsignedShort, Un
"provider_name": "String"
}
]
}
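GET /ariel/databases/{database_name} (Table 149 onward) and POST /ariel/processors/aql_metadata both return column lists, and the first defines which names may be written out in the column list of a SELECT before the parser is asked. The following is an added example, not code from this guide or from IBM: it extracts the explicitly named columns from an AQL SELECT, checks them against the database's column set, submits the query to aql_metadata through the query_expression query parameter, and maps the 404/1002, 422/2000 and 503/1010 responses from Tables 151 and 183 to exceptions. The SEC and Version headers in urllib_transport follow the API overview chapter; the console URL and token are placeholders supplied by the caller. FAKE_EVENT_COLUMNS and fake_transport are a constructed offline stand-in for a console, and the assumption that error bodies are JSON objects with code and message fields is this client's, not a statement from this page.

```python
"""Check the named columns of an AQL SELECT against
GET /ariel/databases/{database_name}, then parse the query with
POST /ariel/processors/aql_metadata. Added example; HTTP goes through an
injected transport, so it also runs offline against the constructed fake below."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, path, query, body) -> (http_status, parsed JSON body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, object]]

def urllib_transport(console_url: str, sec_token: str) -> Transport:
    """Real transport. Assumed from the API overview: SEC carries an authorized
    service token and Version pins the API version. Both arguments are placeholders."""
    def send(method, path, query, body):
        url = console_url.rstrip("/") + "/api" + path
        if query:
            url += "?" + urllib.parse.urlencode(query)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "SEC": sec_token, "Version": "9.0", "Accept": "application/json",
            "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:   # API error bodies are JSON too
            return err.code, json.load(err)
    return send

_ALIAS = re.compile(r"\s+AS\s+\S+$", re.IGNORECASE)

def select_columns(aql: str) -> List[str]:
    """Names written out between SELECT and FROM. '*' and function calls such as
    COUNT(*) are not database columns and are skipped; surrounding double quotes
    are removed; commas inside parentheses do not split a column."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\s", aql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("only SELECT ... FROM queries are supported")
    parts, depth, cur = [], 0, ""
    for ch in m.group(1):
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    parts.append(cur)
    names = []
    for part in parts:
        part = _ALIAS.sub("", part.strip())
        if part != "*" and "(" not in part:
            names.append(part.strip('"'))
    return names

def fetch_columns(transport: Transport, database: str) -> Dict[str, dict]:
    """GET /ariel/databases/{database_name} -> {column name: column object}."""
    status, payload = transport("GET", f"/ariel/databases/{database}", {}, None)
    if status == 404:
        raise LookupError(f"database {database!r} does not exist (code 1002)")
    if status != 200:
        raise RuntimeError(f"HTTP {status}: {payload}")
    return {c["name"]: c for c in payload["columns"]}

def unknown_columns(aql: str, columns: Dict[str, dict]) -> List[str]:
    # Named columns the database does not define: catches typos before a round trip.
    return [n for n in select_columns(aql) if n not in columns]

def aql_metadata(transport: Transport, aql: str) -> List[dict]:
    """POST /ariel/processors/aql_metadata, query in the query_expression
    query parameter. 422 with code 2000 is an AQL syntax error."""
    status, payload = transport("POST", "/ariel/processors/aql_metadata",
                                {"query_expression": aql}, None)
    if status == 200:
        return payload["columns"]
    code = payload.get("code") if isinstance(payload, dict) else None
    if status == 422 and code == 2000:
        raise ValueError(f"invalid AQL: {payload.get('message')}")
    if status == 503:
        raise ConnectionError("Ariel server temporarily unavailable (code 1010)")
    raise RuntimeError(f"HTTP {status}, code {code}: {payload}")

# Constructed offline stand-in for a console: a four-column "events" schema and a
# parser that accepts whatever select_columns can read. Column objects follow the
# response samples on this page.
FAKE_EVENT_COLUMNS = [
    {"name": "sourceip", "argument_type": "Host", "indexable": True},
    {"name": "destinationport", "argument_type": "Integer", "indexable": True},
    {"name": "username", "argument_type": "String", "indexable": True},
    {"name": "payload", "argument_type": "String", "indexable": False},
]

def fake_transport(method, path, query, body):
    if method == "GET" and path == "/ariel/databases/events":
        return 200, {"columns": FAKE_EVENT_COLUMNS}
    if method == "GET" and path.startswith("/ariel/databases/"):
        return 404, {"code": 1002, "message": "The database does not exist."}
    if method == "POST" and path == "/ariel/processors/aql_metadata":
        try:
            names = select_columns(query["query_expression"])
        except ValueError:
            return 422, {"code": 2000, "message": "The query_expression contains invalid AQL syntax."}
        known = {c["name"]: c for c in FAKE_EVENT_COLUMNS}
        return 200, {"columns": [dict(known[n], nullable=True, provider_name="events")
                                 for n in names if n in known]}
    return 500, {"code": 1020, "message": "unexpected request"}
```

Against a real console, swap fake_transport for urllib_transport("https://console.example", token) and keep the same calls; the metadata returned for a query that references an indexable column is what tells you whether the eventual search can use the index rather than scanning payloads.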

GET /ariel/saved_search_delete_tasks/{task_id}
Retrieves the status of an Ariel saved search delete task.

Retrieves the status of the Ariel saved search delete task with the specified ID.


Table 184. GET /ariel/saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 185. GET /ariel/saved_search_delete_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 186. GET /ariel/saved_search_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task
status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/ariel/
saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_search_dependent_tasks/{task_id}
Retrieves the status of an Ariel saved search dependent task.

Retrieves the status of the Ariel saved search dependent task with the specified ID.


Table 187. GET /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 188. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 189. GET /ariel/saved_search_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the dependent task
status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/ariel/
saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task completed.

v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
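A dependent task is asynchronous: status moves through the values in the sample above, number_of_dependents stays null until the task (or, per component, the sub-task) completes, and the POST on the same path, described in the next section, cancels it and answers 409 (code 1004) once the task is already in a completed state. The following is an added example, not code from this guide or from IBM: it polls GET /ariel/saved_search_dependent_tasks/{task_id} until a terminal status, summarises the dependents found per task_sub_type, and, if the task runs past a poll budget, requests cancellation by POSTing a task object whose status is CANCEL_REQUESTED. Which statuses count as terminal, and the CANCEL_REQUESTED body, are this example's reading of the status enum and of the POST description; FakeConsole is a constructed offline stand-in for the HTTP transport, and the same functions work against a real transport that performs the request and returns the HTTP status and parsed JSON.

```python
"""Poll a dependent Ariel saved search task to a terminal state, summarise
its components, and cancel it past a poll budget. Added example; the transport
is injected, so it runs offline against the constructed FakeConsole."""
from typing import Callable, Dict, Optional, Tuple

# Status values from the response sample. Which of them are terminal is this
# example's reading of the enum: the task does not change after any of these.
TERMINAL = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}
CANCEL_PENDING = {"CANCEL_REQUESTED", "CANCELING"}

# transport(method, path, body) -> (http_status, parsed JSON body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

def get_task(transport: Transport, task_id: int) -> dict:
    status, payload = transport("GET", f"/ariel/saved_search_dependent_tasks/{task_id}", None)
    if status == 404:
        raise LookupError(f"task {task_id} does not exist (code 1002)")
    if status != 200:
        raise RuntimeError(f"HTTP {status}: {payload}")
    return payload

def request_cancel(transport: Transport, task_id: int) -> dict:
    """POST the task object with status CANCEL_REQUESTED. 409 (code 1004) means
    the task already reached a completed state, so return its final status."""
    status, payload = transport("POST", f"/ariel/saved_search_dependent_tasks/{task_id}",
                                {"status": "CANCEL_REQUESTED"})
    if status == 200:
        return payload
    if status == 409:
        return get_task(transport, task_id)
    raise RuntimeError(f"cancel failed, HTTP {status}: {payload}")

def percent_done(task: dict) -> float:
    """progress/maximum as a percentage; maximum may be 0 or null while INITIALIZING."""
    maximum = task.get("maximum") or 0
    return round(100.0 * (task.get("progress") or 0) / maximum, 1) if maximum > 0 else 0.0

def dependents_by_type(task: dict) -> Dict[str, int]:
    """task_sub_type -> number_of_dependents, skipping components whose count is
    still null (it stays null until that component completes)."""
    return {c["task_sub_type"]: c["number_of_dependents"]
            for c in task.get("task_components", [])
            if c.get("number_of_dependents") is not None}

def wait_for_task(transport: Transport, task_id: int, max_polls: int,
                  sleep: Callable[[], None] = lambda: None) -> dict:
    """Poll until terminal. After max_polls non-terminal polls, request
    cancellation once and keep polling until the server confirms a terminal
    status. In production pass e.g. sleep=lambda: time.sleep(2)."""
    polls, cancel_sent = 0, False
    while True:
        task = get_task(transport, task_id)
        if task["status"] in TERMINAL:
            return task
        polls += 1
        if polls >= max_polls and not cancel_sent and task["status"] not in CANCEL_PENDING:
            task = request_cancel(transport, task_id)
            cancel_sent = True
            if task["status"] in TERMINAL:
                return task
        sleep()

class FakeConsole:
    """Constructed offline stand-in: every GET advances the task by
    maximum // steps objects; a cancel request settles on the following GET."""
    def __init__(self, steps: int):
        self.steps, self.gets = steps, 0
        self.task = {
            "id": 7, "name": "find dependents", "status": "QUEUED", "created_by": "admin",
            "cancelled_by": None, "maximum": 40, "progress": 0, "number_of_dependents": None,
            "task_components": [
                {"task_sub_type": "FIND_DEPENDENT_RULES", "status": "PROCESSING",
                 "maximum": 30, "progress": 0, "number_of_dependents": None},
                {"task_sub_type": "FIND_DEPENDENT_REPORTS", "status": "PROCESSING",
                 "maximum": 10, "progress": 0, "number_of_dependents": None}]}

    def __call__(self, method, path, body):
        t = self.task
        if method == "POST":
            if t["status"] in TERMINAL:
                return 409, {"code": 1004, "message": "The task is in a completed state."}
            t["status"], t["cancelled_by"] = "CANCEL_REQUESTED", "admin"
            return 200, dict(t)
        self.gets += 1
        if t["status"] == "CANCEL_REQUESTED":
            t["status"] = "CANCELLED"
        elif t["status"] not in TERMINAL:
            t["progress"] = min(t["maximum"], t["progress"] + t["maximum"] // self.steps)
            t["status"] = "PROCESSING"
            if t["progress"] >= t["maximum"]:
                t["status"], t["number_of_dependents"] = "COMPLETED", 4
                t["task_components"][0].update(status="COMPLETED", progress=30, number_of_dependents=3)
                t["task_components"][1].update(status="COMPLETED", progress=10, number_of_dependents=1)
        return 200, dict(t)
```

The poll budget matters because the dependency scan walks rules, reports, dashboards and the other FIND_DEPENDENT_* component types; on a large deployment a script that fires the task and forgets it leaves work running on the console, so either wait for a terminal status or cancel explicitly.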

POST /ariel/saved_search_dependent_tasks/{task_id}
Cancels the dependent Ariel saved search task.

Cancels the dependent Ariel saved search task.


Table 190. POST /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 191. POST /ariel/saved_search_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 192. POST /ariel/saved_search_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json Required - The task status object. Set status to
CANCEL_REQUESTED to cancel the task.
Sample: { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED,
COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED,
PROCESSING, QUEUED, RESUMING>" }

Table 193. POST /ariel/saved_search_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was updated.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task
status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/ariel/
saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. the vaalue is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

GET /ariel/saved_search_dependent_tasks/{task_id}/results
Retrieves the Ariel saved search dependent task results.



Table 194. GET /ariel/saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 195. GET /ariel/saved_search_dependent_tasks/{task_id}/results request parameter details
Parameter   Type    Optionality   Data Type          MIME Type    Description
task_id     path    Required      Number (Integer)   text/plain   Required - The ID of the dependent task.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 196. GET /ariel/saved_search_dependent_tasks/{task_id}/results response codes
HTTP Response Code   Unique Code   Description
200                                The Ariel saved search dependents were retrieved.
404                  1002          The Dependent Task Status does not exist.
500                  1020          An error occurred during the attempt to retrieve the Ariel saved search dependents.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. (Default resources can have localized names.)
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
  {
    "blocking": true,
    "dependent_database": "String <one of: EVENTS, FLOWS>",
    "dependent_group_ids": [
      42
    ],
    "dependent_id": "String",
    "dependent_name": "String",
    "dependent_owner": "String",
    "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
    "user_has_edit_permissions": true
  }
]

GET /ariel/saved_searches
Retrieves a list of Ariel saved searches.


Table 197. GET /ariel/saved_searches resource details
MIME Type
application/json

Table 198. GET /ariel/saved_searches request parameter details
Parameter   Type     Optionality   Data Type   MIME Type    Description
fields      query    Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 199. GET /ariel/saved_searches response codes
HTTP Response Code   Unique Code   Description
200                                The Ariel saved searches were retrieved.
422                  1010          A request parameter is not valid.
500                  1020          An error occurred during the attempt to retrieve the Ariel saved searches.

Response Description

An array of Ariel Saved Search objects. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uid - String - The UID of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, EVENTS or FLOWS.
v is_shared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
[
  {
    "database": "String <one of: EVENTS, FLOWS>",
    "id": 42,
    "is_shared": true,
    "name": "String",
    "owner": "String",
    "uid": "String"
  }
]

GET /ariel/saved_searches/{id}
Retrieves an Ariel saved search.



Table 200. GET /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 201. GET /ariel/saved_searches/{id} request parameter details
Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   Required - The ID of the Ariel saved search.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 202. GET /ariel/saved_searches/{id} response codes
HTTP Response Code   Unique Code   Description
200                                The Ariel saved search was retrieved.
404                  1002          The Ariel saved search does not exist.
500                  1020          An error occurred during the attempt to retrieve the Ariel saved search.

Response Description
The Ariel saved search after it is retrieved. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uid - String - The UID of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, EVENTS or FLOWS.
v is_shared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
  "database": "String <one of: EVENTS, FLOWS>",
  "id": 42,
  "is_shared": true,
  "name": "String",
  "owner": "String",
  "uid": "String"
}

POST /ariel/saved_searches/{id}
Updates the Ariel saved search owner only.



Table 203. POST /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 204. POST /ariel/saved_searches/{id} request parameter details
Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   Required - The ID of the Ariel saved search.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 205. POST /ariel/saved_searches/{id} request body details
Parameter      Data Type   MIME Type          Description                                                        Sample
saved_search   Object      application/json   Required - The Ariel saved search. Only the owner field is updated.   { "id": "1", "name": "String", "database": "String", "is_shared": true, "owner": "String" }

Table 206. POST /ariel/saved_searches/{id} response codes
HTTP Response Code   Unique Code   Description
200                                The Ariel saved search was updated.
403                  1009          You do not have the required capabilities to update the Ariel saved search.
404                  1002          The Ariel saved search does not exist.
409                  1004          The provided user does not have the required capabilities to own the Ariel saved search.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to update the Ariel saved search.

Response Description

The Ariel saved search after it has been updated. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uid - String - The UID of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, EVENTS or FLOWS.
v is_shared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
  "database": "String <one of: EVENTS, FLOWS>",
  "id": 42,
  "is_shared": true,
  "name": "String",
  "owner": "String",
  "uid": "String"
}

DELETE /ariel/saved_searches/{id}
Deletes an Ariel saved search. To ensure safe deletion, a dependency check is carried out. The check
might take some time. An asynchronous task is started to do this check.

Table 207. DELETE /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 208. DELETE /ariel/saved_searches/{id} request parameter details
Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   Required - The ID of the Ariel saved search to delete.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 209. DELETE /ariel/saved_searches/{id} response codes
HTTP Response Code   Unique Code   Description
202                                The Ariel saved search delete command was accepted and is in progress.
403                  1009          You do not have the required capabilities to delete the Ariel saved search.
404                  1002          The Ariel saved search does not exist.
500                  1020          An error occurred during the attempt to delete the Ariel saved search.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /ariel/saved_searches/{id}/dependents
Retrieves the objects that depend on the Ariel saved search.



Table 210. GET /ariel/saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 211. GET /ariel/saved_searches/{id}/dependents request parameter details
Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   Required - The ID of the Ariel saved search.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 212. GET /ariel/saved_searches/{id}/dependents response codes
HTTP Response Code   Unique Code   Description
202                                The Ariel saved search dependents retrieval was accepted and is in progress.
404                  1002          The Ariel saved search does not exist.
500                  1020          An error occurred during the attempt to initiate the Ariel saved search dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}
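The dependency check is asynchronous: GET /ariel/saved_searches/{id}/dependents (like DELETE /ariel/saved_searches/{id}) answers 202 with a task status object and a Location header, the client polls GET /ariel/saved_search_dependent_tasks/{task_id} until the status is terminal, and then reads the Dependent objects from GET /ariel/saved_search_dependent_tasks/{task_id}/results. The following Python is an added example, not IBM code and not part of this guide. It strings those calls together and then decides whether a delete is safe, refusing when a dependent is flagged blocking (a field that appears only in the response sample above) or when user_has_edit_permissions is false, because deleting the search would silently break a report, dashboard or rule that belongs to someone else. The transport callable, the fake Console that answers it, and the two sample dependents are constructed for the example; the set of terminal states is an assumption drawn from the task status enum.

```python
"""Dependency check before deleting an Ariel saved search (added example, not IBM code)."""
import time

# transport(method, path, params, headers, body) -> (http_status, response_headers, json_body)
# Assumed terminal states, taken from the task status enum in this guide.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT", "INTERRUPTED"}


def start_dependents_task(transport, saved_search_id):
    """GET /ariel/saved_searches/{id}/dependents: 202 plus a Location header naming the task."""
    status, headers, body = transport(
        "GET", f"/api/ariel/saved_searches/{saved_search_id}/dependents", None, None, None)
    if status != 202:
        raise RuntimeError(f"dependents request failed: HTTP {status} {body}")
    task_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]
    if task_id != str(body["id"]):  # Location header and body must name the same task
        raise RuntimeError("task id in Location header disagrees with body")
    return task_id


def wait_for_task(transport, task_id, poll_seconds=2.0, max_polls=150):
    """Poll GET /ariel/saved_search_dependent_tasks/{task_id} until the status is terminal."""
    last = {"status": "UNKNOWN"}
    for _ in range(max_polls):
        status, _, last = transport(
            "GET", f"/api/ariel/saved_search_dependent_tasks/{task_id}", None, None, None)
        if status == 404:
            raise LookupError(f"task {task_id} does not exist (code {last.get('code')})")
        if status != 200:
            raise RuntimeError(f"task poll failed: HTTP {status} {last}")
        if last["status"] in TERMINAL_STATES:
            return last
        time.sleep(poll_seconds)
    raise TimeoutError(f"task {task_id} still {last['status']} after {max_polls} polls")


def fetch_dependents(transport, task_id):
    """GET /ariel/saved_search_dependent_tasks/{task_id}/results: a list of Dependent objects."""
    status, _, body = transport(
        "GET", f"/api/ariel/saved_search_dependent_tasks/{task_id}/results",
        None, {"Accept": "application/json"}, None)
    if status != 200:
        raise RuntimeError(f"results fetch failed: HTTP {status} {body}")
    return body


def deletion_blockers(dependents):
    """Dependents that should stop the delete: anything the server flags as blocking, and
    anything the requesting user cannot edit (someone else's report, dashboard or rule)."""
    return [d for d in dependents
            if d.get("blocking") or not d.get("user_has_edit_permissions", False)]


def check_before_delete(transport, saved_search_id, poll_seconds=2.0):
    """Run the whole check and report the task, its dependents and the blockers found."""
    task_id = start_dependents_task(transport, saved_search_id)
    task = wait_for_task(transport, task_id, poll_seconds=poll_seconds)
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependency check ended in {task['status']}: {task.get('message')}")
    dependents = fetch_dependents(transport, task_id)
    if task["number_of_dependents"] != len(dependents):  # count in the task must match the list
        raise RuntimeError("number_of_dependents disagrees with the results list")
    return {"task_id": task_id, "dependents": dependents, "blockers": deletion_blockers(dependents)}


def make_fake_transport():
    """Constructed stand-in for the Console: saved search 42 has two dependents, one of which
    the requesting user cannot edit. A real transport sends the SEC token over verified HTTPS."""
    polls = {"n": 0}
    dependents = [
        {"dependent_id": "1001", "dependent_name": "Auth failures by source", "dependent_owner": "admin",
         "dependent_type": "DASHBOARD", "dependent_database": "EVENTS", "dependent_group_ids": [],
         "blocking": False, "user_has_edit_permissions": True},
        {"dependent_id": "2002", "dependent_name": "Weekly authentication report", "dependent_owner": "soc_lead",
         "dependent_type": "REPORT", "dependent_database": "EVENTS", "dependent_group_ids": [7],
         "blocking": False, "user_has_edit_permissions": False},
    ]

    def transport(method, path, params, headers, body):
        if method == "GET" and path == "/api/ariel/saved_searches/42/dependents":
            task = {"id": 9, "name": "Find dependents", "status": "QUEUED", "created_by": "admin"}
            return 202, {"Location": "/api/ariel/saved_search_dependent_tasks/9"}, task
        if method == "GET" and path == "/api/ariel/saved_search_dependent_tasks/9":
            polls["n"] += 1  # QUEUED, then PROCESSING, then COMPLETED
            state = ("QUEUED", "PROCESSING", "COMPLETED")[min(polls["n"] - 1, 2)]
            count = len(dependents) if state == "COMPLETED" else None
            return 200, {}, {"id": 9, "status": state, "number_of_dependents": count, "message": ""}
        if method == "GET" and path == "/api/ariel/saved_search_dependent_tasks/9/results":
            return 200, {}, dependents
        return 404, {}, {"code": 1002, "message": "The Ariel saved search does not exist."}

    return transport


if __name__ == "__main__":
    outcome = check_before_delete(make_fake_transport(), 42, poll_seconds=0)
    for dep in outcome["blockers"]:
        print(f"refusing delete: {dep['dependent_type']} {dep['dependent_id']} is owned by {dep['dependent_owner']}")
```

The task is polled rather than waited on because this family of endpoints has no Prefer: wait header; a production client should cap the poll loop, as here, so a task stuck in PROCESSING does not hang an automation job. Cancelling a running check is a POST to /ariel/saved_search_dependent_tasks/{task_id} with a status in the body, as Table 192 shows, and is not exercised here.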

GET /ariel/searches
Retrieves the list of Ariel searches. Search IDs for completed and active searches are returned.

Retrieves the list of Ariel searches. This includes search IDs for completed and active searches.
Table 213. GET /ariel/searches resource details
MIME Type
application/json

Table 214. GET /ariel/searches request parameter details
Parameter   Type     Optionality   Data Type   MIME Type    Description
db_name     query    Optional      String      text/plain   Optional - The name of the Ariel database to retrieve the list of Ariel searches.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 215. GET /ariel/searches response codes
HTTP Response Code   Unique Code   Description
200                                The search list was retrieved.
500                  1020          An error occurred during the attempt to retrieve the list of searches.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches
Creates a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches
are executed asynchronously. A reference to the search ID is returned and should be used in subsequent
API calls to determine the status of the search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default, this time interval is the last
60 seconds. An alternative time interval can be specified as part of the query expression. For further
information, see the AQL reference guide.
Table 216. POST /ariel/searches resource details
MIME Type
application/json

Table 217. POST /ariel/searches request parameter details
Parameter          Type    Optionality   Data Type   MIME Type    Description
query_expression   query   Required      String      text/plain   Required - The AQL query to execute.

Table 218. POST /ariel/searches response codes
HTTP Response Code   Unique Code   Description
201                                A new Ariel search was successfully created.
409                  1004          The search cannot be created. The requested search ID that was provided in the query expression is already in use. Please use a unique search ID (or allow one to be generated).
422                  2000          The query_expression contains invalid AQL syntax.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to create a new search.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID to access or manipulate
the search with the other API endpoints. If the exact search being created was already recently created,
the response message will return a reference to the original search ID rather than creating a new search.

Response Sample
{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [0, 0, 0, 0, 66957, 652657, 76594, 89809, 86032, 107729],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "EXECUTE",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": "1467049610018"
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": "1467049610019"
      }
    ]
  },
  "subsearch_ids": [
    "sub_id_1"
  ],
  "search_id": "s16"
}

DELETE /ariel/searches/{search_id}
Deletes an Ariel search.

Deletes an Ariel search. This discards any results that were collected and stops the search if it is in
progress. This search is deleted regardless of whether the results were saved.
Table 219. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 220. DELETE /ariel/searches/{search_id} request parameter details
Parameter   Type   Optionality   Data Type   MIME Type    Description
search_id   path   Required      String      text/plain   Required - The search ID of the search to delete.

Table 221. DELETE /ariel/searches/{search_id} response codes
HTTP Response Code   Unique Code   Description
202                                The delete request has been accepted.
404                  1002          The search does not exist.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to delete the search.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the deleted search.

Response Sample
{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [0, 0, 0, 0, 66957, 652657, 76594, 89809, 86032, 107729],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime, qid, sourceport from events into s16 where sourceip in (select destinatio
  "record_count": 1240923,
  "save_results": false,
  "status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": 1467049610018,
        "qid": 10034,
        "sourceport": 13675
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": 1467049610019,
        "qid": 20034,
        "sourceport": 80
      }
    ]
  },
  "subsearch_ids": [
    "sub_id_1"
  ],
  "search_id": "s16"
}

GET /ariel/searches/{search_id}
Retrieves information about an Ariel search.

Retrieve status information for a search, based on the search ID parameter. The same informational fields
are returned regardless of whether the search is in progress or is complete.
Table 222. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 223. GET /ariel/searches/{search_id} request parameter details
Parameter   Type     Optionality   Data Type   MIME Type    Description
search_id   path     Required      String      text/plain   Required - The identifier for an Ariel search.
Prefer      header   Optional      String      text/plain   Optional - Specify 'wait=N', where N is the number of seconds to wait for the search to reach COMPLETED status.

Table 224. GET /ariel/searches/{search_id} response codes
HTTP Response Code   Unique Code   Description
200                                The search information was retrieved.
206                                The search information was retrieved, but the 'Prefer: wait=N' timeout (in seconds) expired before the search completed.
404                  1002          The search does not exist.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to retrieve the search information.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search status.

Response Sample
{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [0, 0, 0, 0, 66957, 652657, 76594, 89809, 86032, 107729],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime, qid, sourceport from events into s16 where sourceip in (select destinatio
  "record_count": 1240923,
  "save_results": false,
  "status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": 1467049610018,
        "qid": 10034,
        "sourceport": 13675
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": 1467049610019,
        "qid": 20034,
        "sourceport": 80
      }
    ]
  },
  "subsearch_ids": [
    "sub_id_1"
  ],
  "search_id": "s16"
}

GET /ariel/searches/{search_id}/metadata
Retrieve the columns that are defined for a specific Ariel search id.

Retrieve the columns that are defined for the specified Ariel search id. This is the set of columns that can
be explicitly named in the column list of a SELECT query.

Table 225. GET /ariel/searches/{search_id}/metadata resource details
MIME Type
application/json

Table 226. GET /ariel/searches/{search_id}/metadata request parameter details
Parameter   Type     Optionality   Data Type   MIME Type    Description
search_id   path     Required      String      text/plain   Required - The identifier for an Ariel search.
fields      query    Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 227. GET /ariel/searches/{search_id}/metadata response codes
HTTP Response Code   Unique Code   Description
200                                Columns were successfully retrieved.
404                  1002          The search does not exist.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

A list of columns that are defined for the specified database. Multiple properties of each column are
returned. For example, the column name or an indication that the column is indexable.

Response Sample
{
  "columns": [
    {
      "argument_type": "String",
      "indexable": true,
      "name": "String",
      "nullable": true,
      "object_value_type": "String <one of: NULL, STRUCT, Byte, Short, Integer, Long, UnsignedByte, UnsignedShort, Un
      "provider_name": "String"
    }
  ]
}

POST /ariel/searches/{search_id}
Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops the search and keeps
any search results that were collected before the search was canceled.
v The results for a completed search can be saved by setting the save_results parameter to true. This
ensures that the search is not automatically removed when it expires in accordance with the retention
policy.

The Ariel server uses an internal retention policy to manage available disk space. Searches might be
deleted automatically, according to the settings of the retention policy. Searches with saved results are not
automatically reclaimed by the server and are therefore retained. A search can be explicitly deleted by
using the DELETE /ariel/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to process new searches.
Table 228. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 229. POST /ariel/searches/{search_id} request parameter details
Parameter      Type    Optionality   Data Type   MIME Type    Description
search_id      path    Required      String      text/plain   Required - The ID of the search to update.
status         query   Optional      String      text/plain   Optional - The only accepted value is CANCELED. If this value is provided, the search is canceled.
save_results   query   Optional      String      text/plain   Optional - The only accepted value is true. If this value is provided, the search results are not deleted by the search expiration removal process. If the status parameter was provided, this parameter is not checked and is silently ignored.

Table 230. POST /ariel/searches/{search_id} response codes
HTTP Response Code   Unique Code   Description
200                                The search was updated.
404                  1002          The search does not exist.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to update the search.
503                  1010          The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search that was updated.

Response Sample
{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [0, 0, 0, 0, 66957, 652657, 76594, 89809, 86032, 107729],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "EXECUTE",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": "1467049610018"
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": "1467049610019"
      }
    ]
  },
  "subsearch_ids": [
    "sub_id_1"
  ],
  "search_id": "s16"
}

GET /ariel/searches/{search_id}/results
Retrieves search results in the requested format.

132 QRadar API Reference Guide


Retrieve the results of the Ariel search that is identified by the search ID. The Accept request header
indicates the format of the result. The formats are RFC compliant and can be JSON, CSV, XML, or tabular
text.

By default, all query result records are returned. To restrict the results to a contiguous subset of the
records, you can supply a Range header to specify the inclusive range of records to be returned.

This endpoint works with query results that are generated by AQL query expressions. This endpoint
might not work as expected for results that are generated by other means. Search results might not be
retrievable for searches that are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP from events.
Table 231. GET /ariel/searches/{search_id}/results resource details
MIME Type: application/json, application/csv, text/table, application/xml

Table 232. GET /ariel/searches/{search_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | The ID of the search criteria for the returned results.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 233. GET /ariel/searches/{search_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The search results were retrieved.
404 | 1002 | The search does not exist.
404 | 1003 | Search results not found. The search is still in progress.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the search results.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

The search results for the specified search ID. The format that is used to encapsulate the data depends on
the format specified in the Accept header for this request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

POST /ariel/validators/aql
Validates the AQL query expression.

Validates the Ariel search as specified by the Ariel Query Language (AQL) query expression.

This endpoint only accepts SELECT query expressions.


Table 234. POST /ariel/validators/aql resource details
MIME Type: application/json

Table 235. POST /ariel/validators/aql request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
query_expression | query | Required | String | text/plain | Required - The AQL query to validate.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 236. POST /ariel/validators/aql response codes

HTTP Response Code | Unique Code | Description
200 | | An AQL query expression was successfully validated.
500 | 1020 | An error occurred during the attempt to validate AQL.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Array of errors/warnings encountered during AQL validation, or null if validation was successful.

Response Sample
{
"error_messages": [
{
"code": 42,
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
]
}
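The three Ariel passages above (updating a search, paging its results with a Range header, validating AQL) as an added Python example that is not part of IBM's guide or QRadar's own client code; it assumes the `/api/` path prefix, the `items=start-end` Range form and error bodies carrying `code` and `message`, and runs against a constructed stand-in transport instead of a console.

```python
"""Added example, not IBM's code: offline-testable client for the three Ariel passages above.
Assumed: the /api/ prefix, the Range form items=start-end, error bodies with code and message."""
import json
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, path, headers, query params) and returns (status, body text).
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, str]]


class ArielError(Exception):
    def __init__(self, status: int, code: Optional[int], message: str):
        super().__init__(f"HTTP {status} (unique code {code}): {message}")
        self.status, self.code = status, code


def _error(status: int, body: str) -> ArielError:
    try:
        doc = json.loads(body)
        return ArielError(status, doc.get("code"), doc.get("message", body))
    except ValueError:
        return ArielError(status, None, body)


def range_header(start: int, end: int) -> Dict[str, str]:
    """Zero-indexed inclusive slice for the results endpoint's Range header."""
    if start < 0 or end < start:
        raise ValueError("range must satisfy 0 <= start <= end")
    return {"Range": f"items={start}-{end}"}


def validate_aql(transport: Transport, query: str) -> Tuple[bool, list]:
    """POST /ariel/validators/aql. Returns (ok, messages); ok is False when any message
    has severity ERROR. Non-SELECT text is refused locally, as the endpoint would."""
    if not query.lstrip().upper().startswith("SELECT"):
        raise ValueError("the validator accepts SELECT expressions only")
    status, body = transport("POST", "/api/ariel/validators/aql",
                             {"Accept": "application/json"}, {"query_expression": query})
    if status != 200:
        raise _error(status, body)
    doc = json.loads(body) if body.strip() else None  # null means no findings
    messages = [] if doc is None else doc.get("error_messages") or []
    return all(m.get("severity") != "ERROR" for m in messages), messages


def update_search(transport: Transport, search_id: str, *, cancel: bool = False,
                  save_results: bool = False) -> dict:
    """POST /ariel/searches/{search_id}: status accepts only CANCELED and save_results
    only true; the server ignores save_results whenever status is sent, so send one."""
    params: Dict[str, str] = {}
    if cancel:
        params["status"] = "CANCELED"
    elif save_results:
        params["save_results"] = "true"
    status, body = transport("POST", f"/api/ariel/searches/{search_id}",
                             {"Accept": "application/json"}, params)
    if status != 200:
        raise _error(status, body)
    return json.loads(body)


def get_results(transport: Transport, search_id: str, start: int, end: int):
    """One Range slice of GET /ariel/searches/{search_id}/results as JSON. Returns None
    while the search is still running (404 with unique code 1003) so callers can poll."""
    headers = {"Accept": "application/json", **range_header(start, end)}
    status, body = transport("GET", f"/api/ariel/searches/{search_id}/results", headers, {})
    if status != 200:
        err = _error(status, body)
        if status == 404 and err.code == 1003:
            return None
        raise err
    return json.loads(body)


def iter_all_events(transport: Transport, search_id: str, page_size: int = 2):
    """Walk a finished search's events in consecutive Range slices."""
    start = 0
    while True:
        page = get_results(transport, search_id, start, start + page_size - 1)
        if page is None:
            raise RuntimeError("search still running; poll get_results first")
        events = page.get("events", [])
        yield from events
        if len(events) < page_size:
            return
        start += page_size


# Constructed stand-in for a console, answering in the shapes of the samples above.
SAMPLE_EVENTS = [{"sourceIP": "1.1.1.1", "destinationIP": "127.0.0.1"},
                 {"sourceIP": "1.1.1.1", "destinationIP": "127.0.0.1"},
                 {"sourceIP": "10.100.65.20", "destinationIP": "10.100.100.121"}]


def fake_transport(method, path, headers, params):
    if path == "/api/ariel/validators/aql":  # constructed rule: a FROM clause is required
        if "from events" in params["query_expression"].lower():
            return 200, "null"
        return 200, json.dumps({"error_messages": [{"code": 42, "contexts": ["String"],
                                "message": "missing FROM", "severity": "ERROR"}]})
    if path == "/api/ariel/searches/s16" and method == "POST":
        return 200, json.dumps({"search_id": "s16", "save_results": "save_results" in params,
                                "status": "CANCELED" if "status" in params else "EXECUTE"})
    if path == "/api/ariel/searches/s16/results":
        lo, hi = (int(x) for x in headers["Range"][len("items="):].split("-"))
        return 200, json.dumps({"events": SAMPLE_EVENTS[lo:hi + 1]})
    if path == "/api/ariel/searches/s17/results":
        return 404, json.dumps({"code": 1003, "message": "The search is still in progress."})
    return 404, json.dumps({"code": 1002, "message": "The search does not exist."})
```

To use it against a console, replace `fake_transport` with a function that performs the HTTPS request with the SEC token header and returns the status and body text.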

Asset model endpoints
Use the references for REST API V9.0 Asset Model endpoints.

GET /asset_model/assets
List all assets found in the model.
Table 237. GET /asset_model/assets resource details
MIME Type: application/json

Table 238. GET /asset_model/assets request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 239. GET /asset_model/assets response codes

HTTP Response Code | Unique Code | Description
200 | | The request to retrieve assets completed successfully.
500 | 1020 | The server encountered an error while trying to retrieve the assets.

Response Description
List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"id": 42,
"domain_id": 42,
"interfaces": [
{
"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [
{
"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"
}
]
}
],
"properties": [
{
"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}
]
}
]

POST /asset_model/assets/{asset_id}
Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field is available through the
/asset_model/assets or /asset_model/saved_searches/{saved_search_id}/results query. To update
properties, the property type ID, which is available through the /asset_model/properties query, must be
provided along with the new value. See the request body sample for an example asset update.
Table 240. POST /asset_model/assets/{asset_id} resource details
MIME Type: text/plain

Table 241. POST /asset_model/assets/{asset_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
asset_id | path | Required | String | text/plain | Unique identifier of the asset to update.

Table 242. POST /asset_model/assets/{asset_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
asset | JSON | application/json | JSON representation of an asset. | { "properties": [ { "type_id": 1001, "value": "given name value" }, { "type_id": 1002, "value": "unified name value" } ] }

Table 243. POST /asset_model/assets/{asset_id} response codes

HTTP Response Code | Unique Code | Description
202 | | The request to update the asset was successful. The update will take place when the asset profile application receives the request.
422 | 1005 | One or more of the requested property updates were invalid.
500 | 1020 | The server encountered an error registering the update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties
Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the /asset_model/assets
endpoint.
Table 244. GET /asset_model/properties resource details
MIME Type: application/json

Table 245. GET /asset_model/properties request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 246. GET /asset_model/properties response codes

HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of asset property types completed successfully.
500 | 1020 | An error occurred while trying to retrieve the list of asset property types.

Response Description

List of asset property types. Each entry carries the id and name that make up that asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]
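The two-step asset update described above (look up the property type IDs with GET /asset_model/properties, then post them as the body of POST /asset_model/assets/{asset_id}) as an added Python example that is not IBM's code; the property listing, names, IDs and data types are constructed for the example, and the `/api/` path prefix is assumed.

```python
"""Added example, not IBM's code: resolve asset property names to the type IDs served by
GET /asset_model/properties and build the POST /asset_model/assets/{asset_id} body."""
import json
from typing import Dict, List

# Constructed listing in the shape of the GET /asset_model/properties sample; the names,
# IDs and data types are made up for this example, not QRadar's real property types.
PROPERTY_TYPES: List[dict] = [
    {"id": 1001, "name": "Given Name", "custom": False, "data_type": "String",
     "display": True, "state": 1},
    {"id": 1002, "name": "Unified Name", "custom": False, "data_type": "String",
     "display": True, "state": 1},
    {"id": 1003, "name": "Rack Unit", "custom": True, "data_type": "Integer",
     "display": True, "state": 1},
]


def property_index(listing: List[dict]) -> Dict[str, dict]:
    """Map each property name (case-insensitive) to its listing entry."""
    index: Dict[str, dict] = {}
    for prop in listing:
        key = prop["name"].strip().lower()
        if key in index:
            raise ValueError(f"duplicate property name in listing: {prop['name']!r}")
        index[key] = prop
    return index


def build_asset_update(listing: List[dict], updates: Dict[str, object]) -> dict:
    """Return the JSON body for POST /asset_model/assets/{asset_id}.

    Names absent from the listing are refused here rather than letting the server
    answer 422 / 1005; values are sent as strings, as in the body sample."""
    index = property_index(listing)
    properties = []
    for name, value in updates.items():
        prop = index.get(name.strip().lower())
        if prop is None:
            raise KeyError(f"unknown asset property {name!r}; refresh /asset_model/properties")
        if prop["data_type"] == "Integer":
            int(value)  # fail fast on a non-numeric value for a numeric property
        properties.append({"type_id": prop["id"], "value": str(value)})
    return {"properties": properties}


def asset_update_request(asset_id: int, listing: List[dict], updates: Dict[str, object]) -> dict:
    """Describe the full request: the endpoint returns text/plain and answers 202 because
    the asset profile application applies the update asynchronously."""
    return {
        "method": "POST",
        "path": f"/api/asset_model/assets/{asset_id}",
        "headers": {"Content-Type": "application/json", "Accept": "text/plain"},
        "body": json.dumps(build_asset_update(listing, updates)),
    }
```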

GET /asset_model/saved_search_groups
Retrieves a list of the asset saved search groups.

Retrieves a list of the asset saved search groups.


Table 247. GET /asset_model/saved_search_groups resource details
MIME Type: application/json

Table 248. GET /asset_model/saved_search_groups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 249. GET /asset_model/saved_search_groups response codes

HTTP Response Code | Unique Code | Description
200 | | The asset saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
- id - Long - The ID of the group.
- parent_id - Long - The ID of the parent group (default resources can have localized names).
- type - String - The type of the group.
- level - Long - The depth of the group in the group hierarchy.
- name - String - The name of the group (default resources can have localized names).
- description - String - The description of the group (default resources can have localized names).
- owner - String - The owner of the group.
- modified_time - Long - The time in milliseconds since epoch at which the group was last modified.
- child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /asset_model/saved_search_groups/{group_id}
Retrieves an asset saved search group.

Retrieves an asset saved search group.


Table 250. GET /asset_model/saved_search_groups/{group_id} resource details
MIME Type: application/json

Table 251. GET /asset_model/saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 252. GET /asset_model/saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The asset saved search group was retrieved.
404 | 1002 | The asset saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search group.

Response Description

A single Group object. A Group object contains the following fields:
- id - Long - The ID of the group.
- parent_id - Long - The ID of the parent group (default resources can have localized names).
- type - String - The type of the group.
- level - Long - The depth of the group in the group hierarchy.
- name - String - The name of the group (default groups can have localized names).
- description - String - The description of the group (default groups can have localized names).
- owner - String - The owner of the group.
- modified_time - Long - The time in milliseconds since epoch at which the group was last modified.
- child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /asset_model/saved_search_groups/{group_id}
Updates the owner of an asset saved search group.

Updates the owner of an asset saved search group.


Table 253. POST /asset_model/saved_search_groups/{group_id} resource details
MIME Type: application/json

Table 254. POST /asset_model/saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 255. POST /asset_model/saved_search_groups/{group_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 256. POST /asset_model/saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The asset saved search group has been updated.
404 | 1002 | The asset saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the asset saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the asset saved search group.

Response Description
The updated Group object. A Group object contains the following fields:
- id - Long - The ID of the group.
- parent_id - Long - The ID of the parent group (default resources can have localized names).
- type - String - The type of the group.
- level - Long - The depth of the group in the group hierarchy.
- name - String - The name of the group (default resources can have localized names).
- description - String - The description of the group (default resources can have localized names).
- owner - String - The owner of the group.
- modified_time - Long - The time in milliseconds since epoch at which the group was last modified.
- child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /asset_model/saved_search_groups/{group_id}
Deletes an asset saved search group.

Deletes an asset saved search group.

Table 257. DELETE /asset_model/saved_search_groups/{group_id} resource details
MIME Type: text/plain

Table 258. DELETE /asset_model/saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 259. DELETE /asset_model/saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
204 | | The asset saved search group was deleted.
404 | 1002 | The asset saved search group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the asset saved search group.

Response Description
Response Sample

GET /asset_model/saved_searches
Get a list of saved searches that can be used.

Get a list of saved searches that can be used or applied against the /asset_model/saved_searches/
{saved_search_id}/results query.
Table 260. GET /asset_model/saved_searches resource details
MIME Type: application/json

Table 261. GET /asset_model/saved_searches request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 262. GET /asset_model/saved_searches response codes

HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of saved searches completed successfully.
500 | 1020 | The server encountered an error while trying to retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name and list of filters that make up this saved search.

Response Sample
[
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /asset_model/saved_searches/{saved_search_id}
Retrieves an asset saved search.

Retrieves an asset saved search.


Table 263. GET /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: application/json

Table 264. GET /asset_model/saved_searches/{saved_search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 265. GET /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The asset saved search was retrieved.
404 | 1002 | The asset saved search does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search.

Response Description

The asset saved search after it is retrieved. An Asset Saved Search object contains the following fields:
- id - Long - The ID of the asset saved search.
- name - String - The name of the asset saved search.
- owner - String - The owner of the asset saved search.
- isShared - Boolean - True if the asset saved search is shared with other users.
- description - String - The description of the asset saved search.
- filters - List of Strings - The asset saved search filters.
- columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

POST /asset_model/saved_searches/{saved_search_id}
Updates the asset saved search owner only.

Updates the asset saved search owner only.

6 REST API V9.0 References 145


Table 266. POST /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: application/json

Table 267. POST /asset_model/saved_searches/{saved_search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 268. POST /asset_model/saved_searches/{saved_search_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "columns": [ { "name": "String", "type": "String" } ], "description": "String", "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "is_shared": true, "name": "String", "owner": "String" }

Table 269. POST /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The asset saved search was updated.
403 | 1009 | You do not have the required capabilities to update the asset saved search.
404 | 1002 | The asset saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the asset saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the asset saved search.

Response Description

The asset saved search after it is updated. An Asset Saved Search object contains the following fields:
- id - Long - The ID of the asset saved search.
- name - String - The name of the asset saved search.
- owner - String - The owner of the asset saved search.
- isShared - Boolean - True if the asset saved search is shared with other users.
- description - String - The description of the asset saved search.
- filters - List of Strings - The asset saved search filters.
- columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

DELETE /asset_model/saved_searches/{saved_search_id}
Deletes an asset saved search.

Deletes an asset saved search.


Table 270. DELETE /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: text/plain

Table 271. DELETE /asset_model/saved_searches/{saved_search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null

Table 272. DELETE /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response Code | Unique Code | Description
204 | | The asset saved search was deleted.
403 | 1009 | You do not have the required capabilities to delete the asset saved search.
404 | 1002 | The asset saved search does not exist.
500 | 1020 | An error occurred during the attempt to delete the asset saved search.

Response Description

Response Sample

GET /asset_model/saved_searches/{saved_search_id}/results
Retrieves a list of assets based on the results of an asset saved search.
Table 273. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type: application/json

Table 274. GET /asset_model/saved_searches/{saved_search_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | String | text/plain | Unique identifier of the saved search used to retrieve assets.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 275. GET /asset_model/saved_searches/{saved_search_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The request to retrieve assets completed successfully.
422 | 1005 | The unique identifier of the saved search provided was invalid.
500 | 1003 | The server encountered an error executing the saved search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"
}
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V9.0 authentication endpoints.

POST /auth/logout
Invoke this method as an authorized user and your session will be invalidated.
Table 276. POST /auth/logout resource details
MIME Type: text/plain

There are no parameters for this endpoint.

Table 277. POST /auth/logout response codes
HTTP Response Code | Unique Code | Description
200 | | The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V9.0 configuration endpoints.

GET /config/access/tenant_management/tenants
Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 278. GET /config/access/tenant_management/tenants resource details
MIME Type: application/json

Table 279. GET /config/access/tenant_management/tenants request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 280. GET /config/access/tenant_management/tenants response codes

HTTP Response Code | Unique Code | Description
200 | | The tenant list was successfully retrieved.
500 | 1020 | An error occurred while the tenant list was being retrieved.

Response Description

A list of all the tenants.

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

POST /config/access/tenant_management/tenants
Create a new tenant.
Table 281. POST /config/access/tenant_management/tenants resource details
MIME Type: application/json

Table 282. POST /config/access/tenant_management/tenants request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 283. POST /config/access/tenant_management/tenants request body details

Parameter | Data Type | MIME Type | Description | Sample
tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 284. POST /config/access/tenant_management/tenants response codes

HTTP Response Code | Unique Code | Description
201 | | A new tenant was created successfully and the new tenant object was returned.
409 | 1004 | A tenant with the given name already exists.
422 | 1005 | A request parameter is invalid.
500 | 1020 | Failed to create the tenant.

Response Description

The created tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id}
Retrieve a tenant by tenant id.
Table 285. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 286. GET /config/access/tenant_management/tenants/{tenant_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
tenant_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 287. GET /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The tenant was successfully retrieved.
404 | 1002 | No tenant was found for the provided tenant id.
500 | 1020 | An error occurred while the tenant was being retrieved.

Response Description

The associated tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id}
Update a tenant
Table 288. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

152 QRadar API Reference Guide


Table 289. POST /config/access/tenant_management/tenants/{tenant_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
tenant_id | path | Required | Number (Integer) | text/plain | Required - Integer - the tenant id to modify
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 290. POST /config/access/tenant_management/tenants/{tenant_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 291. POST /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response Code | Unique Code | Description
200 | | A tenant profile that was updated successfully and returned the updated tenant object.
404 | 1002 | The tenant profile does not exist.
409 | 1004 | A tenant with the given name already exists.
422 | 1005 | A request parameter is invalid.
500 | 1020 | Failed to retrieve/update the given tenant profile.

Response Description
The updated tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
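The create and update endpoints above differ only in their path and success code, and a client that provisions tenants usually wants one idempotent "make sure this tenant exists with these limits" operation built from both. The following is an added example, not code from the QRadar API Guide or the product: it creates the tenant, and when the server answers HTTP 409 with unique code 1004 (Tables 284 and 291) it looks the existing tenant up by name and updates it instead. `send` is a hypothetical transport callable so the logic runs offline against the constructed `FakeTenantStore`; it is an assumption that error bodies expose the unique code in a `code` field and that a GET on the collection path lists tenants for client-side matching.

```python
"""Create-or-update a tenant with POST /config/access/tenant_management/tenants
and POST /config/access/tenant_management/tenants/{tenant_id}."""
from typing import Callable, Dict, Optional, Tuple

TENANTS = "/api/config/access/tenant_management/tenants"

# Hypothetical transport: send(method, path, json_body) -> (http_status, decoded_body)
SendFn = Callable[[str, str, Optional[dict]], Tuple[int, object]]

CODE_NAME_EXISTS = 1004   # Tables 284 and 291: HTTP 409, duplicate tenant name
CODE_BAD_PARAM = 1005     # Tables 284 and 291: HTTP 422, invalid request parameter


def tenant_body(name: str, eps: int, fpm: int, description: str = "") -> dict:
    """Build the request body from Table 283 (rate limits in eps and fpm)."""
    if not name.strip():
        raise ValueError("tenant name is required")
    if eps < 0 or fpm < 0:
        raise ValueError("rate limits must be non-negative")
    return {"name": name, "event_rate_limit": eps,
            "flow_rate_limit": fpm, "description": description}


def _unique_code(resp: object) -> Optional[int]:
    # Assumption: error bodies carry the table's Unique Code in a "code" field.
    return resp.get("code") if isinstance(resp, dict) else None


def upsert_tenant(send: SendFn, name: str, eps: int, fpm: int,
                  description: str = "") -> dict:
    """Create the tenant; if the name is taken (409/1004), update the existing one."""
    body = tenant_body(name, eps, fpm, description)
    status, resp = send("POST", TENANTS, body)
    if status == 201:
        return resp
    if status == 422 and _unique_code(resp) == CODE_BAD_PARAM:
        raise ValueError(f"tenant body rejected: {resp}")
    if not (status == 409 and _unique_code(resp) == CODE_NAME_EXISTS):
        raise RuntimeError(f"POST {TENANTS} failed: HTTP {status} {resp}")

    # Name already exists: find the live (not soft-deleted) tenant carrying it and
    # update it in place. Assumption: GET on the collection path lists tenants.
    status, tenants = send("GET", TENANTS, None)
    if status != 200 or not isinstance(tenants, list):
        raise RuntimeError(f"GET {TENANTS} failed: HTTP {status}")
    match = next((t for t in tenants
                  if t.get("name") == name and not t.get("deleted")), None)
    if match is None:
        raise RuntimeError("409/1004 reported a duplicate name but no live tenant carries it")
    status, resp = send("POST", f"{TENANTS}/{match['id']}", body)
    if status != 200:
        raise RuntimeError(f"update of tenant {match['id']} failed: HTTP {status} {resp}")
    return resp


class FakeTenantStore:
    """Constructed in-memory stand-in for the tenant endpoints (offline use only)."""

    def __init__(self) -> None:
        self.rows: Dict[int, dict] = {}
        self.next_id = 1

    def send(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, object]:
        if method == "GET" and path == TENANTS:
            return 200, list(self.rows.values())
        if method == "POST" and path == TENANTS:
            if any(r["name"] == body["name"] and not r["deleted"] for r in self.rows.values()):
                return 409, {"code": CODE_NAME_EXISTS,
                             "message": "A tenant with the given name already exists."}
            row = dict(body, id=self.next_id, deleted=False)
            self.rows[row["id"]] = row
            self.next_id += 1
            return 201, row
        if method == "POST" and path.startswith(TENANTS + "/"):
            tid = int(path.rsplit("/", 1)[1])
            if tid not in self.rows:
                return 404, {"code": 1002, "message": "The tenant profile does not exist."}
            self.rows[tid].update(body)
            return 200, self.rows[tid]
        return 404, {"code": 1002}


if __name__ == "__main__":
    store = FakeTenantStore()
    print(upsert_tenant(store.send, "Tenant A", 5000, 100000, "first pass"))
    print(upsert_tenant(store.send, "Tenant A", 8000, 100000, "raised eps"))
```

Matching on both the name and `deleted == false` matters because the DELETE endpoint below performs a soft delete: a soft-deleted row may still carry the name, but it is not the tenant the 409 refers to.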

DELETE /config/access/tenant_management/tenants/{tenant_id}
Delete a tenant.

Deletes a tenant by tenant ID.


Table 292. DELETE /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 293. DELETE /config/access/tenant_management/tenants/{tenant_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
tenant_id | path | Required | Number (Integer) | text/plain | Required - String - id associated with a tenant

Table 294. DELETE /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The tenant was deleted successfully (soft delete).
404 | 1002 | The tenant does not exist.
500 | 1020 | An error occurred while deleting the tenant.

Response Description

The deleted tenant object with its deleted parameter set to true.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/user_dependent_tasks/{task_id}
Retrieves the dependent user task status.

Table 295. GET /config/access/user_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 296. GET /config/access/user_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 297. GET /config/access/user_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status was retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status.

Response Description
A Dependent Task Status object and the location header set to the task status url "/api/config/access/user_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested to cancel the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. Value is null until task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state the sub-task is in.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE

"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

POST /config/access/user_dependent_tasks/{task_id}
Cancels a dependent user task.

Table 298. POST /config/access/user_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 299. POST /config/access/user_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 300. POST /config/access/user_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 301. POST /config/access/user_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Dependent Task Status was retrieved.
404 | 1002 | The Dependent Task Status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/config/access/user_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state that the task is in.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested to cancel the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state the sub-task is in.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,

"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

GET /config/access/user_dependent_tasks/{task_id}/results
Retrieves the user dependent task results.

Table 302. GET /config/access/user_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 303. GET /config/access/user_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 304. GET /config/access/user_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The User Dependents were retrieved.
404 | 1002 | The Dependent Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Users.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
- dependent_id - String - The ID of the dependent resource.
- dependent_name - String - The name of the dependent resource (default resources can have localized names).
- dependent_owner - String - The owner of the dependent resource.
- dependent_type - String - The type of the dependent resource.
- dependent_database - String - The database of the dependent resource.
- dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
- user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SA
"user_has_edit_permissions": true
}
]

GET /config/access/users
Retrieves a list of deployed users.

Table 305. GET /config/access/users resource details
MIME Type
application/json

Table 306. GET /config/access/users request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 307. GET /config/access/users response codes

HTTP Response Code | Unique Code | Description
200 | | The users were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the Users.

Response Description
An array of User objects. A User object contains the following fields:
- id - Long - The ID of the user.
- name - String - The name of the user.

Response Sample
[
{
"id": 42,
"username": "String"
}
]
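Listing endpoints such as GET /config/access/users accept the `fields` query parameter and the `Range` header described in Table 306, and a client that wants every user has to walk the zero-indexed list page by page. The block below is an added example, not code from the QRadar API Guide: it builds the Range value for each page, requests only the fields it needs, and stops at the first short page. `fetch` is a hypothetical callable the caller injects so the loop runs offline; the `items=<first>-<last>` header form with inclusive zero-based indices and "a short page is the last page" are both assumptions of this example.

```python
"""Page through GET /config/access/users with the Range header and the
fields query parameter; added example, not the guide's code."""
from typing import Callable, Dict, Iterator, List, Tuple

USERS_PATH = "/api/config/access/users"

# Hypothetical transport: fetch(path, query_params, headers) -> (status, decoded_json)
FetchFn = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, object]]


def range_header(offset: int, page_size: int) -> str:
    """Range value for one page; assumed form is items=<first>-<last>, inclusive, zero-based."""
    if offset < 0 or page_size < 1:
        raise ValueError("offset must be >= 0 and page_size >= 1")
    return f"items={offset}-{offset + page_size - 1}"


def iter_users(fetch: FetchFn, page_size: int = 50,
               fields: str = "id,username") -> Iterator[dict]:
    """Yield User objects page by page until a page shorter than page_size comes back.

    Only the named fields are requested, which keeps payloads small; the
    response sample on this page carries id and username.
    """
    offset = 0
    while True:
        status, body = fetch(USERS_PATH, {"fields": fields},
                             {"Range": range_header(offset, page_size)})
        if status != 200:
            # Table 307: 500 / unique code 1020 is the documented failure.
            raise RuntimeError(f"GET {USERS_PATH} returned HTTP {status}")
        if not isinstance(body, list):
            raise RuntimeError("expected a JSON array of User objects")
        for user in body:
            yield user
        if len(body) < page_size:
            return
        offset += page_size


def make_fake_fetch(users: List[dict]) -> FetchFn:
    """Constructed in-memory stand-in for the endpoint (offline use only)."""
    calls: List[str] = []

    def fetch(path: str, params: Dict[str, str], headers: Dict[str, str]):
        calls.append(headers["Range"])
        first, last = headers["Range"][len("items="):].split("-")
        page = users[int(first):int(last) + 1]
        wanted = params["fields"].split(",")
        return 200, [{k: u[k] for k in wanted if k in u} for u in page]

    fetch.calls = calls  # type: ignore[attr-defined]
    return fetch


def collect_usernames(total_users: int, page_size: int) -> List[str]:
    """Run the paging loop over constructed users and return the usernames seen."""
    users = [{"id": i, "username": f"user{i}", "extra": "not requested"}
             for i in range(1, total_users + 1)]
    return [u["username"] for u in iter_users(make_fake_fetch(users), page_size)]


if __name__ == "__main__":
    print(collect_usernames(7, 3))  # seven names fetched over three Range requests
```

The stop condition is deliberately the page length rather than an error: asking for a range past the end of the list is not one of the documented failure codes in Table 307, so the loop treats an empty or short page as the end of data and never relies on a 4xx to terminate.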

GET /config/access/users/{id}/dependents
Retrieves the objects that depend on the user.

Table 308. GET /config/access/users/{id}/dependents resource details
MIME Type
application/json

Table 309. GET /config/access/users/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 310. GET /config/access/users/{id}/dependents response codes

HTTP Response Code | Unique Code | Description
202 | | The User dependents retrieval was accepted and is in progress.
404 | 1002 | The User does not exist.
500 | 1020 | An error occurred during the attempt to initiate the User dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/config/access/user_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested cancellation of the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. Value is null until task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
  - message - String - The localized sub-task status message.
  - status - String - The current state of the sub-task.
  - sub_task_type - String - The type of the sub-task.
  - maximum - Long - The maximum number of objects to check for dependency.
  - progress - Long - The number of objects checked for dependency.
  - created - Long - The time in milliseconds since epoch since the sub-task was created.
  - started - Long - The time in milliseconds since epoch since the sub-task was started.
  - modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  - completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,

"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}
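GET /config/access/users/{id}/dependents is asynchronous: it answers 202 with a Location header naming the task, the caller polls GET /config/access/user_dependent_tasks/{task_id} until the status is terminal, and only then reads GET /config/access/user_dependent_tasks/{task_id}/results. The block below drives that whole exchange and is an added example, not code from the QRadar API Guide or the product. `FakeQRadar` is a constructed stand-in for the three endpoints so the flow runs offline; the terminal-state set is taken from the status enum in the response samples, and treating every terminal state other than COMPLETED as a failure is this example's own choice.

```python
"""Asynchronous user-dependents workflow, driven end to end (added example)."""
from typing import Dict, List, Tuple

# States that will not change any more, from the status enum in the response
# samples; which of them count as failure is this example's choice.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
TASKS = "/api/config/access/user_dependent_tasks"


class TaskFailed(RuntimeError):
    """The dependency scan did not end in COMPLETED."""


class FakeQRadar:
    """Constructed stand-in for the three endpoints the workflow touches (offline only)."""

    def __init__(self, user_ids: set, results: List[dict], polls_to_finish: int = 2):
        self.user_ids, self.results = user_ids, results
        self.polls_to_finish, self.polls = polls_to_finish, 0

    def get(self, path: str) -> Tuple[int, Dict[str, str], object]:
        parts = path.strip("/").split("/")
        if parts[-1] == "dependents" and parts[-3] == "users":
            # GET /config/access/users/{id}/dependents: 202 plus Location (Table 310)
            if int(parts[-2]) not in self.user_ids:
                return 404, {}, {"code": 1002, "message": "The User does not exist."}
            return 202, {"Location": f"{TASKS}/7"}, {"id": 7, "status": "QUEUED"}
        if parts[-1] == "results" and parts[-3] == "user_dependent_tasks":
            # GET /config/access/user_dependent_tasks/{task_id}/results (Table 304)
            return 200, {}, self.results
        if parts[-2] == "user_dependent_tasks":
            # GET /config/access/user_dependent_tasks/{task_id} (Table 297)
            self.polls += 1
            done = self.polls >= self.polls_to_finish
            return 200, {}, {"id": 7, "status": "COMPLETED" if done else "PROCESSING",
                             "number_of_dependents": len(self.results) if done else None}
        return 404, {}, {"code": 1002}


def find_user_dependents(api: FakeQRadar, user_id: int, max_polls: int = 20) -> List[dict]:
    """Start the scan, poll its status until terminal, then return the Dependent list."""
    status, headers, body = api.get(f"/api/config/access/users/{user_id}/dependents")
    if status != 202:
        raise TaskFailed(f"dependents request rejected: HTTP {status} {body}")
    task_url = headers.get("Location") or f"{TASKS}/{body['id']}"

    task: dict = {}
    for _ in range(max_polls):
        status, _, task = api.get(task_url)
        if status != 200:
            raise TaskFailed(f"task status lookup failed: HTTP {status} {task}")
        if task["status"] in TERMINAL:
            break
    else:
        raise TaskFailed(f"task still {task.get('status')} after {max_polls} polls")
    if task["status"] != "COMPLETED":
        raise TaskFailed(f"task ended in state {task['status']}")

    status, _, results = api.get(f"{task_url}/results")
    if status != 200 or not isinstance(results, list):
        raise TaskFailed(f"results lookup failed: HTTP {status}")
    return results


def uneditable_dependents(results: List[dict]) -> List[str]:
    """Names of dependents the task creator has no permission to edit."""
    return [d["dependent_name"] for d in results if not d.get("user_has_edit_permissions")]


def demo() -> Tuple[int, List[str]]:
    """Run the workflow over constructed data; returns (polls made, uneditable names)."""
    results = [  # constructed Dependent objects in the shape of the response sample
        {"dependent_id": "11", "dependent_name": "Failed logins by host",
         "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "EVENTS",
         "dependent_owner": "analyst1", "user_has_edit_permissions": True},
        {"dependent_id": "12", "dependent_name": "Weekly offense summary",
         "dependent_type": "OFFENSE_SAVED_SEARCH", "dependent_database": "EVENTS",
         "dependent_owner": "analyst1", "user_has_edit_permissions": False},
    ]
    api = FakeQRadar(user_ids={42}, results=results, polls_to_finish=3)
    found = find_user_dependents(api, 42)
    return api.polls, uneditable_dependents(found)


if __name__ == "__main__":
    print(demo())  # (3, ['Weekly offense summary'])
```

Against a live system the poll loop would sleep between iterations; the bounded `max_polls` is there so a task stuck in PROCESSING or PAUSED cannot hang the caller. Listing the dependents whose `user_has_edit_permissions` is false is the review step an administrator wants before removing a user, since those are resources the requester cannot reassign or fix up on their own.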

GET /config/access/users/{id}
Retrieves a deployed user.

Table 311. GET /config/access/users/{id} resource details
MIME Type
application/json

Table 312. GET /config/access/users/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 313. GET /config/access/users/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The user was retrieved.
404 | 1002 | The User does not exist.
500 | 1020 | An error occurred while attempting to retrieve the User.

Response Description

The User after it is retrieved. A User object contains the following fields:
- id - Long - The ID of the user.
- name - String - The name of the user.

Response Sample
{
"id": 42,
"username": "String"
}

GET /config/deployment/hosts
Retrieves a list of all deployed hosts.

Retrieves the list of all deployed hosts.

Table 314. GET /config/deployment/hosts resource details
MIME Type
application/json

Table 315. GET /config/deployment/hosts request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 316. GET /config/deployment/hosts response codes

HTTP Response Code | Unique Code | Description
200 | | The host list was successfully retrieved.
500 | 1001 | An error occurred during the attempt to retrieve the host list.

Response Description

A list of all the hosts. Each Host object has the following fields:
- id - The ID of this managed host.
- hostname - The host name of this managed host.
- private_ip - The private IP of this managed host.
- public_ip - The public IP of this managed host.
- appliance - An object that represents the appliance type ID and description of this managed host.
- version - The installed version on this managed host.
- status - The status of this managed host.
- eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
- eps_allocation - The allocated eps rate of this managed host.
- average_eps - The average eps rate of this managed host over the previous month.
- peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
- fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
- fpm_allocation - The allocated fpm rate of this managed host.
- average_fpm - The average fpm rate of this managed host over the previous month.
- peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
- primary_server_id - The ID for the primary server host for this managed host.
- secondary_server_id - If configured, the ID for the secondary server host for this managed host.
- license_serial_number - The serial number that is associated with this managed host's license.
- components - A list of components that are associated with this managed host.
- compression_enabled - Whether or not compression is enabled for this managed host.
- encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,

"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /config/deployment/hosts/{id}
Retrieves a deployed host by ID.

Table 317. GET /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 318. GET /config/deployment/hosts/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the deployed host to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 319. GET /config/deployment/hosts/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The host was successfully retrieved.
404 | 1002 | No such host is deployed for the given ID.
422 | 1003 | The provided ID was a negative number or zero.
500 | 1004 | An error occurred during the retrieval of the host.

Response Description

The associated deployed host object. The Host object has the following fields:
- id - The ID of this managed host.
- hostname - The host name of this managed host.
- private_ip - The private IP of this managed host.
- public_ip - The public IP of this managed host.
- appliance - An object that represents the appliance type ID and description of this managed host.
- version - The installed version on this managed host.
- status - The status of this managed host.
- eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
- eps_allocation - The allocated eps rate of this managed host.
- average_eps - The average eps rate of this managed host over the previous month.
- peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
- fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
- fpm_allocation - The allocated fpm rate of this managed host.
- average_fpm - The average fpm rate of this managed host over the previous month.
- peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
- primary_server_id - The ID for the primary server host for this managed host.
- secondary_server_id - If configured, the ID for the secondary server host for this managed host.
- license_serial_number - The serial number that is associated with this managed host's license.
- components - A list of components that are associated with this managed host.
- compression_enabled - Whether or not compression is enabled for this managed host.
- encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,

qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

POST /config/deployment/hosts/{id}
Updates a host by ID and sends a JMS message to update the pipeline.

Updates a host by the given ID.


Table 320. POST /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 321. POST /config/deployment/hosts/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the staged host to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 322. POST /config/deployment/hosts/{id} request body details

Parameter | Data Type | MIME Type | Description | Sample
host | Object | application/json | Required - The host values to be updated. At the moment, the only writable properties are eps_allocation and fpm_allocation. | { "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS, ADD_FAILED_QVMPROCESSOR_ALREADY_EXISTS>", "version": "String" }

Table 323. POST /config/deployment/hosts/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The host was successfully updated.
404 | 1010 | Could not find the host to update.
417 | 1011 | EPS values are expected to be a multiple of the set EPS block. By default the block size is 500.
417 | 1012 | FPM values are expected to be a multiple of the set FPM block. By default the block size is 10000.
417 | 1013 | The EPS value given does not meet the minimum required EPS 200.
417 | 1014 | The FPM value given does not meet the minimum required FPM 200.
417 | 1016 | Can't change EPS/FPM values for a host with a serialized license.
417 | 1017 | EPS value exceeds hardware limit.
417 | 1018 | FPM value exceeds hardware limit.
417 | 1019 | EPS value is greater than that available in the license pool.
417 | 1020 | FPM value is greater than that available in the license pool.
422 | 1009 | null
500 | 1021 | null
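Table 323 spells out every reason the server rejects an EPS/FPM change with HTTP 417, and a client that re-licenses hosts in bulk is better off checking those rules before it sends anything than parsing 417 bodies afterwards. The block below is an added example, not code from the QRadar API Guide or the product: it reproduces the table's rules client-side and returns the unique codes the server would answer with. The block sizes and minimums are the defaults stated in the table; `HostView` is a hypothetical subset of the Host object returned by GET /config/deployment/hosts/{id}, `LicensePool` is a constructed view of unallocated capacity, and comparing the pool against the increase over the current allocation is this example's assumption about how the pool is counted.

```python
"""Pre-flight check for the body sent to POST /config/deployment/hosts/{id}
(added example, not the guide's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EPS_BLOCK, FPM_BLOCK = 500, 10000   # default block sizes from Table 323 (codes 1011/1012)
MIN_EPS, MIN_FPM = 200, 200         # minimums from Table 323 (codes 1013/1014)


@dataclass(frozen=True)
class HostView:
    """Hypothetical subset of the Host object from GET /config/deployment/hosts/{id}."""
    id: int
    eps_allocation: int
    fpm_allocation: int
    eps_rate_hardware_limit: int
    fpm_rate_hardware_limit: int
    license_serial_number: Optional[str]   # non-null: serialized license (code 1016)


@dataclass(frozen=True)
class LicensePool:
    """Constructed view of EPS/FPM still unallocated across the deployment."""
    eps_available: int
    fpm_available: int


def check_allocation(host: HostView, pool: LicensePool,
                     eps: int, fpm: int) -> List[Tuple[int, str]]:
    """Return the (unique_code, message) pairs Table 323 says the server would send.

    An empty list means the update passes every documented rule. The pool is
    compared against the increase over the current allocation (assumption).
    """
    problems: List[Tuple[int, str]] = []
    if host.license_serial_number and (eps != host.eps_allocation or fpm != host.fpm_allocation):
        problems.append((1016, "Can't change EPS/FPM values for a host with a serialized license."))
        return problems  # nothing else can be fixed by choosing different numbers
    if eps % EPS_BLOCK:
        problems.append((1011, f"EPS values are expected to be a multiple of {EPS_BLOCK}."))
    if fpm % FPM_BLOCK:
        problems.append((1012, f"FPM values are expected to be a multiple of {FPM_BLOCK}."))
    if eps < MIN_EPS:
        problems.append((1013, f"The EPS value given does not meet the minimum required EPS {MIN_EPS}."))
    if fpm < MIN_FPM:
        problems.append((1014, f"The FPM value given does not meet the minimum required FPM {MIN_FPM}."))
    if eps > host.eps_rate_hardware_limit:
        problems.append((1017, "EPS value exceeds hardware limit."))
    if fpm > host.fpm_rate_hardware_limit:
        problems.append((1018, "FPM value exceeds hardware limit."))
    if eps - host.eps_allocation > pool.eps_available:
        problems.append((1019, "EPS value is greater than that available in the license pool."))
    if fpm - host.fpm_allocation > pool.fpm_available:
        problems.append((1020, "FPM value is greater than that available in the license pool."))
    return problems


def build_update_body(host: HostView, pool: LicensePool, eps: int, fpm: int) -> dict:
    """Minimal request body for POST /config/deployment/hosts/{id}, or ValueError.

    Only eps_allocation and fpm_allocation are writable (Table 322), so nothing
    else from the Host object is echoed back.
    """
    problems = check_allocation(host, pool, eps, fpm)
    if problems:
        raise ValueError("; ".join(f"{code}: {msg}" for code, msg in problems))
    return {"eps_allocation": eps, "fpm_allocation": fpm}


if __name__ == "__main__":
    # Constructed host and pool figures for a stand-alone run.
    host = HostView(id=3, eps_allocation=1000, fpm_allocation=20000,
                    eps_rate_hardware_limit=5000, fpm_rate_hardware_limit=100000,
                    license_serial_number=None)
    pool = LicensePool(eps_available=2000, fpm_available=50000)
    print(build_update_body(host, pool, 2500, 30000))
    print(check_allocation(host, pool, 6000, 30000))  # hardware limit and pool both exceeded
```

Sending only the two writable properties also avoids a class of silent mistakes: a body copied from the GET response carries `status`, `license_serial_number` and similar read-only fields, and a client that edits one of those by accident gets no error for it, because the server ignores them.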

Response Description

The updated host object. The host object has the following fields:
- id - The ID of this managed host.
- hostname - The host name of this managed host.
- private_ip - The private IP of this managed host.
- public_ip - The public IP of this managed host.
- appliance - An object that represents the appliance type ID and description of this managed host.
- version - The installed version on this managed host.
- status - The status of this managed host.
- eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
- eps_allocation - The allocated eps rate of this managed host.
- average_eps - The average eps rate of this managed host over the previous month.
- peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
- fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
- fpm_allocation - The allocated fpm rate of this managed host.
- average_fpm - The average fpm rate of this managed host over the previous month.
- peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
- primary_server_id - The ID for the primary server host for this managed host.
- secondary_server_id - If configured, the ID for the secondary server host for this managed host.
- license_serial_number - The serial number associated with this managed host's license.
- components - A list of components that are associated with this managed host.
- compression_enabled - Whether or not compression is enabled for this managed host.
- encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
  {
    "appliance": {
      "id": "String",
      "type": "String"
    },
    "average_eps": 42,
    "average_fpm": 42,
    "components": [
      "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>"
    ],
    "compression_enabled": true,
    "encryption_enabled": true,
    "eps_allocation": 42,
    "eps_rate_hardware_limit": 42,
    "fpm_allocation": 42,
    "fpm_rate_hardware_limit": 42,
    "hostname": "String",
    "id": 42,
    "license_serial_number": "String",
    "peak_eps": 42,
    "peak_fpm": 42,
    "primary_server_id": 42,
    "private_ip": "String",
    "public_ip": "String",
    "secondary_server_id": 42,
    "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS>",
    "version": "String"
  }
]

GET /config/deployment/license_pool
Retrieves the deployed license pool information.


Table 324. GET /config/deployment/license_pool resource details
MIME Type
application/json



Table 325. GET /config/deployment/license_pool request parameter details

Parameter   Type    Optionality   Data Type   MIME Type    Description
fields      query   Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 326. GET /config/deployment/license_pool response codes

HTTP Response Code   Unique Code   Description
200                                The license pool was successfully retrieved.
500                  1001          An error occurred during the retrieval of the license pool.

Response Description

The deployed license pool information.


v eps(allocated) - The amount of EPS rate allocated from the pool.
v eps(overallocated) - Whether EPS is overallocated or not in the pool.
v eps(total) - The total EPS rate available in the pool.
v fpm(allocated) - The amount of FPM rate allocated from the pool.
v fpm(overallocated) - Whether FPM is overallocated or not in the pool.
v fpm(total) - The total FPM rate available in the pool.

Response Sample
{
  "eps": {
    "allocated": 42,
    "overallocated": true,
    "total": 42
  },
  "fpm": {
    "allocated": 42,
    "overallocated": true,
    "total": 42
  }
}
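The Table 323 allocation rules, checked locally against the host object and the license pool before a POST /config/deployment/hosts/{id} call, as an added Python example that is not part of this guide or of QRadar's sample code. The host and pool dictionaries are constructed test data shaped like the two responses above, the block sizes and minimums are the defaults stated in Table 323, and the pool-headroom calculation is our assumption.

```python
"""Preflight check for EPS/FPM changes sent to POST /config/deployment/hosts/{id}.

Added example, not part of the QRadar documentation or its sample code. It
re-implements the allocation rules from Table 323 locally, reading the same
fields that GET /config/deployment/hosts/{id} and
GET /config/deployment/license_pool return, so an automation script can
reject a bad allocation before the request reaches the console.
"""
from dataclasses import dataclass
from typing import Dict, List

EPS_BLOCK = 500     # default EPS block size (unique code 1011)
FPM_BLOCK = 10000   # default FPM block size (unique code 1012)
MIN_EPS = 200       # minimum EPS (unique code 1013)
MIN_FPM = 200       # minimum FPM (unique code 1014)

# Constructed sample data shaped like the documented response objects.
SAMPLE_HOST = {
    "id": 53,
    "hostname": "ep1.example.internal",
    "eps_rate_hardware_limit": 5000,
    "eps_allocation": 2500,
    "fpm_rate_hardware_limit": 100000,
    "fpm_allocation": 50000,
    "license_serial_number": None,
}
SAMPLE_POOL = {
    "eps": {"allocated": 9000, "overallocated": False, "total": 10000},
    "fpm": {"allocated": 150000, "overallocated": False, "total": 200000},
}


@dataclass
class Problem:
    """One Table 323 failure the console would report for the change."""
    unique_code: int
    message: str


def check_allocation(host: Dict, pool: Dict, eps: int, fpm: int) -> List[Problem]:
    """Return every Table 323 error code the requested EPS/FPM pair would trigger.

    Pool headroom is computed as total minus allocated, plus what this host
    already holds, on the assumption (ours, not the documentation's) that a
    host's current allocation is released when it is reassigned.
    """
    problems: List[Problem] = []
    if host.get("license_serial_number"):
        # A serialized license pins the host's rates; nothing else is checked.
        return [Problem(1016, "Can't change EPS/FPM values for a host with a serialized license.")]
    if eps % EPS_BLOCK:
        problems.append(Problem(1011, f"EPS must be a multiple of the EPS block ({EPS_BLOCK})."))
    if fpm % FPM_BLOCK:
        problems.append(Problem(1012, f"FPM must be a multiple of the FPM block ({FPM_BLOCK})."))
    if eps < MIN_EPS:
        problems.append(Problem(1013, f"EPS does not meet the minimum required EPS {MIN_EPS}."))
    if fpm < MIN_FPM:
        problems.append(Problem(1014, f"FPM does not meet the minimum required FPM {MIN_FPM}."))
    if eps > host["eps_rate_hardware_limit"]:
        problems.append(Problem(1017, "EPS value exceeds hardware limit."))
    if fpm > host["fpm_rate_hardware_limit"]:
        problems.append(Problem(1018, "FPM value exceeds hardware limit."))
    eps_free = pool["eps"]["total"] - pool["eps"]["allocated"] + host["eps_allocation"]
    fpm_free = pool["fpm"]["total"] - pool["fpm"]["allocated"] + host["fpm_allocation"]
    if eps > eps_free:
        problems.append(Problem(1019, "EPS value is greater than that available in the license pool."))
    if fpm > fpm_free:
        problems.append(Problem(1020, "FPM value is greater than that available in the license pool."))
    return problems


def build_update_body(host: Dict, pool: Dict, eps: int, fpm: int) -> Dict:
    """Return the host object with the new rates applied, or raise on any Table 323 failure.

    The full host object fetched from GET /config/deployment/hosts/{id} is
    copied and only the two rate fields are changed, so nothing else on the
    host is overwritten by accident.
    """
    problems = check_allocation(host, pool, eps, fpm)
    if problems:
        raise ValueError("; ".join(f"{p.unique_code}: {p.message}" for p in problems))
    body = dict(host)
    body.update({"eps_allocation": eps, "fpm_allocation": fpm})
    return body


if __name__ == "__main__":
    for eps, fpm in ((3000, 50000), (4000, 50000), (100, 5000)):
        codes = [p.unique_code for p in check_allocation(SAMPLE_HOST, SAMPLE_POOL, eps, fpm)]
        print(f"eps={eps} fpm={fpm} -> {codes or 'ok'}")
```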

GET /config/domain_management/domains
Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the default domain is returned.
Table 327. GET /config/domain_management/domains resource details
MIME Type
application/json



Table 328. GET /config/domain_management/domains request parameter details

Parameter   Type     Optionality   Data Type   MIME Type    Description
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields      query    Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 329. GET /config/domain_management/domains response codes

HTTP Response Code   Unique Code   Description
200                                The domain list has been successfully retrieved.
500                  1020          An error occurred while the domain list was being retrieved.

Response Description

The list of domain objects.

Response Sample
[
  {
    "asset_scanner_ids": [42],
    "custom_properties": [
      {
        "capture_result": "String",
        "id": 42
      }
    ],
    "deleted": true,
    "description": "String",
    "event_collector_ids": [42],
    "flow_collector_ids": [42],
    "flow_source_ids": [42],
    "id": 42,
    "log_source_group_ids": [42],
    "log_source_ids": [42],
    "name": "String",
    "qvm_scanner_ids": [42],
    "tenant_id": 42
  }
]

POST /config/domain_management/domains
Creates a new domain.
Table 330. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 331. POST /config/domain_management/domains request parameter details

Parameter   Type     Optionality   Data Type   MIME Type    Description
fields      header   Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 332. POST /config/domain_management/domains request body details

Parameter   Data Type   MIME Type          Description
domain      Object      application/json   A domain JSON object (its id parameter is ignored).
Sample:
{ "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 333. POST /config/domain_management/domains response codes

HTTP Response Code   Unique Code   Description
201                                The domain has been successfully created.
409                  1004          A domain object parameter already exists.
422                  1005          A domain object parameter is invalid.
500                  1020          An error occurred while the domain was being created.

Response Description

A created domain object.



Response Sample
{
  "asset_scanner_ids": [42],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [42],
  "flow_collector_ids": [42],
  "flow_source_ids": [42],
  "id": 42,
  "log_source_group_ids": [42],
  "log_source_ids": [42],
  "name": "String",
  "qvm_scanner_ids": [42],
  "tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
Retrieves a domain by domain ID.
Table 334. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 335. GET /config/domain_management/domains/{domain_id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
domain_id   path    Required      Number (Integer)   text/plain   The ID of the domain object to retrieve.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 336. GET /config/domain_management/domains/{domain_id} response codes

HTTP Response Code   Unique Code   Description
200                                The domain has been successfully retrieved.
404                  1002          No domain was found for the provided domain id.
500                  1020          An error occurred while the domain was being retrieved.

Response Description

A domain object.

Response Sample
{
  "asset_scanner_ids": [42],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [42],
  "flow_collector_ids": [42],
  "flow_source_ids": [42],
  "id": 42,
  "log_source_group_ids": [42],
  "log_source_ids": [42],
  "name": "String",
  "qvm_scanner_ids": [42],
  "tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
Updates an existing domain.
Table 337. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 338. POST /config/domain_management/domains/{domain_id} request parameter details

Parameter   Type     Optionality   Data Type          MIME Type    Description
domain_id   path     Required      Number (Integer)   text/plain   The ID of the domain object to update.
fields      header   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 339. POST /config/domain_management/domains/{domain_id} request body details

Parameter   Data Type   MIME Type          Description
domain      Object      application/json   A domain JSON object.
Sample:
{ "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 340. POST /config/domain_management/domains/{domain_id} response codes

HTTP Response Code   Unique Code   Description
200                                The domain has been successfully updated.
404                  1002          No domain was found for the provided domain id.
409                  1004          A domain object parameter already exists.
422                  1005          A domain object parameter is invalid.
500                  1020          An error occurred while the domain was being updated.

Response Description

The updated domain object.

Response Sample
{
  "asset_scanner_ids": [42],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [42],
  "flow_collector_ids": [42],
  "flow_source_ids": [42],
  "id": 42,
  "log_source_group_ids": [42],
  "log_source_ids": [42],
  "name": "String",
  "qvm_scanner_ids": [42],
  "tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
Deletes a domain by domain ID.

All domain mappings are also deleted.


Table 341. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 342. DELETE /config/domain_management/domains/{domain_id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
domain_id   path    Required      Number (Integer)   text/plain   The ID of the domain object to delete.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 343. DELETE /config/domain_management/domains/{domain_id} response codes

HTTP Response Code   Unique Code   Description
200                                The domain has been successfully deleted.
404                  1002          No domain was found for the provided domain id.
422                  1005          Default domain cannot be deleted.
500                  1020          An error occurred while the domain was being deleted.

Response Description

The deleted domain object with its parameter deleted set to true.



Response Sample
{
  "asset_scanner_ids": [42],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [42],
  "flow_collector_ids": [42],
  "flow_source_ids": [42],
  "id": 42,
  "log_source_group_ids": [42],
  "log_source_ids": [42],
  "name": "String",
  "qvm_scanner_ids": [42],
  "tenant_id": 42
}

GET /config/event_retention_buckets
Retrieves a list of event retention buckets.


Table 344. GET /config/event_retention_buckets resource details
MIME Type
application/json

Table 345. GET /config/event_retention_buckets request parameter details

Parameter   Type     Optionality   Data Type   MIME Type    Description
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields      query    Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 346. GET /config/event_retention_buckets response codes

HTTP Response Code   Unique Code   Description
200                                The event retention buckets were retrieved.
422                  1010          A request parameter is not valid.
500                  1020          An error occurred during the attempt to retrieve the event retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket was created.
v modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
  {
    "bucket_id": 42,
    "created": 42,
    "database": "String",
    "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
    "description": "String",
    "enabled": true,
    "id": 42,
    "modified": 42,
    "name": "String",
    "period": 42,
    "priority": 42,
    "saved_search_id": "String"
  }
]



GET /config/event_retention_buckets/{id}
Retrieves an event retention bucket.


Table 347. GET /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 348. GET /config/event_retention_buckets/{id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 349. GET /config/event_retention_buckets/{id} response codes

HTTP Response Code   Unique Code   Description
200                                The event retention bucket was retrieved.
404                  1002          The event retention bucket does not exist.
500                  1020          An error occurred during the attempt to retrieve the event retention bucket.

Response Description

The retention bucket after it has been retrieved. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket was created.
v modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.



Response Sample
{
  "bucket_id": 42,
  "created": 42,
  "database": "String",
  "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
  "description": "String",
  "enabled": true,
  "id": 42,
  "modified": 42,
  "name": "String",
  "period": 42,
  "priority": 42,
  "saved_search_id": "String"
}

POST /config/event_retention_buckets/{id}
Updates the event retention bucket owner or enabled/disabled only.


Table 350. POST /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 351. POST /config/event_retention_buckets/{id} request parameter details

Parameter   Type     Optionality   Data Type          MIME Type    Description
id          path     Required      Number (Integer)   text/plain   null
fields      header   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 352. POST /config/event_retention_buckets/{id} request body details

Parameter          Data Type   MIME Type          Description
retention_bucket   Object      application/json   null
Sample:
{ "id": 1, "name": "String", "description": "String", "priority": 1, "period": 1, "deletion": "String", "created": 123123, "modified": 123123, "saved_search_id": "String", "enabled": true }

Table 353. POST /config/event_retention_buckets/{id} response codes

HTTP Response Code   Unique Code   Description
200                                The event retention bucket has been updated.
404                  1002          The event retention bucket does not exist.
409                  1004          The provided user does not have the required capabilities to own the event retention bucket.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to update the event retention bucket.

Response Description
The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket was created.
v modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
  "bucket_id": 42,
  "created": 42,
  "database": "String",
  "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
  "description": "String",
  "enabled": true,
  "id": 42,
  "modified": 42,
  "name": "String",
  "period": 42,
  "priority": 42,
  "saved_search_id": "String"
}

DELETE /config/event_retention_buckets/{id}
Deletes an event retention bucket.


Table 354. DELETE /config/event_retention_buckets/{id} resource details
MIME Type
text/plain

Table 355. DELETE /config/event_retention_buckets/{id} request parameter details

Parameter   Type   Optionality   Data Type          MIME Type    Description
id          path   Required      Number (Integer)   text/plain   null



Table 356. DELETE /config/event_retention_buckets/{id} response codes

HTTP Response Code   Unique Code   Description
204                                The Event Retention Bucket was deleted.
403                  1009          You do not have the proper capabilities to delete the event retention bucket.
404                  1002          The Event Retention Bucket does not exist.
500                  1020          An error occurred during the attempt to delete the event retention bucket.

Response Description

Response Sample

DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}
Deletes the event calculated property. To ensure safe deletion, a dependency check is carried out. This check might take some time, so an asynchronous task is started for it.

Table 357. DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json

Table 358. DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details

Parameter                Type    Optionality   Data Type          MIME Type    Description
calculated_property_id   path    Required      Number (Integer)   text/plain   Required - String - The ID of the event calculated property to delete.
fields                   query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 359. DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} response codes

HTTP Response Code   Unique Code   Description
202                                The calculated event property deletion task was accepted and is in progress.
403                  1009          The requested delete action is unauthorized.
404                  1002          The requested calculated event property cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to delete a calculated event property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
}

GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents
Retrieves the objects that depend on the event calculated property.


Table 360. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents resource details
MIME Type
application/json



Table 361. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents request parameter details

Parameter                Type    Optionality   Data Type          MIME Type    Description
calculated_property_id   path    Required      Number (Integer)   text/plain   Required - The ID of the event calculated property to get the dependents for.
fields                   query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 362. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents response codes

HTTP Response Code   Unique Code   Description
202                                The calculated event property dependents retrieval was accepted and is in progress.
403                  1009          The user does not have the required authorization to start the task for finding dependents of calculated event property.
404                  1002          The requested calculated event property cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to initiate the calculated event property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
    }
  ]
}
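Following the 202 Accepted responses of the two task-based endpoints above (the calculated property delete task and the dependents task) until the task reaches a final state, as an added Python example that is not QRadar's own code. HTTP is abstracted behind a get(url) callable, FakeConsole is a constructed stand-in for the console, and only the task states visible in the truncated status enum above are treated as final.

```python
"""Follow the 202 Accepted responses of the calculated-property task endpoints.

Added example, not QRadar's own code. DELETE .../calculated_properties/{id}
and GET .../calculated_properties/{id}/dependents both answer 202 with a
task status object plus a Location header naming the task status URL; the
caller has to poll that URL until the task reaches a final state. HTTP is
abstracted behind a get(url) -> (status_code, headers, body) callable so
the logic runs offline against the constructed FakeConsole below.
"""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], Dict]
Get = Callable[[str], Response]

# Final states visible in the documented status enum (the list is truncated
# on the page, so any state not listed here is treated as still running).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION"}
# Both documented task status URLs end in .../calculated_property_<kind>_tasks/{task_id}.
TASK_URL_RE = re.compile(r"/calculated_property_(delete|dependents)_tasks/(\d+)$")


class TaskFailed(RuntimeError):
    """The task ended in a non-COMPLETED state or could not be followed."""


def parse_task_location(location: str) -> Tuple[str, int]:
    """Return (task kind, task_id) from a documented task status URL."""
    m = TASK_URL_RE.search(location)
    if not m:
        raise ValueError(f"unrecognised task status URL: {location!r}")
    return m.group(1), int(m.group(2))


def wait_for_task(get: Get, accepted: Response, max_polls: int = 50) -> Dict:
    """Poll the Location URL of a 202 response until the task is final.

    Returns the final task status object and raises TaskFailed for any other
    outcome. The poll count is bounded so a task stuck in CANCELING, or in a
    state this script does not know, cannot hang an automation job.
    """
    code, headers, status = accepted
    if code != 202:
        raise TaskFailed(f"expected 202 Accepted, got {code}: {status}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise TaskFailed("202 response carried no Location header")
    parse_task_location(location)  # fail fast on an unexpected URL shape
    for _ in range(max_polls):
        if status.get("status") in TERMINAL_STATES:
            break
        code, _, status = get(location)
        if code != 200:
            raise TaskFailed(f"task status poll returned HTTP {code}")
    else:
        raise TaskFailed(f"task did not finish within {max_polls} polls")
    if status["status"] != "COMPLETED":
        raise TaskFailed(f"task {status.get('id')} ended in {status['status']}: {status.get('message')}")
    return status


def dependents_by_subtask(status: Dict) -> Dict[str, int]:
    """Summarise a completed dependents task as {task_sub_type: number_of_dependents}."""
    return {c["task_sub_type"]: c.get("number_of_dependents") or 0
            for c in status.get("task_components", [])}


class FakeConsole:
    """Constructed stand-in for the console: the task becomes final on the third poll."""

    def __init__(self, final_state: str, components: List[Dict]):
        self.polls = 0
        self.final_state = final_state
        self.components = components

    def get(self, url: str) -> Response:
        self.polls += 1
        state = self.final_state if self.polls >= 3 else "INITIALIZING"
        done = state == "COMPLETED"
        body = {"id": 7, "name": "Find dependents", "status": state,
                "message": "constructed sample message",
                "task_components": self.components if done else [],
                "number_of_dependents": (sum(c["number_of_dependents"] for c in self.components)
                                         if done else None)}
        return 200, {}, body


def run_dependents_check(console: FakeConsole) -> Dict[str, int]:
    """Simulate the 202 from GET .../{calculated_property_id}/dependents and follow it."""
    accepted: Response = (
        202,
        {"Location": "/api/config/event_sources/custom_properties/calculated_property_dependents_tasks/7"},
        {"id": 7, "status": "INITIALIZING", "message": "constructed: task queued"},
    )
    return dependents_by_subtask(wait_for_task(console.get, accepted))
```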

GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}
Retrieves a calculated event property based on the supplied calculated property ID.

Table 363. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json



Table 364. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details

Parameter                Type    Optionality   Data Type          MIME Type    Description
calculated_property_id   path    Required      Number (Integer)   text/plain   Required - String - The ID of the calculated event property.
fields                   query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 365. GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} response codes

HTTP Response Code   Unique Code   Description
200                                The requested calculated event property was retrieved.
404                  1002          The requested calculated event property cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to retrieve the requested calculated event property.

Response Description

A calculated event property that contains the following fields:
v id - Number - A sequence ID for the calculated event property.
v identifier - String - A string that uniquely identifies the calculated event property.
v name - String - The name of the calculated event property.
v description - String - The description of the calculated event property.
v enabled - Boolean - Whether the calculated event property is enabled.
v first_operand - String - An operand object describing the first operand in the expression.
v second_operand - String - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression.
v username - String - The username of the creator of the calculated event property.
v creation_date - Number - The time stamp for when the calculated event property is created, in milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated event property is last modified, in milliseconds since epoch.
An operand object contains the following fields:
v type - String - Can be "STATIC" (for a numeric operand) or "PROPERTY" (for an operand that is a property).
v numeric_value - Number - When type is "STATIC", this is the value of the operand; otherwise, it is suppressed.
v property_name - String - When type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.



Response Sample
{
  "creation_date": 42,
  "description": "String",
  "enabled": true,
  "first_operand": {
    "numeric_value": 42.5,
    "property_name": "String",
    "type": "String <one of: STATIC, PROPERTY>"
  },
  "id": 42,
  "identifier": "String",
  "modification_date": 42,
  "name": "String",
  "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
  "second_operand": {
    "numeric_value": 42.5,
    "property_name": "String",
    "type": "String <one of: STATIC, PROPERTY>"
  },
  "username": "String"
}

POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}
Updates an existing calculated event property.


Table 366. POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json

Table 367. POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
calculated_property_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated event property.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

188 QRadar API Reference Guide


Table 368. POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} request body details
Parameter | Data Type | MIME Type | Description
data | Object | application/json | Required - A JSON structure that contains the field_name-value pairs of the calculated event property that is to be updated.
Sample:
{ "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }
v description - Optional - String - The description of the calculated event property. Defaults to an empty string.
v enabled - Optional - Boolean - Whether the calculated event property is enabled. Defaults to true.
v first_operand - Optional - Operand Object - An object describing the first operand in the expression.
v second_operand - Optional - Operand Object - An object describing the second operand in the expression.
v operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

Table 369. POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The calculated event property was updated.
403 | 1009 | The requested update action is unauthorized.
404 | 1002 | The requested calculated event property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to update a calculated event property.

Response Description
The updated calculated event property that contains the following fields:
v id - Number - A sequence id for the calculated event property.
v identifier - String - A string that uniquely identifies the calculated event property.
v name - String - The name of the calculated event property.
v description - String - The description of the calculated event property.
v enabled - Boolean - Whether the calculated event property is enabled.
v first_operand - Object - An operand object describing the first operand in the expression.
v second_operand - Object - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression (ADD, SUBTRACT, MULTIPLY, or DIVIDE).
v username - String - The username of the creator of the calculated event property.
v creation_date - Number - The time stamp for when the calculated event property was created, in milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated event property was last modified, in milliseconds since epoch.
An operand object contains the following fields:
v type - String - Either "STATIC" (a numeric operand) or "PROPERTY" (an operand that is another event property).
v numeric_value - Number - When type is "STATIC", the value of the operand; otherwise, the field is suppressed.
v property_name - String - When type is "PROPERTY", the name of the property that is used as the operand; otherwise, the field is suppressed.

Response Sample
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}

GET /config/event_sources/custom_properties/calculated_properties
Retrieves a list of calculated event properties.


Table 370. GET /config/event_sources/custom_properties/calculated_properties resource details
MIME Type
application/json

Table 371. GET /config/event_sources/custom_properties/calculated_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 372. GET /config/event_sources/custom_properties/calculated_properties response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of calculated event properties was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of calculated event properties.

Response Description

A list of calculated event properties. Each calculated event property contains the following fields:
v id - Number - A sequence id for the calculated event property.
v identifier - String - A string that uniquely identifies the calculated event property.
v name - String - The name of the calculated event property.
v description - String - The description of the calculated event property.
v enabled - Boolean - Whether the calculated event property is enabled.
v first_operand - Object - An operand object describing the first operand in the expression.
v second_operand - Object - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression (ADD, SUBTRACT, MULTIPLY, or DIVIDE).
v username - String - The username of the creator of the calculated event property.
v creation_date - Number - The time stamp for when the calculated event property was created, in milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated event property was last modified, in milliseconds since epoch.
An operand object contains the following fields:
v type - String - Either "STATIC" (a numeric operand) or "PROPERTY" (an operand that is another event property).
v numeric_value - Number - When type is "STATIC", the value of the operand; otherwise, the field is suppressed.
v property_name - String - When type is "PROPERTY", the name of the property that is used as the operand; otherwise, the field is suppressed.

Response Sample
[
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,

"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}
]

POST /config/event_sources/custom_properties/calculated_properties
Creates a new calculated event property.


Table 373. POST /config/event_sources/custom_properties/calculated_properties resource details
MIME Type
application/json

Table 374. POST /config/event_sources/custom_properties/calculated_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 375. POST /config/event_sources/custom_properties/calculated_properties request body details
Parameter | Data Type | MIME Type | Description
data | Object | application/json | Required - A JSON structure that contains the field_name-value pairs of the calculated event property that is to be created.
Sample:
{ "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }
v name - Required - String - The name of the calculated event property.
v description - Optional - String - The description of the calculated event property. Defaults to an empty string.
v enabled - Optional - Boolean - Whether the calculated event property is enabled. Defaults to true.
v first_operand - Required - Operand Object - An object describing the first operand in the expression.
v second_operand - Required - Operand Object - An object describing the second operand in the expression.
v operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

Table 376. POST /config/event_sources/custom_properties/calculated_properties response codes
HTTP Response Code | Unique Code | Description
201 | | The new calculated event property was created.
403 | 1009 | The requested create action is unauthorized.
409 | 1004 | The name of the calculated property has been used.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to create a new calculated event property.

Response Description

The newly created calculated event property that contains the following fields:
v id - Number - A sequence id for the calculated event property.
v identifier - String - A string that uniquely identifies the calculated event property.
v name - String - The name of the calculated event property.
v description - String - The description of the calculated event property.
v enabled - Boolean - Whether the calculated event property is enabled.
v first_operand - Object - An operand object describing the first operand in the expression.
v second_operand - Object - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression (ADD, SUBTRACT, MULTIPLY, or DIVIDE).
v username - String - The username of the creator of the calculated event property.
v creation_date - Number - The time stamp for when the calculated event property was created, in milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated event property was last modified, in milliseconds since epoch.
An operand object contains the following fields:
v type - String - Either "STATIC" (a numeric operand) or "PROPERTY" (an operand that is another event property).
v numeric_value - Number - When type is "STATIC", the value of the operand; otherwise, the field is suppressed.
v property_name - String - When type is "PROPERTY", the name of the property that is used as the operand; otherwise, the field is suppressed.

Response Sample
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}
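The create endpoint above takes the same operand objects that the responses describe, but the server only reports a malformed body after the round trip (422, unique code 1005) or a name collision (409, unique code 1004). The following Python is an added example, not code from the IBM guide or from QRadar: it builds the request body in the documented shape, catches the obvious mistakes locally, and submits it with the SEC token and Version headers from the RESTful API overview chapter. The console host, the token, and the property names "Total Bytes" and "Total Packets" are placeholders; candidate operand names should be checked against GET /config/event_sources/custom_properties/calculated_property_operands before use.

```python
"""Build and submit a calculated event property (added example, not IBM code)."""
import json
import urllib.error
import urllib.request

OPERATORS = ("ADD", "SUBTRACT", "MULTIPLY", "DIVIDE")
ENDPOINT = "/api/config/event_sources/custom_properties/calculated_properties"


def operand(value):
    """Build an operand object. A number becomes a STATIC operand carrying only
    numeric_value; a string becomes a PROPERTY operand carrying only property_name.
    The unused field is left out, as in the API's own responses."""
    if isinstance(value, bool):  # bool subclasses int; True/False is never a valid operand
        raise ValueError("operand must be a number or a property name")
    if isinstance(value, (int, float)):
        return {"type": "STATIC", "numeric_value": float(value)}
    if isinstance(value, str) and value.strip():
        return {"type": "PROPERTY", "property_name": value}
    raise ValueError("operand must be a number or a property name")


def build_body(name, first, operator, second, description="", enabled=True):
    """Assemble the POST body for the create endpoint and catch locally what the
    server would reject with 422 / unique code 1005."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name is required")
    if operator not in OPERATORS:
        raise ValueError(f"operator must be one of {OPERATORS}")
    second_operand = operand(second)
    if (operator == "DIVIDE" and second_operand["type"] == "STATIC"
            and second_operand["numeric_value"] == 0.0):
        raise ValueError("second operand of DIVIDE is a STATIC zero")
    return {
        "name": name,
        "description": description,
        "enabled": bool(enabled),
        "first_operand": operand(first),
        "operator": operator,
        "second_operand": second_operand,
    }


def create_calculated_property(console, token, body, fields="id,identifier,name",
                               opener=urllib.request.urlopen):
    """POST the body and return (http_status, parsed JSON).

    201 is the success code for this endpoint. 409 (unique code 1004, the name is
    already used) and 422 are returned together with the server's error object so
    the caller can act on the unique code; other HTTP errors propagate. `opener`
    is injectable so the function can be exercised without a console.
    """
    request = urllib.request.Request(
        f"https://{console}{ENDPOINT}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
    )
    request.add_header("SEC", token)      # assumption: authorized-service token header
    request.add_header("Version", "9.0")  # assumption: pins the API version this guide documents
    request.add_header("Content-Type", "application/json")
    request.add_header("Accept", "application/json")
    request.add_header("fields", fields)  # fields is a header parameter on this POST
    try:
        with opener(request) as response:
            return response.status, json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as error:
        if error.code in (409, 422):
            return error.code, json.loads(error.read().decode("utf-8"))
        raise


if __name__ == "__main__":
    # Constructed example; "Total Bytes" and "Total Packets" are assumed operand names.
    example = build_body("Bytes per packet", "Total Bytes", "DIVIDE", "Total Packets",
                         description="constructed example")
    print(json.dumps(example, indent=2))
```

The body builder deliberately omits id, identifier, username and the timestamps: those are server-assigned and appear only in the response, even though the guide's request sample echoes them. Pass a narrow fields header, as above, to keep the returned object to what the caller will actually read.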

GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}
Retrieves the status of the event calculated property delete task.


Table 377. GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 378. GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property delete task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 379. GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The status of the event calculated property delete task was retrieved.
404 | 1002 | The requested task status cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the status of the deletion task.

Response Description

A Delete Task Status object and the Location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}
Retrieves the status of the event calculated property dependents task.


Table 380. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 381. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task status to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 382. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The status of the find dependents task was retrieved.
404 | 1002 | The requested task status cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the details of a task status.

Response Description

A Dependent Task Status object and the Location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
}
]
}

POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}
Cancels the event calculated property dependent task.

Table 383. POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 384. POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task status to cancel.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 385. POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description
task | Object | application/json | Required - A Dependent Task Status object with the status set to "CANCEL_REQUESTED" is the only acceptable input.
Sample:
{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 386. POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the Location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
}
]
}

GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results
Retrieves the event calculated property dependent task results.


Table 387. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 388. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task to retrieve results for.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 389. GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The result of the find dependents task was retrieved.
404 | 1002 | The result of the task cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the result of a task.

Response Description
A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource (EVENTS or FLOWS).
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SA
"user_has_edit_permissions": true
}
]
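The three dependent-task endpoints above (cancel via POST, status via GET, and results via GET .../results) form one workflow: poll the status object until it reaches a terminal state, and only then read the dependents, because a task that was cancelled or failed has no result list worth acting on. The following Python is an added example, not code from the IBM guide or from QRadar. The HTTP calls are passed in as callables so the logic runs offline; the state names come from the status enum in the samples above, but which of them count as terminal is an assumption, and the status sequence and results list at the bottom are constructed.

```python
"""Cancel, poll and triage a calculated-property dependents task (added example, not IBM code)."""
import time

# Task states from the status enum in the samples above. Which ones are terminal
# is an assumption: the guide lists the values but not their transitions.
TERMINAL_STATES = frozenset({"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"})
ACTIVE_STATES = frozenset({"INITIALIZING", "QUEUED", "PROCESSING", "PAUSED", "RESUMING",
                           "CANCEL_REQUESTED", "CANCELING"})


def cancel_request_body():
    """The only request body the cancel endpoint accepts."""
    return {"status": "CANCEL_REQUESTED"}


def cancel_task(post_status, get_status, task_id):
    """Request cancellation of a dependents task.

    post_status(task_id, body) -> (http_code, json) wraps the POST; get_status(task_id)
    -> json wraps the GET. A 409 (unique code 1004) means the task already reached a
    terminal state, so its current status is returned instead of raising.
    """
    code, body = post_status(task_id, cancel_request_body())
    if code == 200:
        return body
    if code == 409:
        return get_status(task_id)
    raise RuntimeError(f"cancel of task {task_id} failed: HTTP {code} {body}")


def wait_for_task(get_status, task_id, max_polls=150, interval_s=2.0, sleep=time.sleep):
    """Poll the status endpoint until the task is terminal and return the final
    status object. Bounded by poll count rather than wall clock, so an injected
    sleep gives the same behaviour offline as against a console."""
    last = {}
    for _ in range(max_polls):
        last = get_status(task_id)
        state = last.get("status")
        if state in TERMINAL_STATES:
            return last
        if state not in ACTIVE_STATES:
            raise RuntimeError(f"task {task_id} reported unknown status {state!r}")
        sleep(interval_s)
    raise TimeoutError(f"task {task_id} still {last.get('status')} after {max_polls} polls")


def progress_percent(status):
    """maximum is the number of objects to check, progress how many were checked."""
    maximum = status.get("maximum") or 0
    if maximum <= 0:
        return 0.0
    return round(100.0 * min(status.get("progress") or 0, maximum) / maximum, 1)


def triage_dependents(results):
    """Split the /results list into dependents the task creator can edit and ones
    that need their owner; the latter are what will hold up deleting the property."""
    editable, needs_owner, by_type = [], [], {}
    for dep in results:
        entry = (dep["dependent_type"], dep["dependent_name"], dep["dependent_owner"])
        (editable if dep.get("user_has_edit_permissions") else needs_owner).append(entry)
        by_type[dep["dependent_type"]] = by_type.get(dep["dependent_type"], 0) + 1
    return {"editable": editable, "needs_owner": needs_owner, "by_type": by_type}


def find_dependents(get_status, get_results, task_id, **poll_kwargs):
    """Wait for the task, then fetch and triage its results only if it COMPLETED."""
    final = wait_for_task(get_status, task_id, **poll_kwargs)
    if final["status"] != "COMPLETED":
        return final, None
    return final, triage_dependents(get_results(task_id))


# Constructed sample data standing in for the two GET endpoints (not real console output).
SAMPLE_STATUSES = [
    {"status": "QUEUED", "maximum": 10, "progress": 0},
    {"status": "PROCESSING", "maximum": 10, "progress": 6},
    {"status": "COMPLETED", "maximum": 10, "progress": 10, "number_of_dependents": 2},
]
SAMPLE_RESULTS = [
    {"dependent_id": "1", "dependent_name": "Failed logins by source", "dependent_owner": "admin",
     "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "EVENTS",
     "dependent_group_ids": [42], "user_has_edit_permissions": True},
    {"dependent_id": "2", "dependent_name": "Weekly exec report", "dependent_owner": "jsmith",
     "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "EVENTS",
     "dependent_group_ids": [42], "user_has_edit_permissions": False},
]

if __name__ == "__main__":
    statuses = iter(SAMPLE_STATUSES)
    final, triage = find_dependents(lambda _tid: next(statuses), lambda _tid: SAMPLE_RESULTS,
                                    7, sleep=lambda _s: None)
    print(final["status"], progress_percent(final), triage["needs_owner"])
```

Against a live console the callables wrap the GET and POST with the same headers as any other request to this API. The poll loop refuses to treat an unrecognized status as success, so a new state added in a later release fails loudly instead of being mistaken for completion.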

GET /config/event_sources/custom_properties/calculated_property_operands
Retrieves the list of available options for calculated event property operands.

Table 390. GET /config/event_sources/custom_properties/calculated_property_operands resource details
MIME Type
application/json

Table 391. GET /config/event_sources/custom_properties/calculated_property_operands request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 392. GET /config/event_sources/custom_properties/calculated_property_operands response codes
HTTP Response Code | Unique Code | Description
200 | | The list of available options for calculated event property operands was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the available options for calculated event property operands.

Response Description

An array that contains the available options for calculated event property operand.

Response Sample
[
"String"
]

GET /config/event_sources/custom_properties/property_expressions
Retrieves a list of event regex property expressions.


Table 393. GET /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 394. GET /config/event_sources/custom_properties/property_expressions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 395. GET /config/event_sources/custom_properties/property_expressions response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of event regex property expressions was retrieved.
422 | 1010 | An error occurred while building the filter.
500 | 1020 | An error occurred during the attempt to retrieve the list of event regex property expressions.

Response Description
A list of event regex property expressions. Each regex property expression contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex that extracts the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify that their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]
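A regex property expression is only as useful as its regex and capture group, and the API accepts a mismatched pair without complaint: the payload field is a UI-side test value, so nothing on the server verifies that the regex matches it or that the capture group exists. The following Python is an added example, not code from the IBM guide or from QRadar. It assembles the request body for this resource with the fields listed above (regex_property_identifier, regex and log_source_type_id are the required ones on create) and runs the regex against the test payload locally before anything is POSTed. QRadar evaluates regexes with the Java engine, so Python's re module is an approximation (assumption: the pattern uses only constructs common to both); the identifier "regex-prop-1", the log source type ID 11 and the syslog line are constructed.

```python
"""Check an event regex property expression against its test payload (added example, not IBM code)."""
import re

REQUIRED_FIELDS = ("regex_property_identifier", "regex", "log_source_type_id")


def build_expression(regex_property_identifier, regex, log_source_type_id, *,
                     payload=None, capture_group=1, enabled=True,
                     log_source_id=None, qid=None, low_level_category_id=None):
    """Assemble the POST body. Optional scoping fields are left out when None so
    the server applies its defaults instead of receiving explicit nulls."""
    body = {
        "regex_property_identifier": regex_property_identifier,
        "regex": regex,
        "log_source_type_id": log_source_type_id,
        "capture_group": capture_group,
        "enabled": enabled,
    }
    for key, value in (("payload", payload), ("log_source_id", log_source_id),
                       ("qid", qid), ("low_level_category_id", low_level_category_id)):
        if value is not None:
            body[key] = value
    return body


def check_expression(body):
    """Validate the body and return what the regex would extract from body["payload"]
    (None when no test payload is supplied).

    Raises ValueError for the faults that otherwise come back as 422 or, worse, as a
    property that never populates: a missing required field, a regex that does not
    compile, a capture_group the regex does not define, or no match on the payload.
    QRadar evaluates the regex with Java's engine; Python's re is an approximation
    (assumption: the pattern uses only constructs common to both).
    """
    for field in REQUIRED_FIELDS:
        if body.get(field) in (None, ""):
            raise ValueError(f"{field} is required")
    try:
        pattern = re.compile(body["regex"])
    except re.error as exc:
        raise ValueError(f"regex does not compile: {exc}") from exc
    group = body.get("capture_group", 1)
    # Group 0 is the whole match in Java and Python alike; 1..N are the parenthesised groups.
    if not isinstance(group, int) or group < 0 or group > pattern.groups:
        raise ValueError(f"capture_group {group!r} but the regex defines {pattern.groups} group(s)")
    payload = body.get("payload")
    if payload is None:
        return None
    match = pattern.search(payload)
    if match is None:
        raise ValueError("regex does not match the test payload")
    value = match.group(group)
    if value is None:
        raise ValueError(f"capture group {group} did not take part in the match")
    return value


# Constructed syslog line; the regex property identifier and log source type ID used
# below are placeholders, not values from any real console.
SAMPLE_PAYLOAD = ("<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for invalid user admin "
                  "from 203.0.113.5 port 4242 ssh2")
SAMPLE_REGEX = r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"

if __name__ == "__main__":
    body = build_expression("regex-prop-1", SAMPLE_REGEX, 11,
                            payload=SAMPLE_PAYLOAD, capture_group=2)
    print(check_expression(body))  # the source address, not the user name
```

Run the check on every expression before it is created or updated; an expression whose capture group points past the last parenthesis is the classic cause of a custom property that stays empty in searches while the regex itself looks correct.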

POST /config/event_sources/custom_properties/property_expressions
Creates a new event regex property expression.


Table 396. POST /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 397. POST /config/event_sources/custom_properties/property_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

6 REST API V9.0 References 203


Table 398. POST /config/event_sources/custom_properties/property_expressions request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the regex property expression object.
v regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
v regex - Required - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
Sample:
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

Table 399. POST /config/event_sources/custom_properties/property_expressions response codes
HTTP Response Code Unique Code Description
201 A new event regex property expression was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property expression.

Response Description

The newly created event regex property expression that contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/event_sources/custom_properties/property_expressions/{expression_id}
Retrieves an event regex property expression based on the supplied expression ID.

Table 400. GET /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 401. GET /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The Guid ID of the event_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 402. GET /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The requested event regex property expression was successfully retrieved.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property expression.

Response Description

An event regex property expression that contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/property_expressions/{expression_id}
Updates an existing event regex property expression.

Table 403. POST /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 404. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property expression.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 405. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property expression object.
v regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v regex - Optional - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
v username - Optional - String - The owner of the event regex property expression. If the input username is an authorized service, the prefix "API_token: " is required.
Sample:
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

Table 406. POST /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The event regex property expression was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested event regex property expression cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an event regex property expression.

Response Description

The updated event regex property expression object contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The ID of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/event_sources/custom_properties/property_expressions/{expression_id}
Deletes an event regex property expression based on the supplied expression ID.

Table 407. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 408. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event_regex_property_expression.

Table 409. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
204 The requested event regex property expression was successfully deleted.
403 1009 The user cannot delete the resource because it can only be deleted by the owner or admin user.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to delete the requested event regex property expression.

Response Description

Response Sample

DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id}
Deletes an Ariel property JSON expression based on the supplied expression ID.

Table 410. DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} resource details
MIME Type
text/plain

Table 411. DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event_regex_property_expression.

Table 412. DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
204 The requested Ariel property JSON expression was successfully deleted.
403 1009 The user cannot delete the resource because it can only be deleted by the owner or admin user.
404 1002 The requested Ariel property JSON expression cannot be found.
500 1020 An error occurred during the attempt to delete the requested Ariel property JSON expression.

Response Description

Response Sample

GET /config/event_sources/custom_properties/property_json_expressions/{expression_id}
Retrieves an Ariel property JSON expression based on the supplied expression ID.

Table 413. GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} resource details
MIME Type
application/json

Table 414. GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the Ariel_property_JSON_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 415. GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The requested Ariel property JSON expression was successfully retrieved.
404 1002 The requested Ariel property JSON expression cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested Ariel property JSON expression.

Response Description

An Ariel property JSON expression that contains the following fields:


v id - Integer - The sequence ID of the Ariel property JSON expression.
v identifier - String - The ID of the Ariel property JSON expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v expression - String - The JSON expression path to find the property value from the JSON payload.
v payload - String - Test payload. This parameter is only used in the UI so that you can verify your
expression matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the Ariel property JSON expression.

Response Sample
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/property_json_expressions/{expression_id}
Updates an existing Ariel property JSON expression.

Table 416. POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} resource details
MIME Type
application/json

Table 417. POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the Ariel property JSON expression.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 418. POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the Ariel property JSON expression object.
v regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v expression - Optional - String - The JSON expression path to find the property value from the JSON payload.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.
v log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
v username - Optional - String - The owner of the Ariel property JSON expression. If the input username is an authorized service, the prefix "API_token: " is required.
Sample:
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}

Table 419. POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The Ariel property JSON expression was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested Ariel property JSON expression cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an Ariel property JSON expression.

Response Description

The updated Ariel property JSON expression object contains the following fields:
v id - Integer - The sequence ID of the Ariel property JSON expression.
v identifier - String - The ID of the Ariel property JSON expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v expression - String - The JSON expression path to find the property value from the JSON payload.
v payload - String - Test payload. This parameter is only used in the UI so that you can verify your
expression matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the Ariel property JSON expression.

Response Sample
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}

GET /config/event_sources/custom_properties/property_json_expressions
Retrieves a list of Ariel property JSON expressions.

Table 420. GET /config/event_sources/custom_properties/property_json_expressions resource details
MIME Type
application/json

Table 421. GET /config/event_sources/custom_properties/property_json_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 422. GET /config/event_sources/custom_properties/property_json_expressions response codes
HTTP Response Code Unique Code Description
200 The requested list of Ariel property JSON expressions was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of Ariel property JSON expressions.

Response Description

A list of Ariel property JSON expressions. Each Ariel property JSON expression contains the following fields:
v id - Integer - The sequence ID of the Ariel property JSON expression.
v identifier - String - The ID of the Ariel property JSON expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v expression - String - The JSON expression path to find the property value from the JSON payload.
v payload - String - Test payload. This parameter is only used in the UI so that you can verify your
expression matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the Ariel property JSON expression.

Response Sample
[
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/event_sources/custom_properties/property_json_expressions
Creates a new Ariel property JSON expression.

Table 423. POST /config/event_sources/custom_properties/property_json_expressions resource details
MIME Type
application/json

Table 424. POST /config/event_sources/custom_properties/property_json_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 425. POST /config/event_sources/custom_properties/property_json_expressions request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the Ariel property JSON expression object.
v regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
v expression - Required - String - The JSON expression path to find the property value from the JSON payload.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.
v log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
Sample:
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}

Table 426. POST /config/event_sources/custom_properties/property_json_expressions response codes
HTTP Response Code Unique Code Description
201 A new Ariel property JSON expression was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new Ariel property JSON expression.

Response Description

The newly created Ariel property JSON expression that contains the following fields:
v id - Integer - The sequence ID of the Ariel property JSON expression.
v identifier - String - The ID of the Ariel property JSON expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v expression - String - The JSON expression path to find the property value from the JSON payload.
v payload - String - Test payload. This parameter is only used in the UI so that you can verify your
expression matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific
than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the Ariel property JSON expression.

Response Sample
{
"creation_date": 42,
"enabled": true,
"expression": "String",
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex_property_identifier": "String",
"username": "String"
}

GET /config/event_sources/custom_properties/regex_properties
Retrieves a list of event regex properties.

Table 427. GET /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 428. GET /config/event_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 429. GET /config/event_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
200 The requested list of event regex properties was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of event regex properties.

Response Description

A list of event regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (STRING, NUMERIC, IP, PORT, TIME) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.
v auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample
[
{
"auto_discovered": true,
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/event_sources/custom_properties/regex_properties
Creates a new event regex property.

Table 430. POST /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 431. POST /config/event_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

6 REST API V9.0 References 219


Table 432. POST /config/event_sources/custom_properties/regex_properties request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property object.
v name - Required - String - The name of the event regex property.
v description - Optional - String - The description of the event regex property.
v property_type - Required - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received. It is false if no value is supplied.
v datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.
Sample: { "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 433. POST /config/event_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
201 A new event regex property was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property.

Response Description

The newly created event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.
v auto_discovered - Boolean - The flag to indicate if the event regex property is generated by custom
properties discovery engine.

Response Sample
{
"auto_discovered": true,
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
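A client-side check of the Table 432 rules before the create request leaves the client, as an added example that is not code from the QRadar guide or its sample client. The console URL and token are placeholders, the `SEC` token header is the QRadar convention and does not appear on this page, and the validation messages are this example's own; the field rules, the `fields` header and the response codes are taken from Tables 431 to 433.

```python
import json
from urllib.request import Request

API_BASE = "https://qradar.example.invalid/api"     # placeholder console URL (assumption)
ENDPOINT = "/config/event_sources/custom_properties/regex_properties"
ALLOWED_TYPES = ("string", "numeric", "ip", "port", "time")    # Table 432
# Only the request-body fields Table 432 lists are sent; server-managed fields
# such as id, identifier, username and creation_date are rejected up front.
INPUT_FIELDS = {"name", "description", "property_type",
                "use_for_rule_engine", "datetime_format", "locale"}


def validate_regex_property(body):
    """Return the Table 432 rule violations in ``body`` (empty list = valid).
    Catching these locally avoids a 422 / unique code 1005 round trip."""
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"].strip():
        problems.append("name is required and must be a non-empty string")
    ptype = body.get("property_type")
    if ptype not in ALLOWED_TYPES:
        problems.append("property_type must be one of " + ", ".join(ALLOWED_TYPES))
    if ptype == "time":
        # datetime_format and locale are both required for a TIME property.
        for key in ("datetime_format", "locale"):
            if not isinstance(body.get(key), str) or not body[key]:
                problems.append(f"{key} is required when property_type is time")
    if "use_for_rule_engine" in body and not isinstance(body["use_for_rule_engine"], bool):
        problems.append("use_for_rule_engine must be a boolean")
    unknown = sorted(set(body) - INPUT_FIELDS)
    if unknown:
        problems.append("unexpected fields: " + ", ".join(unknown))
    return problems


def build_create_request(body, token, fields=None):
    """Build the POST request without sending it. ``fields`` travels as a
    header, as Table 431 states for this endpoint."""
    problems = validate_regex_property(body)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "SEC": token}   # QRadar token header (assumption); the token value is a placeholder
    if fields:
        headers["fields"] = fields
    return Request(API_BASE + ENDPOINT, data=json.dumps(body).encode("utf-8"),
                   headers=headers, method="POST")


def request_summary(req):
    """Plain-dict view of a built request (header names lower-cased, since
    urllib normalises their case)."""
    return {"method": req.get_method(), "url": req.full_url,
            "headers": {k.lower(): v for k, v in req.header_items()},
            "body": json.loads(req.data)}


def describe_outcome(status_code):
    """Map the Table 433 response codes to a short, actionable message."""
    return {201: "created",
            422: "request rejected (unique code 1005): fix the body and retry",
            500: "server error (unique code 1020): check the console log before retrying",
            }.get(status_code, f"unexpected HTTP {status_code}")


if __name__ == "__main__":
    req = build_create_request(
        {"name": "SrcUserAgent", "property_type": "string", "use_for_rule_engine": False},
        token="REPLACE-WITH-TOKEN", fields="id,name,property_type")
    print(request_summary(req))
```

Rejecting server-managed fields such as `id` and `username` in the body keeps a scripted client from silently trying to set ownership or identity; the server would ignore or reject them, but failing locally makes the mistake visible. Sending the request is a `urllib.request.urlopen(req)` call on the returned object, with `describe_outcome` applied to the status code.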

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Retrieves an event regex property based on the supplied regex property ID.

Table 434. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 435. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 436. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The requested event regex property was successfully retrieved.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property.

Response Description

An event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.
v auto_discovered - Boolean - The flag to indicate if the event regex property is generated by custom properties discovery engine.

Response Sample
{
"auto_discovered": true,
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Updates an existing event regex property.


Table 437. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

222 QRadar API Reference Guide


Table 438. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 439. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property object.
v description - Optional - String - The description of the event regex property.
v property_type - Optional - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.
v username - Optional - String - The owner of the event regex property. If the input username is an authorized service, the prefix "API_token: " is required.
Sample: { "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 440. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The event regex property was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested event regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an event regex property.

Response Description

The updated event regex property object contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.
v auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample
{
"auto_discovered": true,
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Deletes an event regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 441. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 442. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 443. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
202 The event regex property delete request was accepted and is in progress.
403 1009 The user cannot delete the regex_property because it only can be deleted by the owner or admin user.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred while attempting to delete the event regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,

CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the event regex property.


Table 444. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource details
MIME Type
application/json

Table 445. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 446. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code Unique Code Description
202 The event regex property dependents retrieval was accepted and is in progress.
404 1002 The event regex property does not exist.
500 1020 An error occurred while attempting to initiate the event regex property dependents retrieval task.

Response Description
A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.

v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,

"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}
Retrieves the event regex property delete task status.


Table 447. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 448. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 449. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The requested delete task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,

INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Retrieves the event regex property dependent task status.


Table 450. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 451. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 452. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested dependent task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.

v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,

CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Cancels the regex property dependent task.


Table 453. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 454. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 455. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json null
Sample: { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 456. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,

FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.


Table 457. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 458. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 459. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The regex property dependents were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
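Before a regex property is deleted, the dependents task above tells the caller what would be affected. The following is an added example, not code from the QRadar API Guide or the product: it triages a results list shaped like the Dependent objects documented above, grouping dependents by type, listing the ones the task creator lacks permission to edit, and flagging any dependent_type outside the enumeration in the sample so that a value added in a later release is reviewed rather than silently ignored. The input is constructed sample data, not output from a deployment.

```python
"""Triage regex-property dependents returned by
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results.

Added example; not part of the QRadar API Guide. SAMPLE_RESULTS is constructed
to match the documented Dependent object shape.
"""
from collections import defaultdict
from typing import Any, Dict, List

# The dependent_type values listed in the response sample above.
KNOWN_DEPENDENT_TYPES = {
    "ARIEL_SAVED_SEARCH", "ASSET_SAVED_SEARCH", "OFFENSE_SAVED_SEARCH", "VULNERABILITY_SAVED_SEARCH",
    "QRM_SAVED_SEARCH_GROUP", "ASSET_SAVED_SEARCH_GROUP", "CUSTOM_RULE_GROUP",
    "EVENT_ARIEL_SAVED_SEARCH_GROUP", "FLOW_ARIEL_SAVED_SEARCH_GROUP", "LOG_SOURCE_GROUP", "MODEL_GROUP",
    "OFFENSE_SAVED_SEARCH_GROUP", "QUESTION_GROUP", "REPORT_GROUP", "SIMULATION_GROUP",
    "TOPOLOGY_SAVED_SEARCH_GROUP", "VULNERABILITY_SAVED_SEARCH_GROUP", "ASSIGNED_OFFENSE",
    "ASSIGNED_VULNERABILITY", "AUTHORIZED_SERVICE", "BUILDING_BLOCK", "CRE_RULE", "CRE_ADE_RULE",
    "EVENT_REGEX_PROPERTY", "EVENT_CALCULATED_PROPERTY", "FLOW_REGEX_PROPERTY", "FLOW_CALCULATED_PROPERTY",
    "DASHBOARD", "GV_REFERENCE", "REPORT", "REFERENCE_DATA", "REFERENCE_DATA_MAP_OF_SETS",
    "REFERENCE_DATA_MAPS", "REFERENCE_DATA_SETS", "REFERENCE_DATA_TABLES", "REFERENCE_DATA_RESPONSE",
    "REFERENCE_SET_RESPONSE", "EVENT_RETENTION_BUCKET", "FLOW_RETENTION_BUCKET", "ROUTING_RULE",
    "STORE_AND_FORWARD_POLICY", "USER", "HISTORICAL_PROFILE", "OFFENSE_TYPE",
}

# Constructed sample results, not output from a real deployment.
SAMPLE_RESULTS: List[Dict[str, Any]] = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [3],
     "dependent_id": "1001", "dependent_name": "Failed logins by user", "dependent_owner": "admin",
     "dependent_type": "CRE_RULE", "user_has_edit_permissions": True},
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "2002", "dependent_name": "Weekly VPN report search", "dependent_owner": "soc_analyst",
     "dependent_type": "ARIEL_SAVED_SEARCH", "user_has_edit_permissions": False},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "3003", "dependent_name": "SOC overview", "dependent_owner": "admin",
     "dependent_type": "DASHBOARD", "user_has_edit_permissions": True},
    {"blocking": True, "dependent_database": "FLOWS", "dependent_group_ids": [],
     "dependent_id": "4004", "dependent_name": "Future widget", "dependent_owner": "admin",
     "dependent_type": "SOME_NEW_TYPE", "user_has_edit_permissions": True},
]


def dependents_by_type(results: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group dependent names by dependent_type for a readable report."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for dep in results:
        grouped[dep["dependent_type"]].append(dep["dependent_name"])
    return dict(grouped)


def unresolvable_by_caller(results: List[Dict[str, Any]]) -> List[str]:
    """Dependents the task creator cannot edit; their owner or an admin has to handle them."""
    return [f'{d["dependent_name"]} (owner: {d["dependent_owner"]})'
            for d in results if not d["user_has_edit_permissions"]]


def unknown_types(results: List[Dict[str, Any]]) -> List[str]:
    """dependent_type values outside the documented enumeration, which need manual review."""
    return sorted({d["dependent_type"] for d in results} - KNOWN_DEPENDENT_TYPES)


def caller_can_proceed(results: List[Dict[str, Any]]) -> bool:
    """True only when every dependent is editable by the caller and every type is a known one."""
    return not unresolvable_by_caller(results) and not unknown_types(results)


if __name__ == "__main__":
    for dep_type, names in sorted(dependents_by_type(SAMPLE_RESULTS).items()):
        print(f"{dep_type}: {', '.join(names)}")
    print("cannot edit:", unresolvable_by_caller(SAMPLE_RESULTS))
    print("unknown types:", unknown_types(SAMPLE_RESULTS))
    print("proceed:", caller_can_proceed(SAMPLE_RESULTS))
```

Run the results endpoint, feed the parsed JSON list to caller_can_proceed, and stop the deletion when it returns False: the two reasons it reports (a dependent owned by someone else that the caller cannot edit, and a type the script does not recognise) are exactly the cases that should not be decided by automation.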

236 QRadar API Reference Guide


GET /config/event_sources/event_collectors
Retrieves the list of event collectors.
Table 460. GET /config/event_sources/event_collectors resource details
MIME Type
application/json

Table 461. GET /config/event_sources/event_collectors request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 462. GET /config/event_sources/event_collectors response codes
HTTP Response Code  Unique Code  Description
200                              The event collectors were retrieved successfully.
500                 1020         An error occurred during the attempt to retrieve the event collectors.

Response Description
The list of all event collectors. An event collector contains the following fields:
v id - Long - The ID of the event collector.
v name - String - The display name of the event collector entity. Not localized because it is derived from a process/component name and the hostname of the managed host it runs on.
v component_name - String - The name of the component backing this event collector process. Also contained in the 'name' field.
v host_id - Long - The ID of the host on which this event collector process runs. See Hosts API.

Response Sample
[
{
"component_name": "String",
"host_id": 42,
"id": 42,
"name": "String"
}
]
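The three optional list parameters (fields, filter and the Range header) are shared by every list endpoint in this section, and the Range description says the list is indexed from zero. The following is an added example, not code from the QRadar API Guide or the product: a paging client that walks a list endpoint with zero-indexed, inclusive Range values, narrows the returned fields, and stops cleanly when the server does not honour the range. It is exercised against an in-process stand-in for the server using constructed event collector records. The SEC token header, the Version header and a Content-Range reply of the form "items start-end/total" are assumptions, not something this page states; urllib_transport can be substituted for the stand-in to talk to a live console.

```python
"""Page through a QRadar list endpoint with the Range header.

Added example, not code from the QRadar API Guide. Assumed (not stated on this
page): the SEC token and Version request headers, and a Content-Range reply
header shaped like "items start-end/total".
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# A transport sends one GET and returns (status, response headers, body text).
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Live transport; the offline demo below uses make_fake_transport() instead."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read().decode("utf-8")


def build_url(base_url: str, path: str, fields: Optional[str] = None,
              filter_expr: Optional[str] = None) -> str:
    """Append the optional fields and filter query parameters, percent-encoded."""
    params = {}
    if fields:
        params["fields"] = fields
    if filter_expr:
        params["filter"] = filter_expr
    query = urllib.parse.urlencode(params)
    return base_url + path + ("?" + query if query else "")


def parse_content_range(value: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """'items 0-1/5' -> (0, 1, 5); None when the header is absent or malformed."""
    m = re.fullmatch(r"items (\d+)-(\d+)/(\d+)", (value or "").strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def iter_list(transport: Transport, base_url: str, path: str, token: str, page_size: int = 50,
              fields: Optional[str] = None, filter_expr: Optional[str] = None) -> Iterator[dict]:
    """Yield every element of a list endpoint, page_size items per request.

    Range values are zero-indexed and inclusive. A reply without Content-Range is
    taken to be the complete list, so a server that ignores Range cannot loop us.
    """
    url = build_url(base_url, path, fields, filter_expr)
    start = 0
    while True:
        headers = {
            "SEC": token,          # assumed: authorized-service token header
            "Version": "9.0",      # assumed: pins the API version this reference documents
            "Accept": "application/json",
            "Range": f"items {start}-{start + page_size - 1}",
        }
        status, resp_headers, body = transport(url, headers)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}: {body}")
        page: List[dict] = json.loads(body)
        yield from page
        parsed = parse_content_range(resp_headers.get("Content-Range"))
        if parsed is None or not page:
            return
        start += len(page)
        if start >= parsed[2]:
            return


def make_fake_transport(rows: List[dict]) -> Transport:
    """In-process stand-in for the server: honours Range (zero-indexed, inclusive) and fields."""
    def transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        m = re.fullmatch(r"items (\d+)-(\d+)", headers.get("Range", ""))
        start, end = (int(m.group(1)), int(m.group(2))) if m else (0, len(rows) - 1)
        page = rows[start:end + 1]
        wanted = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("fields")
        if wanted:
            keep = {f.strip() for f in wanted[0].split(",")}
            page = [{k: v for k, v in r.items() if k in keep} for r in page]
        hdrs = {"Content-Type": "application/json",
                "Content-Range": f"items {start}-{start + len(page) - 1}/{len(rows)}"}
        return 200, hdrs, json.dumps(page)
    return transport


# Constructed sample rows shaped like the event collector objects documented above.
SAMPLE_COLLECTORS = [
    {"id": 7, "name": "eventcollector0 on console", "component_name": "eventcollector0", "host_id": 53},
    {"id": 8, "name": "eventcollector1 on ec-01", "component_name": "eventcollector1", "host_id": 54},
    {"id": 9, "name": "eventcollector2 on ec-01", "component_name": "eventcollector2", "host_id": 54},
    {"id": 10, "name": "eventcollector1 on ec-02", "component_name": "eventcollector1", "host_id": 55},
    {"id": 11, "name": "eventcollector1 on ec-03", "component_name": "eventcollector1", "host_id": 56},
]


def collectors_by_host(transport: Transport, base_url: str, token: str) -> Dict[int, List[int]]:
    """host_id -> collector ids, asking only for the two fields needed, two items per page."""
    result: Dict[int, List[int]] = {}
    for c in iter_list(transport, base_url, "/config/event_sources/event_collectors",
                       token, page_size=2, fields="id,host_id"):
        result.setdefault(c["host_id"], []).append(c["id"])
    return result


if __name__ == "__main__":
    print(collectors_by_host(make_fake_transport(SAMPLE_COLLECTORS), "https://qradar.example/api", "token"))
```

The same iter_list call works for the other list endpoints in this section (log source extensions, groups, languages and types) by changing the path; passing a filter expression narrows the list server-side, and the fields parameter keeps the reply small when only ids are needed for a later lookup.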

GET /config/event_sources/event_collectors/{id}
Retrieves an individual event collector by ID.
Table 463. GET /config/event_sources/event_collectors/{id} resource details
MIME Type
application/json

Table 464. GET /config/event_sources/event_collectors/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the event collector to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 465. GET /config/event_sources/event_collectors/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The event collector was retrieved successfully.
404                 1002         The requested event collector cannot be found.
500                 1020         An error occurred during the attempt to retrieve the event collector.

Response Description
The event collector after it is retrieved. An event collector contains the following fields:
v id - Long - The ID of the event collector.
v name - String - The display name of the event collector entity. Not localized because it is derived from a process/component name and the hostname of the managed host it runs on, neither of which are translatable.
v component_name - String - The name of the component backing this event collector process. Also contained in the 'name' field.
v host_id - Long - The ID of the host on which this event collector process runs. See Hosts API.

Response Sample
{
"component_name": "String",
"host_id": 42,
"id": 42,
"name": "String"
}

GET /config/event_sources/log_source_management/autodetection/config_records/{config_id}
Retrieves an Autodetection Config Record.


Table 466. GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} resource details
MIME Type
application/json

Table 467. GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
config_id  path    Required     Number (Integer)  text/plain  Required. The ID of the Autodetection Config Record to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 468. GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} response codes
HTTP Response Code  Unique Code  Description
200                              The Autodetection Config Record was retrieved.
404                 1002         The Autodetection Config Record does not exist.
500                 1020         An error occurred during the attempt to retrieve the Autodetection Config Record.

Response Description
The Autodetection Config Record containing the following fields:
v id - Number - The ID of the Autodetection Config Record.
v log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.
v enabled - Boolean - True if Traffic Analysis (autodetection) is enabled for the given log source type.

Response Sample
{
"enabled": true,
"id": 42,
"log_source_type_id": 42
}

POST /config/event_sources/log_source_management/autodetection/config_records/{config_id}
Updates the Autodetection Config Record enabled/disabled only.


Table 469. POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} resource details
MIME Type
application/json

Table 470. POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
config_id  path    Required     Number (Integer)  text/plain  Required. The ID of the Autodetection Config Record to update.
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 471. POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} request body details
Parameter: config_record
Data Type: Object
MIME Type: application/json
Description: Required. A single Autodetection Config Record object with the following modifiable field:
v enabled - Boolean - True to enable Traffic Analysis (autodetection) for the given log source type, false to disable it.
Any other fields that are set will be ignored.
Sample: { "enabled": true, "id": 42, "log_source_type_id": 42 }

Table 472. POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} response codes
HTTP Response Code  Unique Code  Description
200                              The Autodetection Config Record was updated.
404                 1002         The Autodetection Config Record does not exist.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the Autodetection Config Record.

Response Description
The updated Autodetection Config Record containing the following fields:
v id - Number - The ID of the Autodetection Config Record.
v log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.
v enabled - Boolean - True if Traffic Analysis (autodetection) is enabled for the given log source type.

Response Sample
{
"enabled": true,
"id": 42,
"log_source_type_id": 42
}

GET /config/event_sources/log_source_management/autodetection/config_records
Retrieves the list of Autodetection Config Records.


Table 473. GET /config/event_sources/log_source_management/autodetection/config_records resource details
MIME Type
application/json

Table 474. GET /config/event_sources/log_source_management/autodetection/config_records request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 475. GET /config/event_sources/log_source_management/autodetection/config_records response codes
HTTP Response Code  Unique Code  Description
200                              The Autodetection Config Records were retrieved.
422                 1010         A request parameter is not valid.
500                 1020         An error occurred during the attempt to retrieve the Autodetection Config Records.

Response Description
An array of Autodetection Config Record objects. An Autodetection Config Record object contains the following fields:
v id - Number - The ID of the Autodetection Config Record.
v log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.
v enabled - Boolean - True if Traffic Analysis (autodetection) is enabled for the given log source type.

Response Sample
[
{
"enabled": true,
"id": 42,
"log_source_type_id": 42
}
]

GET /config/event_sources/log_source_management/log_source_extensions
Retrieves the list of log source extensions.
Table 476. GET /config/event_sources/log_source_management/log_source_extensions resource details
MIME Type
application/json

Table 477. GET /config/event_sources/log_source_management/log_source_extensions request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 478. GET /config/event_sources/log_source_management/log_source_extensions response codes
HTTP Response Code  Unique Code  Description
200                              The log source extensions were retrieved successfully.
500                 1020         An error occurred during the attempt to retrieve the log source extensions.

Response Description

The list of all log source extensions. A log source extension contains the following fields:
v id - Long - The ID of the extension.
v name - String - The name of the log source extension. Not localized, because it's user-provided.
v description - String - The description of the extension. Not localized, because it's user-provided.

Response Sample
[
{
"description": "String",
"id": 42,
"name": "String"
}
]

GET /config/event_sources/log_source_management/log_source_extensions/{id}
Retrieves a log source extension by ID.
Table 479. GET /config/event_sources/log_source_management/log_source_extensions/{id} resource details
MIME Type
application/json

Table 480. GET /config/event_sources/log_source_management/log_source_extensions/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the log source extension to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 481. GET /config/event_sources/log_source_management/log_source_extensions/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The log source extension was retrieved successfully.
404                 1002         The requested log source extension cannot be found.
500                 1020         An error occurred during the attempt to retrieve the log source extension.

Response Description

The log source extension after it is retrieved. A log source extension contains the following fields:
v id - Long - The ID of the extension.
v name - String - The name of the log source extension. Not localized, because it's user-provided.
v description - String - The description of the extension. Not localized, because it's user-provided.

Response Sample
{
"description": "String",
"id": 42,
"name": "String"
}

GET /config/event_sources/log_source_management/log_source_groups
Retrieves the list of log source groups.
Table 482. GET /config/event_sources/log_source_management/log_source_groups resource details
MIME Type
application/json

Table 483. GET /config/event_sources/log_source_management/log_source_groups request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 484. GET /config/event_sources/log_source_management/log_source_groups response codes
HTTP Response Code  Unique Code  Description
200                              The log source groups were retrieved successfully.
500                 1020         An error occurred during the attempt to retrieve the log source groups.

Response Description
The list of all log source groups. A log source group contains the following fields:
v id - Long - The ID of the group.
v name - String - The name of the group.
v description - String - The description of the group.
v parent_id - Long - The ID of the group's parent. Note that the root group node has a null parent_id.
v owner - String - The name of the user who owns the group.
v modification_date - Long - The date and time (expressed as milliseconds since epoch) that the group was last modified.
v assignable - Boolean - True if log sources can be assigned to this group, false if they cannot. Log sources cannot be assigned directly to the Other group or to the root log source group node.
v child_group_ids - Array of Longs - The list of IDs of any child log source groups of which this group is the parent.

Response Sample
[
{
"assignable": true,
"child_group_ids": [
42
],
"description": "String",
"id": 42,
"modification_date": 42,
"name": "String",
"owner": "String",
"parent_id": 42
}
]

GET /config/event_sources/log_source_management/log_source_groups/{id}
Retrieves a log source group by ID.
Table 485. GET /config/event_sources/log_source_management/log_source_groups/{id} resource details
MIME Type
application/json

Table 486. GET /config/event_sources/log_source_management/log_source_groups/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the log source group to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 487. GET /config/event_sources/log_source_management/log_source_groups/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The log source group was retrieved successfully.
404                 1002         The requested log source group cannot be found.
500                 1020         An error occurred during the attempt to retrieve the log source group.

Response Description
The log source group after it is retrieved. A log source group contains the following fields:
v id - Long - The ID of the group.
v name - String - The name of the group.
v description - String - The description of the group.
v parent_id - Long - The ID of the group's parent. Note that the root group node has a null parent_id.
v owner - String - The name of the user who owns the group.
v modification_date - Long - The date and time (expressed as milliseconds since epoch) that the group was last modified.
v assignable - Boolean - True if log sources can be assigned to this group, false if they cannot. Log sources cannot be assigned directly to the Other group or to the root log source group node.
v child_group_ids - Array of Longs - The list of IDs of any child log source groups of which this group is the parent.

Response Sample
{
"assignable": true,
"child_group_ids": [
42
],
"description": "String",
"id": 42,
"modification_date": 42,
"name": "String",
"owner": "String",
"parent_id": 42
}

GET /config/event_sources/log_source_management/log_source_languages
Retrieves the list of log source languages.
Table 488. GET /config/event_sources/log_source_management/log_source_languages resource details
MIME Type
application/json

Table 489. GET /config/event_sources/log_source_management/log_source_languages request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 490. GET /config/event_sources/log_source_management/log_source_languages response codes
HTTP Response Code  Unique Code  Description
200                              The log source languages were retrieved successfully.
500                 1020         An error occurred during the attempt to retrieve the log source languages.

Response Description

The list of all log source languages. A log source language contains the following fields:
v id - Integer - The ID of the language. This ID does not change across deployments.
v name - String - The display name of the language. Should be localized.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /config/event_sources/log_source_management/log_source_languages/{id}
Retrieves a log source language by ID.
Table 491. GET /config/event_sources/log_source_management/log_source_languages/{id} resource details
MIME Type
application/json

Table 492. GET /config/event_sources/log_source_management/log_source_languages/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the log source language to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 493. GET /config/event_sources/log_source_management/log_source_languages/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The log source language was retrieved successfully.
404                 1002         The requested log source language cannot be found.
500                 1020         An error occurred during the attempt to retrieve the log source language.

Response Description

The log source language after it is retrieved. A log source language contains the following fields:
v id - Integer - The ID of the language. This ID does not change across deployments.
v name - String - The display name of the language. Should be localized.

Response Sample
{
"id": 42,
"name": "String"
}

GET /config/event_sources/log_source_management/log_source_types
Retrieves the list of log source types.
Table 494. GET /config/event_sources/log_source_management/log_source_types resource details
MIME Type
application/json

Table 495. GET /config/event_sources/log_source_management/log_source_types request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 496. GET /config/event_sources/log_source_management/log_source_types response codes
HTTP Response Code  Unique Code  Description
200                              The log source types were retrieved successfully.
500                 1020         An error occurred during the attempt to retrieve the log source types.

Response Description
The list of all log source types. A log source type contains the following fields:
v id - Integer - The ID of the log source type.
v name - String - The name of the log source type.
v internal - Boolean - Indicates whether the log source type is an internal one (e.g. System Notification, SIM Audit, Asset Profiler, etc.) for which log sources cannot be created, edited or deleted.
v custom - Boolean - Indicates whether the log source type is a custom one.
v protocol_types - Array - The type of protocols available for the log source type.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source type.
v log_source_extension_id - Long - The optional log source extension that is associated with the log source type.
v supported_language_ids - Array - The supported languages for the log source type.

Response Sample
[
{
"custom": true,
"default_protocol_id": 42,
"id": 42,
"internal": true,
"log_source_extension_id": 42,
"name": "String",
"protocol_types": [
{
"documented": true,
"protocol_id": 42
}
],
"supported_language_ids": [
42
]
}
]

DELETE /config/event_sources/log_source_management/log_source_types/{id}
Delete a custom log source type by ID. This is only permitted for custom log source types.
Table 497. DELETE /config/event_sources/log_source_management/log_source_types/{id} resource details
MIME Type
text/plain

Table 498. DELETE /config/event_sources/log_source_management/log_source_types/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the custom log source type to delete.

Table 499. DELETE /config/event_sources/log_source_management/log_source_types/{id} response codes
HTTP Response Code  Unique Code  Description
204                              The log source type was deleted successfully.
404                 1010         The requested log source type cannot be found.
409                 1015         The requested log source type is not a custom type and thus cannot be deleted.
500                 1020         An error occurred while attempting to delete the log source type.

Response Description
No response body is returned; a successful delete answers HTTP 204 with an empty body.

Response Sample
(empty)
GET /config/event_sources/log_source_management/log_source_types/{id}
Retrieves a log source type by ID.
Table 500. GET /config/event_sources/log_source_management/log_source_types/{id} resource details
MIME Type
application/json

Table 501. GET /config/event_sources/log_source_management/log_source_types/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the log source type to retrieve.
fields     query   Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 502. GET /config/event_sources/log_source_management/log_source_types/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The log source type was retrieved successfully.
404                 1002         The requested log source type cannot be found.
500                 1020         An error occurred during the attempt to retrieve the log source type.

Response Description
The log source type after it is retrieved. A log source type contains the following fields:
v id - Integer - The ID of the log source type.
v name - String - The name of the log source type.
v internal - Boolean - Indicates whether the log source type is an internal one (e.g. System Notification, SIM Audit, Asset Profiler, etc.) for which log sources cannot be created, edited or deleted.
v custom - Boolean - Indicates whether the log source type is a custom one.
v protocol_types - Array - The type of protocols available for the log source type.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source type.
v log_source_extension_id - Long - The optional log source extension that is associated with the log source type.
v supported_language_ids - Array - The supported languages for the log source type.

Response Sample
{
"custom": true,
"default_protocol_id": 42,
"id": 42,
"internal": true,
"log_source_extension_id": 42,
"name": "String",
"protocol_types": [
{
"documented": true,
"protocol_id": 42
}
],
"supported_language_ids": [
42
]
}

POST /config/event_sources/log_source_management/log_source_types/{id}
Update a log source type.

The following fields can be provided in the body of this request; all other log source type fields will be ignored:
v name - String - The name of the log source type. Cannot be empty. Must be 241 characters or less. Must not already be in use by another log source type. This is only editable for custom log source types.
v protocol_types - Array - The protocols that can be used for the log source type. All protocol ids must exist, and the list cannot be empty. This is only editable for custom log source types.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source type.
v log_source_extension_id - Long - The log source extension that is associated with the log source type. If specified, this must correspond to an existing log source extension. This field can have a value of 'null', which removes the extension from this log source type.
Table 503. POST /config/event_sources/log_source_management/log_source_types/{id} resource details
MIME Type
application/json

Table 504. POST /config/event_sources/log_source_management/log_source_types/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  The ID of the log source type to be updated.
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 505. POST /config/event_sources/log_source_management/log_source_types/{id} request body details
Parameter: log_source_type_data
Data Type: Object
MIME Type: application/json
Description: The updated log source type data. Any field not provided will be ignored.
Sample: { "default_protocol_id": 42, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "protocol_id": 42 } ] }

Table 506. POST /config/event_sources/log_source_management/log_source_types/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The log source type was updated successfully.
404                 1010         The requested log source type cannot be found.
422                 1001         The provided name is already in use.
422                 1002         The provided name is empty.
422                 1003         The provided name exceeds 241 characters.
422                 1004         The provided protocol_types array is empty.
422                 1005         The provided protocol_types array contains one or more ProtocolMappings whose protocol_ids do not correspond to an existing protocol type.
422                 1006         The provided log_source_extension_id does not correspond to an existing log source extension.
500                 1020         An error occurred while attempting to update the log source type.

Response Description
The updated log source type, which has the following fields:
v id - Integer - The ID of the log source type.
v name - String - The name of the log source type.
v internal - Boolean - Indicates whether the log source type is an internal one.
v custom - Boolean - Indicates whether the log source type is a custom one.
v protocol_types - Array - The type of protocols available for the log source type.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source type.
v log_source_extension_id - Long - The optional log source extension that is associated with the log source type.
v supported_language_ids - Array - The supported languages for the log source type.

Response Sample
{
  "custom": true,
  "default_protocol_id": 42,
  "id": 42,
  "internal": true,
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_types": [
    {
      "documented": true,
      "protocol_id": 42
    }
  ],
  "supported_language_ids": [
    42
  ]
}

POST /config/event_sources/log_source_management/log_source_types
Create a new custom log source type.

Log source types do not need to be deployed. The following fields can be provided in the body of this
request, all other log source type fields will be ignored:
v name - String - The name of the log source type. Cannot be empty. Must be 241 characters or less.
Must not have been used before.

v protocol_types - Array - The optional protocols that can be used for the log source type. All protocol
ids must exist, list cannot be empty. If this field is not provided, all protocols will be available for this
log source type.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source
type.
v log_source_extension_id - Long - The optional log source extension that is associated with the log
source type. If specified, this must correspond to an existing log source extension.
Table 507. POST /config/event_sources/log_source_management/log_source_types resource details
MIME Type
application/json

Table 508. POST /config/event_sources/log_source_management/log_source_types request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 509. POST /config/event_sources/log_source_management/log_source_types request body details

Parameter Data Type MIME Type Description Sample
log_source_data Object application/json The new log source type data.
{
  "default_protocol_id": 42,
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_types": [
    {
      "protocol_id": 42
    }
  ]
}

Table 510. POST /config/event_sources/log_source_management/log_source_types response codes

HTTP Response Code Unique Code Description
201 The log source type was created successfully.
422 1001 The provided name is already in use.
422 1002 The provided name is empty.
422 1003 The provided name exceeds 241 characters.
422 1004 The provided protocol_types array is empty.
422 1005 The provided protocol_types array contains one or more ProtocolMappings whose protocol_ids do not correspond to an existing protocol type.
422 1006 The provided log_source_extension_id does not correspond to an existing log source extension.
500 1100 An error occurred while attempting to create the log source.

Response Description

The newly created log source type which will have the following fields:
v id - Integer - The ID of the log source type.

v name - String - The name of the log source type.
v internal - Boolean - Indicates whether the log source type is an internal one. This will be set to false for
custom log source types.
v custom - Boolean - Indicates whether the log source type is a custom one. This will always be set to
true for custom log source types.
v protocol_types - Array - The type of protocols available for the log source type.
v default_protocol_id - Long - The protocol option that should be the default solution for this log source
type.
v log_source_extension_id - Long - The optional log source extension that is associated with the log
source type.
v supported_language_ids - Array - The supported languages for the log source type. This will always
be empty for custom log source types.

Response Sample
{
  "custom": true,
  "default_protocol_id": 42,
  "id": 42,
  "internal": true,
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_types": [
    {
      "documented": true,
      "protocol_id": 42
    }
  ],
  "supported_language_ids": [
    42
  ]
}
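The following Python client is an added example; it is not part of the IBM guide and not QRadar product code. It builds the create request for this endpoint with the SEC token and Version headers, and maps the HTTP status and unique code of a failed response to the meaning documented in Table 510, so a script can distinguish a name clash (1001) from an unknown protocol id (1005) instead of treating every 422 alike. Assumptions not stated in this section: the endpoint path sits under the console's /api prefix, the console URL and token are placeholders, and an error body carries the unique code in a "code" field and text in a "message" field (the shape described by the guide's API error messages chapter).

```python
"""Create a custom log source type through the QRadar REST API.

Added example, not code from the IBM QRadar API guide. Assumptions: the
/api prefix in front of the endpoint path; a caller-supplied console URL
and SEC token (placeholders below); an error body with "code" and
"message" fields (assumed shape, per the guide's API error messages
chapter). The unique codes in DOCUMENTED_ERRORS are the ones listed in
the response code table for this endpoint.
"""
import json
import urllib.error
import urllib.request

ENDPOINT = "/api/config/event_sources/log_source_management/log_source_types"

# (HTTP status, unique code) -> meaning, copied from the response code table.
DOCUMENTED_ERRORS = {
    (422, 1001): "name already in use",
    (422, 1002): "name is empty",
    (422, 1003): "name exceeds 241 characters",
    (422, 1004): "protocol_types array is empty",
    (422, 1005): "protocol_types contains a protocol_id that does not exist",
    (422, 1006): "log_source_extension_id does not exist",
    (500, 1100): "server-side error while creating the log source type",
}


def build_request(base_url, sec_token, body):
    """POST request carrying the SEC token, with the API version pinned to 9.0."""
    headers = {
        "SEC": sec_token,
        "Version": "9.0",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        headers=headers,
        method="POST",
    )


def interpret_response(status, payload):
    """Map a status/body pair to ("created", resource) or
    ("error", status, unique_code, meaning). Kept separate from the
    network call so it can be exercised without a console."""
    if status == 201:
        return ("created", payload)
    code = payload.get("code")
    meaning = DOCUMENTED_ERRORS.get(
        (status, code), payload.get("message", "undocumented error"))
    return ("error", status, code, meaning)


def create_log_source_type(base_url, sec_token, body):
    """Send the request and decode the outcome. urllib raises HTTPError for
    4xx/5xx, so the error body is read from the exception object."""
    req = build_request(base_url, sec_token, body)
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_response(resp.status, json.loads(resp.read()))
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            payload = json.loads(raw) if raw else {}
        except ValueError:
            payload = {}
        return interpret_response(err.code, payload)


if __name__ == "__main__":
    # Constructed body following the request body table; ids are placeholders.
    body = {"name": "Example Custom Type",
            "protocol_types": [{"protocol_id": 42}],
            "default_protocol_id": 42}
    req = build_request("https://qradar.example", "SEC-TOKEN-PLACEHOLDER", body)
    print(req.get_method(), req.full_url)
    # Constructed error body in the assumed shape, as a 422/1003 reply would look.
    print(interpret_response(422, {"code": 1003, "message": "name too long"}))
    # Against a real console: create_log_source_type(base_url, token, body)
```

Keep the decoding table next to the call site: a 422 with code 1005 means the protocol id list should be re-read from the protocol_types endpoint rather than retried, while 1001 means the name already exists and the script should look the existing type up instead of creating a duplicate.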

GET /config/event_sources/log_source_management/log_sources
Retrieves the list of log sources.
Table 511. GET /config/event_sources/log_source_management/log_sources resource details
MIME Type
application/json

Table 512. GET /config/event_sources/log_source_management/log_sources request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 513. GET /config/event_sources/log_source_management/log_sources response codes


HTTP Response Code Unique Code Description
200 The log sources were retrieved successfully.
422 1000 Sorting not supported on the provided field.
422 1001 An invalid filter criteria was specified.
500 1020 An error occurred during the attempt to retrieve the log sources.

Response Description

The list of all log sources. A log source contains the following fields:
v id - Number - The ID of the log source.
v name - String - The name of the log source.
v description - String - The description of the log source.
v type_id - Number - The type of the log source.
v protocol_type_id - Number - The type of protocol used by the log source.
v protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The
content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).
v enabled - Boolean - Indicates whether the log source is enabled.
v gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source
is essentially a standalone protocol configuration. The log source receives no events itself, instead it
serves only as a host for a protocol configuration which retrieves event data to feed other log sources.
It serves as a "gateway" for events from multiple systems to enter the event pipeline.
v internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).
v credibility - Short - The credibility of the log source.
v target_event_collector_id - Number - The id of the event collector where the log source will send its
data.
v coalesce_events - Boolean - Indicates whether the log source will coalesce events.
v store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.
v log_source_extension_id - Long - The log source extension (if any) associated with the log source.
v language_id - Integer - The language of the events being processed by this log source.
v group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty
list.
v requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.
v status - Object - The status of the log source. This is a LogSourceStatus structure.
v auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

v average_eps - Number - The average EPS of the log source (over the last 60 seconds).
v creation_date - Number - The creation date of the log source. The value represents the number of
milliseconds since epoch (Jan 1, 1970).
v modified_date - Number - The last modified date of the log source. The value represents the number
of milliseconds since epoch (Jan 1, 1970).
v last_event_time - Number - The time of the last event received by the log source. The value represents
the number of milliseconds since epoch (Jan 1, 1970).
v wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if
applicable.
v wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect
destination IDs, where each corresponding WinCollect Destination resource has internal=false.
v legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source
belongs to.

Response Sample
[{"internal": true, "legacy_bulk_group_name": "String", "protocol_parameters": [{"name": "String", "id": 42, "value": "St
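As an added example (not from the guide or the product), the Python below pages through this list with the Range header and the filter, sort and fields query parameters of Table 512, then uses last_event_time from the Response Description to find enabled log sources that have stopped delivering events. A feed that goes quiet is a collection gap: every rule that depends on it stops firing without any alert, so this is the check a SOC would schedule. Assumptions: the /api prefix, placeholder console URL and token, an injectable transport so the paging logic runs offline against constructed records, and the filter expression `enabled=true`, written in the form described by the guide's filter syntax chapter.

```python
"""Walk the paged log source list and flag sources that have gone quiet.

Added example, not code from the IBM QRadar API guide. Assumptions: the
/api prefix; placeholder console URL and SEC token; a transport callable
fetch_page(url, headers) -> (status, json_list) that can be swapped for
an offline one (make_offline_fetch serves Range slices from a constructed
list). Field names and the Range form "items=start-end" follow the guide.
"""
import json
import urllib.parse
import urllib.request

ENDPOINT = "/api/config/event_sources/log_source_management/log_sources"
PAGE_SIZE = 50


def http_fetch(url, headers):
    """Default transport using urllib; 4xx/5xx raise urllib.error.HTTPError."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


def make_offline_fetch(records):
    """Transport that answers Range requests from an in-memory list."""
    def fetch(url, headers):
        start, end = headers["Range"].split("=")[1].split("-")
        return 200, records[int(start):int(end) + 1]
    return fetch


def list_log_sources(base_url, sec_token, filter_expr=None, sort=None,
                     fields=None, fetch_page=http_fetch):
    """Return every log source matching filter_expr, one Range page at a time.
    The list is zero-indexed; a short page means the end was reached."""
    query = {k: v for k, v in (("filter", filter_expr), ("sort", sort),
                               ("fields", fields)) if v}
    url = base_url.rstrip("/") + ENDPOINT
    if query:
        url += "?" + urllib.parse.urlencode(query)
    results, start = [], 0
    while True:
        headers = {
            "SEC": sec_token,
            "Version": "9.0",
            "Accept": "application/json",
            "Range": "items=%d-%d" % (start, start + PAGE_SIZE - 1),
        }
        status, page = fetch_page(url, headers)
        if status != 200:
            raise RuntimeError("GET log_sources returned HTTP %d" % status)
        results.extend(page)
        if len(page) < PAGE_SIZE:
            return results
        start += PAGE_SIZE


def quiet_log_sources(sources, now_ms, max_silence_ms):
    """IDs of enabled, non-gateway log sources whose last_event_time is
    older than max_silence_ms (all times are epoch milliseconds).
    Gateways are skipped because they receive no events themselves."""
    quiet = []
    for ls in sources:
        if not ls.get("enabled") or ls.get("gateway"):
            continue
        last = ls.get("last_event_time") or 0
        if now_ms - last > max_silence_ms:
            quiet.append(ls["id"])
    return quiet


# Constructed sample records using the documented field names.
NOW_MS = 1_700_000_000_000
SAMPLE_SOURCES = [
    {"id": 1, "name": "fw-edge", "enabled": True, "gateway": False,
     "last_event_time": NOW_MS - 60_000},
    {"id": 2, "name": "dc01-wincollect", "enabled": True, "gateway": False,
     "last_event_time": NOW_MS - 8 * 3_600_000},
    {"id": 3, "name": "syslog-gateway", "enabled": True, "gateway": True,
     "last_event_time": 0},
    {"id": 4, "name": "old-proxy", "enabled": False, "gateway": False,
     "last_event_time": 0},
]


if __name__ == "__main__":
    sources = list_log_sources("https://qradar.example", "SEC-TOKEN-PLACEHOLDER",
                               filter_expr="enabled=true",
                               fields="id,name,enabled,gateway,last_event_time",
                               fetch_page=make_offline_fetch(SAMPLE_SOURCES))
    print(quiet_log_sources(sources, NOW_MS, 6 * 3_600_000))  # [2]
```

Requesting only the fields the check needs keeps each page small, and paging with Range rather than one unbounded GET avoids a large response on consoles with thousands of log sources; the silence threshold should be tuned per source type, since a domain controller and a quarterly batch job have very different normal gaps.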

DELETE /config/event_sources/log_source_management/log_sources/{id}
Removes the specified log source from the system.
Table 514. DELETE /config/event_sources/log_source_management/log_sources/{id} resource details
MIME Type
text/plain

Table 515. DELETE /config/event_sources/log_source_management/log_sources/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number text/plain The ID of the log source to
(Integer) delete.

Table 516. DELETE /config/event_sources/log_source_management/log_sources/{id} response codes


HTTP Response Code Unique Code Description
204 The log source was deleted successfully.
403 1000 The endpoint cannot be used by users associated with a tenant.
404 1010 The requested log source cannot be found.
422 1001 The requested log source cannot be deleted because its type_id corresponds to an internal log source type.
422 1002 This method is not supported for this log source because it is part of a bulk group.
500 1020 An error occurred while attempting to delete the log source.

Response Description

Response Sample

GET /config/event_sources/log_source_management/log_sources/{id}
Retrieves a log source by ID.
Table 517. GET /config/event_sources/log_source_management/log_sources/{id} resource details
MIME Type
application/json

Table 518. GET /config/event_sources/log_source_management/log_sources/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the log source to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 519. GET /config/event_sources/log_source_management/log_sources/{id} response codes


HTTP Response Code Unique Code Description
200 The log source was retrieved successfully.
404 1002 The requested log source cannot be found.
500 1020 An error occurred during the attempt to retrieve the log source.

Response Description

The retrieved log source. A log source contains the following fields:
v id - Number - The ID of the log source.
v name - String - The name of the log source.
v description - String - The description of the log source.
v type_id - Number - The type of the log source.
v protocol_type_id - Number - The type of protocol used by the log source.
v protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The
content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).
v enabled - Boolean - Indicates whether the log source is enabled.
v gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source
is essentially a standalone protocol configuration. The log source receives no events itself, instead it
serves only as a host for a protocol configuration which retrieves event data to feed other log sources.
It serves as a "gateway" for events from multiple systems to enter the event pipeline.
v internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).
v credibility - Short - The credibility of the log source.

v target_event_collector_id - Number - The id of the event collector where the log source will send its
data.
v coalesce_events - Boolean - Indicates whether the log source will coalesce events.
v store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.
v log_source_extension_id - Long - The log source extension (if any) associated with the log source.
v language_id - Integer - The language of the events being processed by this log source.
v group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty
list.
v requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.
v status - Object - The status of the log source. This is a LogSourceStatus structure.
v auto_discovered - Boolean - Indicates whether this log source was auto-discovered.
v average_eps - Number - The average EPS of the log source (over the last 60 seconds).
v creation_date - Number - The creation date of the log source. The value represents the number of
milliseconds since epoch (Jan 1, 1970).
v modified_date - Number - The last modified date of the log source. The value represents the number
of milliseconds since epoch (Jan 1, 1970).
v last_event_time - Number - The time of the last event received by the log source. The value represents
the number of milliseconds since epoch (Jan 1, 1970).
v wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if
applicable.
v wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect
destination IDs, where each corresponding WinCollect Destination resource has internal=false.
v legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source
belongs to.

Response Sample
{
  "auto_discovered": true,
  "average_eps": 42,
  "coalesce_events": true,
  "creation_date": 42,
  "credibility": 42,
  "description": "String",
  "enabled": true,
  "gateway": true,
  "group_ids": [
    42
  ],
  "id": 42,
  "internal": true,
  "language_id": 42,
  "last_event_time": 42,
  "legacy_bulk_group_name": "String",
  "log_source_extension_id": 42,
  "modified_date": 42,
  "name": "String",
  "protocol_parameters": [
    {
      "id": 42,
      "name": "String",
      "value": "String"
    }
  ],
  "protocol_type_id": 42,
  "requires_deploy": true,
  "status": {
    "last_updated": 42,
    "messages": [
      {
        "severity": "String",
        "text": "String"
      }
    ],
    "status": "String"
  },
  "store_event_payload": true,
  "target_event_collector_id": 42,
  "type_id": 42,
  "wincollect_external_destination_ids": [
    42
  ],
  "wincollect_internal_destination_id": 42
}

POST /config/event_sources/log_source_management/log_sources/{id}
Updates a log source.
Table 520. POST /config/event_sources/log_source_management/log_sources/{id} resource details
MIME Type
application/json

Table 521. POST /config/event_sources/log_source_management/log_sources/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the log source to update.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 522. POST /config/event_sources/log_source_management/log_sources/{id} request body details

Parameter Data Type MIME Type Description Sample
log_source_data Object application/json The updated log source data. Any field not provided will be ignored.
{
  "coalesce_events": true,
  "credibility": 42,
  "description": "String",
  "enabled": true,
  "gateway": true,
  "group_ids": [ 42 ],
  "id": 42,
  "language_id": 42,
  "legacy_bulk_group_name": "String",
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_parameters": [
    { "id": 42, "name": "String", "value": "String" }
  ],
  "protocol_type_id": 42,
  "store_event_payload": true,
  "target_event_collector_id": 42,
  "type_id": 42,
  "wincollect_external_destination_ids": [ 42 ],
  "wincollect_internal_destination_id": 42
}

Table 523. POST /config/event_sources/log_source_management/log_sources/{id} response codes

HTTP Response Code Unique Code Description
200 The log source was updated successfully.
403 1000 The endpoint cannot be used by users associated with a tenant.
404 1050 The requested log source cannot be found.
409 1001 The 'name' parameter must be unique.
409 1002 The combination of 'type_id', 'protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique.
422 1004 The 'name' parameter is required.
422 1005 The 'name' parameter must not exceed 255 characters.
422 1006 The 'description' parameter must not exceed 255 characters.
422 1007 The 'type_id' parameter does not match any of the available log source types.
422 1008 The 'type_id' parameter cannot correspond to an internal log source type.
422 1009 The 'protocol_type_id' parameter does not match any of the available protocol types.
422 1010 The combination of 'type_id' and 'protocol_type_id' is not supported.
422 1011 The requested log source cannot be updated because its type_id corresponds to an internal log source type.
422 1012 The protocol parameter is invalid.
422 1013 The protocol parameter id or name is invalid.
422 1014 The protocol parameter value format is incorrect.
422 1015 The protocol parameter is required but the value is missing.
422 1016 The protocol parameter value does not match one of the allowed values.
422 1017 The protocol parameter value is too short.
422 1018 The protocol parameter value is too long.
422 1019 The protocol parameter value is too big.
422 1020 The protocol parameter value is too small.
422 1021 The protocol parameter value does not match the allowed pattern.
422 1022 The protocol parameter is not a supported encoding.
422 1023 At least one protocol parameter from the group must be set.
422 1024 The 'credibility' parameter must be a value between 0 and 10 inclusive.
422 1025 The 'target_event_collector_id' parameter does not match any of the available event collectors.
422 1026 The 'log_source_extension_id' parameter does not match any of the available log source extensions.
422 1027 The 'language_id' parameter does not match any of the available log source languages.
422 1028 The 'language_id' parameter does not match a supported language for the selected log source type.
422 1029 The 'group_ids' parameter contains one or more group IDs that cannot be found.
422 1030 The 'group_ids' parameter contains unassignable groups (IDs 0 or 1).
422 1031 The 'wincollect_internal_destination_id' parameter does not match any available internal WinCollect destination.
422 1032 The 'wincollect_external_destination_ids' parameter contains one or more IDs that do not match an available external WinCollect destination.
422 1033 For log sources associated with a WinCollect agent, at least one internal or external WinCollect destination must be provided.
422 1034 This method is not supported for this log source because it is part of a bulk group.
422 1035 The legacy_bulk_group_name field can only be set to null.
422 1036 A log source using this protocol cannot be used as a gateway.
500 1100 An error occurred during the attempt to create the log source.

Response Description

The updated log source identified by the id specified in the request. A log source contains the following
fields:
v id - Number - The ID of the log source.
v name - String - The name of the log source.
v description - String - The description of the log source.
v type_id - Number - The type of the log source.
v protocol_type_id - Number - The type of protocol used by the log source.
v protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The
content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).
v enabled - Boolean - Indicates whether the log source is enabled.

v gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source
is essentially a standalone protocol configuration. The log source receives no events itself, instead it
serves only as a host for a protocol configuration which retrieves event data to feed other log sources.
It serves as a "gateway" for events from multiple systems to enter the event pipeline.
v internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).
v credibility - Short - The credibility of the log source.
v target_event_collector_id - Number - The id of the event collector where the log source will send its
data.
v coalesce_events - Boolean - Indicates whether the log source will coalesce events.
v store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.
v log_source_extension_id - Long - The log source extension (if any) associated with the log source.
v language_id - Integer - The language of the events being processed by this log source.
v group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty
list.
v requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.
v status - Object - The status of the log source. This is a LogSourceStatus structure.
v auto_discovered - Boolean - Indicates whether this log source was auto-discovered.
v average_eps - Number - The average EPS of the log source (over the last 60 seconds).
v creation_date - Number - The creation date of the log source. The value represents the number of
milliseconds since epoch (Jan 1, 1970).
v modified_date - Number - The last modified date of the log source. The value represents the number
of milliseconds since epoch (Jan 1, 1970).
v last_event_time - Number - The time of the last event received by the log source. The value represents
the number of milliseconds since epoch (Jan 1, 1970).
v wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if
applicable.
v wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect
destination IDs, where each corresponding WinCollect Destination resource has internal=false.
v legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source
belongs to.

Response Sample
{
  "auto_discovered": true,
  "average_eps": 42,
  "coalesce_events": true,
  "creation_date": 42,
  "credibility": 42,
  "description": "String",
  "enabled": true,
  "gateway": true,
  "group_ids": [
    42
  ],
  "id": 42,
  "internal": true,
  "language_id": 42,
  "last_event_time": 42,
  "legacy_bulk_group_name": "String",
  "log_source_extension_id": 42,
  "modified_date": 42,
  "name": "String",
  "protocol_parameters": [
    {
      "id": 42,
      "name": "String",
      "value": "String"
    }
  ],
  "protocol_type_id": 42,
  "requires_deploy": true,
  "status": {
    "last_updated": 42,
    "messages": [
      {
        "severity": "String",
        "text": "String"
      }
    ],
    "status": "String"
  },
  "store_event_payload": true,
  "target_event_collector_id": 42,
  "type_id": 42,
  "wincollect_external_destination_ids": [
    42
  ],
  "wincollect_internal_destination_id": 42
}

POST /config/event_sources/log_source_management/log_sources
Creates a new log source.

A log source contains the following fields:

v id - Number - The ID of the log source.
v name - String - The name of the log source.
v description - String - The description of the log source.
v type_id - Number - The type of the log source.
v protocol_type_id - Number - The type of protocol used by the log source.
v protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The
content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).
v enabled - Boolean - Indicates whether the log source is enabled.
v gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source
is essentially a standalone protocol configuration. The log source receives no events itself, instead it
serves only as a host for a protocol configuration which retrieves event data to feed other log sources.
It serves as a "gateway" for events from multiple systems to enter the event pipeline.
v internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).
v credibility - Short - The credibility of the log source.
v target_event_collector_id - Number - The id of the event collector where the log source will send its
data.
v coalesce_events - Boolean - Indicates whether the log source will coalesce events.
v store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.
v log_source_extension_id - Long - The log source extension (if any) associated with the log source.
v language_id - Integer - The language of the events being processed by this log source.
v group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty
list.
v requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.
v status - Object - The status of the log source. This is a LogSourceStatus structure.
v auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

v average_eps - Number - The average EPS of the log source (over the last 60 seconds).
v creation_date - Number - The creation date of the log source. The value represents the number of
milliseconds since epoch (Jan 1, 1970).
v modified_date - Number - The last modified date of the log source. The value represents the number
of milliseconds since epoch (Jan 1, 1970).
v last_event_time - Number - The time of the last event received by the log source. The value represents
the number of milliseconds since epoch (Jan 1, 1970).
v wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if
applicable.
v wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect
destination IDs, where each corresponding WinCollect Destination resource has internal=false.
v legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source
belongs to.

A protocol parameter contains the following fields:

v id - Number - The id of the parameter. The id matches one of the ProtocolParameterType defined by
the Protocol Type used by the log source (see Protocol Type API endpoints).
v name - String - The ID of the log source.
v value - String - The ID of the log source.
Table 524. POST /config/event_sources/log_source_management/log_sources resource details
MIME Type
application/json

Table 525. POST /config/event_sources/log_source_management/log_sources request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 526. POST /config/event_sources/log_source_management/log_sources request body details

Parameter Data Type MIME Type Description Sample
log_source_data Object application/json The new log source data.
{
  "coalesce_events": true,
  "credibility": 42,
  "description": "String",
  "enabled": true,
  "gateway": true,
  "group_ids": [ 42 ],
  "id": 42,
  "language_id": 42,
  "legacy_bulk_group_name": "String",
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_parameters": [
    { "id": 42, "name": "String", "value": "String" }
  ],
  "protocol_type_id": 42,
  "store_event_payload": true,
  "target_event_collector_id": 42,
  "type_id": 42,
  "wincollect_external_destination_ids": [ 42 ],
  "wincollect_internal_destination_id": 42
}

Table 527. POST /config/event_sources/log_source_management/log_sources response codes

HTTP Response Code Unique Code Description
201 The log source was created successfully.
403 1000 The endpoint cannot be used by users associated with a tenant.
409 1001 The 'name' parameter must be unique.
409 1002 The combination of 'type_id', 'protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique.
422 1003 The 'name' parameter is required.
422 1004 The 'name' parameter must not exceed 255 characters.
422 1005 The 'description' parameter must not exceed 255 characters.
422 1006 null
422 1007 The 'type_id' parameter does not match any of the available log source types.
422 1008 The 'type_id' parameter cannot correspond to an internal log source type.
422 1009 null
422 1010 The 'protocol_type_id' parameter does not match any of the available protocol types.
422 1011 The combination of 'type_id' and 'protocol_type_id' is not supported.
422 1012 The protocol parameter is invalid.
422 1013 The protocol parameter id or name is invalid.
422 1014 The protocol parameter value format is incorrect.
422 1015 The protocol parameter is required but the value is missing.
422 1016 The protocol parameter value does not match one of the allowed values.
422 1017 The protocol parameter value is too short.
422 1018 The protocol parameter value is too long.
422 1019 The protocol parameter value is too big.
422 1020 The protocol parameter value is too small.
422 1021 The protocol parameter value does not match the allowed pattern.
422 1022 The protocol parameter is not a supported encoding.
422 1023 At least one protocol parameter from the group must be set.
422 1024 The 'credibility' parameter must be a value between 0 and 10 inclusive.
422 1025 The 'target_event_collector_id' parameter does not match any of the available event collectors.
422 1026 The 'log_source_extension_id' parameter does not match any of the available log source extensions.
422 1027 The 'language_id' parameter does not match any of the available log source languages.
422 1028 The 'language_id' parameter does not match a supported language for the selected log source type.
422 1029 The 'group_ids' parameter contains one or more group IDs that cannot be found.
422 1031 The 'group_ids' parameter contains unassignable groups (IDs 0 or 1).
422 1032 The 'wincollect_internal_destination_id' parameter does not match any available internal WinCollect destination.
422 1033 The 'wincollect_external_destination_ids' parameter contains one or more IDs that do not match an available external WinCollect destination.
422 1034 For log sources associated with a WinCollect agent, at least one internal or external WinCollect destination must be provided.
422 1035 This method is not supported for this log source because it is part of a bulk group.
422 1036 The 'legacy_bulk_group_name' parameter can only be set to null.
422 1037 A log source using this protocol cannot be used as a gateway.
500 1100 An error occurred during the attempt to create the log source.

Response Description

The newly created log source.

Response Sample
{
  "auto_discovered": true,
  "average_eps": 42,
  "coalesce_events": true,
  "creation_date": 42,
  "credibility": 42,
  "description": "String",
  "enabled": true,
  "gateway": true,
  "group_ids": [
    42
  ],
  "id": 42,
  "internal": true,
  "language_id": 42,
  "last_event_time": 42,
  "legacy_bulk_group_name": "String",
  "log_source_extension_id": 42,
  "modified_date": 42,
  "name": "String",
  "protocol_parameters": [
    {
      "id": 42,
      "name": "String",
      "value": "String"
    }
  ],
  "protocol_type_id": 42,
  "requires_deploy": true,
  "status": {
    "last_updated": 42,
    "messages": [
      {
        "severity": "String",
        "text": "String"
      }
    ],
    "status": "String"
  },
  "store_event_payload": true,
  "target_event_collector_id": 42,
  "type_id": 42,
  "wincollect_external_destination_ids": [
    42
  ],
  "wincollect_internal_destination_id": 42
}

GET /config/event_sources/log_source_management/protocol_types
Retrieves the list of protocol types.
Table 528. GET /config/event_sources/log_source_management/protocol_types resource details
MIME Type
application/json

Table 529. GET /config/event_sources/log_source_management/protocol_types request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 530. GET /config/event_sources/log_source_management/protocol_types response codes


HTTP Response Code Unique Code Description
200 The protocol types were retrieved successfully.
500 1020 An error occurred during the attempt to retrieve the protocols.

Response Description

The list of all protocol types. A protocol type contains the following fields:
v id - Long - The ID of the protocol type.
v name - String - The name of the protocol type.
v version - String - The version of the protocol component.
v gateway_supported - Boolean - Indicates whether this protocol can be configured for a gateway log
source. A gateway log source is essentially a standalone protocol configuration. The log source receives
no events itself, instead it serves only as a host for a protocol configuration which retrieves event data
to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event
pipeline. Not all protocol types can support collecting event data from multiple sources, thus not all
protocol types can be used for a gateway.
v parameters - Array - The parameters of this protocol type.
v parameter_groups - Array - The parameter groups of this protocol type.
A parameter contains the following fields:
v id - Long - The ID of the parameter.
v name - String - The internal name of the parameter.
v label - String - The display name of the parameter.
v description - String - The display description of the parameter.
v type - Enumeration - The type of the parameter. Possible values are: STRING, TEXT, INTEGER, REAL,
BOOLEAN, DATE, TIME, DATETIME, INTERVAL, HOST, PASSWORD, REGEX
v group_id - Number - The optional id of the group that this parameter belongs to. This is a reference to
one of the groups listed in the protocol type's parameter_groups field.
v required - Boolean - Indicates whether the parameter is mandatory.
v min_length - Integer - The optional minimum length of the parameter value. This is only applicable
when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.
v max_length - Integer - The optional maximum length of the parameter value. This is only applicable
when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.
v min_value - String - The optional minimum of the parameter value. This is only applicable when 'type'
is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.
v max_value - String - The optional maximum of the parameter value. This is only applicable when
'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.
v default_value - String - The optional default parameter value.
v pattern - String - An optional Java regex pattern restriction on the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD.
v pattern_error_message - String - An optional message to show when the 'pattern' restriction fails.
v allowed_values - Array - An optional restrictive list of allowed parameter values. This is used to implement an enumeration parameter.
v rules - Array - The parameter rules. This is used to manage parameter rules (e.g. Option A is only
available when Option B is set to True, Option C is required whenever Option A is set to False, etc.)
This is a list of ProtocolParameterRule structures. *
A parameter allowed value contains the following fields:
v name - String - The user-friendly name of the value.
v value - String - The value.
A parameter rule contains the following fields:
v parameter_id - String - The parameter affected by the rule.
v trigger_parameter_id - Long - The ID of the trigger parameter.
v trigger_pattern - String - The pattern that will trigger the rule. If the value of trigger_parameter_id
matches the regular expression of this field, the rule will trigger.
v affected_property - String - The affected property. Possible values are:
– AVAILABLE: Indicates that the parameter's availability will be affected by this rule
– REQUIRED: Indicates that the required state of the parameter will be affected by this rule
– DEFAULT: Indicates that the default value of the parameter will be affected by this rule.
v affected_property_value - String - The value to be applied to the affected parameter when the rule is
triggered. Here is how this field is interpreted based on the affected property:
– AVAILABLE: This will be a boolean value indicating whether the affected parameter should be
available. Since all fields are always available by default, setting this to 'true' does not make much
sense.
– REQUIRED: This will be a boolean value indicating whether the affected parameter should be
required.
– DEFAULT: This will be the default value to be used by the affected parameter.
A parameter group contains the following fields:
v id - Long - The id of the group.
v name - String - The name of the group.
v required - Boolean - This indicates whether at least one of the fields in this group is required.

Response Sample
[
{
"gateway_supported": true,
"id": 42,
"name": "String",
"parameter_groups": [
{
"id": 42,
"name": "String",
"required": true
}
],
"parameters": [
{
"allowed_values": [
{
"name": "String",
"value": "String"
}
],
"default_value": "String",
"description": "String",
"group_id": 42,
"id": 42,
"label": "String",
"max_length": 42,
"max_value": "String",
"min_length": 42,
"min_value": "String",
"name": "String",
"pattern": "String",
"pattern_description": "String",
"required": true,
"rules": [
{
"affected_property": "String",
"affected_property_value": "String",
"parameter_id": 42,
"trigger_parameter_id": 42,
"trigger_pattern": "String"
}
],
"type": "String"
}
],
"version": "String"
}
]

GET /config/event_sources/log_source_management/protocol_types/{id}
Retrieves a protocol type by ID.
Table 531. GET /config/event_sources/log_source_management/protocol_types/{id} resource details
MIME Type
application/json

Table 532. GET /config/event_sources/log_source_management/protocol_types/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the protocol type to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 533. GET /config/event_sources/log_source_management/protocol_types/{id} response codes


HTTP Response Code Unique Code Description
200 The protocol type was retrieved successfully.
404 1002 A protocol type with the specified ID could not be found.
500 1020 An error occurred during the attempt to retrieve the protocol.

Response Description

The protocol type after it is retrieved. A protocol type contains the following fields:
v id - Long - The ID of the protocol type.
v name - String - The name of the protocol type.
v version - String - The version of the protocol component.
v gateway_supported - Boolean - Indicates whether this protocol can be configured for a gateway log
source. A gateway log source is essentially a standalone protocol configuration. The log source receives
no events itself, instead it serves only as a host for a protocol configuration which retrieves event data
to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event
pipeline. Not all protocol types can support collecting event data from multiple sources, thus not all
protocol types can be used for a gateway.
v parameters - Array - The parameters of this protocol type.
v parameter_groups - Array - The parameter groups of this protocol type.
A parameter contains the following fields:
v id - Long - The ID of the parameter.
v name - String - The internal name of the parameter.
v label - String - The display name of the parameter.
v description - String - The display description of the parameter.
v type - Enumeration - The type of the parameter. Possible values are: STRING, TEXT, INTEGER, REAL,
BOOLEAN, DATE, TIME, DATETIME, INTERVAL, HOST, PASSWORD, REGEX
v group_id - Number - The optional id of the group that this parameter belongs to. This is a reference to
one of the groups listed in the protocol type's parameter_groups field.
v required - Boolean - Indicates whether the parameter is mandatory.
v min_length - Integer - The optional minimum length of the parameter value. This is only applicable
when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.
v max_length - Integer - The optional maximum length of the parameter value. This is only applicable
when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.
v min_value - String - The optional minimum of the parameter value. This is only applicable when 'type'
is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.
v max_value - String - The optional maximum of the parameter value. This is only applicable when
'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.
v default_value - String - The optional default parameter value.
v pattern - String - An optional Java regex pattern restriction on the parameter value. This is only
applicable when 'type' is STRING, TEXT, HOST, PASSWORD.
v pattern_error_message - String - An optional message to show when the 'pattern' restriction fails.
v allowed_values - Array - An optional restrictive list of allowed parameter values. This is used to implement an enumeration parameter.
v rules - Array - The parameter rules. This is used to manage parameter rules (e.g. Option A is only
available when Option B is set to True, Option C is required whenever Option A is set to False, etc.)
This is a list of ProtocolParameterRule structures. *
A parameter allowed value contains the following fields:
v name - String - The user-friendly name of the value.
v value - String - The value.
A parameter rule contains the following fields:
v parameter_id - String - The parameter affected by the rule.
v trigger_parameter_id - Long - The ID of the trigger parameter.
v trigger_pattern - String - The pattern that will trigger the rule. If the value of trigger_parameter_id
matches the regular expression of this field, the rule will trigger.
v affected_property - String - The affected property. Possible values are:
– AVAILABLE: Indicates that the parameter's availability will be affected by this rule
– REQUIRED: Indicates that the required state of the parameter will be affected by this rule
– DEFAULT: Indicates that the default value of the parameter will be affected by this rule.
v affected_property_value - String - The value to be applied to the affected parameter when the rule is
triggered. Here is how this field is interpreted based on the affected property:
– AVAILABLE: This will be a boolean value indicating whether the affected parameter should be
available. Since all fields are always available by default, setting this to 'true' does not make much
sense.
– REQUIRED: This will be a boolean value indicating whether the affected parameter should be
required.
– DEFAULT: This will be the default value to be used by the affected parameter.
A parameter group contains the following fields:
v id - Long - The id of the group.
v name - String - The name of the group.
v required - Boolean - This indicates whether at least one of the fields in this group is required.

Response Sample
{
"gateway_supported": true,
"id": 42,
"name": "String",
"parameter_groups": [
{
"id": 42,
"name": "String",
"required": true
}
],
"parameters": [
{
"allowed_values": [
{
"name": "String",
"value": "String"
}
],
"default_value": "String",
"description": "String",
"group_id": 42,
"id": 42,
"label": "String",
"max_length": 42,
"max_value": "String",
"min_length": 42,
"min_value": "String",
"name": "String",
"pattern": "String",
"pattern_description": "String",
"required": true,
"rules": [
{
"affected_property": "String",
"affected_property_value": "String",
"parameter_id": 42,
"trigger_parameter_id": 42,
"trigger_pattern": "String"
}
],
"type": "String"
}
],
"version": "String"
}
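The parameter metadata described above (length and value bounds, 'pattern', 'allowed_values', 'rules' with AVAILABLE/REQUIRED/DEFAULT, and required parameter groups) is what the console uses to reject a log source create or update with one of the 422 codes listed earlier. The following added example, which is not QRadar code and is not part of this guide, validates a proposed set of protocol parameters client-side against a protocol type structure of the shape returned by both GET protocol_types endpoints, and shapes the result into the protocol_parameters array shown in the log source response sample. SAMPLE_PROTOCOL_TYPE is constructed for illustration; its parameter names, ids and patterns are assumptions, and the console hostname, token and Version header value in fetch_protocol_type are placeholders.

```python
"""Client-side validation of log source protocol parameters against the
protocol type metadata that GET /config/event_sources/log_source_management/
protocol_types/{id} returns.

Added example, not QRadar code. SAMPLE_PROTOCOL_TYPE is constructed from the
field list in the guide; the parameter names, ids and patterns are illustrative."""
import json
import re
import urllib.request

# Constructed sample protocol type (illustrative ids and names).
SAMPLE_PROTOCOL_TYPE = {
    "id": 1, "name": "Example Remote Protocol", "version": "1.0",
    "gateway_supported": True,
    "parameter_groups": [{"id": 10, "name": "Credentials", "required": False}],
    "parameters": [
        {"id": 1, "name": "server_host", "type": "HOST", "required": True,
         "min_length": 1, "max_length": 255, "pattern": "^[A-Za-z0-9.-]+$",
         "pattern_error_message": "not a hostname", "allowed_values": [], "rules": []},
        {"id": 2, "name": "use_tls", "type": "BOOLEAN", "required": True,
         "default_value": "true", "rules": [],
         "allowed_values": [{"name": "Yes", "value": "true"}, {"name": "No", "value": "false"}]},
        # Password becomes mandatory only when use_tls is true (REQUIRED rule).
        {"id": 3, "name": "password", "type": "PASSWORD", "required": False, "group_id": 10,
         "min_length": 8, "max_length": 64, "allowed_values": [],
         "rules": [{"parameter_id": 3, "trigger_parameter_id": 2, "trigger_pattern": "^true$",
                    "affected_property": "REQUIRED", "affected_property_value": "true"}]},
        # CA path is hidden when use_tls is false (AVAILABLE rule).
        {"id": 4, "name": "tls_ca_path", "type": "STRING", "required": False,
         "allowed_values": [],
         "rules": [{"parameter_id": 4, "trigger_parameter_id": 2, "trigger_pattern": "^false$",
                    "affected_property": "AVAILABLE", "affected_property_value": "false"}]},
        {"id": 5, "name": "poll_interval", "type": "INTEGER", "required": False,
         "min_value": "10", "max_value": "3600", "default_value": "60",
         "allowed_values": [], "rules": []},
    ],
}

TEXT_TYPES = ("STRING", "TEXT", "HOST", "PASSWORD", "REGEX")
NUMERIC_TYPES = ("INTEGER", "REAL", "INTERVAL")


def validate_protocol_parameters(protocol_type, supplied):
    """Return a list of error strings; empty means `supplied` ({name: value})
    satisfies the protocol type's constraints and rules."""
    params = {p["id"]: dict(p) for p in protocol_type["parameters"]}  # mutable copies
    values = {p["id"]: supplied.get(p["name"], p.get("default_value")) for p in params.values()}
    # Apply parameter rules in one pass: a rule fires when the trigger parameter's
    # value matches trigger_pattern and then changes AVAILABLE / REQUIRED / DEFAULT
    # of the affected parameter. Rules are gathered from every parameter's list.
    for rule in (r for p in protocol_type["parameters"] for r in p.get("rules", [])):
        trigger = values.get(rule["trigger_parameter_id"])
        if trigger is None or not re.search(rule["trigger_pattern"], str(trigger)):
            continue
        target = params[rule["parameter_id"]]
        prop, val = rule["affected_property"], rule["affected_property_value"]
        if prop == "AVAILABLE":
            target["available"] = val.lower() == "true"
        elif prop == "REQUIRED":
            target["required"] = val.lower() == "true"
        elif prop == "DEFAULT" and target["name"] not in supplied:
            values[target["id"]] = val
    errors = []
    for p in params.values():
        name, value = p["name"], values[p["id"]]
        if not p.get("available", True):
            if name in supplied:
                errors.append(f"{name}: not available under the current settings")
            continue
        if value is None or str(value) == "":
            if p.get("required"):
                errors.append(f"{name}: required")
            continue
        s = str(value)
        allowed = {a["value"] for a in p.get("allowed_values", [])}
        if allowed and s not in allowed:
            errors.append(f"{name}: must be one of {sorted(allowed)}")
        if p["type"] in TEXT_TYPES:
            if p.get("min_length") is not None and len(s) < p["min_length"]:
                errors.append(f"{name}: shorter than {p['min_length']}")
            if p.get("max_length") is not None and len(s) > p["max_length"]:
                errors.append(f"{name}: longer than {p['max_length']}")
            # 'pattern' is a Java regex; Python's re covers the common subset
            # (assumption: the pattern uses no Java-only syntax).
            if p.get("pattern") and p["type"] != "REGEX" and not re.search(p["pattern"], s):
                errors.append(f"{name}: {p.get('pattern_error_message') or 'pattern mismatch'}")
        elif p["type"] in NUMERIC_TYPES:
            try:
                num = float(s)
            except ValueError:
                errors.append(f"{name}: not numeric")
                continue
            if p.get("min_value") is not None and num < float(p["min_value"]):
                errors.append(f"{name}: below minimum {p['min_value']}")
            if p.get("max_value") is not None and num > float(p["max_value"]):
                errors.append(f"{name}: above maximum {p['max_value']}")
    # A required group needs at least one of its member parameters set.
    for g in protocol_type.get("parameter_groups", []):
        members = [p for p in params.values() if p.get("group_id") == g["id"]]
        if g.get("required") and not any(values[p["id"]] not in (None, "") for p in members):
            errors.append(f"group '{g['name']}': at least one parameter must be set")
    return errors


def build_protocol_parameters(protocol_type, supplied):
    """Shape {name: value} into the protocol_parameters array of a log source
    create/update request (id, name, value per entry, as in the response sample)."""
    return [{"id": p["id"], "name": p["name"], "value": str(supplied[p["name"]])}
            for p in protocol_type["parameters"] if p["name"] in supplied]


def fetch_protocol_type(console, token, type_id):
    """Fetch a protocol type from a live console (not called in this example).
    QRadar reads the token from the SEC header and the API version from Version."""
    url = (f"https://{console}/api/config/event_sources/log_source_management/"
           f"protocol_types/{type_id}")
    req = urllib.request.Request(url, headers={"SEC": token, "Version": "9.0",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # keep certificate verification on
        return json.load(resp)
```

Rules are applied in a single pass, so a DEFAULT rule whose new value would itself trigger a second rule is not re-evaluated; the console remains the authority, and this check only lets a client fail fast with a readable message before the 422 arrives.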

GET /config/event_sources/property_discovery_profiles
Gets all PropertyDiscoveryProfiles currently in the system.
Table 534. GET /config/event_sources/property_discovery_profiles resource details
MIME Type
application/json

Table 535. GET /config/event_sources/property_discovery_profiles request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 536. GET /config/event_sources/property_discovery_profiles response codes


HTTP Response Code Unique Code Description
500 1020 An internal server error has occurred.

Response Description

A List of PropertyDiscoveryProfiles currently in the system.


v id - Integer - The ID of the property discovery profile.
v property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).
v optimized - Boolean - Indicates whether this profile creates custom properties as optimized.
v active - Boolean - Indicates whether this profile is enabled and actively being used.
v threshold - Integer - The number of events this profile can process without creating any custom property before it becomes inactive.
v log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).
v create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample
[
{
"active": true,
"create_for_normalized": true,
"id": 42,
"log_source_type_id": 42,
"property_discovery_type": "String",
"threshold": 42,
"use_for_rule_engine": true
}
]

DELETE /config/event_sources/property_discovery_profiles/{id}
Deletes the specified PropertyDiscoveryProfile.
Table 537. DELETE /config/event_sources/property_discovery_profiles/{id} resource details
MIME Type
text/plain

Table 538. DELETE /config/event_sources/property_discovery_profiles/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the PropertyDiscoveryProfile to be deleted.

Table 539. DELETE /config/event_sources/property_discovery_profiles/{id} response codes


HTTP Response Code Unique Code Description
404 1002 If the supplied id does not correlate to an existing PropertyDiscoveryProfile.
500 1020 An internal server error has occurred.

Response Description

Response Sample

GET /config/event_sources/property_discovery_profiles/{id}
Gets a PropertyDiscoveryProfile based on the information supplied by the property_discovery_profile
corresponding to the supplied ID.
Table 540. GET /config/event_sources/property_discovery_profiles/{id} resource details
MIME Type
application/json

Table 541. GET /config/event_sources/property_discovery_profiles/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the PropertyDiscoveryProfile.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 542. GET /config/event_sources/property_discovery_profiles/{id} response codes


HTTP Response Code Unique Code Description
404 1002 If the supplied id does not correlate to an existing PropertyDiscoveryProfile.
500 1020 An internal server error has occurred.

Response Description

A PropertyDiscoveryProfile corresponding to the supplied ID.


v id - Integer - The ID of the property discovery profile.
v property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).
v optimized - Boolean - Indicates whether this profile creates custom properties as optimized.
v active - Boolean - Indicates whether this profile is enabled and actively being used.
v threshold - Integer - The number of events this profile can process without creating any custom property before it becomes inactive.
v log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the
basic filter property, it must be set for the profile to be used).
v create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom
properties for any fields that match the name of a normalized system property. If true, it creates the
properties, but with identifying tag on the name; for example a field that is called 'username' creates a
custom-property that is named 'username_custom'.

Response Sample
{
"active": true,
"create_for_normalized": true,
"id": 42,
"log_source_type_id": 42,
"property_discovery_type": "String",
"threshold": 42,
"use_for_rule_engine": true
}

POST /config/event_sources/property_discovery_profiles/{id}
Updates a PropertyDiscoveryProfile based on the information supplied via the property_discovery_profile
JSON object.

Table 543. POST /config/event_sources/property_discovery_profiles/{id} resource details
MIME Type
application/json

Table 544. POST /config/event_sources/property_discovery_profiles/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the PropertyDiscoveryProfile to be updated.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 545. POST /config/event_sources/property_discovery_profiles/{id} request body details

Parameter Data Type MIME Type Description Sample
data Object application/json A PropertyDiscoveryProfileDTO instance that describes the profile to be updated. { "active": true, "create_for_normalized": true, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true }

Table 546. POST /config/event_sources/property_discovery_profiles/{id} response codes


HTTP Response Code Unique Code Description
404 1002 If one or more of the parameters cannot be correlated to an existing system entity.
409 1004 Log source type id is already in use by another property discovery profile.
422 1010 If one or more of the parameters cannot be validated correctly.
500 1020 An internal server error has occurred.

Response Description

A PropertyDiscoveryProfile as updated within the system.


v id - Integer - The ID of the property discovery profile.
v property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).
v optimized - Boolean - Indicates whether this profile creates custom properties as optimized.
v active - Boolean - Indicates whether this profile is enabled and actively being used.
v threshold - Integer - The number of events this profile can process without creating any custom property before it becomes inactive.
v log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).
v create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample
{
"active": true,
"create_for_normalized": true,
"id": 42,
"log_source_type_id": 42,
"property_discovery_type": "String",
"threshold": 42,
"use_for_rule_engine": true
}

POST /config/event_sources/property_discovery_profiles
Creates a PropertyDiscoveryProfile based on the information supplied by the property_discovery_profile
JSON object.
Table 547. POST /config/event_sources/property_discovery_profiles resource details
MIME Type
application/json

Table 548. POST /config/event_sources/property_discovery_profiles request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 549. POST /config/event_sources/property_discovery_profiles request body details

Parameter Data Type MIME Type Description Sample
data Object application/json A PropertyDiscoveryProfileCreatorDTO instance that describes the profile. { "active": true, "create_for_normalized": true, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true }

Table 550. POST /config/event_sources/property_discovery_profiles response codes


HTTP Response Code Unique Code Description
409 1004 Log source type id is already in use by another property discovery profile.
422 1010 If one or more of the parameters cannot be validated correctly.
500 1020 An internal server error has occurred.

Response Description

A PropertyDiscoveryProfile as created within the system.


v id - Integer - The ID of the property discovery profile.
v property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).
v optimized - Boolean - Indicates whether this profile creates custom properties as optimized.
v active - Boolean - Indicates whether this profile is enabled and actively being used.
v threshold - Integer - The number of events this profile can process without creating any custom property before it becomes inactive.
v log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).
v create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample
{
"active": true,
"create_for_normalized": true,
"id": 42,
"log_source_type_id": 42,
"property_discovery_type": "String",
"threshold": 42,
"use_for_rule_engine": true
}
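Both the create endpoint and the update endpoint above return 409 with unique code 1004 when log_source_type_id is already used by another property discovery profile, so a client that wants "a profile for log source type X with these settings" has to check the existing list first and route the change to POST /config/event_sources/property_discovery_profiles/{id} rather than retrying the create. The following added example, not part of the guide or of QRadar, plans that decision from the parsed GET list and a desired profile; EXISTING_PROFILES is constructed, the writable field names are taken from the request body samples above, and the console hostname and token in apply_plan are placeholders.

```python
"""Create-or-update planning for PropertyDiscoveryProfiles.

POST /config/event_sources/property_discovery_profiles answers 409 (unique code
1004) when log_source_type_id is already used by another profile, so the change
must go to POST .../property_discovery_profiles/{id} instead.
Added example, not QRadar code; EXISTING_PROFILES is constructed."""
import json
import urllib.request

BASE_PATH = "/api/config/event_sources/property_discovery_profiles"
# Writable fields, taken from the guide's request body samples.
WRITABLE_FIELDS = ("active", "create_for_normalized", "log_source_type_id",
                   "property_discovery_type", "threshold", "use_for_rule_engine")

# Constructed list standing in for the parsed response of GET BASE_PATH.
EXISTING_PROFILES = [
    {"id": 7, "active": True, "create_for_normalized": False, "log_source_type_id": 300,
     "property_discovery_type": "JSON", "threshold": 1000, "use_for_rule_engine": False},
    {"id": 8, "active": False, "create_for_normalized": True, "log_source_type_id": 301,
     "property_discovery_type": "NONE", "threshold": 500, "use_for_rule_engine": False},
]


def plan_profile_upsert(existing, desired):
    """Return (method, path, body): "POST" to BASE_PATH for a create, "POST" to
    BASE_PATH/{id} for an update, or "SKIP" when the stored profile already
    matches. Fields outside WRITABLE_FIELDS (such as id) are ignored."""
    body = {k: desired[k] for k in WRITABLE_FIELDS if k in desired}
    if "log_source_type_id" not in body:
        raise ValueError("log_source_type_id is required: it is the profile's filter")
    if body.get("property_discovery_type") not in (None, "JSON", "NONE"):
        raise ValueError("property_discovery_type must be JSON or NONE")
    if "threshold" in body and (not isinstance(body["threshold"], int) or body["threshold"] < 0):
        raise ValueError("threshold must be a non-negative event count")
    matches = [p for p in existing if p.get("log_source_type_id") == body["log_source_type_id"]]
    if not matches:
        return "POST", BASE_PATH, body
    current = matches[0]  # only one profile per log source type can exist (409 otherwise)
    changed = {k: v for k, v in body.items() if current.get(k) != v}
    if not changed:
        return "SKIP", f"{BASE_PATH}/{current['id']}", {}
    # Send the full DTO as in the sample body: stored values, overridden by the change.
    merged = {**{k: current[k] for k in WRITABLE_FIELDS if k in current}, **body}
    return "POST", f"{BASE_PATH}/{current['id']}", merged


def apply_plan(console, token, plan):
    """Send a plan to a live console (not called here). SEC carries the token,
    Version selects the API version; a 409 surfaces as urllib.error.HTTPError."""
    method, path, body = plan
    if method == "SKIP":
        return None
    req = urllib.request.Request(f"https://{console}{path}", data=json.dumps(body).encode(),
                                 method=method,
                                 headers={"SEC": token, "Version": "9.0",
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Because the stored list is read before deciding, two clients racing on the same log source type can still collide; treat a 409 from apply_plan as "re-read the list and re-plan" rather than as a failure.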

GET /config/event_sources/wincollect/wincollect_agents
Gets a list of WinCollectAgentDTOs based on the rows in the ale_client table.
Table 551. GET /config/event_sources/wincollect/wincollect_agents resource details
MIME Type
application/json

Table 552. GET /config/event_sources/wincollect/wincollect_agents request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 553. GET /config/event_sources/wincollect/wincollect_agents response codes


HTTP Response Code Unique Code Description
422 1010 The supplied filter is invalid.
500 1020 An internal server error has occurred.

Response Description

A List of WinCollectAgentDTOs.
v id - Integer - The id of the WinCollect Agent.
v name - String - Name of the WinCollect agent.
v description - String - Description of the WinCollect agent.
v host - String - IP address or hostname of WinCollect agent.
v version - String - Version of WinCollect agent.
v os_version - String - Operating system version of the host the agent is running on.
v status - Enumeration - Status of the agent, from the perspective of QRadar.
v enabled - Boolean - True if the agent is enabled/running, false if it's been deliberately disabled/turned off.
v autoupdates_enabled - Boolean - True if the agent is allowed to autonomously request configuration and software updates from QRadar, false if it is not allowed to receive updates.
v autodiscovered - Boolean - True if the agent entity was created as the result of an agent registering itself with QRadar, false if a user manually created the agent entity before the agent initiated communication.
v last_heartbeat_time - Long - The date/time (expressed as milliseconds since epoch) that a heartbeat signal from the agent was last received.
v last_config_generation_time - Long - The date/time (expressed as milliseconds since epoch) that the agent's configuration file was last generated on QRadar.

Response Sample
[
{
"autodiscovered": true,
"autoupdates_enabled": true,
"description": "String",
"enabled": true,
"host": "String",
"id": 42,
"last_config_generation_time": 42,
"last_heartbeat_time": 42,
"name": "String",
"os_version": "String",
"status": "String <one of: NO_COMMUNICATION_FROM_AGENT, RUNNING, STOPPED, UNAVAILABLE, UNKNOWN>",
"version": "String"
}
]

GET /config/event_sources/wincollect/wincollect_agents/{id}
Gets a WinCollectAgentDTO based on the information supplied via the ale_client corresponding to the
supplied id.
Table 554. GET /config/event_sources/wincollect/wincollect_agents/{id} resource details
MIME Type
application/json

Table 555. GET /config/event_sources/wincollect/wincollect_agents/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The id of the WinCollect Agent to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 556. GET /config/event_sources/wincollect/wincollect_agents/{id} response codes


HTTP Response Code Unique Code Description
404 1010 The requested WinCollect Agent cannot be found.
500 1020 An internal server error has occurred.

Response Description

A WinCollectAgentDTO representing the WinCollect Agent associated with the supplied id.


v id - Integer - The id of the WinCollect Agent.
v name - String - Name of the WinCollect agent.
v description - String - Description of the WinCollect agent.
v host - String - IP address or hostname of WinCollect agent.
v version - String - Version of WinCollect agent.
v os_version - String - Operating system version of the host the agent is running on.
v status - Enumeration - Status of the agent, from the perspective of QRadar.
v enabled - Boolean - True if the agent is enabled/running, false if it's been deliberately disabled/turned off.
v autoupdates_enabled - Boolean - True if the agent is allowed to autonomously request configuration and software updates from QRadar, false if it is not allowed to receive updates.
v autodiscovered - Boolean - True if the agent entity was created as the result of an agent registering itself with QRadar, false if a user manually created the agent entity before the agent initiated communication.
v last_heartbeat_time - Long - The date/time (expressed as milliseconds since epoch) that a heartbeat signal from the agent was last received.
v last_config_generation_time - Long - The date/time (expressed as milliseconds since epoch) that the agent's configuration file was last generated on QRadar.

Response Sample
{
"autodiscovered": true,
"autoupdates_enabled": true,
"description": "String",
"enabled": true,
"host": "String",
"id": 42,
"last_config_generation_time": 42,
"last_heartbeat_time": 42,
"name": "String",
"os_version": "String",
"status": "String <one of: NO_COMMUNICATION_FROM_AGENT, RUNNING, STOPPED, UNAVAILABLE, UNKNOWN>",
"version": "String"
}

GET /config/event_sources/wincollect/wincollect_destinations
Gets a list of WinCollectDestinationDTOs based on the rows in the ale_destination table.
Table 557. GET /config/event_sources/wincollect/wincollect_destinations resource details
MIME Type
application/json

Table 558. GET /config/event_sources/wincollect/wincollect_destinations request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 559. GET /config/event_sources/wincollect/wincollect_destinations response codes


HTTP Response Code Unique Code Description
500 1020 An internal server error has occurred.

Response Description

A list of WinCollectDestinationDTOs
v id - Integer - The id of the WinCollect destination.
v name - String - Name of the WinCollect destination.
v host - String - IP address or hostname of the WinCollect destination.
v port - Integer - Listen port on the WinCollect destination.
v transport_protocol - Enumeration - The protocol over which event data is sent to this WinCollect destination: UDP, TCP, TLS or UNKNOWN. Only TLS protects the event stream in transit; UDP and TCP carry it in cleartext.
v tls_certificate - String - Returned in the response sample; its content is not described elsewhere in this guide.
v event_rate_throttle - Integer - Events-per-second rate at which to throttle the event flow to this destination.
v internal - Boolean - True if the destination corresponds to a QRadar event collector process in this deployment, false if it is any other host.

Response Sample
[
{
"event_rate_throttle": 42,
"host": "String",
"id": 42,
"internal": true,
"name": "String",
"port": 42,
"tls_certificate": "String",
"transport_protocol": "String <one of: UDP, TCP, TLS, UNKNOWN>"
}
]

GET /config/event_sources/wincollect/wincollect_destinations/{id}
Gets the WinCollectDestinationDTO built from the ale_destination row that matches the supplied id.
Table 560. GET /config/event_sources/wincollect/wincollect_destinations/{id} resource details
MIME Type
application/json

Table 561. GET /config/event_sources/wincollect/wincollect_destinations/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The id of the WinCollect Destination to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 562. GET /config/event_sources/wincollect/wincollect_destinations/{id} response codes


HTTP Response Code Unique Code Description
404 1010 The requested WinCollect Destination cannot be found.
500 1020 An internal server error has occurred.

Response Description

A WinCollectDestinationDTO
v id - Integer - The id of the WinCollect destination.
v name - String - Name of the WinCollect destination.
v host - String - IP address or hostname of the WinCollect destination.
v port - Integer - Listen port on the WinCollect destination.
v transport_protocol - Enumeration - The protocol over which event data is sent to this WinCollect destination: UDP, TCP, TLS or UNKNOWN. Only TLS protects the event stream in transit; UDP and TCP carry it in cleartext.
v tls_certificate - String - Returned in the response sample; its content is not described elsewhere in this guide.
v event_rate_throttle - Integer - Events-per-second rate at which to throttle the event flow to this destination.
v internal - Boolean - True if the destination corresponds to a QRadar event collector process in this deployment, false if it is any other host.

Response Sample
{
"event_rate_throttle": 42,
"host": "String",
"id": 42,
"internal": true,
"name": "String",
"port": 42,
"tls_certificate": "String",
"transport_protocol": "String <one of: UDP, TCP, TLS, UNKNOWN>"
}
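
The following is an added example, not code from this guide or from IBM. It pages through the destinations list endpoint with the Range header and then audits the WinCollectDestinationDTO objects that either of the two endpoints above returns: every destination that is not TLS with a configured certificate is reported, because UDP and TCP deliver the collected Windows event stream in cleartext. The HTTP GET is injected as a callable (a real one would add the SEC token header and verify the console certificate), so the audit runs offline against a constructed sample. Assumptions: the `items=first-last` Range form follows this guide's paging syntax, the `fields` string is one reasonable choice, and `tls_certificate` is read as the configured certificate, which the guide does not state.

```python
"""Audit WinCollect destinations for cleartext transport (added example, not IBM code).

Consumes WinCollectDestinationDTO objects as returned by the two endpoints
above and reports every destination that is not TLS with a configured
certificate. The HTTP GET is injected so the audit runs offline.
"""
import json
from typing import Callable, Dict, Iterable, List

DESTINATIONS_PATH = "/api/config/event_sources/wincollect/wincollect_destinations"

# Constructed sample in the shape the guide documents (not captured from a real system).
SAMPLE_DESTINATIONS = [
    {"id": 1, "name": "ec-primary", "host": "10.0.0.5", "port": 514, "transport_protocol": "UDP",
     "event_rate_throttle": 5000, "internal": True, "tls_certificate": ""},
    {"id": 2, "name": "ec-secondary", "host": "10.0.0.6", "port": 514, "transport_protocol": "TCP",
     "event_rate_throttle": 5000, "internal": True, "tls_certificate": ""},
    {"id": 3, "name": "ec-tls", "host": "collector.example.internal", "port": 6514,
     "transport_protocol": "TLS", "event_rate_throttle": 5000, "internal": True,
     "tls_certificate": "-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----"},
]


def list_destinations(get: Callable[[str, Dict[str, str]], str], page_size: int = 50,
                      fields: str = "id,name,host,port,transport_protocol,tls_certificate,internal") -> List[dict]:
    """Page through the list endpoint.

    `get(path, headers)` performs the HTTP GET (adding the SEC token) and returns
    the body text. The Range header uses the guide's paging form
    "items=first-last", zero-indexed; `fields` trims the response to what we need.
    """
    out: List[dict] = []
    start = 0
    while True:
        headers = {"Range": f"items={start}-{start + page_size - 1}"}
        page = json.loads(get(f"{DESTINATIONS_PATH}?fields={fields}", headers))
        out.extend(page)
        if len(page) < page_size:  # short page: nothing more to fetch
            return out
        start += page_size


def audit_destinations(destinations: Iterable[dict]) -> List[dict]:
    """One finding per destination whose transport is weaker than TLS, or that
    selects TLS without a certificate (assumed meaning of tls_certificate)."""
    findings = []
    for d in destinations:
        proto = d.get("transport_protocol", "UNKNOWN")
        if proto == "TLS" and d.get("tls_certificate"):
            continue
        if proto == "TLS":
            reason = "TLS selected but no tls_certificate configured"
        elif proto in ("UDP", "TCP"):
            reason = f"events forwarded in cleartext over {proto}"
        else:
            reason = f"transport_protocol is {proto}"
        findings.append({"id": d["id"], "name": d["name"], "host": d["host"],
                         "port": d["port"], "internal": d.get("internal"), "reason": reason})
    return findings


def fake_get(path: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for the HTTP client: serves SAMPLE_DESTINATIONS, honouring Range."""
    first, last = (int(n) for n in headers["Range"].split("=", 1)[1].split("-"))
    return json.dumps(SAMPLE_DESTINATIONS[first:last + 1])


if __name__ == "__main__":
    for f in audit_destinations(list_destinations(fake_get, page_size=2)):
        print(f"[{f['id']}] {f['name']} {f['host']}:{f['port']} - {f['reason']}")
```

The paging loop stops on the first short page, so a deployment whose destination count is an exact multiple of page_size costs one extra, empty request; that is cheaper than trusting a total count the endpoint does not return.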

GET /config/extension_management/extensions
Retrieve a list of extensions.

Retrieves a list of extensions.


Table 563. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 564. GET /config/extension_management/extensions request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 565. GET /config/extension_management/extensions response codes


HTTP Response Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be sorted on.
500 22602 An error has occurred while trying to retrieve the list of extensions.

Response Description
A list of extensions. Each extension contains the following fields:
v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (the person who generated the extension).
v authored_by_email - String - The email of the author.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported
from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function
properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as
number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as number of
milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are
UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED,
UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the
following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",
"content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"authored_by_email": "account@company.com",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"authored_by_email": "account@company.com",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

POST /config/extension_management/extensions
Uploads the supplied extension file to the QRadar system.

Table 566. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 567. POST /config/extension_management/extensions request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 568. POST /config/extension_management/extensions request body details


Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The Extension file. Must be a properly-formed QRadar extension/content export, either an XML file or an XML within a ZIP or TAR.GZ archive. Must be provided with MIME type application/xml, application/zip, application/x-gzip or multipart/form-data. Sample: File

Table 569. POST /config/extension_management/extensions response codes
HTTP Response Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file can not be uploaded because it shares the same hub_id and version as one of the extensions in the system.
412 22619 null
422 22607 The supplied extension could not be validated successfully
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the extension file.

Response Description

An extension containing the following fields:


v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (the person who generated the extension).
v authored_by_email - String - The email of the author.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported
from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function
properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as
number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as number of
milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are
UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED,
UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the
following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

288 QRadar API Reference Guide


Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"authored_by_email": "account@company.com",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
Retrieves an extension based on the supplied extension_id.

Table 570. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 571. GET /config/extension_management/extensions/{extension_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number (Integer) text/plain Required - The id of the extension.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 572. GET /config/extension_management/extensions/{extension_id} response codes


HTTP Response Code Unique Code Description
200 The requested extension has been retrieved.
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the requested extension.

Response Description

An extension containing the following fields:


v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (the person who generated the extension).
v authored_by_email - String - The email of the author.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported
from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function
properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as
number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as number of
milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are
UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED,
UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the
following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"authored_by_email": "account@company.com",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id}/metadata
Adds metadata to the Extension corresponding to the supplied extension_id.

Table 573. POST /config/extension_management/extensions/{extension_id}/metadata resource details
MIME Type
application/json

Table 574. POST /config/extension_management/extensions/{extension_id}/metadata request parameter details


Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number (Integer) text/plain Required - The id of the extension.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 575. POST /config/extension_management/extensions/{extension_id}/metadata request body details


Parameter Data Type MIME Type Description Sample
metadata Object application/json Required - Metadata to be added to the extension. Sample: { "app_oauth_users": [ {"app_name": "TestApp1", "user_id": 5} ] }

Table 576. POST /config/extension_management/extensions/{extension_id}/metadata response codes
HTTP Response Code Unique Code Description
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error occurred while trying to add the metadata.

Response Description

The metadata that was added.

Response Sample
{
"app_oauth_users": [
{"app_name": "TestApp1", "user_id": 5}
]
}

POST /config/extension_management/extensions/{extension_id}
Install an extension based on the supplied extension_id. This is an asynchronous action.

Installs the Extension corresponding to the supplied extension_id. With action_type=PREVIEW it instead reports which values would be applied if the Extension were installed, so the result can be reviewed before an INSTALL is issued.
Table 577. POST /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 578. POST /config/extension_management/extensions/{extension_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number (Integer) text/plain Required - The id of the extension.
action_type query Required String text/plain Required - The desired action to take on the Extension (INSTALL or PREVIEW).
overwrite query Optional Boolean text/plain Optional - If true, any existing items on the importing system will be overwritten if the extension contains the same items. If false, existing items will be preserved, and the corresponding items in the extension will be skipped.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 579. POST /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code Unique Code Description
202 The requested install or preview task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22612 The supplied extension cannot be installed/previewed because it is already installed.
409 22611 The supplied extension cannot be installed/previewed because it is already in the process of being installed/previewed.
409 22618 The requested task can not be initiated because another preview/install task is already in progress.
422 22605 The supplied action type is invalid.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to install or preview the requested extension.

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:


v status_id - Number - id of the task status.
v message - String - description of the accepted task.
v status_location - String - the url of the task status.

Response Sample
{
"status_id": 25,
"message": "Installing an extension",
"status_location": "https://10.10.10.10/console/restapi/api/config/extension_management/extensions_task_status/25"
}

DELETE /config/extension_management/extensions/{extension_id}
Uninstall an extension based on the supplied extension ID. This is an asynchronous action.
Table 580. DELETE /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 581. DELETE /config/extension_management/extensions/{extension_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number (Integer) text/plain Required - The id of the extension to be uninstalled.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 582. DELETE /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code Unique Code Description
202 The requested uninstall task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22611 The supplied extension cannot be uninstalled because it is already in the process of being uninstalled.
409 22617 The extension can not be uninstalled because it is already in the process of being previewed/installed.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to uninstall an extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:


v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - Object - A JSON object depicting the current status of the task, with the same fields as GET /config/extension_management/extensions_task_status/{status_id}.

Response Sample
{
"message": "Uninstalling an extension",
"status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/{status_id}
Retrieves the task status based on the status_id.

Table 583. GET /config/extension_management/extensions_task_status/{status_id} resource details
MIME Type
application/json

Table 584. GET /config/extension_management/extensions_task_status/{status_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
status_id path Required Number (Integer) text/plain Required - The id of the task status.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 585. GET /config/extension_management/extensions_task_status/{status_id} response codes


HTTP Response Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the task status.

Response Description

A task status containing the following fields:


v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.
v progress - Number - The current progress of the task.
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as number of
milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as number of
milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified, represented as number of
milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed, represented as number of
milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task IDs that are executed asynchronously from this task.
v task_components - Array - Array of task components that are executed sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

GET /config/extension_management/extensions_task_status/{status_id}/results
Retrieves the task status results based on the status ID.
Table 586. GET /config/extension_management/extensions_task_status/{status_id}/results resource details
MIME Type
application/json

Table 587. GET /config/extension_management/extensions_task_status/{status_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
status_id path Required Number (Integer) text/plain Required - The id of the task status.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 588. GET /config/extension_management/extensions_task_status/{status_id}/results response codes


HTTP Response Code Unique Code Description
200 The requested results of the task status have been retrieved.
404 22604 The task status for status_id cannot be found.
404 22614 The task results are not available.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall task. It contains the
following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the extension and what action
is associated with each content item for the task that was executed. Each content item contains the
following fields:
– name - String - The name of the content item.
– content_type_id - Number - The ID of the type of the content item.
– content_type_name - String - The name of the type of the content item.
– action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",
"action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}
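
The following is an added example, not code from this guide or from IBM. It ties the extension endpoints above into one procedure: POST the archive, start a PREVIEW task, poll extensions_task_status/{status_id} until its `completed` timestamp is set (the guide's uninstall sample shows it as null while the task is QUEUED), read .../results, and only then start the INSTALL task, which this example never runs when the upload record reports `signed` as NOT_SIGNED, when `beta` is true, or when the preview lists a per-item action the operator has not accepted. `overwrite` is left at false so existing content is preserved. The transport callable is an assumption (a real one adds the SEC token header and returns the decoded JSON body); `FakeQRadar` is a constructed offline stand-in whose responses mirror the guide's samples, and the policy arguments are this example's own.

```python
"""Preview-before-install for QRadar extensions (added example, not IBM code).

Drives the asynchronous flow documented above: upload (201), start a PREVIEW or
INSTALL task (202 + status_id), poll extensions_task_status/{status_id} until the
task's `completed` timestamp is set, read .../results, and let a policy decide
whether INSTALL may run. The transport is injected so this runs offline.
"""
import time
from typing import Callable, List, Optional, Set, Tuple

BASE = "/api/config/extension_management"
# transport(method, path, body) -> (http_status, decoded_json); a real one adds the SEC header.
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, dict]]


class ExtensionClient:
    def __init__(self, transport: Transport, poll_interval: float = 1.0) -> None:
        self._t, self._poll = transport, poll_interval

    def upload(self, archive: bytes) -> dict:
        status, ext = self._t("POST", f"{BASE}/extensions", archive)
        if status != 201:
            raise RuntimeError(f"upload rejected: HTTP {status} {ext}")
        return ext

    def start(self, ext_id: int, action: str, overwrite: bool = False) -> int:
        """Start an INSTALL or PREVIEW task and return its status_id."""
        path = f"{BASE}/extensions/{ext_id}?action_type={action}&overwrite={str(overwrite).lower()}"
        status, task = self._t("POST", path, None)
        if status != 202:
            raise RuntimeError(f"{action} not accepted: HTTP {status} {task}")
        return task["status_id"]

    def wait(self, status_id: int, max_polls: int = 600) -> dict:
        """Poll until `completed` is non-null (it is null while the task is QUEUED)."""
        for _ in range(max_polls):
            status, task = self._t("GET", f"{BASE}/extensions_task_status/{status_id}", None)
            if status != 200:
                raise RuntimeError(f"task {status_id}: HTTP {status} {task}")
            if task.get("completed") is not None:
                return task
            time.sleep(self._poll)
        raise TimeoutError(f"task {status_id} still running after {max_polls} polls")

    def results(self, status_id: int) -> dict:
        status, res = self._t("GET", f"{BASE}/extensions_task_status/{status_id}/results", None)
        if status != 200:
            raise RuntimeError(f"results for task {status_id}: HTTP {status} {res}")
        return res


def install_plan(ext: dict, preview: dict, accepted_actions: Set[str] = frozenset({"SKIP"}),
                 allow_unsigned: bool = False, allow_beta: bool = False) -> Tuple[bool, List[str]]:
    """Gate INSTALL on the upload record and the PREVIEW results. SKIP is the only
    per-item action this guide shows; any other action must be accepted explicitly."""
    reasons = []
    if ext.get("signed") == "NOT_SIGNED" and not allow_unsigned:
        reasons.append("extension is NOT_SIGNED")
    if ext.get("beta") and not allow_beta:
        reasons.append("extension is flagged beta")
    for item in preview.get("content", []):
        if item.get("action") not in accepted_actions:
            reasons.append(f"{item['content_type_name']} '{item['name']}' would be "
                           f"{item.get('action')}, which is not an accepted action")
    return (not reasons), reasons


def preview_then_install(client: ExtensionClient, archive: bytes, **policy) -> Tuple[bool, List[str]]:
    """Upload, PREVIEW, evaluate the plan, and run INSTALL only if it passes."""
    ext = client.upload(archive)
    task = client.wait(client.start(ext["id"], "PREVIEW"))
    if task["status"] != "COMPLETED":
        return False, [f"preview ended in {task['status']}: {task.get('message')}"]
    ok, reasons = install_plan(ext, client.results(task["id"]), **policy)
    if ok:
        task = client.wait(client.start(ext["id"], "INSTALL"))
        ok = task["status"] == "COMPLETED"
        if not ok:
            reasons.append(f"install ended in {task['status']}: {task.get('message')}")
    return ok, reasons


class FakeQRadar:
    """Constructed offline transport; responses are shaped like this guide's samples."""
    def __init__(self) -> None:
        self.calls, self.polls = [], {}

    def __call__(self, method: str, path: str, body: Optional[bytes]) -> Tuple[int, dict]:
        self.calls.append((method, path))
        if method == "POST" and path == f"{BASE}/extensions":
            return 201, {"id": 2, "name": "qidmaps.xml", "signed": "NOT_SIGNED", "beta": False}
        if method == "POST" and "action_type=" in path:
            sid = 25 if "action_type=PREVIEW" in path else 26
            self.polls[sid] = 0
            return 202, {"status_id": sid, "status_location": f"{BASE}/extensions_task_status/{sid}"}
        if path.endswith("/results"):
            return 200, {"id": 2, "task_type": "PREVIEW", "content": [
                {"content_type_id": 27, "name": "qidmap", "action": "SKIP", "content_type_name": "qidmap"}]}
        sid = int(path.rsplit("/", 1)[-1])
        self.polls[sid] += 1  # first poll is still QUEUED with `completed` null
        if self.polls[sid] == 1:
            return 200, {"id": sid, "status": "QUEUED", "completed": None, "message": "Queued"}
        return 200, {"id": sid, "status": "COMPLETED", "completed": 1440891515224, "message": "Done"}
```

Polling on `completed` rather than on a list of status strings avoids hard-coding task states the guide does not enumerate; the success check is still the documented COMPLETED value. A 409 with code 22618 on the INSTALL call means another preview/install task is running, so a production wrapper should retry after that task finishes rather than treat it as a failure of this extension.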

GET /config/flow_retention_buckets
Retrieves a list of flow retention buckets.

Table 589. GET /config/flow_retention_buckets resource details
MIME Type
application/json

Table 590. GET /config/flow_retention_buckets request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 591. GET /config/flow_retention_buckets response codes


HTTP Response Code Unique Code Description
200 The flow retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the flow retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v deletion - String - The deletion policy of the retention bucket, IMMEDIATELY or ON_DEMAND (the field is named deletion in the response sample).
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]



DELETE /config/flow_retention_buckets/{id}
Deletes a flow retention bucket.

Deletes a flow retention bucket.


Table 592. DELETE /config/flow_retention_buckets/{id} resource details
MIME Type
text/plain

Table 593. DELETE /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null

Table 594. DELETE /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
204 | | The flow retention bucket was deleted.
403 | 1009 | You do not have the proper capabilities to delete the flow retention bucket.
404 | 1002 | The flow retention bucket does not exist.
500 | 1020 | An error occurred during the attempt to delete the flow retention bucket.

Response Description
Response Sample

GET /config/flow_retention_buckets/{id}
Retrieves a flow retention bucket.

Retrieves a flow retention bucket.


Table 595. GET /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 596. GET /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 597. GET /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The flow retention bucket was retrieved.
404 | 1002 | The flow retention bucket does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the flow retention bucket.

Response Description

The retention bucket after it is retrieved. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket was created.
v modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/flow_retention_buckets/{id}
Updates the flow retention bucket owner, or enabled/disabled only.

Updates the flow retention bucket owner, or enabled/disabled only.


Table 598. POST /config/flow_retention_buckets/{id} resource details
MIME Type
application/json



Table 599. POST /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 600. POST /config/flow_retention_buckets/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
retention_bucket | Object | application/json | null | { "bucket_id": 42, "database": "String", "description": "String", "enabled": true, "id": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

Table 601. POST /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The flow retention bucket was updated.
404 | 1002 | The Flow Retention Bucket does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the flow retention bucket.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 ).
v priority - Integer - The priority of the retention bucket ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket was created.
v modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.



Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}
Deletes the flow calculated property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Deletes the flow calculated property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.
Table 602. DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json

Table 603. DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
calculated_property_id | path | Required | Number (Integer) | text/plain | Required - String - The ID of the flow calculated property to delete.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 604. DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The calculated flow property deletion task was accepted and is in progress.
403 | 1009 | The requested delete action is unauthorized.
404 | 1002 | The requested calculated flow property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to delete a calculated flow property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE
}

GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents
Retrieves the objects that depend on the flow calculated property.

Retrieves the objects that depend on the flow calculated property.


Table 605. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents resource details
MIME Type
application/json

Table 606. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
calculated_property_id | path | Required | Number (Integer) | text/plain | Required - The ID of the flow calculated property to get the dependents for.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 607. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The calculated flow property dependents retrieval was accepted and is in progress.
403 | 1009 | The user does not have the required authorization to start the task for finding dependents of calculated flow property.
404 | 1002 | The requested calculated flow property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to initiate the calculated flow property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/calculated_property_dependents_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZI
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
}
]
}

GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}
Retrieves a calculated flow property based on the supplied calculated property ID.

Retrieves a calculated flow property based on the supplied calculated property ID.
Table 608. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json

Table 609. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
calculated_property_id | path | Required | Number (Integer) | text/plain | Required - String - The ID of the calculated flow property.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 610. GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested calculated flow property was retrieved.
404 | 1002 | The requested calculated flow property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the requested calculated flow property.

Response Description

A calculated flow property that contains the following fields:
v id - Number - A sequence id for the calculated flow property.
v identifier - String - A string that uniquely identifies the calculated flow property.
v name - String - The name of the calculated flow property.
v description - String - The description of the calculated flow property.
v enabled - Boolean - Whether the calculated flow property is enabled.
v first_operand - String - An operand object describing the first operand in the expression.
v second_operand - String - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression.
v username - String - The username of the creator of the calculated flow property.
v creation_date - Number - The time stamp for when the calculated flow property is created in
milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated flow property is last modified
in milliseconds since epoch.
An operand object contains the following fields:
v type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).
v numeric_value - Number - when property_type is "STATIC", this is the value of the operand;
otherwise, it is suppressed.
v property_name - String - when property_type is "PROPERTY", this is the name of the property that is
being used as the operand; otherwise, it is suppressed.

Response Sample
{
"creation_date": 42,
"description": "String",



"enabled": true,
"first_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}

POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}
Updates an existing calculated flow property.

Updates an existing calculated flow property.


Table 611. POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} resource details
MIME Type
application/json

Table 612. POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
calculated_property_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated flow property.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 613. POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A JSON structure that contains the field_name-value pairs of the calculated flow property that is to be updated. | { "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }
Fields of the data object:
v description - Optional - String - The description of the calculated flow property. Defaults to an empty string.
v enabled - Optional - Boolean - Whether the calculated flow property is enabled. Defaults to true.
v first_operand - Optional - Operand Object - An object describing the first operand in the expression.
v second_operand - Optional - Operand Object - An object describing the second operand in the expression.
v operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

Table 614. POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The calculated flow property was updated.
403 | 1009 | The requested update action is unauthorized.
404 | 1002 | The requested calculated flow property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to update a calculated flow property.

Response Description

The updated calculated flow property that contains the following fields:
v id - Number - A sequence id for the calculated flow property.
v identifier - String - A string that uniquely identifies the calculated flow property.
v name - String - The name of the calculated flow property.
v description - String - The description of the calculated flow property.
v enabled - Boolean - Whether the calculated flow property is enabled.
v first_operand - String - An operand object describing the first operand in the expression.
v second_operand - String - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression.



v username - String - The username of the creator of the calculated flow property.
v creation_date - Number - The time stamp for when the calculated flow property is created in
milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated flow property is last modified
in milliseconds since epoch.
An operand object contains the following fields:
v type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).
v numeric_value - Number - when property_type is "STATIC", this is the value of the operand;
otherwise, it is suppressed.
v property_name - String - when property_type is "PROPERTY", this is the name of the property that is
being used as the operand; otherwise, it is suppressed.

Response Sample
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}

GET /config/flow_sources/custom_properties/calculated_properties
Retrieves a list of calculated flow properties.

Retrieves a list of calculated flow properties.


Table 615. GET /config/flow_sources/custom_properties/calculated_properties resource details
MIME Type
application/json

Table 616. GET /config/flow_sources/custom_properties/calculated_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 617. GET /config/flow_sources/custom_properties/calculated_properties response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of calculated flow properties was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of calculated flow properties.

Response Description

A list of calculated flow properties. Each calculated flow property contains the following fields:
v id - Number - A sequence id for the calculated flow property.
v identifier - String - A string that uniquely identifies the calculated flow property.
v name - String - The name of the calculated flow property.
v description - String - The description of the calculated flow property.
v enabled - Boolean - Whether the calculated flow property is enabled.
v first_operand - String - An operand object describing the first operand in the expression.
v second_operand - String - An operand object describing the second operand in the expression.
v operator - String - A string that represents one of the basic arithmetic operations in the expression.
v username - String - The username of the creator of the calculated flow property.
v creation_date - Number - The time stamp for when the calculated flow property is created in
milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated flow property is last modified
in milliseconds since epoch.
An operand object contains the following fields:
v type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).
v numeric_value - Number - when property_type is "STATIC", this is the value of the operand;
otherwise, it is suppressed.
v property_name - String - when property_type is "PROPERTY", this is the name of the property that is
being used as the operand; otherwise, it is suppressed.

Response Sample
[
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,



"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}
]

POST /config/flow_sources/custom_properties/calculated_properties
Creates a new calculated flow property.

Creates a new calculated flow property.


Table 618. POST /config/flow_sources/custom_properties/calculated_properties resource details
MIME Type
application/json

Table 619. POST /config/flow_sources/custom_properties/calculated_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 620. POST /config/flow_sources/custom_properties/calculated_properties request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A JSON structure that contains the field_name-value pairs of the calculated flow property that is to be created. | { "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }
Fields of the data object:
v name - Required - String - The name of the calculated flow property.
v description - Optional - String - The description of the calculated flow property. Defaults to an empty string.
v enabled - Optional - Boolean - Whether the calculated flow property is enabled. Defaults to true.
v first_operand - Required - Operand Object - An object describing the first operand in the expression.
v second_operand - Required - Operand Object - An object describing the second operand in the expression.
v operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

Table 621. POST /config/flow_sources/custom_properties/calculated_properties response codes
HTTP Response Code | Unique Code | Description
201 | | The new calculated flow property was created.
403 | 1009 | The requested create action is unauthorized.
409 | 1004 | The name of the calculated property has been used.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to create a new calculated flow property.

Response Description

The newly created calculated flow property that contains the following fields:
v id - Number - A sequence id for the calculated flow property.
v identifier - String - A string that uniquely identifies the calculated flow property.
v name - String - The name of the calculated flow property.
v description - String - The description of the calculated flow property.
v enabled - Boolean - Whether the calculated flow property is enabled.
v first_operand - String - An operand object describing the first operand in the expression.
v second_operand - String - An operand object describing the second operand in the expression.



v operator - String - A string that represents one of the basic arithmetic operations in the expression.
v username - String - The username of the creator of the calculated flow property.
v creation_date - Number - The time stamp for when the calculated flow property is created in
milliseconds since epoch.
v modification_date - Number - The time stamp for when the calculated flow property is last modified
in milliseconds since epoch.
An operand object contains the following fields:
v type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).
v numeric_value - Number - when property_type is "STATIC", this is the value of the operand;
otherwise, it is suppressed.
v property_name - String - when property_type is "PROPERTY", this is the name of the property that is
being used as the operand; otherwise, it is suppressed.

Response Sample
{
"creation_date": 42,
"description": "String",
"enabled": true,
"first_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"id": 42,
"identifier": "String",
"modification_date": 42,
"name": "String",
"operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>",
"second_operand": {
"numeric_value": 42.5,
"property_name": "String",
"type": "String <one of: STATIC, PROPERTY>"
},
"username": "String"
}
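The operand object and request body rules for the calculated flow property endpoints, worked through as an added example (not code from the QRadar API Guide or from IBM): builders for the create and update bodies, a validator for the STATIC/PROPERTY operand rule, and a client-side evaluator that applies a property returned by GET to one flow record. Property names such as "Source Bytes" are constructed placeholders, not QRadar flow property names.

```python
"""Client-side helpers for the calculated flow property endpoints under
/config/flow_sources/custom_properties/calculated_properties.

Added example; not code from the QRadar API Guide or from IBM. It encodes the
operand rules the reference states: a STATIC operand carries numeric_value, a
PROPERTY operand carries property_name, the other key is suppressed, and the
operator is one of ADD, SUBTRACT, MULTIPLY, DIVIDE (default ADD).
Property names used in the tests are constructed placeholders.
"""

OPERATORS = ("ADD", "SUBTRACT", "MULTIPLY", "DIVIDE")


def static_operand(value):
    """Operand object for a numeric literal (type STATIC)."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("STATIC operand needs a numeric value")
    return {"type": "STATIC", "numeric_value": value}


def property_operand(name):
    """Operand object that references another flow property (type PROPERTY)."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("PROPERTY operand needs a non-empty property_name")
    return {"type": "PROPERTY", "property_name": name}


def validate_operand(operand):
    """Return the operand if it follows the reference's rules, else raise."""
    if not isinstance(operand, dict):
        raise ValueError("operand must be an object")
    kind = operand.get("type")
    if kind == "STATIC":
        required, suppressed = "numeric_value", "property_name"
    elif kind == "PROPERTY":
        required, suppressed = "property_name", "numeric_value"
    else:
        raise ValueError("operand type must be STATIC or PROPERTY, got %r" % (kind,))
    if required not in operand:
        raise ValueError("%s operand requires %s" % (kind, required))
    if suppressed in operand:
        raise ValueError("%s operand must not carry %s" % (kind, suppressed))
    return operand


def build_create_body(name, first_operand, second_operand, operator="ADD",
                      description="", enabled=True):
    """The data object for the create request: name and both operands are
    required by the reference; the other fields carry the stated defaults."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name is required")
    if operator not in OPERATORS:
        raise ValueError("operator must be one of %s" % (OPERATORS,))
    return {
        "name": name,
        "description": description,
        "enabled": bool(enabled),
        "first_operand": validate_operand(first_operand),
        "second_operand": validate_operand(second_operand),
        "operator": operator,
    }


def build_update_body(**fields):
    """The data object for POST .../{calculated_property_id}: the reference's
    field list for the update body names only these five optional fields,
    so only the fields actually supplied are sent."""
    allowed = ("description", "enabled", "first_operand", "second_operand", "operator")
    body = {}
    for key, value in fields.items():
        if key not in allowed:
            raise ValueError("unknown update field %r" % (key,))
        if key in ("first_operand", "second_operand"):
            value = validate_operand(value)
        elif key == "operator" and value not in OPERATORS:
            raise ValueError("operator must be one of %s" % (OPERATORS,))
        elif key == "enabled":
            value = bool(value)
        body[key] = value
    return body


def evaluate_property(prop, flow):
    """Apply a calculated flow property (the object GET returns) to one flow
    record given as {property_name: numeric value}. Returns None when a
    referenced property is absent or the divisor is zero; the reference does
    not say how the server handles those cases, so this is a client choice."""
    def value_of(operand):
        validate_operand(operand)
        if operand["type"] == "STATIC":
            return operand["numeric_value"]
        return flow.get(operand["property_name"])

    a, b = value_of(prop["first_operand"]), value_of(prop["second_operand"])
    if a is None or b is None:
        return None
    ops = {"ADD": lambda x, y: x + y, "SUBTRACT": lambda x, y: x - y,
           "MULTIPLY": lambda x, y: x * y,
           "DIVIDE": lambda x, y: None if y == 0 else x / y}
    if prop.get("operator") not in ops:
        raise ValueError("unknown operator %r" % (prop.get("operator"),))
    return ops[prop["operator"]](a, b)
```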

GET /config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id}
Retrieves the status of the flow calculated property delete task.

Retrieves the status of the flow calculated property delete task.


Table 622. GET /config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 623. GET /config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property delete task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 624. GET /config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The status of the flow calculated property delete task was retrieved.
404 | 1002 | The requested task status cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the status of the deletion task.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
}

314 QRadar API Reference Guide


GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}
Retrieves the status of the flow calculated property dependents task.

Table 625. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 626. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task status to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 627. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The status of the find dependents task was retrieved.
404 | 1002 | The requested task status cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the details of a task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}
Cancels the flow calculated property dependent task.

Table 628. POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 629. POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task to cancel.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 630. POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | Required - A Dependent Task Status object with the status set to "CANCEL_REQUESTED" is the only acceptable input. | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 631. POST /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The cancel request was accepted and the dependent task status was returned.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state and cannot be cancelled.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

318 QRadar API Reference Guide


GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results
Retrieves the flow calculated property dependent task results.

Table 632. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 633. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task to retrieve results for.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 634. GET /config/flow_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The result of the find dependents task was retrieved.
404 | 1002 | The result of the task cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the result of a task.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVE
"user_has_edit_permissions": true
}
]
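The four task endpoints above (delete task status, dependent task status, cancel, and results) share one asynchronous pattern: poll the task status URL until the status reaches a terminal state, then read the results, and cancel by POSTing a body whose status is CANCEL_REQUESTED. The client below is an added example, not code from the QRadar API Guide or from IBM. It assumes that the deployment authenticates with a SEC token header and pins the API version with a Version header (an assumption; this page does not describe authentication), and it runs against a constructed in-memory FakeQRadar transport so that it can be exercised offline. The fake's HTTP status and unique error codes (404/1002, 409/1004, 422/1005) are the ones listed in the tables above; its 401 for a bad token is the fake's own behaviour.

```python
"""Drive QRadar's asynchronous calculated-property task endpoints.

Added example, not code from the QRadar API Guide. FakeQRadar is a constructed
in-memory stand-in for the appliance so the client can be run offline.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

BASE = "/api/config/flow_sources/custom_properties"
# States after which a task status stops changing (from the status enum on this page).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
# A transport is any callable (method, path, headers, json_body) -> (http_status, parsed_body).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, object]]


def auth_headers(token: str, fields: Optional[str] = None) -> Dict[str, str]:
    # Assumption: the deployment authenticates with a SEC token header and pins the API
    # version with a Version header; neither is stated on this page. The POST endpoints
    # here take 'fields' as a header, the GET endpoints as a query parameter.
    headers = {"SEC": token, "Version": "9.0", "Accept": "application/json"}
    if fields:
        headers["fields"] = fields
    return headers


def task_path(kind: str, task_id: int) -> str:
    """Status URL of a 'delete' task or a 'dependent' (find dependents) task."""
    if kind not in ("delete", "dependent"):
        raise ValueError("kind must be 'delete' or 'dependent'")
    return f"{BASE}/calculated_property_{kind}_tasks/{task_id}"


def get_task(transport: Transport, token: str, kind: str, task_id: int) -> dict:
    status, body = transport("GET", task_path(kind, task_id), auth_headers(token), None)
    if status == 404:  # unique code 1002: the task status cannot be found
        raise LookupError(f"task {task_id} not found: {body}")
    if status != 200:
        raise RuntimeError(f"GET {task_path(kind, task_id)} -> HTTP {status}: {body}")
    return body


def wait_for_task(transport: Transport, token: str, kind: str, task_id: int,
                  interval: float = 1.0, max_polls: int = 120,
                  sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll until the task is terminal. Bounded, so a stuck task raises TimeoutError
    with the last observed state instead of hanging the caller forever."""
    task = {"status": "UNKNOWN"}
    for _ in range(max_polls):
        task = get_task(transport, token, kind, task_id)
        if task["status"] in TERMINAL_STATES:
            return task
        sleep(interval)
    raise TimeoutError(f"task {task_id} still {task['status']} after {max_polls} polls")


def cancel_dependent_task(transport: Transport, token: str, task_id: int) -> Tuple[bool, dict]:
    """POST a status of CANCEL_REQUESTED. Returns (accepted, task). HTTP 409 (unique
    code 1004) means the task already completed, so its current status is returned."""
    status, body = transport("POST", task_path("dependent", task_id),
                             auth_headers(token), {"status": "CANCEL_REQUESTED"})
    if status == 200:
        return True, body
    if status == 409:
        return False, get_task(transport, token, "dependent", task_id)
    raise RuntimeError(f"cancel of task {task_id} -> HTTP {status}: {body}")


def get_dependents(transport: Transport, token: str, task_id: int) -> List[dict]:
    """Results of a finished dependent task: the resources that use the property."""
    status, body = transport("GET", task_path("dependent", task_id) + "/results",
                             auth_headers(token), None)
    if status != 200:
        raise RuntimeError(f"results of task {task_id} -> HTTP {status}: {body}")
    return body


def uneditable_dependents(dependents: List[dict]) -> List[dict]:
    """Dependents the task creator cannot edit: escalate these to their owner or
    an admin before the property is removed."""
    return [d for d in dependents if not d.get("user_has_edit_permissions", False)]


class FakeQRadar:
    """Constructed stand-in for the appliance: dependent task 7 advances
    QUEUED -> PROCESSING -> COMPLETED one step per GET and has two dependents."""
    TOKEN = "t0k3n"  # constructed credential, accepted only by this fake

    def __init__(self) -> None:
        self._states = ["QUEUED", "PROCESSING", "COMPLETED"]
        self._i = 0
        self._cancelled = False
        self._results = [  # constructed sample dependents
            {"dependent_id": "1", "dependent_name": "Top talkers", "dependent_owner": "admin",
             "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "FLOWS",
             "dependent_group_ids": [1], "user_has_edit_permissions": True},
            {"dependent_id": "2", "dependent_name": "Exfil watch", "dependent_owner": "analyst2",
             "dependent_type": "OFFENSE_SAVED_SEARCH", "dependent_database": "FLOWS",
             "dependent_group_ids": [3], "user_has_edit_permissions": False},
        ]

    def _task(self) -> dict:
        state = "CANCELLED" if self._cancelled else self._states[self._i]
        return {"id": 7, "name": "find dependents", "status": state, "created_by": "analyst1",
                "number_of_dependents": len(self._results) if state == "COMPLETED" else None}

    def __call__(self, method, path, headers, body):
        if headers.get("SEC") != self.TOKEN:  # the fake's own check; the real error shape is not on this page
            return 401, {"message": "rejected by fake: bad SEC token"}
        if path == task_path("dependent", 7) and method == "GET":
            task = self._task()
            if not self._cancelled and self._i < len(self._states) - 1:
                self._i += 1  # the task makes progress between polls
            return 200, task
        if path == task_path("dependent", 7) and method == "POST":
            if body != {"status": "CANCEL_REQUESTED"}:
                return 422, {"code": 1005, "message": "A request parameter is not valid."}
            if self._states[self._i] == "COMPLETED":
                return 409, {"code": 1004, "message": "The task is in a completed state."}
            self._cancelled = True
            return 200, dict(self._task(), status="CANCEL_REQUESTED", cancelled_by="analyst1")
        if path == task_path("dependent", 7) + "/results" and method == "GET":
            if self._states[self._i] != "COMPLETED":
                return 404, {"code": 1002, "message": "The result of the task can not be found."}
            return 200, self._results
        return 404, {"code": 1002, "message": "The requested task status can not be found."}


if __name__ == "__main__":
    qradar = FakeQRadar()
    finished = wait_for_task(qradar, FakeQRadar.TOKEN, "dependent", 7, interval=0)
    print(finished["status"], "dependents:", finished["number_of_dependents"])
    for dep in uneditable_dependents(get_dependents(qradar, FakeQRadar.TOKEN, 7)):
        print("needs owner/admin:", dep["dependent_type"], dep["dependent_name"], dep["dependent_owner"])
```

Two design points carry over to a real deployment: the poll loop is bounded rather than open-ended, so an automation job cannot hang on a task stuck in PROCESSING, and a 409 on cancel is treated as "too late, read the final state" rather than as a failure, because the response codes above say a completed task simply cannot be cancelled.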

GET /config/flow_sources/custom_properties/calculated_property_operands
Retrieves the list of available options for the calculated flow property operand.

Table 635. GET /config/flow_sources/custom_properties/calculated_property_operands resource details
MIME Type
application/json

Table 636. GET /config/flow_sources/custom_properties/calculated_property_operands request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 637. GET /config/flow_sources/custom_properties/calculated_property_operands response codes
HTTP Response Code | Unique Code | Description
200 | | The list of available options for the calculated flow property operand was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the available options for the calculated flow property operand.

Response Description

An array that contains the available options for the calculated flow property operand.

Response Sample
[
"String"
]


DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id}
Deletes a flow regex property expression based on the supplied expression ID.

Table 638. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 639. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow_regex_property_expression.

Table 640. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The requested flow regex property expression was successfully deleted.
403 | 1009 | The user cannot delete the resource because it can only be deleted by its owner or an admin user.
404 | 1002 | The requested flow regex property expression cannot be found.
500 | 1020 | An error occurred during the attempt to delete the requested flow regex property expression.

Response Description

No response body is returned; a successful deletion answers with HTTP 204.

GET /config/flow_sources/custom_properties/property_expressions/{expression_id}
Retrieves a flow regex property expression based on the supplied expression ID.

Table 641. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 642. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow_regex_property_expression.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 643. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested flow regex property expression was successfully retrieved.
404 | 1002 | The requested flow regex property expression cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the requested flow regex property expression.

Response Description

A flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/flow_sources/custom_properties/property_expressions/{expression_id}
Updates an existing flow regex property expression.

Table 644. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 645. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property expression.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 646. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request body details
Parameter: data
Data Type: Object
MIME Type: application/json
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "low_level_category_id": 42, "modification_date": 42, "payload": "String", "payload_origin": "String <one of: event_payload, source_payload, destination_payload>", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }
Description: Required - A JSON representation of the flow regex property expression object, with the following fields:
v regex_property_identifier - Optional - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v regex - Optional - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture.
v payload - Optional - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Optional - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
v payload_origin - Optional - String - The payload type (source_payload, destination_payload) to apply the expression to.
v username - Optional - String - The owner of the flow regex property expression. If the owner is an authorized service, the username must carry the prefix "API_token: ".

Table 647. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The flow regex property expression was updated.
403 | 1009 | The user cannot update the resource because it can only be updated by its owner or an admin user.
404 | 1002 | The requested flow regex property expression cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to update a flow regex property expression.

Response Description

The updated flow regex property expression object contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/flow_sources/custom_properties/property_expressions
Retrieves a list of flow regex property expressions.

Table 648. GET /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 649. GET /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 650. GET /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of flow regex property expressions was retrieved.
422 | 1010 | An error occurred while building the filter.
500 | 1020 | An error occurred during the attempt to retrieve the list of flow regex property expressions.

Response Description

A list of flow regex property expressions. Each regex property expression contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/flow_sources/custom_properties/property_expressions
Creates a new flow regex property expression.

Table 651. POST /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 652. POST /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 653. POST /config/flow_sources/custom_properties/property_expressions request body details
Parameter: data
Data Type: Object
MIME Type: application/json
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "low_level_category_id": 42, "modification_date": 42, "payload": "String", "payload_origin": "String <one of: event_payload, source_payload, destination_payload>", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }
Description: Required - A JSON representation of the regex property expression object, with the following fields:
v regex_property_identifier - Required - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
v regex - Required - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
v payload - Optional - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Optional - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
v payload_origin - Required - String - The payload type (source_payload, destination_payload) to apply the expression to.

Table 654. POST /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code | Unique Code | Description
201 | | A new flow regex property expression was created.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to create a new flow regex property expression.

Response Description

The newly created flow regex property expression contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify that their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
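A regex property expression runs against the payload of every flow it is scoped to, so the things the POST endpoint above cannot check for you are worth checking before you send the request: that the regex compiles, that capture_group actually exists in the pattern (the server defaults it to 1 and would otherwise store an expression that never extracts anything), and that the regex matches the test payload the UI uses for the same purpose. The helper below is an added example, not code from the QRadar API Guide or from IBM. It covers the create endpoint above and the "API_token: " username prefix that the update endpoint requires for authorized services; the HTTP request in SAMPLE_PAYLOAD is constructed, the SEC and Version headers in post_expression are an assumption about the deployment, and post_expression takes any transport callable so the test can run it offline.

```python
"""Build and locally check a flow regex property expression before POSTing it.

Added example, not code from the QRadar API Guide; SAMPLE_PAYLOAD is constructed.
"""
import re
from typing import Callable, Dict, Optional, Tuple

EXPRESSIONS_PATH = "/api/config/flow_sources/custom_properties/property_expressions"
# The payload types the field description names for flow expressions.
FLOW_PAYLOAD_ORIGINS = ("source_payload", "destination_payload")
# Constructed sample: the start of an HTTP request as it might appear in a flow's source payload.
SAMPLE_PAYLOAD = "GET /login HTTP/1.1\r\nHost: portal.example.net\r\nUser-Agent: curl/8.0\r\n\r\n"
# A transport is any callable (method, path, headers, json_body) -> (http_status, parsed_body).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def build_expression(regex_property_identifier: str, regex: str, payload_origin: str,
                     capture_group: int = 1, enabled: bool = True,
                     payload: Optional[str] = None, qid: Optional[int] = None,
                     low_level_category_id: Optional[int] = None) -> dict:
    """Request body for POST .../property_expressions. Rejects locally what the server
    would answer with 422, plus a capture group the pattern does not have, which the
    server cannot know is wrong but which would never extract a value."""
    if not regex_property_identifier:
        raise ValueError("regex_property_identifier is required")
    if payload_origin not in FLOW_PAYLOAD_ORIGINS:
        raise ValueError(f"payload_origin must be one of {FLOW_PAYLOAD_ORIGINS}")
    try:
        compiled = re.compile(regex)
    except re.error as exc:
        raise ValueError(f"regex does not compile: {exc}") from exc
    if not 1 <= capture_group <= compiled.groups:
        raise ValueError(f"capture_group {capture_group} out of range; pattern has {compiled.groups} group(s)")
    body = {"regex_property_identifier": regex_property_identifier, "regex": regex,
            "capture_group": capture_group, "enabled": enabled, "payload_origin": payload_origin}
    # Optional scoping fields are only sent when set, so the server applies its own defaults.
    for key, value in (("payload", payload), ("qid", qid), ("low_level_category_id", low_level_category_id)):
        if value is not None:
            body[key] = value
    return body


def extract(body: dict, sample_payload: str) -> Optional[str]:
    """Value the expression would extract from a payload, or None when it does not match.
    Python's re and the server-side engine can differ on edge cases, so treat a local
    match as a sanity check rather than a guarantee."""
    match = re.search(body["regex"], sample_payload)
    return match.group(body["capture_group"]) if match else None


def verify_test_payload(body: dict) -> bool:
    """The check the 'payload' field exists for in the UI: the regex must match the
    stored test payload and yield a non-empty value."""
    return bool(body.get("payload")) and bool(extract(body, body["payload"]))


def owner_for_authorized_service(token_name: str) -> str:
    """username value to set when the owner is an authorized service: the update
    endpoint requires the 'API_token: ' prefix."""
    return f"API_token: {token_name}"


def post_expression(transport: Transport, token: str, body: dict, fields: Optional[str] = None) -> dict:
    """Create the expression. Assumes SEC/Version headers (not stated on this page);
    201 is the only success code, and a 422 carries the server's unique error code."""
    headers = {"SEC": token, "Version": "9.0", "Content-Type": "application/json"}
    if fields:  # this POST takes 'fields' as a header, not a query parameter
        headers["fields"] = fields
    status, resp = transport("POST", EXPRESSIONS_PATH, headers, body)
    if status == 422:
        raise ValueError(f"rejected (code {resp.get('code')}): {resp.get('message')}")
    if status != 201:
        raise RuntimeError(f"POST {EXPRESSIONS_PATH} -> HTTP {status}: {resp}")
    return resp


if __name__ == "__main__":
    expr = build_expression("http-host", r"Host:\s*([^\r\n]+)", "source_payload", payload=SAMPLE_PAYLOAD)
    print("extracts:", extract(expr, SAMPLE_PAYLOAD), "| test payload ok:", verify_test_payload(expr))
```

The local regex check is deliberately conservative: it only refuses patterns that cannot work at all. Whether a pattern that does compile is also cheap enough to run on every matching flow is something to review separately before enabling the expression.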

GET /config/flow_sources/custom_properties/regex_properties
Retrieves a list of flow regex properties.

Table 655. GET /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 656. GET /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 657. GET /config/flow_sources/custom_properties/regex_properties response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of flow regex properties was retrieved.
422 | 1010 | An error occurred while building the filter.
500 | 1020 | An error occurred during the attempt to retrieve the list of flow regex properties.

Response Description

A list of flow regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates whether the flow regex property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/flow_sources/custom_properties/regex_properties
Creates a new flow regex property.



Table 658. POST /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

6 REST API V9.0 References 329


Table 659. POST /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 660. POST /config/flow_sources/custom_properties/regex_properties request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the flow regex property object.
v name - Required - String - The name of the flow regex property.
v description - Optional - String - The description of the flow regex property.
v property_type - Required - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when property type is TIME.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }
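
The constraints in the request body table (name and property_type required, datetime_format and locale required only for time properties, and meaningless otherwise) only surface as a 422 with unique code 1005 after the round trip. The following Python, added here as an example and not part of IBM's guide or its sample code, enforces them client-side before the POST and shows the request itself. The console host name, token, property names and date pattern are placeholders; the SEC header carries the QRadar authorized-service token and the Version header pins the API version.

```python
"""Build and submit a flow regex property for
POST /config/flow_sources/custom_properties/regex_properties.
Console host name and token are placeholders (assumed)."""
import json
import ssl
import urllib.request

VALID_PROPERTY_TYPES = ("string", "numeric", "ip", "port", "time")


def build_flow_regex_property(name, property_type, description=None,
                              use_for_rule_engine=False,
                              datetime_format=None, locale=None):
    """Return the request body, enforcing the documented rules client-side
    so a bad body is rejected before the round trip (the console would
    otherwise answer 422 with unique code 1005)."""
    if not name or not name.strip():
        raise ValueError("name is required")
    if property_type not in VALID_PROPERTY_TYPES:
        raise ValueError("property_type must be one of %s" % (VALID_PROPERTY_TYPES,))
    body = {
        "name": name,
        "property_type": property_type,
        "use_for_rule_engine": bool(use_for_rule_engine),
    }
    if description is not None:
        body["description"] = description
    if property_type == "time":
        # Both fields are mandatory for time properties.
        if not datetime_format or not locale:
            raise ValueError("datetime_format and locale are required when property_type is time")
        body["datetime_format"] = datetime_format
        body["locale"] = locale
    elif datetime_format or locale:
        # Only meaningful for time properties; refuse rather than silently drop them.
        raise ValueError("datetime_format and locale apply only to time properties")
    return body


def create_flow_regex_property(console, sec_token, body, fields=None, cafile=None):
    """POST the body and return (HTTP status, parsed JSON).

    SEC carries the authorized-service token and Version pins the API
    version. TLS verification stays on: pass the console's CA certificate
    in `cafile` instead of disabling certificate checks."""
    url = "https://%s/api/config/flow_sources/custom_properties/regex_properties" % console
    headers = {
        "SEC": sec_token,
        "Version": "9.0",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    if fields:
        headers["fields"] = fields  # e.g. "id,identifier,name" to trim the response
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Example bodies; the names and the date pattern are made up for illustration.
    print(json.dumps(build_flow_regex_property("Proxy User", "string",
                                               description="User name parsed from proxy flows")))
    print(json.dumps(build_flow_regex_property("Session Start", "time",
                                               datetime_format="yyyy-MM-dd HH:mm:ss",
                                               locale="en_US", use_for_rule_engine=True)))
    # To create it on a console (assumed host, token and CA file):
    # create_flow_regex_property("qradar.example.com", "<SEC token>", body, cafile="console-ca.pem")
```

A 201 with the created object (including the server-assigned id and identifier) is the success path; keep the returned id, because the update, delete and dependents endpoints below are keyed on the sequence ID, not the name.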

Table 661. POST /config/flow_sources/custom_properties/regex_properties response codes


HTTP Response Code Unique Code Description
201 A new flow regex property was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new flow regex
property.

Response Description

The newly created flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the
flow was captured.

v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Retrieves a flow regex property based on the supplied regex property ID.

Table 662. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 663. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the
flow_regex_property.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

Table 664. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes


HTTP Response Code Unique Code Description
200 The requested flow regex property was successfully retrieved.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested flow
regex property.

Response Description

A flow regex property that contains the following fields:


v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.

v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the
flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Updates an existing flow regex property.


Table 665. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 666. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the
flow regex property.
fields header Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

Table 667. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the flow regex property object.
v description - Optional - String - The description of the flow regex property.
v property_type - Optional - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured. It is false if no value is supplied.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when property type is TIME.
v username - Optional - String - The owner of the flow regex property. If the new owner is an authorized service, the prefix "API_token: " is required.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 668. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes


HTTP Response Code Unique Code Description
200 The flow regex property was updated.
403 1009 The user cannot update the resource because it can only be updated
by the owner or an admin user.
404 1002 The requested flow regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update a flow regex
property.

Response Description
The updated flow regex property object contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the
flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Deletes a flow regex property. To ensure safe deletion, a dependency check is carried out. This check
might take some time. An asynchronous task is started to do this check.

Table 669. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 670. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the
flow regex property to delete.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

Table 671. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes


HTTP Response Code Unique Code Description
202 The flow regex property delete request was accepted and is in
progress.
403 1009 The user cannot delete the flow regex property because it can only be
deleted by the owner or an admin user.
404 1002 The requested flow regex property cannot be found.

500 1020 An error occurred during the attempt to delete the flow regex
property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the flow regex property.

Table 672. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource
details
MIME Type
application/json

Table 673. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the flow regex property.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

Table 674. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code Unique Code Description
202 The flow regex property dependents retrieval was accepted and is
in progress.
404 1002 The flow regex property does not exist.
500 1020 An error occurred during the attempt to initiate the flow regex
property dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.

– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,

FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Retrieves the flow regex property dependent task status.


Table 675. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 676. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 677. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested task status cannot be found.
422 1005 The task id is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.

v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,

"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Cancels the flow regex property dependent task.


Table 678. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 679. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task to cancel.

fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 680. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json Required - A task object; set its status field to CANCEL_REQUESTED to cancel the task. { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 681. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task
status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,

INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.


Table 682. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 683. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.


Table 684. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The requested task results were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized
names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this
dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,

DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
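
Because the dependency check is asynchronous, a caller has to start it with the dependents endpoint, follow the Location header, poll the task until it reaches a terminal state, and only then read the results; a task that ended CANCELLED or EXCEPTION must not be mistaken for "no dependents", and a dependent the caller lacks edit permission on cannot be cleared away before the delete. The Python below is an added example, not code from the guide or from IBM: it drives that sequence for the three endpoints above and turns the results list into a delete decision. The StubQRadar transport and the SAMPLE_DEPENDENTS list are constructed so the example runs offline; on a real console, get() would issue the HTTPS request with the SEC header.

```python
"""Dependency check before deleting a flow regex property.

Drives GET .../regex_properties/{id}/dependents, polls the task it starts
via GET .../regex_property_dependent_tasks/{task_id}, then reads
.../results and reports whether a delete is safe.
"""
import time

BASE = "/api/config/flow_sources/custom_properties"
# States after which the task will not make further progress.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


class DependentsCheckError(RuntimeError):
    """Raised when the task cannot be started or polled, or did not complete."""


def find_dependents(api, regex_property_id, poll_interval=0.0, max_polls=60):
    """Start the dependents task, follow the Location header until the task
    reaches a terminal state, then return the list of Dependent objects.

    `api` is any object exposing get(path) -> (status, headers, body); the
    StubQRadar below stands in for the console so this runs offline."""
    status, headers, task = api.get(
        "%s/regex_properties/%d/dependents" % (BASE, regex_property_id))
    if status != 202:
        raise DependentsCheckError("could not start task: HTTP %d %r" % (status, task))
    task_url = headers.get("Location")
    if not task_url:
        raise DependentsCheckError("202 response without a Location header")

    for _ in range(max_polls):
        status, _, task = api.get(task_url)
        if status != 200:
            raise DependentsCheckError("poll failed: HTTP %d %r" % (status, task))
        if task["status"] in TERMINAL_STATES:
            break
        time.sleep(poll_interval)
    else:
        raise DependentsCheckError("task %s still %s after %d polls"
                                   % (task["id"], task["status"], max_polls))
    if task["status"] != "COMPLETED":
        # A cancelled or failed check proves nothing; never treat it as "no dependents".
        raise DependentsCheckError("task ended in %s: %s" % (task["status"], task.get("message")))

    status, _, results = api.get(task_url + "/results")
    if status != 200:
        raise DependentsCheckError("results fetch failed: HTTP %d %r" % (status, results))
    return results


def safe_to_delete(dependents):
    """Return (safe, blockers, unfixable). A delete is safe only when nothing
    depends on the property; `unfixable` lists blockers the caller cannot
    edit away because user_has_edit_permissions is false."""
    blockers = [d for d in dependents if d.get("blocking", True)]
    unfixable = [d for d in blockers if not d.get("user_has_edit_permissions", False)]
    return len(blockers) == 0, blockers, unfixable


class StubQRadar:
    """Constructed in-memory stand-in for the console (not real output).
    The task walks QUEUED -> PROCESSING -> COMPLETED across three polls."""
    TASK = BASE + "/regex_property_dependent_tasks/7"

    def __init__(self, dependents):
        self.dependents = dependents
        self.polls = 0

    def get(self, path):
        if path.endswith("/dependents"):
            return 202, {"Location": self.TASK}, {"id": 7, "status": "QUEUED"}
        if path == self.TASK:
            self.polls += 1
            state = ("QUEUED", "PROCESSING", "COMPLETED")[min(self.polls - 1, 2)]
            done = state == "COMPLETED"
            return 200, {}, {"id": 7, "status": state, "message": "",
                             "number_of_dependents": len(self.dependents) if done else None}
        if path == self.TASK + "/results":
            return 200, {}, list(self.dependents)
        return 404, {}, {"code": 1002, "message": "not found"}


# Constructed sample results: a saved search the caller can edit, a rule they cannot.
SAMPLE_DEPENDENTS = [
    {"blocking": True, "dependent_id": "1001", "dependent_name": "Flows by proxy user",
     "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "FLOWS",
     "dependent_owner": "admin", "dependent_group_ids": [], "user_has_edit_permissions": True},
    {"blocking": True, "dependent_id": "550", "dependent_name": "Unusual outbound volume",
     "dependent_type": "CRE_RULE", "dependent_database": "FLOWS",
     "dependent_owner": "soc_lead", "dependent_group_ids": [3], "user_has_edit_permissions": False},
]

if __name__ == "__main__":
    deps = find_dependents(StubQRadar(SAMPLE_DEPENDENTS), 12)
    safe, blockers, unfixable = safe_to_delete(deps)
    print("safe to delete:", safe)
    for d in blockers:
        note = "" if d["user_has_edit_permissions"] else " - no edit permission"
        print("  %s %s owned by %s%s" % (d["dependent_type"], d["dependent_id"],
                                         d["dependent_owner"], note))
```

The same start, poll, inspect pattern applies to the DELETE endpoint itself, which returns 202 and a Location header for its own task; only the task URL prefix differs. Polling with a bounded number of attempts matters because a task can sit in QUEUED or PAUSED indefinitely on a busy console, and the cancel endpoint exists precisely so a stuck check can be abandoned rather than left running.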

GET /config/global_system_notifications
Retrieves a list of all deployed global system notifications.

Table 685. GET /config/global_system_notifications resource details
MIME Type
application/json

Table 686. GET /config/global_system_notifications request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 687. GET /config/global_system_notifications response codes


HTTP Response Code Unique Code Description
200 The deployed global system notifications list was successfully
retrieved.

500 1020 An internal server error occurred during the retrieval of the list of
deployed global system notifications.

Response Description
A list of all deployed global system notifications. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /config/global_system_notifications/{notification_id}
Retrieves a deployed global system notification by ID.

Table 688. GET /config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 689. GET /config/global_system_notifications/{notification_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number (Integer) text/plain ID that is used for retrieving a deployed global system notification.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

346 QRadar API Reference Guide


Table 690. GET /config/global_system_notifications/{notification_id} response codes
HTTP Response Code Unique Code Description
200 The deployed global system notification was successfully retrieved.
404 1002 No deployed global system notification was found for the provided notification ID.
500 1020 An error occurred while the notification was being retrieved.

Response Description
The associated deployed global system notification object. A notification contains the following fields:
• id - Long - The ID of the notification.
• name - String - The name of the notification.
• operator - String - The notification criteria operator.
• value - String - The notification criteria value.
• message - Double - The notification message.
• default - Boolean - Whether the notification message is modified by the user or not.
• enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /config/network_hierarchy/networks
Retrieves the deployed network hierarchy.

Table 691. GET /config/network_hierarchy/networks resource details
MIME Type
application/json

Table 692. GET /config/network_hierarchy/networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 693. GET /config/network_hierarchy/networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retrieve the network hierarchy.

Response Description
Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.
• location - Optional - JSON object - The GeoJSON location of the network object.
• country_code - Optional - String - The country code of the network object.

Response Sample
[
{
"cidr": "String",
"country_code": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"location": {
"coordinates": [
42.5
],
"type": "String"
},
"name": "String"
}
]

GET /config/network_hierarchy/staged_networks
Retrieves the staged network hierarchy.

Table 694. GET /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 695. GET /config/network_hierarchy/staged_networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 696. GET /config/network_hierarchy/staged_networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retrieve the network hierarchy.

Response Description
Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.
• location - Optional - JSON object - The GeoJSON location of the network object.
• country_code - Optional - String - The country code of the network object.

Response Sample
[
{
"cidr": "String",
"country_code": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"location": {
"coordinates": [
42.5
],
"type": "String"
},
"name": "String"
}
]

PUT /config/network_hierarchy/staged_networks
Replaces the current network hierarchy with the input that is provided.

Table 697. PUT /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 698. PUT /config/network_hierarchy/staged_networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 699. PUT /config/network_hierarchy/staged_networks request body details
Parameter Data Type MIME Type Description Sample
network_hierarchy Array<Object> application/json Required - A JSON String that contains network hierarchy objects with the following fields:
• id - Optional - Integer - The ID of the network object.
• group - Required - String - The group of the network object.
• name - Required - String - The name of the network object.
• cidr - Required - String - The CIDR range of the network object.
• description - Optional - String - The description of the network object.
• domain_id - Optional - Integer - The domain ID of the network object (required if domain aware).
• location - Optional - JSON object - The GeoJSON location of the network object.
• country_code - Optional - String - The country code of the network object.
Sample: [ { "id": 4, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.1/32", "domain_id": 0, "location": {"type": "Point", "coordinates": [-75.69805556, 45.41111111]}, "country_code": "CA" }, { "id": 5, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.2/32", "domain_id": 0, "location": {"type": "Point", "coordinates": [-66.646332, 45.964993]}, "country_code": "CA" } ]

Table 700. PUT /config/network_hierarchy/staged_networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was successfully replaced.
422 1005 An invalid parameter was passed to the API call.
500 1020 An unexpected error occurred during the creation of the network hierarchy.

Response Description
Network Hierarchy - A JSON string that contains network_hierarchy objects, each with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.
• location - Optional - JSON object - The GeoJSON location of the network object.
• country_code - Optional - String - The country code of the network object.

Response Sample
[
{
"cidr": "String",
"country_code": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"location": {
"coordinates": [
42.5
],
"type": "String"
},
"name": "String"
}
]
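Because a PUT to the staged hierarchy replaces the whole network definition that QRadar uses to tell local from remote traffic, a client should check the payload against the field rules in Table 699 before sending it. The following is an added example, not code from the IBM QRadar guide; the host name, the SEC token and Version headers, and the duplicate-CIDR rule are this example's own assumptions.

```python
"""Pre-flight validation for PUT /config/network_hierarchy/staged_networks.
Added example, not IBM's code. Field rules come from Table 699 of the guide; the
host name, the SEC/Version headers and the duplicate-CIDR rule are assumptions.
"""
import ipaddress
import json
import urllib.request

REQUIRED_FIELDS = ("group", "name", "cidr")
OPTIONAL_FIELDS = ("id", "description", "domain_id", "location", "country_code")


def _is_int(value):
    # bool is a subclass of int in Python; an id of true is still wrong
    return isinstance(value, int) and not isinstance(value, bool)


def validate_network(obj):
    """Return the problems found in one network_hierarchy object (empty list = ok)."""
    problems = []
    for key in REQUIRED_FIELDS:
        if not isinstance(obj.get(key), str) or not obj[key]:
            problems.append(f"{key}: required, must be a non-empty string")
    for key in obj:
        if key not in REQUIRED_FIELDS + OPTIONAL_FIELDS:
            problems.append(f"{key}: not a documented field")
    for key in ("id", "domain_id"):
        if key in obj and not _is_int(obj[key]):
            problems.append(f"{key}: must be an integer")
    cidr = obj.get("cidr")
    if isinstance(cidr, str) and cidr:
        try:
            # strict=True rejects a prefix with host bits set, e.g. 10.0.0.1/24
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"cidr: {exc}")
    location = obj.get("location")
    if location is not None:
        coords = location.get("coordinates") if isinstance(location, dict) else None
        ok = (isinstance(location, dict) and location.get("type") == "Point"
              and isinstance(coords, list) and len(coords) == 2
              and all(isinstance(c, (int, float)) for c in coords)
              and -180 <= coords[0] <= 180 and -90 <= coords[1] <= 90)
        if not ok:
            problems.append("location: must be a GeoJSON Point with [longitude, latitude]")
    return problems


def validate_hierarchy(networks, domain_aware=False):
    """Validate the whole array; returns {index: [problems]}, empty when clean.
    Duplicate ids and a repeated cidr within one domain are also reported (the
    duplicate-CIDR check is this example's own rule, not one the guide states).
    """
    if not isinstance(networks, list):
        return {-1: ["payload must be a JSON array of network objects"]}
    report, seen_ids, seen_cidrs = {}, {}, {}
    for idx, obj in enumerate(networks):
        if not isinstance(obj, dict):
            report[idx] = ["entry is not a JSON object"]
            continue
        problems = validate_network(obj)
        if domain_aware and "domain_id" not in obj:
            problems.append("domain_id: required when the deployment is domain aware")
        if _is_int(obj.get("id")):
            if obj["id"] in seen_ids:
                problems.append(f"id: duplicate of entry {seen_ids[obj['id']]}")
            seen_ids.setdefault(obj["id"], idx)
        key = (obj.get("domain_id", 0), obj.get("cidr"))
        if isinstance(key[1], str):
            if key in seen_cidrs:
                problems.append(f"cidr: duplicate of entry {seen_cidrs[key]}")
            seen_cidrs.setdefault(key, idx)
        if problems:
            report[idx] = problems
    return report


def build_put_request(host, sec_token, networks, api_version="9.0"):
    """Validate, then build (without sending) the PUT; ValueError on a bad payload."""
    report = validate_hierarchy(networks)
    if report:
        raise ValueError(f"refusing to PUT an invalid hierarchy: {report}")
    return urllib.request.Request(
        f"https://{host}/api/config/network_hierarchy/staged_networks",
        data=json.dumps(networks).encode("utf-8"), method="PUT",
        headers={"SEC": sec_token, "Version": api_version,
                 "Content-Type": "application/json", "Accept": "application/json"})


# Constructed from the request body sample in Table 699 of the guide.
SAMPLE_HIERARCHY = [
    {"id": 4, "group": "DMZ", "name": "External", "description": "network description",
     "cidr": "0.0.0.1/32", "domain_id": 0, "country_code": "CA",
     "location": {"type": "Point", "coordinates": [-75.69805556, 45.41111111]}},
    {"id": 5, "group": "DMZ", "name": "External", "description": "network description",
     "cidr": "0.0.0.2/32", "domain_id": 0, "country_code": "CA",
     "location": {"type": "Point", "coordinates": [-66.646332, 45.964993]}},
]
```

Send the request returned by build_put_request with urllib.request.urlopen once the report is empty; a 422 with unique code 1005 from the server then points at a rule this local check does not cover.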

GET /config/remote_networks
Retrieves a list of deployed remote networks.

Retrieves the list of deployed remote networks.

Table 701. GET /config/remote_networks resource details
MIME Type
application/json

Table 702. GET /config/remote_networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you want to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 703. GET /config/remote_networks response codes
HTTP Response Code Unique Code Description
200 The deployed remote networks list was successfully retrieved.
500 1020 An internal server error occurred during the retrieval of the list of deployed remote networks.

Response Description
A list of deployed remote networks. A remote network contains the following fields:
• id - Long - The ID of the remote network.
• name - String - The name of the remote network.
• description - String - The description of the remote network.
• group - String - The group to which the remote network belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_networks/{network_id}
Retrieves a deployed remote network by ID.

Table 704. GET /config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 705. GET /config/remote_networks/{network_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
network_id path Required Number (Integer) text/plain ID that is used to retrieve a deployed remote network.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 706. GET /config/remote_networks/{network_id} response codes
HTTP Response Code Unique Code Description
200 The deployed remote network was successfully retrieved.
404 1002 No deployed remote network was found with the provided ID.
500 1020 An error occurred during the retrieval of the remote network.

Response Description
The associated deployed remote network object. A remote network contains the following fields:
• id - Long - The ID of the remote network.
• name - String - The name of the remote network.
• description - String - The description of the remote network.
• group - String - The group to which the remote network belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/remote_services
Retrieves a list of deployed remote services.

Retrieves the list of deployed remote services.

Table 707. GET /config/remote_services resource details
MIME Type
application/json

Table 708. GET /config/remote_services request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 709. GET /config/remote_services response codes
HTTP Response Code Unique Code Description
200 The deployed remote services list was successfully retrieved.
500 1020 An internal server error occurred during the retrieval of the list of deployed remote services.

Response Description
A list of deployed remote services. A remote service contains the following fields:
• id - Long - The ID of the remote service.
• name - String - The name of the remote service.
• description - String - The description of the remote service.
• group - String - The group to which the remote service belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_services/{service_id}
Retrieves a deployed remote service by ID.

Table 710. GET /config/remote_services/{service_id} resource details
MIME Type
application/json

Table 711. GET /config/remote_services/{service_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
service_id path Required Number (Integer) text/plain ID that is used for retrieving a deployed remote service.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 712. GET /config/remote_services/{service_id} response codes
HTTP Response Code Unique Code Description
200 The deployed remote service was successfully retrieved.
404 1002 No deployed remote service was found with the provided ID.
500 1020 An error occurred during the retrieval of the remote service.

Response Description
The associated deployed remote service object. A remote service contains the following fields:
• id - Long - The ID of the remote service.
• name - String - The name of the remote service.
• description - String - The description of the remote service.
• group - String - The group to which the remote service belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/resource_restrictions
Retrieves a list of all resource restrictions.

Retrieves the list of all resource restrictions.

Table 713. GET /config/resource_restrictions resource details
MIME Type
application/json

Table 714. GET /config/resource_restrictions request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 715. GET /config/resource_restrictions response codes
HTTP Response Code Unique Code Description
200 The resource restriction list was successfully retrieved.
500 1001 An error occurred during the attempt to retrieve the restriction list.

Response Description
A list of all the restrictions.

Response Sample
[
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
]

POST /config/resource_restrictions
Creates a new resource restriction.

Table 716. POST /config/resource_restrictions resource details
MIME Type
application/json

Table 717. POST /config/resource_restrictions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 718. POST /config/resource_restrictions request body details
Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/json Required - The resource restriction to be added. Only one of the ID fields (user_id, tenant_id, role_id) can be provided. Sample: { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 719. POST /config/resource_restrictions response codes
HTTP Response Code Unique Code Description
200 The new resource restriction was successfully created.
404 1009 The consumer (user, tenant, or role) provided was not found.
422 1008 One of: user_id, role_id, or tenant_id
500 1010 An error occurred during the attempt to create a resource restriction.

Response Description
The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/resource_restrictions/{resource_restriction_id}
Retrieves a resource restriction consumer by ID.

Table 720. GET /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 721. GET /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be retrieved. Must be of the format [1-3]-\d+
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 722. GET /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
200 The resource restriction consumer was successfully retrieved.
404 1003 No such resource restriction consumer (user, tenant, or role) exists for the given ID.
422 1002 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1004 An error occurred during the retrieval of the resource restrictions.

Response Description
The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

DELETE /config/resource_restrictions/{resource_restriction_id}
Deletes a resource restriction consumer by ID.

Table 723. DELETE /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
text/plain

Table 724. DELETE /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be retrieved. Must be of the format [1-3]-\d+

Table 725. DELETE /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
204 The resource restriction consumer was successfully deleted.
404 1003 null
422 1002 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1004 An error occurred during the retrieval of the resource restrictions.

Response Description
The deleted restriction object.

Response Sample

PUT /config/resource_restrictions/{resource_restriction_id}
Updates a resource restriction consumer by ID.

Table 726. PUT /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 727. PUT /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be updated. Must be of the format [1-3]-\d+
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 728. PUT /config/resource_restrictions/{resource_restriction_id} request body details
Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/json Required - The resource restrictions to be updated. Sample: { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 729. PUT /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
200 The resource restriction consumer was successfully updated.
404 1006 The resource restriction consumer (user, tenant, or role) wasn't found.
422 1005 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1007 An error occurred during the retrieval of the resource restriction.

Response Description
The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
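The resource restriction endpoints above share two rules a client can enforce before it sends anything: the request body may carry only one of user_id, tenant_id and role_id (Table 718), and a path ID must match [1-3]-\d+ (Tables 721, 724 and 727), otherwise the server answers 422. The following is an added example, not code from the IBM QRadar guide; the host name and the SEC and Version headers are assumptions, and requiring at least one consumer field is this example's reading of "only one".

```python
"""Client-side checks for the /config/resource_restrictions endpoints.
Added example, not IBM's code. The rules come from Tables 718, 721, 724 and 727
of the guide; the host name and the SEC/Version headers are assumptions.
"""
import json
import re
import urllib.request

ID_PATTERN = re.compile(r"[1-3]-\d+")           # documented path ID format
CONSUMER_FIELDS = ("user_id", "tenant_id", "role_id")
LIMIT_FIELDS = ("data_window", "execution_time", "record_limit")


def is_valid_restriction_id(value):
    """True when the ID has the documented [1-3]-\\d+ shape, for example "2-17"."""
    return isinstance(value, str) and ID_PATTERN.fullmatch(value) is not None


def validate_restriction_body(body):
    """Return the problems with a resourceRestriction body (empty list = acceptable)."""
    problems = []
    # The guide says only one of the consumer ID fields may be provided; a body
    # that names none would restrict nobody, so this example requires exactly one.
    consumers = [f for f in CONSUMER_FIELDS if body.get(f) is not None]
    if len(consumers) != 1:
        problems.append(f"exactly one of {', '.join(CONSUMER_FIELDS)} must be set, got {consumers}")
    for f in consumers + [f for f in LIMIT_FIELDS if body.get(f) is not None]:
        v = body[f]
        if isinstance(v, bool) or not isinstance(v, int) or v < 0:
            problems.append(f"{f}: must be a non-negative integer")
    for key in body:
        if key not in CONSUMER_FIELDS + LIMIT_FIELDS + ("id",):
            problems.append(f"{key}: not a documented field")
    return problems


def build_request(host, sec_token, method, restriction_id=None, body=None, api_version="9.0"):
    """Build (without sending) a request for the collection or for one restriction.

    The path ID and the body are checked first so that a request the server would
    reject with 422 never leaves the client. Raises ValueError on a bad input.
    """
    path = "/api/config/resource_restrictions"
    if restriction_id is not None:
        if not is_valid_restriction_id(restriction_id):
            raise ValueError(f"{restriction_id!r} does not match [1-3]-\\d+")
        path += "/" + restriction_id
    headers = {"SEC": sec_token, "Version": api_version, "Accept": "application/json"}
    data = None
    if body is not None:
        problems = validate_restriction_body(body)
        if problems:
            raise ValueError("; ".join(problems))
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"https://{host}{path}", data=data, method=method, headers=headers)
```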

GET /config/store_and_forward/policies
Retrieves a list of store and forward policies.

Table 730. GET /config/store_and_forward/policies resource details
MIME Type
application/json

Table 731. GET /config/store_and_forward/policies request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 732. GET /config/store_and_forward/policies response codes
HTTP Response Code Unique Code Description
200 The store and forward policies were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the store and forward policies.

Response Description
An array of Store and Forward Policy objects. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
[
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}
]

GET /config/store_and_forward/policies/{id}
Retrieves a store and forward policy.

Table 733. GET /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 734. GET /config/store_and_forward/policies/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 735. GET /config/store_and_forward/policies/{id} response codes
HTTP Response Code Unique Code Description
200 The store and forward policy was retrieved.
404 1002 The store and forward policy does not exist.
500 1020 An error occurred during the attempt to retrieve the store and forward policy.

Response Description
The store and forward policy after it has been retrieved. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

POST /config/store_and_forward/policies/{id}
Updates the store and forward policy owner only.

Table 736. POST /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 737. POST /config/store_and_forward/policies/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 738. POST /config/store_and_forward/policies/{id} request body details
Parameter Data Type MIME Type Description Sample
policy Object application/json null Sample: { "description": "String", "id": 42, "name": "String", "owner": "String", "saf_schedule_id": 42, "timezone": "String" }

Table 739. POST /config/store_and_forward/policies/{id} response codes
HTTP Response Code Unique Code Description
200 The store and forward policy has been updated.
403 1009 You do not have the required capabilities to update the store and forward policy.
404 1002 The store and forward policy does not exist.
409 1004 The provided user does not have the required capabilities to own the store and forward policy.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the store and forward policy.

Response Description
The store and forward policy after it was updated. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

DELETE /config/store_and_forward/policies/{id}
Deletes a store and forward policy.

Table 740. DELETE /config/store_and_forward/policies/{id} resource details
MIME Type
text/plain

Table 741. DELETE /config/store_and_forward/policies/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null

Table 742. DELETE /config/store_and_forward/policies/{id} response codes
HTTP Response Code Unique Code Description
204 The Store and Forward Policy has been deleted.
403 1009 You do not have the required capabilities to delete the store and forward policy.
404 1002 The Store and Forward Policy does not exist.
500 1020 An error occurred during the attempt to delete the store and forward policy.

Response Description

Response Sample

Data classification endpoints


Use the references for REST API V9.0 data classification endpoints.

364 QRadar API Reference Guide


GET /data_classification/dsm_event_mappings
Retrieve a list of DSM event mappings.

Retrieves a list of DSM event mappings.


Table 743. GET /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 744. GET /data_classification/dsm_event_mappings request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 745. GET /data_classification/dsm_event_mappings response codes


HTTP Response Code Unique Code Description
200 The requested list of DSM event mappings was retrieved.
500 1020 An error occurred during the attempt to retrieve the list of DSM event mappings.

Response Description

A list of DSM event mappings. A DSM event mapping contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
[
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
]

POST /data_classification/dsm_event_mappings
Creates a new custom DSM event mapping.

Table 746. POST /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 747. POST /data_classification/dsm_event_mappings request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 748. POST /data_classification/dsm_event_mappings request body details


Parameter Data Type MIME Type Description Sample
data Object application/json Required - A DSM event mapping that contains the following fields:
v log_source_type_id - Required - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
v log_source_event_id - Required - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
v log_source_event_category - Required - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
v qid_record_id - Required - Number - The ID of the QID record to which this DSM event mapping provides a mapping.
Sample: { "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }

Table 749. POST /data_classification/dsm_event_mappings response codes


HTTP Response Code Unique Code Description
201 The new custom DSM event mapping was created.
409 1008 There is an existing custom DSM event mapping with the same log_source_type_id, log_source_event_id and log_source_event_category combination. Cannot create duplicate DSM event mapping.
422 1005 Invalid parameter value provided for the new DSM event mapping.
500 1020 An error occurred during the attempt to create a new custom DSM event mapping.

Response Description

The newly created DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Table 750. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type
application/json

Table 751. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number (Integer) text/plain Required - The ID of the DSM event mapping.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 752. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes


HTTP Response Code Unique Code Description
200 The requested DSM event mapping was retrieved.
404 1002 The requested DSM event mapping was not found.
500 1020 An error occurred during the attempt to retrieve the DSM event mapping.

Response Description

A DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Updates an existing custom DSM event mapping.

Table 753. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type
application/json

Table 754. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number (Integer) text/plain Required - The ID of the DSM event mapping.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 755. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request body details


Parameter Data Type MIME Type Description Sample
data Object application/json Required - The DSM event mapping to be updated that might contain the following field:
v qid_record_id - Number - Required - The ID of the QID record to which this DSM event mapping provides a mapping.
Sample: { "qid_record_id": 42 }

Table 756. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes


HTTP Response Code Unique Code Description
200 The DSM event mapping was updated.
404 1002 The requested DSM event mapping was not found.
422 1005 Invalid parameter provided while updating the DSM event mapping.
500 1020 An error occurred during the attempt to update a DSM event mapping.

Response Description

The updated DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/high_level_categories
Retrieves a list of high level categories.

Table 757. GET /data_classification/high_level_categories resource details
MIME Type
application/json

Table 758. GET /data_classification/high_level_categories request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 759. GET /data_classification/high_level_categories response codes


HTTP Response Code Unique Code Description
200 The requested list of high level categories was retrieved.
422 23003 Sorting is only supported for fields "id" or "name".
422 23004 The sort field that was provided does not exist.
422 23005 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the list of high level categories.

Response Description

A list of high level categories. A high level category contains the following fields:
v id - Number - The ID of the high level category.
v name - String - The name of the high level category.
v description - String - The description of the high level category.

Response Sample
[
{
"id": 19000,
"name": "Audit",
"description": "Audit"
},
{
"id": 20000,
"name": "Risk",
"description": "Risk"
}
]

GET /data_classification/high_level_categories/{high_level_category_id}
Retrieves a high level category based on the supplied high level category ID.

Table 760. GET /data_classification/high_level_categories/{high_level_category_id} resource details
MIME Type
application/json

Table 761. GET /data_classification/high_level_categories/{high_level_category_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
high_level_category_id path Required Number (Integer) text/plain Required - The ID of the high level category.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 762. GET /data_classification/high_level_categories/{high_level_category_id} response codes


HTTP Response Code Unique Code Description
200 The requested high level category was retrieved.
404 1002 The requested high level category was not found.
422 1005 High level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the high level category.

Response Description

A high level category that contains the following fields:
v id - Number - The ID of the high level category.
v name - String - The name of the high level category.
v description - String - The description of the high level category.

Response Sample
{
"id": 19000,
"name": "Audit",
"description": "Audit"
}

GET /data_classification/low_level_categories
Retrieves a list of low level categories.

Table 763. GET /data_classification/low_level_categories resource details
MIME Type
application/json

Table 764. GET /data_classification/low_level_categories request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 765. GET /data_classification/low_level_categories response codes


HTTP Response Code Unique Code Description
200 The requested list of low level categories was retrieved.
422 23053 Sorting is only supported for fields "id" or "name".
422 23054 The sort field that was provided does not exist.
422 23055 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the list of low level categories.

Response Description

A list of low level category objects. A low level category contains the following fields:
v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Response Sample
[
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
},
{
"id": 19002,
"name": "Built-in Execution",
"description": "Built-in Execution",
"high_level_category_id": 19000,
"severity": 0
}
]

GET /data_classification/low_level_categories/{low_level_category_id}
Retrieves a low level category based on the supplied low level category ID.

Table 766. GET /data_classification/low_level_categories/{low_level_category_id} resource details
MIME Type
application/json

Table 767. GET /data_classification/low_level_categories/{low_level_category_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
low_level_category_id path Required Number (Integer) text/plain Required - The ID of the low level category.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 768. GET /data_classification/low_level_categories/{low_level_category_id} response codes
HTTP Response Code Unique Code Description
200 The requested low level category was retrieved.
404 1002 The requested low level category was not found.
422 1005 Low level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the low level category.

Response Description

A low level category that contains the following fields:
v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Response Sample
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
}

GET /data_classification/qid_records
Retrieves a list of QID records.

Table 769. GET /data_classification/qid_records resource details
MIME Type
application/json

Table 770. GET /data_classification/qid_records request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 771. GET /data_classification/qid_records response codes


HTTP Response Code Unique Code Description
200 The requested list of QID records was retrieved.
500 1020 An error occurred during the attempt to retrieve the list of QID records.

Response Description

A list of QID records. A QID record contains the following fields:
v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
[
{
"id": 64280,
"qid": 2500283,
"name": "DELETED WEB-MISC O’Reilly args.bat access",
"description": "DELETED WEB-MISC O’Reilly args.bat access",
"severity": 2,
"low_level_category_id": 1011,
"log_source_type_id": null
},
{
"id": 64297,
"qid": 2500300,
"name": "DELETED WEB-MISC Cisco Web DOS attempt",
"description": "DELETED WEB-MISC Cisco Web DOS attempt",
"severity": 8,
"low_level_category_id": 2009,
"log_source_type_id": null
}
]

POST /data_classification/qid_records
Creates a new QID record.

Table 772. POST /data_classification/qid_records resource details
MIME Type
application/json

Table 773. POST /data_classification/qid_records request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 774. POST /data_classification/qid_records request body details


Parameter Data Type MIME Type Description Sample
data Object application/json Required - A QID record containing the following fields:
v log_source_type_id - Required - Number - The ID of the log source type which the QID record is created for.
v name - Required - String - The name of the QID record.
v description - Optional - String - The description of the QID record.
v severity - Optional - Number - The severity of the QID record. If not provided, the severity of the corresponding low level category is used as the default value.
v low_level_category_id - Required - Number - The low level category ID of the QID record.
Sample: { "log_source_type_id": 199, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Table 775. POST /data_classification/qid_records response codes


HTTP Response Code Unique Code Description
201 The new QID record was created.
422 1005 Invalid parameter value provided for the new QID record.
500 1020 An error occurred during the attempt to create a new QID record.

Response Description

The newly created QID record containing the following fields:
v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}
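The two create calls documented above (POST /data_classification/qid_records and POST /data_classification/dsm_event_mappings), as an added Python example that is not part of the IBM guide: it registers a custom QID record, then maps a log-source event to it and resolves the documented 409/1008 duplicate by fetching the mapping that already exists. The console URL, SEC token, the in-memory fake console and the filter expression (written in the guide's Filter syntax) are assumptions; endpoint paths, field names and response codes are the ones the guide documents.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (HTTP status, decoded JSON).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, object]]


class QRadarApiError(Exception):
    """Non-2xx reply; keeps the HTTP status and the API's unique error code."""

    def __init__(self, status: int, body: dict):
        self.status, self.code = status, body.get("code")
        super().__init__(f"HTTP {status}, code {self.code}: {body.get('message')}")


def urllib_transport(method, url, headers, body):
    """Live transport. Trust the console certificate through the CA store; never disable TLS checks."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else {}
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}


class DataClassification:
    """Client for the /data_classification endpoints used in this flow."""

    def __init__(self, console: str, sec_token: str, transport: Transport = urllib_transport):
        self.base = console.rstrip("/") + "/api/data_classification"
        self.transport = transport
        # SEC carries the authorized-service token; Version pins the REST API version.
        self.headers = {"SEC": sec_token, "Version": "9.0", "Accept": "application/json",
                        "Content-Type": "application/json"}

    def _call(self, method: str, path: str, query: str = "", payload: Optional[dict] = None):
        url = self.base + path + ("?" + query if query else "")
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, url, self.headers, body)
        if status >= 400:
            raise QRadarApiError(status, data)
        return data

    def create_qid_record(self, log_source_type_id: int, name: str, low_level_category_id: int,
                          description: Optional[str] = None, severity: Optional[int] = None) -> dict:
        """POST /qid_records. Omitted severity defaults to the low level category's (Table 774)."""
        record = {"log_source_type_id": log_source_type_id, "name": name,
                  "low_level_category_id": low_level_category_id}
        record.update({k: v for k, v in (("description", description), ("severity", severity))
                       if v is not None})
        return self._call("POST", "/qid_records", payload=record)

    def map_event(self, log_source_type_id: int, event_id: str, category: str,
                  qid_record_id: int) -> dict:
        """POST /dsm_event_mappings. 409/1008 means a mapping for this type, event and
        category already exists: fetch and return it so the caller can decide what to do."""
        mapping = {"log_source_type_id": log_source_type_id, "log_source_event_id": event_id,
                   "log_source_event_category": category, "qid_record_id": qid_record_id}
        try:
            return self._call("POST", "/dsm_event_mappings", payload=mapping)
        except QRadarApiError as err:
            if not (err.status == 409 and err.code == 1008):
                raise
        flt = (f'log_source_type_id={log_source_type_id} and log_source_event_id="{event_id}"'
               f' and log_source_event_category="{category}"')
        found = self._call("GET", "/dsm_event_mappings", query="filter=" + urllib.parse.quote(flt))
        return found[0]


def fake_console() -> Transport:
    """Constructed in-memory stand-in for a console so the flow runs offline."""
    qids, maps = [], []

    def transport(method, url, headers, body):
        path, _, query = url.split("/api/data_classification", 1)[1].partition("?")
        payload = json.loads(body) if body else {}
        if (method, path) == ("POST", "/qid_records"):
            rec = dict(payload, id=63998 + len(qids), qid=2500001 + len(qids),
                       log_source_type_id=None)  # null placeholder, as the guide documents
            qids.append(rec)
            return 201, rec
        if (method, path) == ("POST", "/dsm_event_mappings"):
            keys = ("log_source_type_id", "log_source_event_id", "log_source_event_category")
            if any(all(m[k] == payload[k] for k in keys) for m in maps):
                return 409, {"code": 1008, "message": "duplicate DSM event mapping"}
            maps.append(dict(payload, id=len(maps) + 1, custom_event=True))
            return 201, maps[-1]
        if (method, path) == ("GET", "/dsm_event_mappings"):
            flt = urllib.parse.unquote(query[len("filter="):])
            return 200, [m for m in maps if f'log_source_event_id="{m["log_source_event_id"]}"' in flt]
        return 404, {"code": 1002, "message": "not found"}

    return transport
```

Against a live console, pass `urllib_transport` (the default) and a token issued to an authorized service that holds the data classification capabilities.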

GET /data_classification/qid_records/{qid_record_id}
Retrieves a QID record that is based on the supplied qid_record_id.

Table 776. GET /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 777. GET /data_classification/qid_records/{qid_record_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
qid_record_id path Required Number (Integer) text/plain Required - The ID of the QID record.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 778. GET /data_classification/qid_records/{qid_record_id} response codes


HTTP Response Code Unique Code Description
200 The requested QID record was retrieved.
404 1002 The requested QID record was not found.
422 1005 qid_record_id must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the QID record.

Response Description

A QID record containing the following fields:
v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

POST /data_classification/qid_records/{qid_record_id}
Updates an existing QID record.

Table 779. POST /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 780. POST /data_classification/qid_records/{qid_record_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
qid_record_id path Required Number (Integer) text/plain Required - The ID of the QID record.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 781. POST /data_classification/qid_records/{qid_record_id} request body details
Parameter Data Type MIME Type Description Sample
qid_record Object application/json Required - The QID record to be updated, which may contain the following fields:
v name - Optional - String - The name of the QID record.
v description - Optional - String - The description of the QID record.
v severity - Optional - Number - The severity of the QID record.
v low_level_category_id - Optional - Number - The low level category ID of the QID record.
Sample: { "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Table 782. POST /data_classification/qid_records/{qid_record_id} response codes


HTTP Response Code Unique Code Description
200 The QID record was updated.
404 1002 The requested QID record was not found.
409 1008 The QID record that was provided cannot be updated because it is a system-provided QID.
422 1005 Invalid parameter was provided during the update to the QID record.
500 1020 An error occurred during the attempt to update a QID record.

Response Description

The updated QID record containing the following fields:
v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

Forensics endpoints
Use the references for REST API V9.0 forensics endpoints.

GET /forensics/capture/recoveries
Retrieves a list of capture recoveries.

Table 783. GET /forensics/capture/recoveries resource details
MIME Type
application/json

Table 784. GET /forensics/capture/recoveries request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 785. GET /forensics/capture/recoveries response codes


HTTP Response Code Unique Code Description
200 The Workflow Recovery Jobs were retrieved.
500 1020 An error occurred while the recovery job list was being retrieved.

Response Description

A list of recoveries. A recovery contains the following fields:
v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later.

Response Sample
[
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
]

POST /forensics/capture/recoveries
Creates a new capture recovery.

Table 786. POST /forensics/capture/recoveries resource details
MIME Type
application/json

Table 787. POST /forensics/capture/recoveries request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 788. POST /forensics/capture/recoveries request body details


Parameter Data Type MIME Type Description Sample
recovery Object application/json null
Sample: { "assigned_to": "String", "bpf": "String", "case_id": 42, "collection_name_suffix": "String", "recovery_window_end_time": 42, "recovery_window_start_time": 42, "session_ids": [ "String" ], "tags": [ "String" ] }

Table 789. POST /forensics/capture/recoveries response codes
HTTP Response Code Unique Code Description
201 The workflow recovery job was created.
403 1009 The user or targeted user does not have the capability to perform this request.
409 1000 null
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the recovery job.

Response Description

The newly created recovery that contains the following fields:


v assigned_to - String - The username of the user the recovery is assigned to. If not supplied the
recovery will be assigned to the user making the request. Requires a valid user with Forensics role. Not
an authorized service.
v bpf - String - The Berkeley Packet Filter to pass to the capture device. A simplified Berkeley Packet
Filter expression to pass to the capture device to apply when recovering network data. Maximum
length is 250 characters.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered
data in. Collection name(s) for recovery tasks are derived from this value and capture devices where
network data originates as a recovery task is created for each device. (e.g. A collection name suffix of
"mycollection" and data recovered from capture device IP "10.0.0.2" results in a collection that is named
"10.0.0.2_mycollection"). NOTE: If the collection name already exists in the case the existing collection
is deleted. Maximum length is 100 characters. Alphanumeric and period characters are permitted only.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are
user supplied string identifiers that are used to mark the data so the user can easily look up the data
later. Maximum length 255 alphanumeric characters (all values are converted to a space-separated string).

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
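
The field constraints listed above (BPF length, suffix length and character set, tag length, derived collection names and the deletion of a same-named collection) applied on the client side before the request is sent. This is an added example, not code from the QRadar guide or its sample client; the sample values it prints are constructed.

```python
"""Client-side checks for POST /forensics/capture/recoveries.

Added example, not code from the QRadar guide: it applies the field
constraints the reference lists so a bad request fails locally instead of
coming back as 422 (unique code 1005), and shows how collection names are
derived from the suffix and the capture device IP.
"""
import json
import re

BPF_MAX_LEN = 250            # documented maximum for "bpf"
SUFFIX_MAX_LEN = 100         # documented maximum for "collection_name_suffix"
TAGS_MAX_LEN = 255           # documented maximum for the space-joined tags
SUFFIX_RE = re.compile(r"^[A-Za-z0-9.]+$")   # alphanumeric and period only


def recovery_request_problems(body):
    """Return a list of constraint violations in a recovery body (empty if OK)."""
    problems = []
    start = body.get("recovery_window_start_time")
    end = body.get("recovery_window_end_time")
    if not isinstance(start, int) or not isinstance(end, int) or start >= end:
        problems.append("recovery window must be two epoch values with start < end")
    if len(body.get("bpf", "")) > BPF_MAX_LEN:
        problems.append("bpf longer than %d characters" % BPF_MAX_LEN)
    suffix = body.get("collection_name_suffix", "")
    if not suffix or len(suffix) > SUFFIX_MAX_LEN or not SUFFIX_RE.match(suffix):
        problems.append("collection_name_suffix must be 1-%d alphanumeric or period characters"
                        % SUFFIX_MAX_LEN)
    if len(" ".join(body.get("tags", []))) > TAGS_MAX_LEN:
        problems.append("tags exceed %d characters when space-joined" % TAGS_MAX_LEN)
    return problems


def build_recovery_request(case_id, start_ms, end_ms, suffix, bpf="",
                           session_ids=(), tags=(), assigned_to=None):
    """Build the body for the 'recovery' parameter and validate it.

    assigned_to is omitted when None so the server assigns the recovery to
    the requesting user, as the reference describes.
    """
    body = {
        "case_id": case_id,
        "bpf": bpf,
        "collection_name_suffix": suffix,
        "recovery_window_start_time": start_ms,
        "recovery_window_end_time": end_ms,
        "session_ids": list(session_ids),
        "tags": list(tags),
    }
    if assigned_to is not None:
        body["assigned_to"] = assigned_to
    problems = recovery_request_problems(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def recovery_request_json(body):
    """Serialise the validated body for an application/json request."""
    return json.dumps(body, sort_keys=True)


def collection_name(device_ip, suffix):
    """Name the reference says a recovery task's collection gets:
    "<capture device IP>_<suffix>", e.g. 10.0.0.2_mycollection."""
    return "%s_%s" % (device_ip, suffix)


def collections_that_would_be_replaced(existing_names, device_ips, suffix):
    """Existing collections in the case that a recovery with this suffix would
    overwrite (the reference notes a same-named collection is deleted).
    Check this before submitting so collected evidence is not lost by accident."""
    planned = {collection_name(ip, suffix) for ip in device_ips}
    return sorted(planned & set(existing_names))


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    body = build_recovery_request(42, 1500000000000, 1500003600000, "mycollection",
                                  bpf="host 10.0.0.5", tags=["phish", "wave2"])
    print(recovery_request_json(body))
    print(collections_that_would_be_replaced(
        ["10.0.0.2_mycollection"], ["10.0.0.2", "10.0.0.3"], "mycollection"))
```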

382 QRadar API Reference Guide


GET /forensics/capture/recoveries/{id}
Retrieves a recovery based on the supplied ID.

Retrieves a recovery based on the supplied ID.


Table 790. GET /forensics/capture/recoveries/{id} resource details
MIME Type
application/json

Table 791. GET /forensics/capture/recoveries/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 792. GET /forensics/capture/recoveries/{id} response codes


HTTP Response Code Unique Code Description
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred during the retrieval of the recovery job.

Response Description

A recovery that contains the following fields:


v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered
data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are
user supplied string identifiers that are used to mark the data so the user can easily look up the data
later.

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,

"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recovery_tasks
Retrieves a list of recovery tasks.

Retrieves a list of recovery tasks.


Table 793. GET /forensics/capture/recovery_tasks resource details
MIME Type
application/json

Table 794. GET /forensics/capture/recovery_tasks request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 795. GET /forensics/capture/recovery_tasks response codes


HTTP Response Code Unique Code Description
200 The workflow recovery job tasks were retrieved.
500 1020 An error occurred while the recovery job task list was being retrieved.

Response Description

A list of recovery tasks. A recovery task contains the following fields:


v assigned_to - String - The username of the user the recovery task is assigned to.

v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data. The IP address of the
capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored. Derived from device
recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify
and index the data at time of recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host the recovery task is running on.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery window sent to capture
device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery window sent to capture
device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation
remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to
start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
v tags - String Array - Identifiers that are applied to recovered data to assist with grouping when
searching. These are user-supplied string identifiers that are used to mark the data so the user can
easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
[
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],

"task_end_time": 42,
"task_start_time": 42
}
]

GET /forensics/capture/recovery_tasks/{id}
Retrieves a recovery task based on the supplied ID.

Retrieves a recovery task based on the supplied ID.


Table 796. GET /forensics/capture/recovery_tasks/{id} resource details
MIME Type
application/json

Table 797. GET /forensics/capture/recovery_tasks/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 798. GET /forensics/capture/recovery_tasks/{id} response codes


HTTP Response Code Unique Code Description
200 The Workflow Recovery Job was retrieved.
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred while the recovery job was being retrieved.

Response Description

A recovery task containing the following fields:


v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data. The IP address of the
capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored. Derived from device
recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify
and index the data at time of recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host where the recovery task runs.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery window sent to capture
device. Data recovered is from before this time.

v recovery_window_start_time - Long - Start of time range for data recovery window sent to capture
device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation
remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to
start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
v tags - String Array - Identifiers that are applied to recovered data to assist with grouping when
searching. These are user-supplied string identifiers that are used to mark the data so the user can
easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}

GET /forensics/case_management/case_create_tasks/{id}
Retrieves a case create task based on the supplied id.

Retrieves a case create task based on the supplied id.


Table 799. GET /forensics/case_management/case_create_tasks/{id} resource details
MIME Type
application/json

Table 800. GET /forensics/case_management/case_create_tasks/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The id of the case create task to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 801. GET /forensics/case_management/case_create_tasks/{id} response codes


HTTP Response Code Unique Code Description
200 The case create task was retrieved.
404 1002 No case create task was found for the provided ID.
500 1020 An error occurred during the retrieval of the case create task.

Response Description

A case create task containing the following fields:


v assigned_to - String Array - Usernames of users to give access to the case once it is created. Users
must have the FORENSICS role. Authorized services are not allowed.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case.
v id - Long - ID for the case create task.
v status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case was created on at least one managed host, but not all of them.
The case is considered to be usable, but functionality might be limited. This usually means one or
more managed hosts are down and the case is not created yet. The task completes after all offending
managed hosts either complete the task, or are removed from the deployment.
– PROCESSING - The task has been picked up by QRadar and is actively being processed. Cases are
being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases
Retrieves a list of cases.

Retrieves a list of cases.


Table 802. GET /forensics/case_management/cases resource details
MIME Type
application/json

Table 803. GET /forensics/case_management/cases request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 804. GET /forensics/case_management/cases response codes


HTTP Response Code Unique Code Description
200 The cases were retrieved.
500 1020 An error occurred during the retrieval of the case list.

Response Description

A list of cases. A case contains the following fields:


v assigned_to - String Array - Usernames of the users who have access to the case. Users must have the
FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
[
{
"assigned_to": [
"String"
],

"id": 42,
"name": "String"
}
]

POST /forensics/case_management/cases
Creates a new case.

Creates a new case.


Table 805. POST /forensics/case_management/cases resource details
MIME Type
application/json

Table 806. POST /forensics/case_management/cases request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 807. POST /forensics/case_management/cases request body details

Parameter Data Type MIME Type Description Sample
case Object application/json null { "assigned_to": [ "String" ], "name": "String" }

Table 808. POST /forensics/case_management/cases response codes


HTTP Response Code Unique Code Description
201 The case was created.
403 1009 The user or targeted user does not have the capability to perform this request.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the case.

Response Description

The case create status contains the following fields:


v assigned_to - String Array - Usernames of users to give access to the case once it is created. Users
must have the FORENSICS role. Authorized services are not allowed. If the case is not assigned to
anyone, it is assigned to the creator if they are a user (not an authorized service). Otherwise, it is only
accessible by an administrator. NOTE: During creation the assigned_to list can contain at most one
username.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case. The case name must include alphanumeric
characters only, and be 1-15 characters long with no spaces. Case names are unique.

v id - Long - ID for the case create task.
v status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case has been created on at least one managed host, but not all of
them. The case is considered to be usable, but functionality might be limited. This usually means
one or more managed hosts are down and the case is not created yet. The task completes after all
offending managed hosts either complete the task or are removed from the deployment.
– PROCESSING - The task was picked up by QRadar and is actively being processed. Cases are
being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases/{id}
Retrieves a case based on the supplied id.

Retrieves a case based on the supplied ID.


Table 809. GET /forensics/case_management/cases/{id} resource details
MIME Type
application/json

Table 810. GET /forensics/case_management/cases/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 811. GET /forensics/case_management/cases/{id} response codes


HTTP Response Code Unique Code Description
404 1002 No case was found for the provided ID.
500 1020 An error occurred during the retrieval of the case.

Response Description

A case that contains the following fields:


v assigned_to - String Array - Usernames of the users who have access to the case. Users must have the
FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}

GUI application framework endpoints


Use the references for REST API V9.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
Retrieves the status of all application installs.

Retrieves the status of all application installs.


Table 812. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 813. GET /gui_app_framework/application_creation_task request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 814. GET /gui_app_framework/application_creation_task response codes
HTTP Response Code Unique Code Description
200 Status list was retrieved.
422 22608 Invalid filter criteria supplied.
422 22609 Only top-level-elements of the root entity can be sorted on.
422 22610 The selected field cannot be used for sorting.
500 1020 The request could not be completed.

Response Description

A list of installation status details. For a description of what each list entry contains, see
/application_creation_task/{application_id}.

Response Sample
[
{
"application_id": 1001,
"status": "ERROR",
"error_messages": "Failed to start Docker container for application."
},
{
"application_id": 1002,
"status": "CREATING"
}
]

POST /gui_app_framework/application_creation_task
Installs a new application.

Initiates the asynchronous installation of a new application within the Application framework.

The returned application identifier should be used in subsequent API calls for that application.

Table 815. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 816. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample
package zip application/zip Required - A zip file that contains the application's manifest and source code files. null

Table 817. POST /gui_app_framework/application_creation_task response codes


HTTP Response Code Unique Code Description
201 The installation of the application was initiated successfully.
409 1008 An application with that UUID is already installed.
422 1005 The provided application is invalid.
500 1020 The request could not be completed.

Response Description

Installation status details:


v application_id - Integer - Application identifier.
v status - String
– CREATING - the install is in progress.
– ERROR - the install failed. The reason is in error_messages.
– AUTH_REQUIRED - the install is waiting for a response to an authorisation request. See
/application_creation_task/{application_id}/auth for details.
v error_messages - String - Error messages, if status is ERROR.

Response Sample
{
"application_id": 1001,
"status": "CREATING"
}

GET /gui_app_framework/application_creation_task/{application_id}/auth
Retrieves an authorisation request for an application install.

Retrieves an authorisation request for an application install.


Table 818. GET /gui_app_framework/application_creation_task/{application_id}/auth resource details
MIME Type
application/json

Table 819. GET /gui_app_framework/application_creation_task/{application_id}/auth request parameter details

Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The application identifier.

Table 820. GET /gui_app_framework/application_creation_task/{application_id}/auth response codes


HTTP Response Code Unique Code Description
200 Authorisation request was retrieved.
404 1002 The application identifier could not be found, or no authorisation request exists for the given application identifier.
500 1020 The request could not be completed.

Response Description

Authorisation request details:


v capabilities - Array of String - List of capabilities being requested.

Response Sample
{
"capabilities": ["SEM", "EventViewer"]
}

POST /gui_app_framework/application_creation_task/{application_id}/auth
Responds to an authorisation request for an application install.

The GET operation on /application_creation_task/{application_id}/auth returns the capabilities that were requested by the app and that can be supplied to this call.

The supplied capabilities list may contain all or a subset of the requested capabilities, but it may not contain any other capabilities. At least one capability must be supplied.

Table 821. POST /gui_app_framework/application_creation_task/{application_id}/auth resource details
MIME Type
application/json

Table 822. POST /gui_app_framework/application_creation_task/{application_id}/auth request parameter details

Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The application identifier.

Table 823. POST /gui_app_framework/application_creation_task/{application_id}/auth request body details

Parameter Data Type MIME Type Description Sample
authorisation Object application/json Required - The granted authorisation: { "capabilities": ["SEM", "EventViewer"], "user_id": 1 }
v capabilities - Array of String - List of granted capabilities.
v user_id - Long - user ID to be associated with this application.

Table 824. POST /gui_app_framework/application_creation_task/{application_id}/auth response codes


HTTP Response Code Unique Code Description
200 Authorisation was granted.
404 1002 The application identifier could not be found, or no authorisation request exists for the given application identifier.
409 1008 The provided authorisation values conflict with those in the original request.
422 1005 The provided authorisation values are not valid.
500 1020 The request could not be completed.

Response Description

Confirmation of the granted authorisation:


v capabilities - Array of String - List of granted capabilities.
v user_id - Long - Associated user ID.

Response Sample
{
"capabilities": ["SEM", "EventViewer"],
"user_id": 1
}

GET /gui_app_framework/application_creation_task/{application_id}
Retrieves the status details of an asynchronous request to create an application.

Table 825. GET /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 826. GET /gui_app_framework/application_creation_task/{application_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - Get the status details of this application defined by application_id returned by the initial POST on application_creation_task.

Table 827. GET /gui_app_framework/application_creation_task/{application_id} response codes


HTTP Response Code Unique Code Description
200 Application Creation Request list was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the list of status details.

Response Description
The details of the request to create the application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task/{application_id}
Cancels an application install.

Cancels the installation of an application within the Application framework.


Table 828. POST /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 829. POST /gui_app_framework/application_creation_task/{application_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The application identifier.
status query Required String text/plain Required - "CANCELLED".

Table 830. POST /gui_app_framework/application_creation_task/{application_id} response codes


HTTP Response Code Unique Code Description
200 The application installation was cancelled.
404 1002 The application identifier could not be found.
409 1008 The install is in a state that cannot be cancelled.
422 1005 Status is invalid.
500 1020 The request could not be completed.

Response Description

Installation status details:


v application_id - Integer - Application identifier.
v status - String - "CANCELLED".

Response Sample
{
"application_id": 1001,
"status": "CREATING"
}
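
The install workflow these application_creation_task endpoints describe (POST the package, GET the authorisation request, POST back a grant that is a non-empty subset of what was requested, poll the task, or cancel it) driven end to end with only operator-approved capabilities granted. This is an added example, not code from the QRadar guide or its sample client; the `api` callable and the FakeApi transport are assumptions of the example, standing in for an authenticated HTTPS client.

```python
"""Drive the application install workflow with a least-privilege grant.

Added example, not code from the QRadar guide or its sample client. It
assumes `api(method, path, body=None) -> parsed JSON`, a stand-in for an
authenticated HTTPS client; FakeApi below scripts one install offline.
"""

BASE = "/gui_app_framework/application_creation_task"


def grantable_capabilities(requested, approved):
    """Requested capabilities the operator has approved, in request order.
    `approved` is the operator's allow list, an assumption of this example."""
    granted, seen = [], set()
    for cap in requested:
        if cap in approved and cap not in seen:
            seen.add(cap)
            granted.append(cap)
    return granted


def check_grant(requested, granted):
    """Apply the rules the reference states for the POST .../auth body:
    a non-empty subset of the requested capabilities, nothing else.
    Returns None when acceptable, otherwise the reason it would be refused."""
    if not granted:
        return "at least one capability must be supplied"
    extra = sorted(set(granted) - set(requested))
    if extra:
        return "not in the original request: " + ", ".join(extra)
    return None


def _task(reply):
    # GET .../{application_id} returns a list of status entries; take the first.
    return reply[0] if isinstance(reply, list) else reply


def install_application(api, package_bytes, approved, user_id, max_polls=50):
    """POST the package, answer an AUTH_REQUIRED step with approved
    capabilities only (cancelling if none are approved), then poll until the
    task leaves CREATING. Returns the final status entry."""
    task = _task(api("POST", BASE, package_bytes))
    app_id = task["application_id"]
    for _ in range(max_polls):
        status = task["status"]
        if status == "AUTH_REQUIRED":
            requested = api("GET", "%s/%s/auth" % (BASE, app_id))["capabilities"]
            granted = grantable_capabilities(requested, approved)
            problem = check_grant(requested, granted)
            if problem:
                # Nothing approved: cancel rather than grant what the app asked for.
                api("POST", "%s/%s?status=CANCELLED" % (BASE, app_id))
                return {"application_id": app_id, "status": "CANCELLED", "reason": problem}
            api("POST", "%s/%s/auth" % (BASE, app_id),
                {"capabilities": granted, "user_id": user_id})
        elif status != "CREATING":
            return task              # COMPLETED, ERROR, CANCELLED, ...
        task = _task(api("GET", "%s/%s" % (BASE, app_id)))
    raise TimeoutError("application %s still CREATING after %d polls" % (app_id, max_polls))


class FakeApi:
    """Constructed transport that scripts one install: the POST answers
    AUTH_REQUIRED, the app asks for SEM, EventViewer and ADMIN, and the task
    reports CREATING once before COMPLETED. Records every call for inspection."""

    def __init__(self):
        self.calls = []
        self.polls = 0

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "POST" and path == BASE:
            return {"application_id": 1001, "status": "AUTH_REQUIRED"}
        if path.endswith("/auth"):
            if method == "GET":
                return {"capabilities": ["SEM", "EventViewer", "ADMIN"]}
            return body                      # server echoes the granted authorisation
        if method == "POST":                 # cancellation
            return {"application_id": 1001, "status": "CANCELLED"}
        self.polls += 1
        status = "CREATING" if self.polls < 2 else "COMPLETED"
        return [{"application_id": 1001, "status": status}]


def granted_in(fake):
    """The capabilities a FakeApi run sent in the POST .../auth body, if any."""
    for method, path, body in fake.calls:
        if method == "POST" and path.endswith("/auth"):
            return body["capabilities"]
    return None


if __name__ == "__main__":
    fake = FakeApi()
    print(install_application(fake, b"<zip bytes>", {"SEM", "EventViewer"}, user_id=1))
    print("granted:", granted_in(fake))
```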

GET /gui_app_framework/applications
Retrieve list of applications.

Retrieves a list of all installed applications.

Retrieved details include the application manifest and current status.


Table 831. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 832. GET /gui_app_framework/applications response codes
HTTP Response Code Unique Code Description
200 Application list was retrieved.
500 1020 The request could not be completed.

Response Description
A list of application details. For a description of what each list entry contains, see GET
/applications/{application_id}.

Response Sample
[
{
"application_state":{
"application_id":"1001",
"status":"RUNNING",
"error_message":"",
"memory":200
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",

"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

GET /gui_app_framework/applications/{application_id}
Retrieve an installed application.

Retrieved details include the application manifest and current status.


Table 833. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 834. GET /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The application identifier.

Table 835. GET /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The application was retrieved.
404 | 1002 | The application identifier could not be found.
500 | 1020 | The request could not be completed.

Response Description

Application details:
v application_state
– application_id - String - Application identifier.
– status - String
- CREATING - the application install has not yet completed.
- UPGRADING - the application upgrade has not yet completed.
- RUNNING - the application is running.
- STOPPED - the application has been stopped manually.
- ERROR - the application is no longer running due to an error. The reason is in error_message.
– error_message - String - Any error message associated with the application.
– memory - Integer - The amount of memory allocated to the application
v manifest - Object - The application's JSON manifest.

Response Sample
{
"application_state":{
"application_id":"1001",
"status":"RUNNING",
"error_message":"",
"memory":200
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"

402 QRadar API Reference Guide


}
]
}
}
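The manifest returned with the application object is where an application declares what it adds to the console and which capabilities a user needs to use each part. The following Python is an added example, not code from the guide or from IBM: it reviews one application object of the shape shown above and reports the entries a security reviewer would want to look at, such as REST methods or GUI actions with no required_capabilities, GUI actions or metadata providers that reference a REST method the manifest does not declare, areas served over plaintext HTTP, and page_scripts injected into console pages. The sample object, the severity labels and the wording of the findings are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed application object in the shape returned by
# GET /gui_app_framework/applications/{application_id}. The values are
# illustrative, not a capture from a live console.
SAMPLE_APP = json.loads("""
{
  "application_state": {
    "application_id": "1001", "status": "RUNNING", "error_message": "", "memory": 200
  },
  "manifest": {
    "name": "Sample Application", "version": "0.0.1",
    "areas": [
      {"id": "Qapp1_HelloWorld", "url": "http://9.21.118.58:5000",
       "text": "QApp1", "required_capabilities": ["ADMIN"]}
    ],
    "rest_methods": [
      {"name": "sampleIPInformation", "url": "/static/sampleIPInformationResponse.json",
       "method": "GET", "argument_names": ["metaDataContext"], "required_capabilities": ["ADMIN"]},
      {"name": "addToReferenceSet", "url": "/addToReferenceSet",
       "method": "GET", "argument_names": ["data"]}
    ],
    "gui_actions": [
      {"id": "addToReferenceSet", "rest_method": "addToReferenceSet",
       "javascript": "alert(result)", "groups": ["ipPopup"], "required_capabilities": ["ADMIN"]},
      {"id": "orphanButton", "rest_method": "notDeclared",
       "javascript": "alert(result)", "groups": ["OffenseListToolbar"]}
    ],
    "page_scripts": [
      {"app_name": "SEM", "page_id": "OffenseList", "scripts": ["/static/sampleScriptInclude.js"]}
    ],
    "metadata_providers": [
      {"rest_method": "sampleIPInformation", "metadata_type": "ip"}
    ]
  }
}
""")


def review_manifest(app):
    """Return a list of (severity, message) findings for one application object.

    Checks, in order: application_state, rest_methods without a capability
    requirement, gui_actions and metadata_providers that reference undeclared
    REST methods, areas loaded over plaintext HTTP, and page_scripts that
    inject JavaScript into console pages. Severity labels are this example's own.
    """
    findings = []
    state = app.get("application_state", {})
    manifest = app.get("manifest", {})

    if state.get("status") == "ERROR":
        findings.append(("high", f"application is in ERROR state: {state.get('error_message')!r}"))

    declared = {m["name"] for m in manifest.get("rest_methods", [])}

    for m in manifest.get("rest_methods", []):
        if not m.get("required_capabilities"):
            findings.append(("high", f"rest_method {m['name']} ({m['method']} {m['url']}) "
                                     "declares no required_capabilities"))

    for action in manifest.get("gui_actions", []):
        if action.get("rest_method") not in declared:
            findings.append(("medium", f"gui_action {action['id']} references undeclared "
                                       f"rest_method {action.get('rest_method')!r}"))
        if not action.get("required_capabilities"):
            findings.append(("high", f"gui_action {action['id']} declares no required_capabilities"))

    for provider in manifest.get("metadata_providers", []):
        if provider.get("rest_method") not in declared:
            findings.append(("medium", f"metadata_provider for {provider.get('metadata_type')} "
                                       f"references undeclared rest_method {provider.get('rest_method')!r}"))

    for area in manifest.get("areas", []):
        if urlparse(area.get("url", "")).scheme == "http":
            findings.append(("medium", f"area {area['id']} is loaded over plaintext HTTP: {area['url']}"))
        if not area.get("required_capabilities"):
            findings.append(("high", f"area {area['id']} declares no required_capabilities"))

    for script in manifest.get("page_scripts", []):
        findings.append(("info", f"page_scripts injects {script['scripts']} into "
                                 f"{script['app_name']}/{script['page_id']}; review the script source"))
    return findings


def findings_by_severity(app):
    """Count findings per severity so a reviewer can triage many installed apps."""
    counts = {}
    for severity, _ in review_manifest(app):
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in review_manifest(SAMPLE_APP):
        print(f"[{severity}] {message}")
```

Run against the object returned for each installed application, this gives a quick per-application triage; an entry with no required_capabilities is reachable by any console user who can see the page it is attached to, which is usually not what the application author intended.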

POST /gui_app_framework/applications/{application_id}
Updates an application.

Supply status=RUNNING to start a stopped application.

Supply status=STOPPED to stop a running application.

Supply oauth_user_id to change the OAuth user associated with the application.
Table 836. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 837. POST /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The application identifier.
status | query | Optional | String | text/plain | The status to set: RUNNING or STOPPED.
oauth_user_id | query | Optional | Number (Integer) | text/plain | The OAuth user ID to set. This parameter is ignored when status is supplied.

Table 838. POST /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The application has been successfully updated.
404 | 1002 | The application identifier could not be found.
409 | 1008 | The application is in a state that does not allow the requested update.
422 | 1005 | A supplied parameter is invalid.
500 | 1020 | The request could not be completed.

Response Description

Application details, see GET /applications/{application_id}.

Response Sample
{
"application_state":{
"application_id":"1001",
"status":"RUNNING",
"error_message":"",
"memory":200
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}

PUT /gui_app_framework/applications/{application_id}
Upgrade an application.

Table 839. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 840. PUT /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | null

Table 841. PUT /gui_app_framework/applications/{application_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
package | zip | application/zip | A zip file that contains custom code and an application manifest JSON file descriptor. | null

Table 842. PUT /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The request for an application upgrade was accepted.
404 | 1002 | The application_id is invalid or could not be found.
409 | 1008 | The application is locked by another process.
422 | 1005 | The provided application is invalid. See messages for further details.
500 | 1020 | The application could not be created.

Response Description

Application ID and status.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING, UPGRADING, COMPLETED, CANCELLED, ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE, ERROR_FRAMEWORK_UNAVAILABLE, ERROR_CREATING_IMAGE, ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
Deletes an Application.

Table 843. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

Table 844. DELETE /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The application identifier.

Table 845. DELETE /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The application has been successfully deleted.
404 | 1002 | The application identifier could not be found.
409 | 1008 | The application is in a state that cannot be deleted.
500 | 1020 | The request could not be completed.

Response Description

Successful response code 204 No content.

Response Sample

GET /gui_app_framework/named_services
Retrieves all named services.

Retrieves a list of all named services registered with the Application Framework.

By using the returned information, the caller can determine what services are available and what facilities
each service provides via its REST endpoints.
Table 846. GET /gui_app_framework/named_services resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 847. GET /gui_app_framework/named_services response codes
HTTP Response Code | Unique Code | Description
200 | | The list of named services was returned.
500 | 1020 | An error occurred while trying to retrieve the list of named services.

Response Description

A list of named services. The documentation for /named_services/{uuid} has a description of the details returned for a named service instance.

Response Sample
[{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {

408 QRadar API Reference Guide


"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}]

GET /gui_app_framework/named_services/{uuid}
Retrieves a named service.

Retrieves a named service registered with the Application Framework by using the supplied uuid.
Table 848. GET /gui_app_framework/named_services/{uuid} resource details
MIME Type
application/json

Table 849. GET /gui_app_framework/named_services/{uuid} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
uuid | path | Required | String | text/plain | Required - A named service uuid.

Table 850. GET /gui_app_framework/named_services/{uuid} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested named service was returned.
404 | 1002 | The requested named service could not be found.
500 | 1020 | An error occurred while trying to retrieve the requested named service.

Response Description

The details of a named service:


v name - String - Service name.
v version - String - Service version.
v application_id - Integer - ID of the application that implements this service.
v uuid - Integer - Unique identifier for this service.
v endpoints - Array - List of endpoints provided by this service.
– name - String - Endpoint name.
– path - String - Endpoint URL.
– http_method - String - One of GET/POST/PUT/DELETE.
– request_mime_type - String - MIME type of request body.
– request_body_type - Object - JSON definition of request body.
– parameters - Array - List of request parameters.
- location - String - Where the parameter goes in the request. One of PATH/QUERY/BODY.
- name - String - Parameter name.
- definition - String - Parameter definition, e.g. "String".
– response - Object - Response definition.
- mime_type - String - MIME type of response body.
- body_type - Object - JSON definition of response body.
– error_mime_type - String - MIME type of response body when an error occurs.

Response Sample
{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"

410 QRadar API Reference Guide


},
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}
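A named-service descriptor is what other applications use to discover and call the service, so a defender wants its endpoints to be internally consistent and to route through the console's app_proxy path for the application that owns the service. The following Python is an added example, not code from the guide or from IBM: it checks one descriptor of the shape shown above against the field definitions listed for this endpoint (allowed http_method values, parameter locations, and agreement between PATH parameters and the {placeholders} in the endpoint path). The sample descriptor is constructed; its first endpoint copies the guide's getResource sample and the second is deliberately inconsistent. The checks and their wording are this example's own assumptions about what a consistent descriptor looks like.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of one named-service object in the shape returned by
# GET /gui_app_framework/named_services/{uuid}. The first endpoint follows the
# guide's getResource sample; the second is constructed to be inconsistent.
SAMPLE_SERVICE = json.loads("""
{
  "name": "resourceservice",
  "version": "1",
  "application_id": 1001,
  "uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
  "endpoints": [
    {
      "name": "getResource",
      "path": "https://1.1.1.1/console/plugins/1001/app_proxy:resourceservice/resource/{resource_id}",
      "http_method": "GET",
      "parameters": [{"location": "PATH", "name": "resource_id"}],
      "response": {"mime_type": "application/json+ld", "body_type": {}},
      "error_mime_type": "text/plain"
    },
    {
      "name": "deleteResource",
      "path": "http://1.1.1.1/console/plugins/1002/app_proxy:resourceservice/resource/{resource_id}",
      "http_method": "DELETE",
      "parameters": [{"location": "HEADER", "name": "token"}],
      "response": {"mime_type": "application/json+ld", "body_type": {}},
      "error_mime_type": "text/plain"
    }
  ]
}
""")

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}      # per the http_method field definition
ALLOWED_LOCATIONS = {"PATH", "QUERY", "BODY"}           # per the parameters(location) definition
PATH_PARAM = re.compile(r"\{([^{}]+)\}")                # {name} placeholders in an endpoint path


def check_named_service(service, console_host):
    """Return a list of consistency problems found in one named-service descriptor.

    console_host is the host name or IP of the QRadar console the descriptor was
    fetched from. Every endpoint is expected to be served over HTTPS from that
    host via /console/plugins/{application_id}/app_proxy:{service name}/.
    """
    problems = []
    expected_prefix = (f"/console/plugins/{service['application_id']}"
                       f"/app_proxy:{service['name']}/")

    for ep in service.get("endpoints", []):
        label = ep.get("name", "<unnamed>")
        url = urlparse(ep.get("path", ""))

        if url.scheme != "https":
            problems.append(f"{label}: path is not https ({url.scheme or 'no scheme'})")
        if url.hostname != console_host:
            problems.append(f"{label}: path host {url.hostname!r} is not the console {console_host!r}")
        if not url.path.startswith(expected_prefix):
            problems.append(f"{label}: path does not route via {expected_prefix}")
        if ep.get("http_method") not in ALLOWED_METHODS:
            problems.append(f"{label}: http_method {ep.get('http_method')!r} "
                            "is not one of GET/POST/PUT/DELETE")

        # PATH parameters and {placeholders} in the path must describe each other.
        declared_path_params = set()
        for p in ep.get("parameters", []):
            if p.get("location") not in ALLOWED_LOCATIONS:
                problems.append(f"{label}: parameter {p.get('name')!r} has location "
                                f"{p.get('location')!r}, not one of PATH/QUERY/BODY")
            elif p["location"] == "PATH":
                declared_path_params.add(p["name"])
        placeholders = set(PATH_PARAM.findall(url.path))
        for missing in sorted(placeholders - declared_path_params):
            problems.append(f"{label}: placeholder {{{missing}}} in path has no PATH parameter")
        for unused in sorted(declared_path_params - placeholders):
            problems.append(f"{label}: PATH parameter {unused!r} does not appear in the path")

        # Endpoints that take a body should say what the body looks like.
        if ep.get("http_method") in {"POST", "PUT"} and "request_body_type" not in ep:
            problems.append(f"{label}: {ep['http_method']} endpoint declares no request_body_type")

    return problems


if __name__ == "__main__":
    for problem in check_named_service(SAMPLE_SERVICE, "1.1.1.1"):
        print(problem)
```

A descriptor whose endpoint paths point at a different host or a different application's app_proxy route is worth investigating before any caller is configured to trust it, since callers typically take the path from the descriptor verbatim.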

Help endpoints
Use the references for REST API V9.0 Help endpoints.

GET /help/endpoints
Retrieves a list of endpoint documentation objects that are currently in the system.

Table 851. GET /help/endpoints resource details
MIME Type
application/json

Table 852. GET /help/endpoints request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 853. GET /help/endpoints response codes
HTTP Response Code | Unique Code | Description
200 | | The endpoint documentation list was retrieved.
500 | 1020 | An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this endpoint.
v error_responses(response_code) - Number - The HTTP code for this error response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error response.
v error_responses(response_code_description) - String - The description of the response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type value, e.g. TEXT_PLAIN.
v response_mime_types(media_type) - String - The RFC style Media Type, e.g. text/plain. This value is suitable for use in HTTP requests.
v response_mime_types(sample) - String - The sample of this response MIME type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if there is no default value for this parameter. This is always a String, regardless of the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version in which this endpoint was last modified. It is less than or equal to the version in the version field.
v caller_has_access - Boolean - True if the user has the required capabilities to call this endpoint, false otherwise.

Response Sample
[
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY, HEADER, PATH, BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String",
"media_type": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]
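Because /help/endpoints reports caller_has_access for the token making the call, it doubles as a least-privilege check for an authorized service token: the response says which documented endpoints that token could invoke. The Python below is an added example, not code from the guide or from IBM. help_endpoints_request builds one page of the request using the Range header and the fields and filter query parameters documented above, and audit_token_reach summarises a response into what the token can call, which of those calls change state, and which are deprecated. The endpoint array is constructed (with /example/old_endpoint as a placeholder path standing in for a deprecated endpoint), the SEC and Version headers follow the QRadar API's usual request conventions, and the console host, token and page size are placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed sample of the array returned by GET /help/endpoints, trimmed to the
# fields this audit reads. Real paths from this guide are used except
# /example/old_endpoint, which is a placeholder; caller_has_access values are
# illustrative.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "http_method": "GET", "path": "/help/endpoints", "version": "9.0",
   "deprecated": false, "caller_has_access": true},
  {"id": 2, "http_method": "GET", "path": "/gui_app_framework/applications/{application_id}",
   "version": "9.0", "deprecated": false, "caller_has_access": true},
  {"id": 3, "http_method": "DELETE", "path": "/gui_app_framework/applications/{application_id}",
   "version": "9.0", "deprecated": false, "caller_has_access": true},
  {"id": 4, "http_method": "PUT", "path": "/gui_app_framework/applications/{application_id}",
   "version": "9.0", "deprecated": false, "caller_has_access": false},
  {"id": 5, "http_method": "POST", "path": "/example/old_endpoint", "version": "9.0",
   "deprecated": true, "caller_has_access": true}
]
""")

# Methods that change state on the console; PATCH is listed in the http_method enum above.
MUTATING = {"POST", "PUT", "DELETE", "PATCH"}


def help_endpoints_request(console_host, sec_token, start=0, page_size=50,
                           fields="id,http_method,path,deprecated,caller_has_access",
                           filter_expr=None):
    """Build the URL and headers for one page of GET /help/endpoints.

    Paging uses the Range header (items=start-end, zero-indexed, inclusive),
    field projection uses the fields query parameter, and filter_expr is passed
    through unchanged as the filter query parameter. Nothing is sent here; the
    caller hands the pair to its HTTP client. Host and token are placeholders.
    """
    query = {"fields": fields}
    if filter_expr:
        query["filter"] = filter_expr
    url = f"https://{console_host}/api/help/endpoints?{urlencode(query)}"
    headers = {
        "SEC": sec_token,            # QRadar authorized-service token header
        "Version": "9.0",            # pin the API version this client was written against
        "Accept": "application/json",
        "Range": f"items={start}-{start + page_size - 1}",
    }
    return url, headers


def audit_token_reach(endpoints):
    """Summarise what the calling token can reach from the caller_has_access flags.

    Returns the endpoints the token can call, the subset that modify state, the
    callable endpoints that are deprecated, and the endpoints it is denied.
    """
    def label(ep):
        return f"{ep['http_method']} {ep['path']}"

    callable_eps = [ep for ep in endpoints if ep.get("caller_has_access")]
    return {
        "callable": [label(ep) for ep in callable_eps],
        "mutating": [label(ep) for ep in callable_eps if ep["http_method"] in MUTATING],
        "deprecated": [label(ep) for ep in callable_eps if ep.get("deprecated")],
        "denied": [label(ep) for ep in endpoints if not ep.get("caller_has_access")],
    }


if __name__ == "__main__":
    url, headers = help_endpoints_request("console.example", "TOKEN-PLACEHOLDER")
    print(url, headers["Range"])
    for key, values in audit_token_reach(SAMPLE_ENDPOINTS).items():
        print(f"{key}: {values}")
```

To audit a token, request successive Range windows until a page comes back shorter than page_size, concatenate the arrays, and pass the result to audit_token_reach. A token that can reach mutating endpoints the integration never calls is a candidate for a narrower security profile, and callable deprecated endpoints are the ones to migrate before the next upgrade removes them.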

GET /help/endpoints/{endpoint_id}
Retrieves a single endpoint documentation object.

Table 854. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 855. GET /help/endpoints/{endpoint_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
endpoint_id | path | Required | Number (Integer) | text/plain | The endpoint id.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 856. GET /help/endpoints/{endpoint_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The endpoint documentation object was retrieved.
404 | 1002 | No endpoint documentation object was found for the provided endpoint id.
500 | 1020 | An unexpected error has occurred.

Response Description
An endpoint documentation object. An endpoint documentation object contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this endpoint.
v error_responses(response_code) - Number - The HTTP code for this error response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error response.
v error_responses(response_code_description) - String - The description of the response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type value, e.g. TEXT_PLAIN.
v response_mime_types(media_type) - String - The RFC style Media Type, e.g. text/plain. This value is suitable for use in HTTP requests.
v response_mime_types(sample) - String - The sample of this response MIME type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if there is no default value for this parameter. This is always a String, regardless of the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version in which this endpoint was last modified. It will be less than or equal to the version in the version field.
v caller_has_access - Boolean - Returns true if the user has the required capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY, HEADER, PATH, BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources
Retrieves a list of resource documentation objects currently in the system.

Table 857. GET /help/resources resource details
MIME Type
application/json

Table 858. GET /help/resources request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 859. GET /help/resources response codes
HTTP Response Code | Unique Code | Description
200 | | The resource documentation list was retrieved.
500 | 1020 | An unexpected error has occurred.

Response Description

An array of resource documentation objects. A resource documentation object contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id}
Retrieves a single resource documentation object.

Table 860. GET /help/resources/{resource_id} resource details
MIME Type
application/json

Table 861. GET /help/resources/{resource_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
resource_id | path | Required | Number (Integer) | text/plain | The resource id.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 862. GET /help/resources/{resource_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The resource documentation object was retrieved.
404 | 1002 | No resource documentation object was found for the provided resource ID.
500 | 1020 | An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions
Retrieves a list of version documentation objects currently in the system.

Table 863. GET /help/versions resource details
MIME Type
application/json

Table 864. GET /help/versions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 865. GET /help/versions response codes
HTTP Response Code | Unique Code | Description
200 | | The version documentation list was retrieved.
500 | 1020 | An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot be called from an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id}
Retrieves a single version documentation object.

Table 866. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 867. GET /help/versions/{version_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
version_id | path | Required | Number (Integer) | text/plain | The ID of the version documentation to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 868. GET /help/versions/{version_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The version documentation object was retrieved.
404 | 1002 | No version documentation object was found for the provided version id.
500 | 1020 | An unexpected error has occurred.

Response Description
A version documentation object. A version documentation object contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
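
The version and resource documentation objects above are best resolved by stable keys, because the guide states that their numeric ids can change whenever services restart. The following is an added example, not code from the guide or from IBM: it flags removed and deprecated versions and walks each version's resource tree from root_resource_ids through child_resource_ids, indexing by (version, path); the sample objects are constructed for this example.

```python
"""Resolve QRadar /help/versions and /help/resources objects by stable keys.

Added example, not from the IBM QRadar API Guide. The guide says the ids of these
documentation objects are not permanent and may change whenever services restart,
so nothing here persists an id: resources are keyed by (version, path).
"""

# Constructed sample of GET /help/versions output (field names per the guide).
SAMPLE_VERSIONS = [
    {"id": 7, "version": "8.0", "deprecated": True, "removed": False,
     "root_resource_ids": [31]},
    {"id": 9, "version": "9.0", "deprecated": False, "removed": False,
     "root_resource_ids": [40]},
    {"id": 3, "version": "5.0", "deprecated": True, "removed": True,
     "root_resource_ids": [12]},
]

# Constructed sample of GET /help/resources output. Resource 31 deliberately lists
# a child id (99) that is absent from the snapshot, to show the consistency check.
SAMPLE_RESOURCES = [
    {"id": 40, "version": "9.0", "resource": "qrm", "path": "/qrm",
     "parent_resource_id": None, "child_resource_ids": [41], "endpoint_ids": []},
    {"id": 41, "version": "9.0", "resource": "model_groups", "path": "/qrm/model_groups",
     "parent_resource_id": 40, "child_resource_ids": [42], "endpoint_ids": [900]},
    {"id": 42, "version": "9.0", "resource": "{group_id}",
     "path": "/qrm/model_groups/{group_id}", "parent_resource_id": 41,
     "child_resource_ids": [], "endpoint_ids": [901, 902, 903]},
    {"id": 31, "version": "8.0", "resource": "help", "path": "/help",
     "parent_resource_id": None, "child_resource_ids": [99], "endpoint_ids": [100]},
    {"id": 12, "version": "5.0", "resource": "help", "path": "/help",
     "parent_resource_id": None, "child_resource_ids": [], "endpoint_ids": [50]},
]


def usable_versions(versions):
    """Return (callable version strings newest first, {version: warning}).

    A removed version cannot be called at all, so it is excluded; a deprecated one
    still works but is flagged so the integration is migrated before removal.
    """
    usable, warnings = [], {}
    for v in versions:
        if v["removed"]:
            warnings[v["version"]] = "removed: endpoints cannot be called"
            continue
        if v["deprecated"]:
            warnings[v["version"]] = "deprecated: migrate before it is removed"
        usable.append(v["version"])
    # Order numerically by major.minor; a plain string sort would put "10.0" before "9.0".
    usable.sort(key=lambda s: tuple(int(p) for p in s.split(".")), reverse=True)
    return usable, warnings


def walk_resources(versions, resources):
    """Walk every version's tree from root_resource_ids through child_resource_ids.

    Returns ({(version, path): endpoint_ids}, [problems]). Ids are resolved only
    inside this one snapshot, the only scope in which the guide says they are valid;
    a child id missing from the snapshot or a path that is not under its parent's
    path is reported rather than skipped silently.
    """
    by_id = {r["id"]: r for r in resources}
    index, problems = {}, []
    for v in versions:
        stack = [(rid, None) for rid in v["root_resource_ids"]]
        while stack:
            rid, parent = stack.pop()
            r = by_id.get(rid)
            if r is None:
                problems.append(f"{v['version']}: unknown resource id {rid}")
                continue
            if parent is not None and not r["path"].startswith(parent["path"] + "/"):
                problems.append(f"{v['version']}: {r['path']} is not under {parent['path']}")
            index[(r["version"], r["path"])] = list(r["endpoint_ids"])
            stack.extend((child, r) for child in r["child_resource_ids"])
    return index, problems
```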

IBM Security QRadar Risk Manager endpoints


Use the references for REST API V9.0 QRadar Risk Manager endpoints.

GET /qrm/model_groups
Retrieves a list of model groups.

Table 869. GET /qrm/model_groups resource details
MIME Type
application/json

Table 870. GET /qrm/model_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 871. GET /qrm/model_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The model groups were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the model groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/model_groups/{group_id}
Retrieves a model group.

Table 872. GET /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 873. GET /qrm/model_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 874. GET /qrm/model_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The model group was retrieved.
404 | 1002 | The model group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the model group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/model_groups/{group_id}
Updates the owner of a model group.

Table 875. POST /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 876. POST /qrm/model_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 877. POST /qrm/model_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 878. POST /qrm/model_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The model group was updated.
404 | 1002 | The model group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the model group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the model group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
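
The owner update above is a read-modify-write: the request body is the Group object as returned by GET with only the owner changed, and the server answers 409 (unique code 1004) when the named user cannot hold the group. The following is an added example, not code from the guide or from IBM, that performs that exchange against an injected transport so it runs offline; the SEC and Version request headers, the FakeQRadar stand-in and its error-body layout ({"code": <unique code>}) are assumptions for this example, not something this page documents.

```python
"""Transfer ownership of a QRadar model group via GET + POST /qrm/model_groups/{group_id}.

Added example, not from the IBM QRadar API Guide. The HTTP transport is injected
as a callable so the flow runs offline against the constructed FakeQRadar below.
Assumed, because this page does not document them: the SEC (API token) and Version
request headers, and an error body of the form {"code": <unique code>}.
"""
import json

# Outcomes documented for POST /qrm/model_groups/{group_id} (Table 878).
OUTCOMES = {
    (200, None): "updated",
    (404, 1002): "the model group does not exist",
    (409, 1004): "the provided user lacks the capabilities required to own the model group",
    (422, 1005): "a request parameter is not valid",
    (500, 1020): "error during the attempt to update the model group",
}


class OwnerTransferError(Exception):
    """The transfer did not happen; the message carries the documented reason."""


def classify(status, body):
    """Map HTTP status plus parsed body to the documented outcome text."""
    unique = None if status == 200 else (body or {}).get("code")  # assumed error-body field
    return OUTCOMES.get((status, unique), f"undocumented response {status}/{unique}")


def transfer_model_group_owner(transport, group_id, new_owner, token, version="9.0"):
    """Set the owner of model group `group_id` to `new_owner` and confirm it took effect.

    `transport(method, path, headers, body_text)` returns (status, parsed_json).
    The POST body is the Group object returned by GET with only `owner` changed,
    which is what Table 877 asks for. A 200 is not taken on trust: the returned
    owner and modified_time are checked against what was requested.
    """
    headers = {"SEC": token, "Version": version, "Accept": "application/json"}  # assumed headers
    status, group = transport("GET", f"/qrm/model_groups/{group_id}", headers, None)
    if status != 200:
        raise OwnerTransferError(classify(status, group))
    before = group["modified_time"]
    body = dict(group, owner=new_owner)
    body.pop("modified_time", None)  # server-managed; the request-body sample omits it
    status, updated = transport(
        "POST", f"/qrm/model_groups/{group_id}",
        dict(headers, **{"Content-Type": "application/json"}), json.dumps(body),
    )
    if status != 200:
        raise OwnerTransferError(classify(status, updated))
    if updated.get("owner") != new_owner or updated.get("modified_time", 0) <= before:
        raise OwnerTransferError(f"server did not record the change: {updated!r}")
    return updated


class FakeQRadar:
    """Constructed in-memory stand-in for the two endpoints used above; not real QRadar."""

    def __init__(self):
        self.groups = {42: {"id": 42, "name": "Payment models", "owner": "admin",
                            "type": "MODEL_SAVED_SEARCH_GROUP", "modified_time": 1000}}
        # Users holding the capability required to own a QRM group (constructed).
        self.qrm_capable = {"admin", "riskmgr"}

    def __call__(self, method, path, headers, body_text):
        if headers.get("SEC") != "valid-token":
            return 401, {"code": 0}
        group = self.groups.get(int(path.rsplit("/", 1)[1]))
        if group is None:
            return 404, {"code": 1002}
        if method == "GET":
            return 200, dict(group)
        requested = json.loads(body_text)
        if requested.get("owner") not in self.qrm_capable:
            return 409, {"code": 1004}
        group["owner"] = requested["owner"]
        group["modified_time"] += 1
        return 200, dict(group)
```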

DELETE /qrm/model_groups/{group_id}
Deletes a model group.

Table 879. DELETE /qrm/model_groups/{group_id} resource details
MIME Type
text/plain

Table 880. DELETE /qrm/model_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 881. DELETE /qrm/model_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The model group was deleted.
404 | 1002 | The model group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the model group.

Response Description

Response Sample

GET /qrm/qrm_saved_search_groups
Retrieves a list of QRM saved search groups.

Table 882. GET /qrm/qrm_saved_search_groups resource details
MIME Type
application/json

Table 883. GET /qrm/qrm_saved_search_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 884. GET /qrm/qrm_saved_search_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The QRM saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the QRM saved search groups.

Response Description
List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/qrm_saved_search_groups/{group_id}
Retrieves a QRM saved search group.

Table 885. GET /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 886. GET /qrm/qrm_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 887. GET /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The QRM saved search group was retrieved.
404 | 1002 | The QRM saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the QRM saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/qrm_saved_search_groups/{group_id}
Updates the owner of a QRM saved search group.

Table 888. POST /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 889. POST /qrm/qrm_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 890. POST /qrm/qrm_saved_search_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 891. POST /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The QRM saved search group was updated.
404 | 1002 | The QRM saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the QRM saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the QRM saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/qrm_saved_search_groups/{group_id}
Deletes a QRM saved search group.

Table 892. DELETE /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 893. DELETE /qrm/qrm_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 894. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The QRM saved search group was deleted.
404 | 1002 | The QRM saved search group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the QRM saved search group.

Response Description

Response Sample

GET /qrm/question_groups
Retrieves a list of question groups.

Table 895. GET /qrm/question_groups resource details
MIME Type
application/json

Table 896. GET /qrm/question_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 897. GET /qrm/question_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The question groups were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the question groups.

Response Description
List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/question_groups/{group_id}
Retrieves a question group.

Table 898. GET /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 899. GET /qrm/question_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 900. GET /qrm/question_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The question group was retrieved.
404 | 1002 | The question group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the question group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/question_groups/{group_id}
Updates the owner of a question group.

Table 901. POST /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 902. POST /qrm/question_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 903. POST /qrm/question_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 904. POST /qrm/question_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The question group was updated.
404 | 1002 | The question group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the question group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the question group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/question_groups/{group_id}
Deletes a question group.

Table 905. DELETE /qrm/question_groups/{group_id} resource details
MIME Type
text/plain

Table 906. DELETE /qrm/question_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 907. DELETE /qrm/question_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The question group was deleted.
404 | 1002 | The question group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the question group.

Response Description

Response Sample

GET /qrm/simulation_groups
Retrieves a list of the simulation groups.

Table 908. GET /qrm/simulation_groups resource details
MIME Type
application/json

Table 909. GET /qrm/simulation_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 910. GET /qrm/simulation_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The simulation groups were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the simulation groups.

Response Description
List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.

436 QRadar API Reference Guide


v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/simulation_groups/{group_id}
Retrieves a simulation group.


Table 911. GET /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 912. GET /qrm/simulation_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 913. GET /qrm/simulation_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The simulation group was retrieved.
404 1002 The simulation group does not exist.
500 1020 An error occurred during the attempt to retrieve the simulation group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/simulation_groups/{group_id}
Updates the owner of a simulation group.

Table 914. POST /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 915. POST /qrm/simulation_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 916. POST /qrm/simulation_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 917. POST /qrm/simulation_groups/{group_id} response codes

HTTP Response Code Unique Code Description
200 The simulation group was updated.
404 1002 The simulation group does not exist.
409 1004 The provided user does not have the required capabilities to own the simulation group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the simulation group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/simulation_groups/{group_id}
Deletes a simulation group.


Table 918. DELETE /qrm/simulation_groups/{group_id} resource details
MIME Type
text/plain

Table 919. DELETE /qrm/simulation_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 920. DELETE /qrm/simulation_groups/{group_id} response codes

HTTP Response Code Unique Code Description
204 The simulation group has been deleted.
404 1002 The simulation group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the simulation group.

Response Description
Response Sample

GET /qrm/topology_saved_search_groups
Retrieves a list of topology saved search groups.


Table 921. GET /qrm/topology_saved_search_groups resource details
MIME Type
application/json

Table 922. GET /qrm/topology_saved_search_groups request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 923. GET /qrm/topology_saved_search_groups response codes

HTTP Response Code Unique Code Description
200 The topology saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the topology saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/topology_saved_search_groups/{group_id}
Retrieves a topology saved search group.


Table 924. GET /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 925. GET /qrm/topology_saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 926. GET /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response Code Unique Code Description
200 The topology saved search group was retrieved.
404 1002 The topology saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the topology saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/topology_saved_search_groups/{group_id}
Updates the owner of a topology saved search group.


Table 927. POST /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 928. POST /qrm/topology_saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 929. POST /qrm/topology_saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 930. POST /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response Code Unique Code Description
200 The topology saved search group was updated.
404 1002 The topology saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the topology saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the topology saved search group.

Response Description
The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/topology_saved_search_groups/{group_id}
Deletes a topology saved search group.

Table 931. DELETE /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 932. DELETE /qrm/topology_saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 933. DELETE /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response Code Unique Code Description
204 The topology saved search group was deleted.
404 1002 The topology saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the topology saved search group.

Response Description
Response Sample

QRadar Vulnerability Manager endpoints


Use the references for REST API V9.0 QRadar Vulnerability Manager endpoints.

GET /qvm/assets
List the assets with discovered vulnerabilities present in the asset model. The response contains all
available RESTful resources.
Table 934. GET /qvm/assets resource details
MIME Type
application/json

Table 935. GET /qvm/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 936. GET /qvm/assets response codes

HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by asset completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

list of assets data

Response Sample

GET /qvm/filters
Get a list of the allowable filters that can be used or applied against /qvm endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries
Table 937. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 938. GET /qvm/filters response codes
HTTP Response Code Unique Code Description
200 The search executed successfully
420 9102 An error occurred while executing the search

Response Description

list of Filters.

Response Sample

GET /qvm/network
List the networks present in the asset model with vulnerabilities present. The response contains all available RESTful resources.
Table 939. GET /qvm/network resource details
MIME Type
application/json

Table 940. GET /qvm/network request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 941. GET /qvm/network response codes

HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by network completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

list of network related data

Response Sample

GET /qvm/openservices
List the open services present in the asset model with vulnerabilities present. The response contains all available RESTful resources.
Table 942. GET /qvm/openservices resource details
MIME Type
application/json

Table 943. GET /qvm/openservices request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 944. GET /qvm/openservices response codes

HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by open service completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

list of open services related data

Response Sample

GET /qvm/saved_search_groups
Retrieves a list of vulnerability saved search groups.


Table 945. GET /qvm/saved_search_groups resource details
MIME Type
application/json

Table 946. GET /qvm/saved_search_groups request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 947. GET /qvm/saved_search_groups response codes

HTTP Response Code Unique Code Description
200 The vulnerability saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the vulnerability saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qvm/saved_search_groups/{group_id}
Retrieves a vulnerability saved search group.


Table 948. GET /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 949. GET /qvm/saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 950. GET /qvm/saved_search_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The vulnerability saved search group was retrieved.
404 1002 The vulnerability saved search group does not exist.
422 1005 null
500 1020 An error occurred during the attempt to retrieve the vulnerability saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qvm/saved_search_groups/{group_id}
Updates the owner of a vulnerability saved search group.


Table 951. POST /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 952. POST /qvm/saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 953. POST /qvm/saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 954. POST /qvm/saved_search_groups/{group_id} response codes

HTTP Response Code Unique Code Description
200 The vulnerability saved search group was updated.
404 1002 The vulnerability saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the vulnerability saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the vulnerability saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
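The requests that the /qvm endpoints above describe, as an added Python example that is not IBM's code: it builds GET /qvm/assets with the filters JSON parameter from Table 935, a paged GET /qvm/saved_search_groups using the Range header, and the POST owner update, and maps an error reply's unique code to the meaning given in the response-code tables. The SEC and Version headers, the layout of the error body, the placeholder host name and the helper names are assumptions not stated in this section.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder console address (assumption): replace with your own.
BASE_URL = "https://qradar.example.invalid/api"

# Unique codes and their meanings as given in the response-code tables above.
UNIQUE_CODES = {
    1002: "the requested group or resource does not exist",
    1004: "the provided user does not have the required capabilities to own the group",
    1005: "a request parameter is not valid",
    1020: "an error occurred on the server during the attempt",
    9101: "invalid search parameters, search cannot be performed",
    9102: "an error occurred while executing the search",
}


def auth_headers(token):
    """Assumption: the authorized-service token travels in the SEC header and
    the API version in the Version header, as the guide's overview describes."""
    return {"SEC": token, "Version": "9.0", "Accept": "application/json"}


def qvm_assets_request(token, filters, saved_search_id=None):
    """Build GET /qvm/assets. 'filters' is the list of
    {"parameter", "operator", "value"} objects from Table 935; it is sent
    as one JSON string in the query and URL-encoded by urlencode()."""
    for f in filters:
        if set(f) != {"parameter", "operator", "value"}:
            raise ValueError("filter object must have exactly parameter/operator/value: %r" % (f,))
    params = {"filters": json.dumps(filters, separators=(",", ":"))}
    if saved_search_id is not None:
        params["savedSearchId"] = str(saved_search_id)
    url = BASE_URL + "/qvm/assets?" + urllib.parse.urlencode(params)
    return {"method": "GET", "url": url, "headers": auth_headers(token), "body": None}


def saved_search_groups_page(token, start, size, fields="id,name,owner"):
    """Build GET /qvm/saved_search_groups for one page. The Range header is
    zero-indexed and inclusive: items=0-49 asks for the first 50 groups."""
    if start < 0 or size < 1:
        raise ValueError("start must be >= 0 and size >= 1")
    headers = auth_headers(token)
    headers["Range"] = "items=%d-%d" % (start, start + size - 1)
    url = BASE_URL + "/qvm/saved_search_groups?" + urllib.parse.urlencode({"fields": fields})
    return {"method": "GET", "url": url, "headers": headers, "body": None}


def set_group_owner_request(token, group_id, group, new_owner):
    """Build POST /qvm/saved_search_groups/{group_id}: resend the Group object
    with only 'owner' changed. int() rejects anything but an integer id
    before it is placed in the path."""
    body = dict(group, owner=new_owner)
    headers = auth_headers(token)
    headers["Content-Type"] = "application/json"
    url = BASE_URL + "/qvm/saved_search_groups/%d" % int(group_id)
    return {"method": "POST", "url": url, "headers": headers, "body": json.dumps(body).encode("utf-8")}


def interpret_error(status, body):
    """Map an error reply to the meaning from the tables. Assumption: QRadar's
    JSON error body carries the unique code in a top-level 'code' field."""
    try:
        code = json.loads(body.decode("utf-8")).get("code")
    except (ValueError, AttributeError):
        code = None
    return {"http_status": status, "unique_code": code,
            "meaning": UNIQUE_CODES.get(code, "unique code not listed in this section")}


def query_params(req):
    """Decode a built request's query string into {name: value} (for checks)."""
    query = urllib.parse.urlparse(req["url"]).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def body_json(req):
    """Decode a built request's JSON body (for checks)."""
    return json.loads(req["body"].decode("utf-8"))


def send(req):
    """Send a built request over HTTPS; returns (status, body). Needs network access."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
```

Because the 409/1004 reply on the POST means the chosen owner lacks the capabilities to own the group, check the user's role before scripting bulk owner changes rather than retrying on that code.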

DELETE /qvm/saved_search_groups/{group_id}
Deletes a vulnerability saved search group.


Table 955. DELETE /qvm/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 956. DELETE /qvm/saved_search_groups/{group_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 957. DELETE /qvm/saved_search_groups/{group_id} response codes

HTTP Response Code Unique Code Description
204 The vulnerability saved search group was deleted.
404 1002 The vulnerability saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the vulnerability saved search group.

Response Description
Response Sample

GET /qvm/saved_searches
Retrieves a list of vulnerability instance saved searches.


Table 958. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 959. GET /qvm/saved_searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 960. GET /qvm/saved_searches response codes

HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of saved searches.

Response Description

A list of vulnerability instance saved searches that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that make up this saved
search.

Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets
Lists the Vulnerability Instances assets that are returned from the vulnerability instance saved search.

Lists the Vulnerability Instances assets that are returned from the saved search.
Table 961. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource details
MIME Type
application/json

Table 962. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 963. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response codes
HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.

Response Description

A list of assets associated with the vulnerability instance data.

Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
Lists the Vulnerability Instances returned from a vulnerability instance saved search.

Table 964. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances resource details
MIME Type
application/json

Table 965. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 966. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances response codes
HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully.
404 1002 Resource not found
500 1020 An error occurred while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"seen_by_scan_profile": "String", "last_seen_date": 42, "cvss_environmental_score_string": "String", "ports": [42], "do

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities
List the Vulnerability Instances vulnerabilities returned from the saved search.
Table 967. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities resource details
MIME Type
application/json

Table 968. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 969. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities response codes
HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully
404 1002 Resource not found
500 1020 Error while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"severity": {"code": 42, "name": "String <one of: Patch, Urgent, Critical, High, Medium, Low>"}, "patches": [{"security_n

GET /qvm/saved_searches/vuln_instances/{task_id}/status
Retrieves the current status of a vulnerability instance search that was initiated.

Table 970. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 971. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 972. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes
HTTP Response Code Unique Code Description
200 The request to retrieve the current status of the vulnerability instance search completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving status.

Response Description
Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/saved_searches/vuln_instances/{task_id}/status
Updates the status of a vulnerability instance saved search.

Table 973. POST /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 974. POST /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required. The ID of the task to update.
status query Optional String text/plain Optional. The only accepted value is CANCELLED. If this value is provided, the search is cancelled.
retention_period_in_days query Optional Number (Integer) text/plain Optional. Set the data retention period in days for the results. Accepted values 0 - 14. Use 0 to delete a result at the next clean up cycle. Default data retention period is 2 days.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 975. POST /qvm/saved_searches/vuln_instances/{task_id}/status response codes
HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully.
403 1009 You do not have the proper capabilities to retrieve the Vulnerability Instance Saved Search.
404 1002 Resource not found.
409 1004 The current status of the search prevented the task from being cancelled.
422 1005 A request parameter is not valid.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected Vulnerability Instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id}
Retrieves a vulnerability instance saved search.

Table 976. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 977. GET /qvm/saved_searches/{saved_search_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 978. GET /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully
404 1002 The Saved Search does not exist
500 1020 An error occurred while trying to retrieve the vulnerability instance saved search

Response Description

A vulnerability instance saved search that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved search.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

POST /qvm/saved_searches/{saved_search_id}
Updates the vulnerability saved search owner only.

Table 979. POST /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 980. POST /qvm/saved_searches/{saved_search_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 981. POST /qvm/saved_searches/{saved_search_id} request body details
Parameter Data Type MIME Type Description Sample
saved_search Object application/json null { "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "name": "String", "owner": "String" }

Table 982. POST /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code Unique Code Description
200 The vulnerability saved search was updated.
403 1009 You do not have the required capabilities to update the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
409 1004 The provided user does not have the required capabilities to own the vulnerability saved search.
422 1005 A request parameter is not valid.
500 1020 null

Response Description
The vulnerability saved search after it was updated. A Vulnerability Saved Search object contains the
following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /qvm/saved_searches/{saved_search_id}
Deletes a vulnerability saved search.

Table 983. DELETE /qvm/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 984. DELETE /qvm/saved_searches/{saved_search_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null

Table 985. DELETE /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code Unique Code Description
204 The vulnerability saved search was deleted.
403 1009 You do not have the required capabilities to delete the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
500 1020 null

Response Description

Response Sample

GET /qvm/saved_searches/{saved_search_id}/vuln_instances
Creates the Vulnerability Instances search. This search returns a maximum of 100,000 results.
Table 986. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 987. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain ID of saved search
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Specify the range for the results that you want to return, up to 100,000 results. For example, 0-599, 200-99999. The list is indexed and begins at zero.

Result pagination example:

To return the first 100,000 rows, follow these steps:
1. Run the GET - /qvm/saved_searches/{saved_search_id}/vuln_instances endpoint with a range of 0-99999 and a saved_search_id that equals 2.
2. Run the GET - /qvm/saved_searches/vuln_instances/{task_id}/status endpoint to check the search status.
3. When the search status changes to COMPLETED, run the GET - /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances endpoint to get the vulnerability instance results.
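The three steps above as a client, added here as an example (not IBM's code): it queues the search, polls the status endpoint until COMPLETED, stops on the terminal failure states instead of polling forever, and pages the results. The `items=first-last` Range form, the `get` transport callable and the FakeQRadar stand-in are assumptions so the flow runs offline.

```python
"""Asynchronous vulnerability-instance search: create, poll, page results."""
import re
import time

MAX_RESULTS = 100_000                        # documented cap for this search
TERMINAL_FAILURES = {"CANCELLED", "EXCEPTION", "INTERRUPTED"}


class SearchFailed(RuntimeError):
    """Task could not be queued, ended in a failure state, or results are gone."""


def run_vuln_instance_search(get, saved_search_id, first=0, last=99_999,
                             page_size=1_000, max_polls=60, poll_interval=0.0):
    """Return (task_id, rows) for one saved search, or raise SearchFailed.

    `get(path, headers=None)` is the caller's transport (an assumption; on a
    live console it would wrap an authenticated HTTP session) and must return
    (http_status, parsed_json_body).
    """
    if first < 0 or last < first or last - first + 1 > MAX_RESULTS:
        raise ValueError("range must lie within the 100,000-result limit")
    # Step 1: queue the search. Range uses the assumed `items=first-last` form;
    # the guide's own walk-through asks for 0-99999, the first 100,000 rows.
    code, task = get(f"/qvm/saved_searches/{saved_search_id}/vuln_instances",
                     headers={"Range": f"items={first}-{last}"})
    if code != 201:
        raise SearchFailed(f"search not queued: HTTP {code} {task}")
    task_id = task["id"]

    # Step 2: poll the status endpoint; stop on COMPLETED or a terminal failure
    # so a cancelled or crashed task is never polled forever.
    state = task.get("status", "QUEUED")
    for _ in range(max_polls):
        code, body = get(f"/qvm/saved_searches/vuln_instances/{task_id}/status")
        if code != 200:
            raise SearchFailed(f"status check failed: HTTP {code} {body}")
        state = body["status"]
        if state == "COMPLETED":
            break
        if state in TERMINAL_FAILURES:
            raise SearchFailed(f"task {task_id} ended in state {state}")
        time.sleep(poll_interval)
    else:
        raise SearchFailed(f"task {task_id} still {state} after {max_polls} polls")

    # Step 3: page the results. They live only for retention_period_in_days,
    # so a 404 here means the result set was cleaned up and must be re-run.
    rows, start = [], 0
    while True:
        code, page = get(
            f"/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances",
            headers={"Range": f"items={start}-{start + page_size - 1}"})
        if code != 200:
            raise SearchFailed(f"result fetch failed: HTTP {code} {page}")
        rows.extend(page)
        if len(page) < page_size:            # short page: nothing left to read
            return task_id, rows
        start += page_size


_CREATE = re.compile(r"^/qvm/saved_searches/(\d+)/vuln_instances$")
_STATUS = re.compile(r"^/qvm/saved_searches/vuln_instances/(\d+)/status$")
_RESULTS = re.compile(
    r"^/qvm/saved_searches/vuln_instances/(\d+)/results/vuln_instances$")
_NOT_FOUND = (404, {"code": 1002, "message": "Resource not found."})


class FakeQRadar:
    """Constructed offline stand-in for the console (assumption, not the
    product). A task needs `polls_to_finish` status checks before it reports
    `final_state`; results are served only for a COMPLETED task."""

    def __init__(self, rows, polls_to_finish=2, final_state="COMPLETED"):
        self.rows = rows
        self.polls_to_finish = polls_to_finish
        self.final_state = final_state
        self.tasks = {}                      # task_id -> polls still pending
        self.next_id = 7

    def get(self, path, headers=None):
        headers = headers or {}
        if _CREATE.match(path):
            task_id, self.next_id = self.next_id, self.next_id + 1
            self.tasks[task_id] = self.polls_to_finish
            return 201, {"id": task_id, "retention_period_in_days": 2,
                         "status": "QUEUED"}
        m = _STATUS.match(path)
        if m:
            task_id = int(m.group(1))
            if task_id not in self.tasks:
                return _NOT_FOUND
            self.tasks[task_id] -= 1
            done = self.tasks[task_id] <= 0
            return 200, {"id": task_id, "retention_period_in_days": 2,
                         "status": self.final_state if done else "PROCESSING"}
        m = _RESULTS.match(path)
        if m:
            task_id = int(m.group(1))
            if self.tasks.get(task_id, 1) > 0 or self.final_state != "COMPLETED":
                return _NOT_FOUND            # results exist only once completed
            lo, hi = (int(x) for x in headers["Range"][len("items="):].split("-"))
            return 200, self.rows[lo:hi + 1]
        return _NOT_FOUND
```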
Table 988. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes
HTTP Response Code Unique Code Description
201 The vulnerability instance search is queued.
404 1002 null
500 1020 null

Response Description

The response returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/tickets/assign
Update the remediation ticket for the assigned vulnerability
Table 989. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 990. POST /qvm/tickets/assign request body details
Parameter Data Type MIME Type Description Sample
ticket JSON application/json 'ticketId': required. 'priority' required, one of: Critical, Major, Minor, Warning, Informational. 'status' required, one of: Opened, Fixed, Re-Opened, Closed. 'dueDate' optional: yyyy-MM-dd HH:mm:ss. 'assignedUser' required: a valid QRadar user account name or a valid email. 'comment' optional: text. 'commentUser' optional: a valid QRadar user account name; if not included, defaults to the current API user. [ { "ticketId":"1000", "status":"Opened", "priority":"Critical", "dueDate":"2015-01-04 12:00:00", "assignedUser":"admin", "comment":"testComment", "commentUser":"admin" } ]

Table 991. POST /qvm/tickets/assign response codes
HTTP Response Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due to invalid arguments

Response Description

A success message if the update succeeds.

Response Sample

GET /qvm/vulns
List the Vulnerabilities present in the asset model. The response contains all available RESTful resources.
Table 992. GET /qvm/vulns resource details
MIME Type
application/json

Table 993. GET /qvm/vulns request parameter details
Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 994. GET /qvm/vulns response codes
HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

A list of vulnerability data.

Response Sample

Reference data endpoints

Use the references for REST API V9.0 reference data endpoints.

GET /reference_data/map_delete_tasks/{task_id}
Retrieves the delete reference data map task status.

Table 995. GET /reference_data/map_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 996. GET /reference_data/map_delete_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 997. GET /reference_data/map_delete_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description
A Delete Task Status object and the location header set to the task status url "/api/reference_data/maps/
map_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_dependent_tasks/{task_id}
Retrieves the dependent reference data map task status.

Table 998. GET /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 999. GET /reference_data/map_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1000. GET /reference_data/map_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/reference_data/
maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_dependent_tasks/{task_id}
Cancels the dependent reference data map task.

Table 1001. POST /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1002. POST /reference_data/map_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1003. POST /reference_data/map_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1004. POST /reference_data/map_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The Delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state
422 1005 A request parameter is not valid
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/reference_data/
maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_dependent_tasks/{task_id}/results
Retrieves the reference data map dependent task results.

Table 1005. GET /reference_data/map_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1006. GET /reference_data/map_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1007. GET /reference_data/map_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The reference data map dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the reference data maps.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/map_of_sets
Retrieve a list of all reference map of sets.
Table 1008. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 1009. GET /reference_data/map_of_sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1010. GET /reference_data/map_of_sets response codes

HTTP Response Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]
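The following is an added example, written for this page rather than taken from the guide or from IBM's QRadar API sample code. It walks the complete list with the Range header described in Table 1009 (QRadar answers a paged request with a Content-Range header of the form "items first-last/total"), then flags every map of sets whose elements never age out, that is, timeout_type UNKNOWN or no time_to_live. Those are the maps where stale indicators accumulate and keep firing rules long after they are relevant. The console URL, the SEC header token, the Version header value and the three maps served by fake_transport are assumptions or constructed data; swap fake_transport for send to run it against a real console.

```python
"""Page through GET /reference_data/map_of_sets and flag maps that never expire: added example, not IBM's code."""
import json
import re
import urllib.parse
import urllib.request

API_BASE = "https://qradar.example.com/api"                 # assumption: your console
HEADERS = {"SEC": "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN",  # assumption: authorized service token
           "Version": "9.0", "Accept": "application/json"}
FIELDS = "name,element_type,timeout_type,time_to_live,number_of_elements"


def range_header(start, page_size):
    """QRadar paging: Range: items=first-last, zero-indexed, both ends inclusive."""
    return {"Range": f"items={start}-{start + page_size - 1}"}


def parse_content_range(value):
    """'items 0-49/1234' -> (0, 49, 1234); None when the header is absent or malformed."""
    match = re.fullmatch(r"items (\d+)-(\d+)/(\d+)", value or "")
    return tuple(int(g) for g in match.groups()) if match else None


def list_request(start, page_size, filter_expr=None):
    """GET /reference_data/map_of_sets with fields=, an optional filter= and the Range header."""
    params = {"fields": FIELDS}
    if filter_expr:
        params["filter"] = filter_expr                        # e.g. 'element_type = "IP"'
    url = f"{API_BASE}/reference_data/map_of_sets?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={**HEADERS, **range_header(start, page_size)})


def send(req):
    """Real transport: (HTTP status, response headers, decoded JSON list)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), json.loads(resp.read())


def iter_map_of_sets(transport, page_size=50, filter_expr=None):
    """Yield every map of sets, one page at a time, until Content-Range says the list is exhausted."""
    start = 0
    while True:
        status, headers, items = transport(list_request(start, page_size, filter_expr))
        if status not in (200, 206):
            raise RuntimeError(f"list failed: HTTP {status}")
        yield from items
        span = parse_content_range(headers.get("Content-Range"))
        if not items or span is None or span[1] + 1 >= span[2]:
            return
        start = span[1] + 1


def maps_without_expiry(maps):
    """Maps whose elements never age out: timeout_type UNKNOWN or no time_to_live set."""
    return sorted(m["name"] for m in maps
                  if m.get("timeout_type", "UNKNOWN") == "UNKNOWN" or not m.get("time_to_live"))


FAKE_MAPS = [  # constructed inventory standing in for a console with three maps of sets
    {"name": "c2_by_campaign", "element_type": "IP", "timeout_type": "LAST_SEEN",
     "time_to_live": "30 days", "number_of_elements": 812},
    {"name": "admin_hosts", "element_type": "ALNIC", "timeout_type": "UNKNOWN",
     "time_to_live": None, "number_of_elements": 40},
    {"name": "vpn_users", "element_type": "ALN", "timeout_type": "FIRST_SEEN",
     "time_to_live": None, "number_of_elements": 3},
]


def fake_transport(req):
    """Serve FAKE_MAPS in slices according to the request's Range header, with a matching Content-Range."""
    first, last = (int(n) for n in req.get_header("Range").split("=")[1].split("-"))
    page = FAKE_MAPS[first:last + 1]
    return 200, {"Content-Range": f"items {first}-{first + len(page) - 1}/{len(FAKE_MAPS)}"}, page


def audit(transport, page_size=2):
    """Walk the whole list (page_size=2 forces two round trips against FAKE_MAPS) and report."""
    maps = list(iter_map_of_sets(transport, page_size=page_size))
    return {"total": len(maps), "never_expire": maps_without_expiry(maps)}


if __name__ == "__main__":
    print(audit(fake_transport))   # swap fake_transport for send to audit a real console
```

The generator stops on the Content-Range total rather than on an empty page, so a list whose size is an exact multiple of the page size costs no extra round trip; the empty-page check is only a guard against a console that omits the header.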

POST /reference_data/map_of_sets
Create a new reference map of sets.
Table 1011. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 1012. POST /reference_data/map_of_sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference map of sets to create.
element_type query Required String text/plain Required - The element type for the values allowed in the reference map of sets. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
key_label query Optional String text/plain Optional - The label to describe the keys.
value_label query Optional String text/plain Optional - The label to describe the data values.
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes".
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1013. POST /reference_data/map_of_sets response codes

HTTP Response Code Unique Code Description
201 A new reference map of sets was successfully created
409 1004 The reference map of sets could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/bulk_load/{name}
Adds or updates data in a reference map of sets.

Table 1014. POST /reference_data/map_of_sets/bulk_load/{name} resource details
MIME Type
application/json

Table 1015. POST /reference_data/map_of_sets/bulk_load/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the map of sets to add or update data in.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1016. POST /reference_data/map_of_sets/bulk_load/{name} request body details

Parameter Data Type MIME Type Description
data Object (JSON) application/json Required - The JSON-formatted data to add or update in the reference map of sets: a JSON object whose keys are the map keys and whose values are arrays of elements to add to each key's set, as in the sample.

Sample:
{"key1":["Data11","Data12"],
 "key2":["Data21","Data22"],
 "key3":["Data31","Data32"],
 "key4":["Data41","Data42"],
 "key5":["Data51","Data52"],
 "key6":["Data61","Data62"]}

Table 1017. POST /reference_data/map_of_sets/bulk_load/{name} response codes

HTTP Response Code Unique Code Description
200 Data was successfully added or updated in the reference map of sets.
400 1001 An error occurred parsing the JSON-formatted message body.
404 1002 The reference map of sets does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or update data in the reference map of sets.

Response Description
Information about the reference map of sets where data was added or updated. This returns information
about the reference map of sets but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
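The following is an added example of the create-then-load sequence covered by POST /reference_data/map_of_sets and POST /reference_data/map_of_sets/bulk_load/{name}; it is written for this page and is not IBM's sample code. It validates element_type and timeout_type before building the request, converts datetime values to milliseconds since the Unix epoch for a DATE map (the note in Table 1012), and treats a 409 with unique code 1004 as "name already in use", reusing the existing map only when its element type matches so that data is never loaded into a map of the wrong type. The console URL, the SEC header token, the Version header value, the map name suspicious_logins, the sample keys and the responses produced by fake_transport are assumptions or constructed data; the error body field "code" carrying the unique code is the QRadar API error format.

```python
"""Create a reference map of sets and bulk-load it: added example, not IBM's sample code."""
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://qradar.example.com/api"                 # assumption: your console
HEADERS = {"SEC": "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN",  # assumption: authorized service token
           "Version": "9.0", "Accept": "application/json"}
ELEMENT_TYPES = {"ALN", "ALNIC", "IP", "NUM", "PORT", "DATE"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}


def build_create_request(name, element_type, timeout_type="UNKNOWN", time_to_live=None):
    """POST /reference_data/map_of_sets: every argument travels as a query parameter."""
    if element_type not in ELEMENT_TYPES or timeout_type not in TIMEOUT_TYPES:
        raise ValueError(f"invalid element_type/timeout_type: {element_type}/{timeout_type}")
    params = {"name": name, "element_type": element_type, "timeout_type": timeout_type}
    if time_to_live:
        params["time_to_live"] = time_to_live                 # e.g. "5 minutes" or "1 month"
    url = f"{API_BASE}/reference_data/map_of_sets?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, method="POST", headers=HEADERS)


def encode_value(value, element_type):
    """DATE elements must be milliseconds since the Unix epoch; everything else is sent as a string."""
    if element_type != "DATE":
        return str(value)
    if isinstance(value, datetime):
        value = int(value.timestamp() * 1000)
    if not isinstance(value, int):
        raise ValueError(f"DATE value must be epoch milliseconds, got {value!r}")
    return value


def bulk_load_body(data, element_type):
    """{"key": [values...]} exactly as the bulk_load endpoint expects it."""
    return {key: [encode_value(v, element_type) for v in values] for key, values in data.items()}


def build_bulk_load_request(name, data, element_type):
    """POST /reference_data/map_of_sets/bulk_load/{name} with the JSON body."""
    url = f"{API_BASE}/reference_data/map_of_sets/bulk_load/{urllib.parse.quote(name, safe='')}"
    return urllib.request.Request(url, data=json.dumps(bulk_load_body(data, element_type)).encode(),
                                  method="POST", headers={**HEADERS, "Content-Type": "application/json"})


def build_get_request(name):
    """GET the map's metadata only; fields= keeps the (possibly huge) data out of the response."""
    query = urllib.parse.urlencode({"fields": "name,element_type,timeout_type,time_to_live"})
    url = f"{API_BASE}/reference_data/map_of_sets/{urllib.parse.quote(name, safe='')}?{query}"
    return urllib.request.Request(url, headers=HEADERS)


def send(req):
    """Real transport: (HTTP status, decoded JSON body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def create_or_reuse(transport, name, element_type, **options):
    """Create the map; on 409 / unique code 1004 (name in use) reuse it only if the element type matches."""
    status, body = transport(build_create_request(name, element_type, **options))
    if status == 201:
        return body
    if status == 409 and body.get("code") == 1004:
        status, existing = transport(build_get_request(name))
        if status == 200 and existing.get("element_type") == element_type:
            return existing
        raise RuntimeError(f"{name!r} exists with element_type {existing.get('element_type')!r}")
    raise RuntimeError(f"create failed: HTTP {status} {body.get('message')}")


def load_map_of_sets(transport, name, element_type, data, **options):
    """Create (or reuse) the map, then bulk-load it; returns the metadata the endpoint echoes back."""
    create_or_reuse(transport, name, element_type, **options)
    status, body = transport(build_bulk_load_request(name, data, element_type))
    if status != 200:
        raise RuntimeError(f"bulk load failed: HTTP {status} {body.get('message')}")
    return body


def fake_transport(req):
    """Constructed responses: the map already exists with the right type, then the load succeeds."""
    path = urllib.parse.urlsplit(req.full_url).path
    if req.get_method() == "POST" and path.endswith("/reference_data/map_of_sets"):
        return 409, {"code": 1004, "message": "the name provided is already in use"}
    if req.get_method() == "GET":
        return 200, {"name": "suspicious_logins", "element_type": "DATE", "timeout_type": "LAST_SEEN"}
    loaded = json.loads(req.data)
    return 200, {"name": "suspicious_logins", "element_type": "DATE",
                 "number_of_elements": sum(len(v) for v in loaded.values())}


def demo(transport=fake_transport):
    """Constructed sample: last-seen login times per user, one as a datetime and two as epoch ms."""
    seen = {"alice": [datetime(2017, 11, 1, 12, 0, tzinfo=timezone.utc)],
            "bob": [1509537600000, 1509541200000]}
    return load_map_of_sets(transport, "suspicious_logins", "DATE", seen,
                            timeout_type="LAST_SEEN", time_to_live="30 days")


if __name__ == "__main__":
    print(demo())   # swap fake_transport for send to run against a real console
```

The map name is percent-encoded with quote(name, safe='') because it is a path segment, while the create parameters go through urlencode as a query string; mixing the two up is the usual cause of a 404 or a 422 from these endpoints.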

GET /reference_data/map_of_sets/{name}
Return the reference map of sets identified by name.

Return the reference map of sets identified by name, including its data. Use the Range header to select which records are returned; the list is indexed starting at zero. If no range is specified, the first 20 records are returned.
Table 1018. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 1019. GET /reference_data/map_of_sets/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1020. GET /reference_data/map_of_sets/{name} response codes

HTTP Response Code Unique Code Description
200 The reference map of sets has been retrieved
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The portion of the reference map of sets' data that is returned depends on the Range header specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name}
Add or update an element in a reference map of sets.
Table 1021. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 1022. POST /reference_data/map_of_sets/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to add or update an element in.
key query Required String text/plain Required - The key of the set to add or update.
value query Required String text/plain Required - The value to add or update in the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - This indicates where the data originated. The default value is 'reference data api'.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1023. POST /reference_data/map_of_sets/{name} response codes

HTTP Response Code Unique Code Description
200 The reference map of sets has had an element added or updated
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference map of sets

Response Description
Information about the reference map of sets that has had an element added or updated. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name}
Remove a map of sets or purge its contents.
Table 1024. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 1025. DELETE /reference_data/map_of_sets/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to remove or purge.
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map of sets should have its contents purged (true), keeping the reference map of sets structure. If the value is "false" or not specified the reference map of sets will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1026. DELETE /reference_data/map_of_sets/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Map of Sets deletion or purge request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference map of sets

Response Description

A status_id that you can use to retrieve the deletion or purge status at /api/system/task_management/task/{status_id}; the map-of-sets-specific endpoint GET /reference_data/map_of_sets_delete_tasks/{task_id} accepts the same ID. The status URL is also returned in the Location header and in the status_location field of the response.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents
Initiates the retrieval of the dependents of the map of sets. The search for dependents runs as an asynchronous task; the response identifies that task so that its status and, once it completes, its results can be retrieved.

Table 1027. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 1028. GET /reference_data/map_of_sets/{name}/dependents request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to retrieve dependents for.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1029. GET /reference_data/map_of_sets/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Map of Sets dependent retrieval request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference map of sets

Response Description
A status_id that you can use to retrieve the dependent retrieval status at /api/system/task_management/task/{status_id}; the map-of-sets-specific endpoint GET /reference_data/map_of_sets_dependent_tasks/{task_id} accepts the same ID, and GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results returns the dependents once the task completes. The status URL is also returned in the Location header and in the status_location field of the response.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/map_of_sets/{name}/{key}
Remove a value from a reference map of sets.

Table 1030. DELETE /reference_data/map_of_sets/{name}/{key} resource details
MIME Type
application/json

Table 1031. DELETE /reference_data/map_of_sets/{name}/{key} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to remove a value from.
key path Required String text/plain Required - The key of the value to remove.
value query Required String text/plain Required - The value to remove from the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1032. DELETE /reference_data/map_of_sets/{name}/{key} response codes

HTTP Response Code Unique Code Description
200 The reference map of sets has had a value removed
404 1002 The reference map of sets does not exist
404 1003 The record does not exist in the reference map of sets
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns information about the
reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets_delete_tasks/{task_id}
Retrieves the delete reference data map of sets task status.

Table 1033. GET /reference_data/map_of_sets_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1034. GET /reference_data/map_of_sets_delete_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the delete task whose status is retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1035. GET /reference_data/map_of_sets_delete_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description
A Delete Task Status object, with the Location header set to the task status URL "/api/reference_data/map_of_sets_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was last modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}
Retrieves the dependent reference data map of sets task status.

Table 1036. GET /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1037. GET /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task whose status is retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1038. GET /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/reference_data/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was last modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task (one of the FIND_DEPENDENT_* values listed in the response sample).
– number_of_dependents - Long - The number of dependents found by the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was last modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_of_sets_dependent_tasks/{task_id}
Cancels the dependent reference data map of sets task.

Table 1039. POST /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1040. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task to cancel.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1041. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request body details

Parameter Data Type MIME Type Description
task Object application/json The task object whose status field is applied to the task. To cancel the task, set status to CANCEL_REQUESTED; a task that is already in a completed state answers 409 (unique code 1004).

Sample:
{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1042. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/reference_data/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was last modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task (one of the FIND_DEPENDENT_* values listed in the response sample).
– number_of_dependents - Long - The number of dependents found by the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was last modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results
Retrieves the reference data map of sets dependent task results.

Table 1043. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1044. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the dependent task whose results are retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1045. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results response codes

HTTP Response Code Unique Code Description
200 The reference data map of sets dependents have been retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the reference data map of sets.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/maps
Retrieve a list of all reference maps.
Table 1046. GET /reference_data/maps resource details
MIME Type
application/json

Table 1047. GET /reference_data/maps request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1048. GET /reference_data/maps response codes


HTTP Response Code Unique Code Description
200 The reference map list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference maps

Response Description
A list of all of the reference maps. This returns information about the maps but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps
Create a new reference map.
Table 1049. POST /reference_data/maps resource details
MIME Type
application/json

Table 1050. POST /reference_data/maps request parameter details


Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference map to create
key_label query Optional String text/plain Optional - The label to describe the keys
value_label query Optional String text/plain Optional - The label to describe the data values
element_type query Required String text/plain Required - The element type for the values allowed in the reference map. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1051. POST /reference_data/maps response codes


HTTP Response Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/bulk_load/{name}
Adds or updates data in a reference map.

Table 1052. POST /reference_data/maps/bulk_load/{name} resource details
MIME Type
application/json

Table 1053. POST /reference_data/maps/bulk_load/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the map to add or update data in.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1054. POST /reference_data/maps/bulk_load/{name} request body details


Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON-formatted data to add or update in the reference map. {"key1":"Data1", "key2":"Data2", "key3":"Data3", "key4":"Data4", "key5":"Data5", "key6":"Data6"}

Table 1055. POST /reference_data/maps/bulk_load/{name} response codes


HTTP Response Code Unique Code Description
200 Data was successfully added or updated in the reference map.
400 1001 An error occurred parsing the JSON-formatted message body.
404 1002 The reference map does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or update data in the reference map.

Response Description
Information about the reference map where data was added or updated. This returns information about
the reference map but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/maps/{name}
Retrieve the reference map identified by name.

Retrieve the reference map identified by name. If limit is provided, it specifies the number of records to return, starting at the record specified by offset. If no limit is specified, the first 20 records are returned.
Table 1056. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1057. GET /reference_data/maps/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1058. GET /reference_data/maps/{name} response codes
HTTP Response Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference map

Response Description

The reference map identified by the name specified in the request. The portion of the reference map's
data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name}
Add or update an element in a reference map.
Table 1059. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1060. POST /reference_data/maps/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to add or update an element in
key query Required String text/plain Required - The key whose value we want to add or update
value query Required String text/plain Required - The value to add or update in the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1061. POST /reference_data/maps/{name} response codes


HTTP Response Code Unique Code Description
200 The reference map has had an element added or updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This returns information about the reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name}
Remove a reference map or purge its contents.
Table 1062. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1063. DELETE /reference_data/maps/{name} request parameter details
Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map should have its contents purged (true), keeping the reference map structure. If the value is "false" or not specified the reference map will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1064. DELETE /reference_data/maps/{name} response codes


HTTP Response Code Unique Code Description
202 The Reference Data Maps deletion or purge request has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference map

Response Description
A status_id for retrieving the Reference Data Maps deletion or purge status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}
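The create, bulk_load, paged GET and asynchronous DELETE calls documented above, driven from one small client. This is an added example, not IBM code or the QRadar API client: the HTTP transport is injected, so it runs here against FakeQRadar, a constructed in-memory stand-in that answers with the response codes from Tables 1051, 1055, 1058 and 1064; the "items=start-end" Range form and the shape of the task status object are assumptions.

```python
import json
import time

ELEMENT_TYPES = {"ALN", "ALNIC", "IP", "NUM", "PORT", "DATE"}  # Table 1050
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED"}
SAMPLE_ENTRIES = {"198.51.100.7": "scanner", "203.0.113.9": "c2", "192.0.2.5": "phish"}  # constructed


class ApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"HTTP {status} (unique code {code}): {message}")
        self.status, self.code = status, code


class ReferenceMapClient:
    """send(method, path, params, headers, body) -> (http_status, decoded_json)."""
    def __init__(self, send, poll_interval=0.0):
        self._send, self._poll_interval = send, poll_interval

    def _call(self, method, path, params=None, headers=None, body=None, ok=(200,)):
        status, payload = self._send(method, path, params or {}, headers or {}, body)
        if status not in ok:
            raise ApiError(status, payload.get("code"), payload.get("message"))
        return payload

    def create(self, name, element_type, time_to_live=None, timeout_type="UNKNOWN"):
        # Reject bad element types client-side instead of waiting for a 422 (code 1005).
        if element_type not in ELEMENT_TYPES:
            raise ValueError(f"element_type must be one of {sorted(ELEMENT_TYPES)}")
        params = {"name": name, "element_type": element_type, "timeout_type": timeout_type}
        if time_to_live:
            params["time_to_live"] = time_to_live
        return self._call("POST", "/reference_data/maps", params, ok=(201,))

    def bulk_load(self, name, entries):
        # Body is the key -> value JSON object shown in Table 1054.
        body = json.dumps({str(k): str(v) for k, v in entries.items()})
        return self._call("POST", f"/reference_data/maps/bulk_load/{name}", body=body)

    def get(self, name, start=0, end=19):
        # Assumption: Range uses the "items=start-end" form from the paging syntax chapter.
        return self._call("GET", f"/reference_data/maps/{name}",
                          headers={"Range": f"items={start}-{end}"})

    def delete(self, name, purge_only=True):
        # Default to purging: dropping the map itself breaks every rule or search that uses it.
        accepted = self._call("DELETE", f"/reference_data/maps/{name}",
                              {"purge_only": "true" if purge_only else "false"}, ok=(202,))
        return self.wait_for_task(accepted["status_location"])

    def wait_for_task(self, status_location, max_polls=50):
        # 202 means accepted and in progress: poll the task until it reaches a terminal state.
        for _ in range(max_polls):
            task = self._call("GET", status_location)
            if task["status"] in TERMINAL_STATES:
                return task
            time.sleep(self._poll_interval)
        raise TimeoutError(f"task at {status_location} did not finish")


class FakeQRadar:
    """Constructed in-memory stand-in that answers with the codes from the tables above."""
    def __init__(self):
        self.maps, self.tasks = {}, {}

    def _info(self, name):
        m = self.maps[name]
        return {"name": name, "element_type": m["element_type"], "number_of_elements": len(m["data"])}

    def __call__(self, method, path, params, headers, body):
        parts = path.strip("/").split("/")
        missing = (404, {"code": 1002, "message": "The reference map does not exist."})
        if parts == ["reference_data", "maps"] and method == "POST":
            if params["name"] in self.maps:
                return 409, {"code": 1004, "message": "the name provided is already in use"}
            self.maps[params["name"]] = {"element_type": params["element_type"], "data": {}}
            return 201, self._info(params["name"])
        if parts[:3] == ["reference_data", "maps", "bulk_load"] and len(parts) == 4:
            if parts[3] not in self.maps:
                return missing
            self.maps[parts[3]]["data"].update(json.loads(body))
            return 200, self._info(parts[3])
        if parts[:2] == ["reference_data", "maps"] and len(parts) == 3:
            name = parts[2]
            if name not in self.maps:
                return missing
            if method == "GET":
                lo, hi = (int(x) for x in headers.get("Range", "items=0-19")[6:].split("-"))
                page = sorted(self.maps[name]["data"].items())[lo:hi + 1]
                return 200, dict(self._info(name), data={k: {"value": v} for k, v in page})
            if method == "DELETE":
                if params.get("purge_only") == "true":
                    self.maps[name]["data"].clear()
                else:
                    del self.maps[name]
                loc = f"/api/system/task_management/task/{len(self.tasks) + 1}"
                self.tasks[loc] = ["QUEUED", "PROCESSING", "COMPLETED"]  # one state per poll
                return 202, {"message": "accepted", "status_location": loc}
        if path in self.tasks and method == "GET":  # assumed task shape: at least id and status
            status = self.tasks[path].pop(0) if len(self.tasks[path]) > 1 else self.tasks[path][0]
            return 200, {"id": int(path.rsplit("/", 1)[1]), "status": status}
        return 404, {"code": 1002, "message": f"no route for {method} {path}"}
```

Against a real appliance, replace FakeQRadar with a function that issues the HTTPS request and returns (status, decoded JSON); the polling loop and the purge-only default stay the same.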

GET /reference_data/maps/{name}/dependents
Retrieves the dependents of the Map.
Table 1065. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 1066. GET /reference_data/maps/{name}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1067. GET /reference_data/maps/{name}/dependents response codes
HTTP Response Code Unique Code Description
202 The Reference Data Maps dependent retrieval request has been accepted and is in progress
404 1002 The reference Map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference map

Response Description

A status_id for retrieving the Reference Data Maps dependent retrieval status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/{key}
Remove a value from a reference map.

Table 1068. DELETE /reference_data/maps/{name}/{key} resource details
MIME Type
application/json

Table 1069. DELETE /reference_data/maps/{name}/{key} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to remove a value from
key path Required String text/plain Required - The key of the value to remove
value query Required String text/plain Required - The value to remove from the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1070. DELETE /reference_data/maps/{name}/{key} response codes


HTTP Response Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the value from the reference map

Response Description

Information about the reference map that had an element removed. This returns information about the map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/set_delete_tasks/{task_id}
Retrieves the delete reference data set task status.

Table 1071. GET /reference_data/set_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1072. GET /reference_data/set_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1073. GET /reference_data/set_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the Location header set to the task status URL "/api/reference_data/sets/set_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time, in milliseconds since the epoch, at which the task was created.
• started - Long - The time, in milliseconds since the epoch, at which the task was started.
• modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since the epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/set_dependent_tasks/{task_id}
Retrieves the dependent reference data set task status.

Table 1074. GET /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1075. GET /reference_data/set_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1076. GET /reference_data/set_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the Location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested cancellation of the task.
• created - Long - The time, in milliseconds since the epoch, at which the task was created.
• started - Long - The time, in milliseconds since the epoch, at which the task was started.
• modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since the epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since the epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since the epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/set_dependent_tasks/{task_id}
Cancels the dependent reference data set task.

Table 1077. POST /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1078. POST /reference_data/set_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1079. POST /reference_data/set_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1080. POST /reference_data/set_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description
A Dependent Task Status object and the Location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested cancellation of the task.
• created - Long - The time, in milliseconds since the epoch, at which the task was created.
• started - Long - The time, in milliseconds since the epoch, at which the task was started.
• modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since the epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since the epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since the epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/set_dependent_tasks/{task_id}/results
Retrieves the reference data set dependent task results.

Table 1081. GET /reference_data/set_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1082. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1083. GET /reference_data/set_dependent_tasks/{task_id}/results response codes


HTTP Response Code Unique Code Description
200 The reference data set dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the reference data sets.

Response Description
A list of Dependent objects. A Dependent object contains the following fields:
• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/sets
Retrieve a list of all reference sets.
Table 1084. GET /reference_data/sets resource details
MIME Type
application/json

Table 1085. GET /reference_data/sets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1086. GET /reference_data/sets response codes
HTTP Response Code | Unique Code | Description
200 | | The reference set list has been retrieved
500 | 1020 | An error occurred while attempting to retrieve all of the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/sets
Create a new reference set.
Table 1087. POST /reference_data/sets resource details
MIME Type
application/json

Table 1088. POST /reference_data/sets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | query | Required | String | text/plain | Required - The name of the reference set being created
element_type | query | Required | String | text/plain | Required - The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type | query | Optional | String | text/plain | Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live | query | Optional | String | text/plain | Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1089. POST /reference_data/sets response codes
HTTP Response Code | Unique Code | Description
201 | | A new reference set was successfully created
409 | 1004 | The reference set could not be created, the name provided is already in use. Please change the name and try again.
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to create the reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name}
Add or update data in a reference set.
Table 1090. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 1091. POST /reference_data/sets/bulk_load/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the set to add or update data in
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1092. POST /reference_data/sets/bulk_load/{name} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Array | application/json | Required - The JSON formatted data to add or update in the reference set | ["String", "String", "String", "String", "String", "String", "String", "String", "String", "String", "String"]

Table 1093. POST /reference_data/sets/bulk_load/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference set has had data added or updated
400 | 1001 | An error occurred parsing the JSON formatted message body
404 | 1002 | The reference set does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to add or update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns information about the
reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
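The two calls above fit together as an "ensure the set exists, then load it" routine. The following is an added example written for this guide's reader, not IBM's sample code: it builds the POST /reference_data/sets query string, treats the documented 409 response with unique code 1004 (name already in use) as "already there" so the routine can be re-run safely, and then sends values to POST /reference_data/sets/bulk_load/{name} in chunks. The `transport` callable, the `/api` prefix on the paths, the `code` field in the error body (taken from the Unique Code column) and `make_stub_transport` (a constructed stand-in that answers with canned bodies) are assumptions standing in for a real HTTP client and server; the authentication headers a real client must add are outside this example.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode, quote, unquote, urlparse, parse_qs

# Allowed values from the POST /reference_data/sets parameter table.
ELEMENT_TYPES = {"ALN", "ALNIC", "IP", "NUM", "PORT", "DATE"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}


def to_epoch_ms(when):
    """DATE sets store milliseconds since the Unix epoch. Accepts a datetime or an ISO 8601 string;
    a naive time is taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return int(when.timestamp() * 1000)


def build_create_request(name, element_type, timeout_type="UNKNOWN", time_to_live=None):
    """Return (method, path) for POST /reference_data/sets; rejects values the API would answer 422 to."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError("element_type must be one of %s" % sorted(ELEMENT_TYPES))
    if timeout_type not in TIMEOUT_TYPES:
        raise ValueError("timeout_type must be one of %s" % sorted(TIMEOUT_TYPES))
    params = {"name": name, "element_type": element_type, "timeout_type": timeout_type}
    if time_to_live:
        params["time_to_live"] = time_to_live  # e.g. "1 month" or "5 minutes"
    return "POST", "/api/reference_data/sets?" + urlencode(params)


def ensure_set(transport, name, element_type, **kw):
    """Create the set; 409 with unique code 1004 (name in use) is treated as 'already exists'."""
    method, path = build_create_request(name, element_type, **kw)
    status, body = transport(method, path, None)
    if status == 201:
        return body
    if status == 409 and body.get("code") == 1004:
        return None
    raise RuntimeError("create failed: %s %s" % (status, body))


def bulk_load(transport, name, values, chunk_size=500):
    """POST values in chunks as a JSON array of strings; returns the last set summary the API sent."""
    path = "/api/reference_data/sets/bulk_load/" + quote(name, safe="")
    summary = None
    for i in range(0, len(values), chunk_size):
        chunk = [str(v) for v in values[i:i + chunk_size]]
        status, body = transport("POST", path, json.dumps(chunk))
        if status != 200:
            raise RuntimeError("bulk load failed: %s %s" % (status, body))
        summary = body
    return summary


def make_stub_transport(existing=("threat-ips",)):
    """Constructed stand-in for the API (assumption): answers the two endpoints with canned bodies."""
    sets = {n: 0 for n in existing}
    calls = []

    def transport(method, path, body):
        calls.append((method, path, body))
        url = urlparse(path)
        if method == "POST" and url.path == "/api/reference_data/sets":
            name = parse_qs(url.query)["name"][0]
            if name in sets:
                return 409, {"code": 1004, "message": "The name provided is already in use"}
            sets[name] = 0
            return 201, {"name": name, "number_of_elements": 0}
        if method == "POST" and url.path.startswith("/api/reference_data/sets/bulk_load/"):
            name = unquote(url.path.rsplit("/", 1)[1])
            if name not in sets:
                return 404, {"code": 1002}
            sets[name] += len(json.loads(body))
            return 200, {"name": name, "number_of_elements": sets[name]}
        return 404, {"code": 1002}

    transport.calls = calls
    return transport


def demo():
    """Ensure two sets exist (one new, one pre-existing) and load three values in chunks of two."""
    t = make_stub_transport()
    created = ensure_set(t, "suspicious-hosts", "IP", timeout_type="LAST_SEEN", time_to_live="30 days")
    existed = ensure_set(t, "threat-ips", "IP")
    summary = bulk_load(t, "suspicious-hosts", ["10.0.0.5", "10.0.0.6", "10.0.0.7"], chunk_size=2)
    return created, existed, summary, t.calls
```

Chunking matters because a bulk load is one request body: a very large feed is better sent as several requests than as one oversized POST, and a failure then identifies which chunk was rejected.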

GET /reference_data/sets/{name}
Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 1094. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1095. GET /reference_data/sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference set to retrieve
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1096. GET /reference_data/sets/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference set has been retrieved
404 | 1002 | The reference set does not exist.
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to retrieve the reference set

Response Description

The reference set identified by the name specified in the request. The portion of the set's data returned is
dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
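As an added example (not from the guide), here is how a client pages through a set's data with the Range header, converts the millisecond timestamps in each element, and then uses last_seen to list values that have not been observed within a window; stale entries in a watchlist are a common hygiene finding. Assumptions: Range is sent as "items=<first>-<last>" (zero-indexed and inclusive, matching the Range description above), number_of_elements on each page is the total for the set, and `transport(method, path, headers)` plus `make_stub_transport` stand in for the real HTTP layer with constructed data.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote


def ms_to_utc(ms):
    """Reference-set timestamps (first_seen, last_seen, creation_time) are epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def iter_set_elements(transport, name, page_size=50):
    """Yield every element of the named set, one Range-sized page at a time."""
    path = "/api/reference_data/sets/%s?fields=%s" % (
        quote(name, safe=""), quote("name,number_of_elements,data", safe=","))
    start = 0
    while True:
        # Range is zero-indexed and inclusive: items=0-49 asks for the first 50 elements.
        headers = {"Range": "items=%d-%d" % (start, start + page_size - 1)}
        status, body = transport("GET", path, headers)
        if status == 404:
            raise LookupError("reference set %r does not exist (code %s)" % (name, body.get("code")))
        if status != 200:
            raise RuntimeError("GET %s returned %s: %s" % (path, status, body))
        page = body.get("data") or []
        for el in page:
            yield {"value": el["value"], "source": el.get("source"),
                   "first_seen": ms_to_utc(el["first_seen"]), "last_seen": ms_to_utc(el["last_seen"])}
        start += len(page)
        if not page or start >= body.get("number_of_elements", 0):
            return


def stale_elements(transport, name, older_than_days, now=None, page_size=50):
    """Values not seen for longer than the window: review candidates in a set keyed on last_seen."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=older_than_days)
    return [e["value"] for e in iter_set_elements(transport, name, page_size=page_size)
            if e["last_seen"] < cutoff]


def make_stub_transport():
    """Constructed stand-in (assumption): one five-element IP set, sliced by the Range header."""
    def ms(y, m, d):
        return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)

    elements = [
        {"value": "10.0.0.1", "source": "reference data api", "first_seen": ms(2017, 1, 10), "last_seen": ms(2017, 5, 30)},
        {"value": "10.0.0.2", "source": "reference data api", "first_seen": ms(2017, 1, 10), "last_seen": ms(2017, 3, 1)},
        {"value": "10.0.0.3", "source": "rule: watchlist", "first_seen": ms(2017, 2, 2), "last_seen": ms(2017, 5, 1)},
        {"value": "10.0.0.4", "source": "rule: watchlist", "first_seen": ms(2017, 2, 2), "last_seen": ms(2017, 5, 15)},
        {"value": "10.0.0.5", "source": "reference data api", "first_seen": ms(2016, 12, 1), "last_seen": ms(2017, 1, 1)},
    ]
    calls = []

    def transport(method, path, headers):
        calls.append((method, path, dict(headers)))
        if not path.startswith("/api/reference_data/sets/watchlist-ips"):
            return 404, {"code": 1002, "message": "The reference set does not exist"}
        first, last = (int(x) for x in headers["Range"].split("=")[1].split("-"))
        return 200, {"name": "watchlist-ips", "number_of_elements": len(elements),
                     "data": elements[first:last + 1]}

    transport.calls = calls
    return transport


def demo():
    """Page with two elements per request and report values unseen for more than 30 days."""
    t = make_stub_transport()
    stale = stale_elements(t, "watchlist-ips", 30, now=datetime(2017, 6, 1, tzinfo=timezone.utc), page_size=2)
    return stale, [c[2]["Range"] for c in t.calls]
```

The loop stops on either signal (an empty page or reaching number_of_elements) so that a set that shrinks between pages, or a server that returns fewer elements than asked, cannot make it spin.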

POST /reference_data/sets/{name}
Add or update an element in a reference set.
Table 1097. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1098. POST /reference_data/sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference set to add or update an element in
value | query | Required | String | text/plain | Required - The value to add or update in the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source | query | Optional | String | text/plain | Optional - An indication of where the data originated. The default value is 'reference data api'
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1099. POST /reference_data/sets/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference set has had an element added or updated
404 | 1002 | The reference set does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to add or update an element in the reference set

Response Description

Information about the reference set that had an element added or updated. This returns information
about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name}
Remove a reference set or purge its contents.
Table 1100. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1101. DELETE /reference_data/sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the set to remove or purge
purge_only | query | Optional | String | text/plain | Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference set should have its contents purged (true), keeping the reference set structure. If the value is "false" or not specified the reference set will be removed completely.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1102. DELETE /reference_data/sets/{name} response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Sets deletion or purge request has been accepted and is in progress
404 | 1002 | The reference set does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove or purge values from the reference set

Response Description

A status_id to retrieve the Reference Data Sets deletion or purge status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/{value}
Remove a value from a reference set.
Table 1103. DELETE /reference_data/sets/{name}/{value} resource details
MIME Type
application/json

Table 1104. DELETE /reference_data/sets/{name}/{value} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference set to remove a value from
value | path | Required | String | text/plain | Required - The value to remove from the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1105. DELETE /reference_data/sets/{name}/{value} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference set that had a value removed
404 | 1002 | The reference set does not exist
404 | 1003 | The record does not exist in the reference set
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove the value from the reference set.

Response Description

Information about the reference set that had a value removed. This returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}/dependents
Retrieves the dependents of the set.
Table 1106. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 1107. GET /reference_data/sets/{name}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference set to retrieve dependents for
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1108. GET /reference_data/sets/{name}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Sets dependent retrieval request has been accepted and is in progress
404 | 1002 | The Reference Set does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to get the dependents for the Reference Set

Response Description
A status_id to retrieve the Reference Data Sets dependent retrieval status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}
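The dependents endpoint above, the DELETE /reference_data/sets/{name} endpoint earlier on this page, and GET /reference_data/set_dependent_tasks/{task_id}/results at the top of this page form one workflow: ask for the dependents, wait for the 202 task to finish, read the Dependent list, and only then delete or purge. The code below is an added example, not IBM's, showing that sequence with a bounded polling loop so an unattended script never removes a set that a rule or saved search still relies on. Assumptions: the task status is read at /api/system/task_management/task/{status_id} as the response description says; the set of terminal states is this example's choice from the status enumeration; the "blocking" field is taken from the response sample (it is not in the field list); `transport(method, path)`, the injectable `sleep`, and `make_stub_transport` stand in for a real client and server with constructed data.

```python
from urllib.parse import quote

# States after which polling stops; chosen from the status enumeration in the response samples.
TERMINAL = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED"}


def wait_for_task(transport, task_id, sleep, max_polls=60, interval=2.0):
    """Poll /api/system/task_management/task/{id} until a terminal state; bounded so a stuck task cannot hang the caller."""
    path, body = "/api/system/task_management/task/%d" % task_id, {}
    for _ in range(max_polls):
        status, body = transport("GET", path)
        if status != 200:
            raise RuntimeError("task %d status lookup returned %s" % (task_id, status))
        if body["status"] in TERMINAL:
            return body
        sleep(interval)
    raise TimeoutError("task %d still %s after %d polls" % (task_id, body.get("status"), max_polls))


def start_async(transport, method, path):
    """Send a request documented to answer 202 and return the task id from current_status."""
    status, body = transport(method, path)
    if status != 202:
        raise RuntimeError("%s %s: expected 202, got %s %s" % (method, path, status, body))
    return body["current_status"]["id"]


def find_dependents(transport, name, sleep):
    """Start the dependent search, wait for it, then read the Dependent list from the results endpoint."""
    task_id = start_async(transport, "GET", "/api/reference_data/sets/%s/dependents" % quote(name, safe=""))
    final = wait_for_task(transport, task_id, sleep)
    if final["status"] != "COMPLETED":
        raise RuntimeError("dependent search for %r ended in %s" % (name, final["status"]))
    status, deps = transport("GET", "/api/reference_data/set_dependent_tasks/%d/results" % task_id)
    if status != 200:
        raise RuntimeError("results for task %d returned %s" % (task_id, status))
    return deps


def blocking_dependents(deps):
    """Dependents that should stop an unattended delete: flagged blocking, or not editable by the caller."""
    return [d for d in deps if d.get("blocking") or not d.get("user_has_edit_permissions")]


def remove_set(transport, name, sleep, purge_only=False, force=False):
    """Check dependents first; delete (or purge with purge_only=true) only when nothing blocks it."""
    deps = find_dependents(transport, name, sleep)
    blocking = blocking_dependents(deps)
    if blocking and not force:
        return {"removed": False, "blocking": [(d["dependent_type"], d["dependent_name"]) for d in blocking]}
    path = "/api/reference_data/sets/%s?purge_only=%s" % (quote(name, safe=""), "true" if purge_only else "false")
    final = wait_for_task(transport, start_async(transport, "DELETE", path), sleep)
    return {"removed": final["status"] == "COMPLETED", "purge_only": purge_only, "dependents": len(deps)}


def make_stub_transport():
    """Constructed stand-in (assumption): two sets with canned Dependent objects; each task completes on its second poll."""
    common = {"dependent_database": "EVENTS", "dependent_owner": "admin", "dependent_group_ids": []}
    deps = {
        "old-watchlist": [dict(common, dependent_id="101", dependent_name="Old IP lookup",
                               dependent_type="ARIEL_SAVED_SEARCH", blocking=False, user_has_edit_permissions=True)],
        "prod-blocklist": [dict(common, dependent_id="7", dependent_name="Block known bad IPs",
                                dependent_type="CRE_RULE", blocking=True, user_has_edit_permissions=True)],
    }
    tasks, calls = {}, []

    def accept(name):
        tid = len(tasks) + 1
        tasks[tid] = {"name": name, "polls": 0}
        return 202, {"current_status": {"id": tid, "status": "QUEUED"}, "message": "accepted",
                     "status_location": "/api/system/task_management/task/%d" % tid}

    def transport(method, path):
        calls.append((method, path))
        parts = path.split("?")[0].split("/")
        if method == "GET" and parts[-1] == "dependents":
            return accept(parts[-2])
        if method == "DELETE" and parts[3] == "sets":
            return accept(parts[-1])
        if method == "GET" and parts[2] == "system":
            task = tasks[int(parts[-1])]
            task["polls"] += 1
            return 200, {"id": int(parts[-1]), "status": "PROCESSING" if task["polls"] < 2 else "COMPLETED"}
        if method == "GET" and parts[-1] == "results":
            return 200, deps.get(tasks[int(parts[-2])]["name"], [])
        return 404, {"code": 1002}

    transport.calls = calls
    return transport


def demo():
    """Refuse to remove a set a rule depends on, then purge one whose only dependent is an editable saved search."""
    t, sleeps = make_stub_transport(), []
    refused = remove_set(t, "prod-blocklist", sleeps.append)
    purged = remove_set(t, "old-watchlist", sleeps.append, purge_only=True)
    return refused, purged, len(sleeps), t.calls
```

Purging with purge_only=true keeps the set's structure, so rules that reference it keep working and merely match nothing; a full removal breaks those rules, which is why the dependents check is the gate for the unforced path.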

GET /reference_data/tables_delete_tasks/{task_id}
Retrieve the delete Reference Data Tables task status.
Table 1109. GET /reference_data/tables_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1110. GET /reference_data/tables_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1111. GET /reference_data/tables_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status has been retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred while attempting to retrieve the Delete Task Status.

Response Description
A Delete Task Status object and the location header set to the task status URL "/api/reference_data/tables/tables_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state that the task is in.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time in milliseconds since epoch of when the task was created.
• started - Long - The time in milliseconds since epoch of when the task was started.
• modified - Long - The time in milliseconds since epoch of when the task was modified.
• completed - Long - The time in milliseconds since epoch of when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
}

GET /reference_data/tables_dependent_tasks/{task_id}
Retrieve the dependent Reference Data Tables task status.
Table 1112. GET /reference_data/tables_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1113. GET /reference_data/tables_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1114. GET /reference_data/tables_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status has been retrieved.
404 | 1002 | The Delete Task Status does not exist.
500 | 1020 | An error occurred while attempting to retrieve the Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/tables/tables_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state that the task is in.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time in milliseconds since epoch of when the task was created.
• started - Long - The time in milliseconds since epoch of when the task was started.
• modified - Long - The time in milliseconds since epoch of when the task was modified.
• completed - Long - The time in milliseconds since epoch of when the task was completed.
• number_of_dependents - Long - The number of dependents found. Value is null until task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state the sub-task is in.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects checked for dependency.
  – created - Long - The time in milliseconds since epoch of when the sub-task was created.
  – started - Long - The time in milliseconds since epoch of when the sub-task was started.
  – modified - Long - The time in milliseconds since epoch of when the sub-task was modified.
  – completed - Long - The time in milliseconds since epoch of when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

POST /reference_data/tables_dependent_tasks/{task_id}
Cancel the dependent Reference Data Tables task.
Table 1115. POST /reference_data/tables_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1116. POST /reference_data/tables_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1117. POST /reference_data/tables_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1118. POST /reference_data/tables_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete Task Status has been retrieved.
404 | 1002 | The Dependent Task Status does not exist.
409 | 1004 | The task is in a completed state
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/tables/tables_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state that the task is in.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time in milliseconds since epoch of when the task was created.
• started - Long - The time in milliseconds since epoch of when the task was started.
• modified - Long - The time in milliseconds since epoch of when the task was modified.
• completed - Long - The time in milliseconds since epoch of when the task was completed.
• number_of_dependents - Long - The number of dependents found. Value is null until task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state the sub-task is in.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects checked for dependency.
  – created - Long - The time in milliseconds since epoch of when the sub-task was created.
  – started - Long - The time in milliseconds since epoch of when the sub-task was started.
  – modified - Long - The time in milliseconds since epoch of when the sub-task was modified.
  – completed - Long - The time in milliseconds since epoch of when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERR
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, F
}
]
}

GET /reference_data/tables_dependent_tasks/{task_id}/results
Retrieve the Reference Data Tables Dependent Task Results
Table 1119. GET /reference_data/tables_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1120. GET /reference_data/tables_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1121. GET /reference_data/tables_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The Reference Data Tables Dependents have been retrieved
404 | 1002 | The Dependent Task Status does not exist.
500 | 1020 | An error occurred while attempting to retrieve the Reference Data Tables

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SA
"user_has_edit_permissions": true
}
]

POST /reference_data/tables/bulk_load/{name}
Adds or updates data in a reference table.
Table 1122. POST /reference_data/tables/bulk_load/{name} resource details
MIME Type
application/json

Table 1123. POST /reference_data/tables/bulk_load/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the table to add or update data in.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1124. POST /reference_data/tables/bulk_load/{name} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Array | application/json | Required - The JSON-formatted data to add or update in the reference table. | {"key1":{"col1":"Data11","col2":"Data12","col3":"Data13","col4":"Data14"},"key2":{"col1":"Data21","col2":"Data22","col3":"Data23","col4":"Data24"},"key3":{"col1":"Data31","col2":"Data32","col3":"Data33","col4":"Data34"},"key4":{"col1":"Data41","col2":"Data42","col3":"Data43","col4":"Data44"},"key5":{"col1":"Data51","col2":"Data52","col3":"Data53","col4":"Data54"},"key6":{"col1":"Data61","col2":"Data62","col3":"Data63","col4":"Data64"}}

Table 1125. POST /reference_data/tables/bulk_load/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | Data was successfully added or updated in the reference table.
400 | 1001 | An error occurred parsing the JSON-formatted message body.
404 | 1002 | The reference table does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to add or update data in the reference table.

Response Description

Information about the reference table where data was added or updated. This returns information about
the reference table but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
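Before pushing a watchlist or indicator set into a reference table through this endpoint, a client should check that every value matches the type declared for its column, because the server expects values of the column's type and DATE values must be milliseconds since the Unix epoch. The following Python is an added example, not code from this guide or from QRadar: it validates a bulk-load payload against the table description that GET /reference_data/tables/{name} returns (inner keys absent from key_name_types fall back to element_type, the rule stated for POST /reference_data/tables/{name}) and then builds the request without sending it. The SEC and Version header names follow the QRadar API convention; the console host, token and table name are placeholders.

```python
"""Client-side validation and request construction for
POST /reference_data/tables/bulk_load/{name}.

Added example; not code from the IBM QRadar API Guide or the QRadar
product. Assumptions: the SEC/Version headers and the /api prefix follow
the QRadar convention; the table description (element_type, key_name_types)
is the object GET /reference_data/tables/{name} returns, as shown in its
response sample. Element type names are the ones listed on this page.
"""
import ipaddress
import json
import urllib.parse

# Element types documented for reference tables.
ELEMENT_TYPES = {"ALN", "ALNIC", "NUM", "IP", "PORT", "DATE"}


def check_value(value, element_type):
    """Return True if value is acceptable for the documented element type."""
    if element_type in ("ALN", "ALNIC"):
        return isinstance(value, str) and value != ""
    if element_type == "NUM":
        try:
            float(value)
            return True
        except (TypeError, ValueError):
            return False
    if element_type == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if element_type == "PORT":
        return str(value).isdigit() and 0 <= int(value) <= 65535
    if element_type == "DATE":
        # The guide requires dates as milliseconds since the Unix epoch.
        return isinstance(value, int) and not isinstance(value, bool) and value >= 0
    raise ValueError("unknown element type %r" % element_type)


def validate_bulk_data(data, table_desc):
    """Check every outer_key -> inner_key -> value triple against the table's
    key_name_types, falling back to element_type for inner keys that were not
    predefined. Returns a list of (outer_key, inner_key, reason) problems."""
    key_types = table_desc.get("key_name_types") or {}
    default_type = table_desc["element_type"]
    problems = []
    for outer_key, row in data.items():
        if not isinstance(row, dict):
            problems.append((outer_key, None, "row is not an object"))
            continue
        for inner_key, value in row.items():
            etype = key_types.get(inner_key, default_type)
            if not check_value(value, etype):
                problems.append((outer_key, inner_key,
                                 "value %r is not a valid %s" % (value, etype)))
    return problems


def build_bulk_load_request(console, sec_token, table_name, data, table_desc):
    """Return the request as a dict (method, url, headers, body) so it can be
    inspected or handed to any HTTP library. Raises ValueError instead of
    sending data the server would reject."""
    problems = validate_bulk_data(data, table_desc)
    if problems:
        raise ValueError("invalid reference data: %s" % problems)
    url = "https://%s/api/reference_data/tables/bulk_load/%s" % (
        console, urllib.parse.quote(table_name, safe=""))
    return {
        "method": "POST",
        "url": url,
        "headers": {
            "SEC": sec_token,        # QRadar authorized-service token (placeholder value)
            "Version": "9.0",        # API version documented on this page
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": json.dumps(data),
    }


if __name__ == "__main__":
    # Constructed sample: a user watchlist keyed by username with typed columns.
    desc = {"element_type": "ALN", "key_name_types": {"last_ip": "IP", "seen": "DATE"}}
    rows = {"alice": {"last_ip": "203.0.113.7", "seen": 1500000000000, "note": "vpn"}}
    req = build_bulk_load_request("qradar.example", "TOKEN", "watchlist", rows, desc)
    print(req["url"])
```

The validation runs before any network call, so a single bad row fails fast with the offending outer and inner key instead of producing a 422 that says only that a parameter is not valid.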

GET /reference_data/tables
Retrieve a list of all reference tables.
Table 1126. GET /reference_data/tables resource details
MIME Type
application/json

Table 1127. GET /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1128. GET /reference_data/tables response codes

HTTP Response Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference tables

Response Description
A list of all of the reference tables. This returns information about the tables but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]
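Listing endpoints like this one accept the Range header, the filter parameter and the fields parameter together, and a client that forgets to page will silently see only the first range the console chooses to return. The following Python is an added example, not code from this guide or from QRadar: it walks the whole list page by page and stops when a page comes back short. It assumes the "items=first-last" Range form (0-based, inclusive) from the guide's paging syntax chapter and a filter of the form element_type="IP" from its filter syntax chapter; the fetch callable stands in for an HTTP client so the example runs offline, and fake_fetch_factory is a constructed console that honours the same Range and filter semantics.

```python
"""Page through GET /reference_data/tables with the Range header.

Added example, not from the QRadar API Guide or product. Assumptions: the
Range header uses "items=first-last" (0-based, inclusive); the filter is an
expression such as element_type="IP"; `fetch(path, query, headers)` stands
in for an HTTP client and returns the decoded JSON list.
"""
import urllib.parse


def list_tables(fetch, page_size=50, filter_expr=None, fields=None):
    """Yield every reference table description, requesting page_size items
    at a time. Stops as soon as a page comes back shorter than requested."""
    if page_size < 1:
        raise ValueError("page_size must be >= 1")
    query = {}
    if filter_expr:
        query["filter"] = filter_expr      # e.g. element_type="IP"
    if fields:
        query["fields"] = fields           # e.g. name,element_type
    first = 0
    while True:
        last = first + page_size - 1
        headers = {"Range": "items=%d-%d" % (first, last), "Accept": "application/json"}
        page = fetch("/api/reference_data/tables", query, headers)
        for item in page:
            yield item
        if len(page) < page_size:
            return
        first = last + 1


def build_url(console, path, query):
    """Assemble the full URL with percent-encoded query parameters."""
    qs = urllib.parse.urlencode(query)
    return "https://%s%s%s" % (console, path, "?" + qs if qs else "")


def parse_range(header_value):
    """Parse 'items=first-last' into (first, last)."""
    unit, _, span = header_value.partition("=")
    if unit != "items":
        raise ValueError("unsupported Range unit %r" % unit)
    first, _, last = span.partition("-")
    return int(first), int(last)


def fake_fetch_factory(tables):
    """Constructed stand-in for the console: honours Range and an
    element_type="X" filter, returning slices of the in-memory list."""
    def fetch(path, query, headers):
        assert path == "/api/reference_data/tables"
        rows = tables
        flt = query.get("filter")
        if flt and flt.startswith('element_type="') and flt.endswith('"'):
            wanted = flt[len('element_type="'):-1]
            rows = [t for t in rows if t["element_type"] == wanted]
        first, last = parse_range(headers["Range"])
        return rows[first:last + 1]
    return fetch


if __name__ == "__main__":
    # Constructed sample of seven table descriptions in the documented shape.
    sample = [{"name": "t%d" % i, "element_type": "IP" if i % 2 else "ALN",
               "number_of_elements": i} for i in range(7)]
    for t in list_tables(fake_fetch_factory(sample), page_size=3, filter_expr='element_type="IP"'):
        print(t["name"], t["element_type"])
```

The generator keeps the page size independent of the filter, so a filtered walk still makes one request per page and a table list that is an exact multiple of the page size costs one extra empty request rather than a missed page.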

GET /reference_data/tables/{name}
Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 1129. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 1130. GET /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1131. GET /reference_data/tables/{name} response codes


HTTP Response Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference table

Response Description
The reference table identified by the name specified in the request. The portion of the reference table's
data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name}
Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of the appropriate type: either the type that corresponds to the inner key that is predefined for the reference table, or the default element_type of the reference table.
Table 1132. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 1133. POST /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to add or update an element in
outer_key query Required String text/plain Required - The outer key for the element to add or update
inner_key query Required String text/plain Required - The inner key for the element to add or update
value query Required String text/plain Required - The value to add or update in the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1134. POST /reference_data/tables/{name} response codes
HTTP Response Code Unique Code Description
200 The reference table has had an element added or updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This returns information
about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name}
Removes a reference table or purges its contents.
Table 1135. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 1136. DELETE /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference table should have its contents purged (true), keeping the reference table structure. If the value is "false" or not specified the reference table will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1137. DELETE /reference_data/tables/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables deletion or purge request has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference table

Response Description

A status_id with which to retrieve the Reference Data Tables deletion or purge status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables/{name}/dependents
Retrieves the dependents of the table.
Table 1138. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 1139. GET /reference_data/tables/{name}/dependents request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map of sets to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1140. GET /reference_data/tables/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables dependent retrieval request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference map of sets

Response Description

A status_id with which to retrieve the Reference Data Tables dependent retrieval status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/{outer_key}/{inner_key}
Removes a value from a reference table.

Remove a value from a reference table.


Table 1141. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} resource details
MIME Type
application/json

Table 1142. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to remove a value from
outer_key path Required String text/plain Required - The outer key of the value to remove
inner_key path Required String text/plain Required - The inner key of the value to remove
value query Required String text/plain Required - The value to remove from the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1143. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} response codes

HTTP Response Code Unique Code Description
200 The reference table has had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the reference table value

Response Description

Information about the reference table that had an element removed. This returns information about the table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables
Create a new reference table.
Table 1144. POST /reference_data/tables resource details
MIME Type
application/json

Table 1145. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference table to create
element_type query Required String text/plain Required - The default element type for the values allowed in the reference table. This is used when values are added or updated in the reference table whose inner key was not defined in the key_name_types parameter. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
outer_key_label query Optional String text/plain Optional - The label to describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON formatted string. This array creates the inner key names and corresponding value types for the table
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1146. POST /reference_data/tables response codes

HTTP Response Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

Scanner endpoints
Use the references for REST API V9.0 scanner endpoints.

GET /scanner/profiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for each scan profile.
• scanProfileId
• scanProfileName
• description
• scanType
• scannerName
Table 1147. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 1148. GET /scanner/profiles response codes
HTTP Response Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create
Initiates a request to create a new Scan Profile.

The request takes one parameter - createScanRequest, which is just a POJO. To create the scan, you will need to build up a JSON object that contains the Scan Profile name and IP addresses to scan. For example:
{"name":"New Scan Profile", "ips":["10.100.85.135"]}

Table 1149. POST /scanner/profiles/create resource details


MIME Type
text/plain

Table 1150. POST /scanner/profiles/create request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 1151. POST /scanner/profiles/create response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description
An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start
Initiates a request to start an already created scanProfile.

The request takes one parameter - scanProfileId. To get a list of scanProfileIds, get a list of the current
scan profiles by initiating a 'profiles' request on the scanner endpoint. The scanProfileId is validated and
an appropriate message is returned.
Table 1152. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 1153. POST /scanner/profiles/start request parameter details
Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the scan profile we want to start

Table 1154. POST /scanner/profiles/start response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

GET /scanner/scanprofiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for each scan profile.
• scanProfileId
• scanProfileName
• description
• scanType
• scannerName
• schedule
• status
• progress
• endTime
• duration
Table 1155. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 1156. GET /scanner/scanprofiles request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1157. GET /scanner/scanprofiles response codes

HTTP Response Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles
Initiates a request to create a new scanProfile.

The request takes one parameter - createScanRequest, which is just a POJO. To create the scan, you will need to build up a JSON object that contains the Scan Profile name and hosts to scan. For example:
{"name":"New Scan Profile", "hosts":["10.100.85.135"]}
Table 1158. POST /scanner/scanprofiles resource details
MIME Type
text/plain

Table 1159. POST /scanner/scanprofiles request body details

Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String", "hosts": [ "String" ], "name": "String" }

Table 1160. POST /scanner/scanprofiles response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid}
Retrieves a scan profile for a given Scan Profile ID.

No parameters are required and the following information should be retrieved for each scan profile.
• scanProfileId
• name
• description
• scanType
• scannerName
• schedule
• status
• progress
• endTime
• duration
Table 1161. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 1162. GET /scanner/scanprofiles/{profileid} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile we need to retrieve information for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1163. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid}
Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:
• name
• description
• IP addresses

For example:
{"name":"Updated Scan Profile", "ips":["10.100.85.135"]}
Table 1164. POST /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 1165. POST /scanner/scanprofiles/{profileid} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile used to update

Table 1166. POST /scanner/scanprofiles/{profileid} request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 1167. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description
A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid}
Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.


Table 1168. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 1169. DELETE /scanner/scanprofiles/{profileid} request parameter details


Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain null

Table 1170. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid}/runs
Table 1171. GET /scanner/scanprofiles/{profileid}/runs resource details
MIME Type
application/json

Table 1172. GET /scanner/scanprofiles/{profileid}/runs request parameter details
Parameter Type Optionality Data Type MIME Type Description
profileid path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1173. GET /scanner/scanprofiles/{profileid}/runs response codes


HTTP Response Code Unique Code Description
404 1002 null
422 1005 null
500 1030 null

Response Description

Response Sample
[
{
"end_time": 42,
"id": 42,
"scan_profile_id": 42,
"start_time": 42
}
]

GET /scanner/scanprofiles/{profileid}/runs/{run_id}
Table 1174. GET /scanner/scanprofiles/{profileid}/runs/{run_id} resource details
MIME Type
application/json

Table 1175. GET /scanner/scanprofiles/{profileid}/runs/{run_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required Number (Integer) text/plain null
run_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1176. GET /scanner/scanprofiles/{profileid}/runs/{run_id} response codes


HTTP Response Code Unique Code Description
404 1002 null
500 1030 null

Response Description

Response Sample
{
"end_time": 42,
"id": 42,
"scan_profile_id": 42,
"start_time": 42
}

GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results
Table 1177. GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results resource details
MIME Type
application/json

Table 1178. GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required Number (Integer) text/plain null
run_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1179. GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results response codes


HTTP Response Code Unique Code Description
404 1002 null
422 1005 null
500 1030 null

Response Description

Response Sample
[
{
"base_score": 42,
"critical_details": "String",
"cve_ids": [
"String"
],
"hostname": "String",
"informative_details": "String",
"ip_address": "String",
"open_services": [
"String"
],
"port": 42,
"temporal_score": 42,
"vulnerability": "String"
}
]
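The results endpoint returns one finding per host, port and vulnerability, which is the raw material for deciding what to patch first. The following Python is an added example, not code from this guide or from QRadar Vulnerability Manager: it consumes result objects in exactly the shape of the response sample above (hostname, ip_address, port, vulnerability, cve_ids, base_score, temporal_score, open_services) and rolls them up per host, worst host first. The sample rows and CVE identifiers are constructed placeholders, and the severity bands and the choice to prefer temporal_score over base_score when it is non-zero are this example's own.

```python
"""Summarise GET /scanner/scanprofiles/{profileid}/runs/{run_id}/results.

Added example; not code from the QRadar API Guide or QRadar Vulnerability
Manager. Works on result objects in the documented shape. Severity bands
follow the common 0-10 CVSS ranges and are this example's choice; the
sample rows below are constructed and the CVE IDs are placeholders.
"""
from collections import defaultdict


def severity(score):
    """Map a CVSS-style score to a band (this example's bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0:
        return "low"
    return "info"


def summarise_results(results, min_score=0.0):
    """Group findings by host and return per-host summaries, worst host
    first: highest score seen, distinct CVE IDs, affected ports, and a
    count per severity band. Findings below min_score are dropped."""
    by_host = defaultdict(lambda: {"cves": set(), "ports": set(), "max_score": 0.0,
                                   "bands": defaultdict(int), "findings": 0})
    for r in results:
        # Prefer the temporal score when the scanner supplied one (non-zero).
        score = r.get("temporal_score") or r.get("base_score") or 0.0
        if score < min_score:
            continue
        key = (r.get("hostname") or "", r.get("ip_address") or "")
        h = by_host[key]
        h["findings"] += 1
        h["max_score"] = max(h["max_score"], score)
        h["bands"][severity(score)] += 1
        h["cves"].update(c for c in r.get("cve_ids", []) if c)
        if r.get("port"):
            h["ports"].add(r["port"])
    out = []
    for (hostname, ip), h in by_host.items():
        out.append({"hostname": hostname, "ip_address": ip, "findings": h["findings"],
                    "max_score": h["max_score"], "cves": sorted(h["cves"]),
                    "ports": sorted(h["ports"]), "bands": dict(h["bands"])})
    out.sort(key=lambda s: (-s["max_score"], -s["findings"], s["ip_address"]))
    return out


# Constructed sample rows in the documented shape; CVE IDs are placeholders.
SAMPLE_RESULTS = [
    {"hostname": "web01", "ip_address": "192.0.2.10", "port": 443, "base_score": 7.5,
     "temporal_score": 6.8, "vulnerability": "TLS configuration",
     "cve_ids": ["CVE-0000-0001"], "open_services": ["https"]},
    {"hostname": "web01", "ip_address": "192.0.2.10", "port": 22, "base_score": 9.8,
     "temporal_score": 0, "vulnerability": "Outdated SSH",
     "cve_ids": ["CVE-0000-0002", "CVE-0000-0003"], "open_services": ["ssh"]},
    {"hostname": "db01", "ip_address": "192.0.2.20", "port": 5432, "base_score": 5.3,
     "temporal_score": 5.0, "vulnerability": "Weak cipher",
     "cve_ids": [], "open_services": ["postgresql"]},
]


if __name__ == "__main__":
    for host in summarise_results(SAMPLE_RESULTS):
        print(host["hostname"], host["max_score"], host["bands"], host["cves"])
```

Keying on both hostname and ip_address keeps two hosts that share a name apart, and deduplicating cve_ids per host means a CVE reported on several ports is counted once when the summary is handed to a ticketing system.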

POST /scanner/scanprofiles/{profileid}/start
Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId, and one optional parameter, ips. To get a list of scanProfileIds, simply get a list of the current scan profiles by initiating a 'profiles' request on the scanner endpoint. The scanProfileId is validated and an appropriate message is returned.
Table 1180. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

Table 1181. POST /scanner/scanprofiles/{profileid}/start request parameter details
Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile we want to start

Table 1182. POST /scanner/scanprofiles/{profileid}/start request body details


Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 1183. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made

Response Description
An indicator of whether the scan has been started successfully or not.

Response Sample
String

Services endpoints
Use the references for REST API V9.0 services endpoints.

POST /services/dig_lookups
Creates a new DIG lookup.

Creates a new DIG lookup. Lookup completes in the background.


Table 1184. POST /services/dig_lookups resource details
MIME Type
application/json

Table 1185. POST /services/dig_lookups request parameter details
Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Used to retrieve the DIG lookup.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1186. POST /services/dig_lookups response codes
HTTP Response Code Unique Code Description
201 The DIG lookup was created successfully.
500 1020 An internal server error occurred during the creation of the DIG lookup.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL
"/services/dig_lookups/{dig_lookup_id}". A DIG Lookup object contains the following fields:
• id - Long - The ID of the DIG lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the DIG lookup when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /services/dig_lookups/{dig_lookup_id}
Retrieves the DIG lookup status.

Retrieves the DIG Lookup status and result. The result is included if the lookup completed.
Table 1187. GET /services/dig_lookups/{dig_lookup_id} resource details
MIME Type
application/json

Table 1188. GET /services/dig_lookups/{dig_lookup_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
dig_lookup_id path Required Number (Integer) text/plain Required - The ID of the Dig lookup to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1189. GET /services/dig_lookups/{dig_lookup_id} response codes
HTTP Response Code Unique Code Description
200 The DIG lookup Status was retrieved.
404 1002 The DIG lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the DIG lookup status.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL
"/services/dig_lookups/{dig_lookup_id}". A DIG Lookup object contains the following fields:
• id - Long - The ID of the DIG lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the DIG lookup when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

POST /services/dns_lookups
Creates a new DNS lookup.

Creates a new DNS lookup. Lookup completes in the background.

Table 1190. POST /services/dns_lookups resource details
MIME Type
application/json

Table 1191. POST /services/dns_lookups request parameter details
Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Used to retrieve the DNS lookup.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1192. POST /services/dns_lookups response codes
HTTP Response Code Unique Code Description
201 The DNS lookup was successfully created.
500 1020 An internal server error occurred during the creation of the DNS lookup.

Response Description

A DNS Lookup object and the location header set to the task status URL
"/services/dns_lookups/{dns_lookup_id}". A DNS status object contains the following fields:
• id - Long - The ID of the DNS lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the DNS lookup when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /services/dns_lookups/{dns_lookup_id}
Retrieves the DNS lookup status.

Retrieves the DNS Lookup status. The result is included if the lookup completes.
Table 1193. GET /services/dns_lookups/{dns_lookup_id} resource details
MIME Type
application/json

Table 1194. GET /services/dns_lookups/{dns_lookup_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
dns_lookup_id path Required Number (Integer) text/plain Required - The ID of the DNS lookup to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1195. GET /services/dns_lookups/{dns_lookup_id} response codes
HTTP Response Code Unique Code Description
200 The DNS lookup status was retrieved.
404 1002 The DNS lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the DNS lookup status.

Response Description

A DNS Lookup object, and the location header set to the task status URL
"/services/dns_lookups/{dns_lookup_id}". A DNS status object contains the following fields:
• id - Long - The ID of the DNS lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the DNS lookup when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /services/geolocations
Retrieves the MaxMind geoip data for the given IP address.

Retrieves the MaxMind geoip location data for the given IP address. A filter is required to identify which
IP address to look up. Only EQUALS or IN is supported. Samples:
• ip_address = "127.0.0.1"
• ip_address IN ( "127.0.0.1", "127.0.0.2" )
Table 1196. GET /services/geolocations resource details
MIME Type
application/json

Table 1197. GET /services/geolocations request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1198. GET /services/geolocations response codes
HTTP Response Code Unique Code Description
200 The location data was retrieved.
404 1002 The IP address does not exist in the database.
422 1005 The provided IP address is invalid.
422 1010 A request parameter is not valid.
500 1020 An error occurred while looking up the geodata.

Response Description

The location data after it has been retrieved. A location object contains the following fields:
• ip_address - String - The IP address to look up.
• city - City - Object containing details about the city that is associated with the IP address.
  – name - String - The name of the city.
  – geo_id - Integer - A unique identifier for the city as specified by GeoNames.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the city is correct.
• continent - Continent - Object containing details about the continent that is associated with the IP address.
  – name - String - The name of the continent.
  – geo_id - Integer - A unique identifier for the continent as specified by GeoNames.
  – code - String - A two-character code for the continent associated with the IP address.
• physical_country - Country - Object containing details about the country where MaxMind believes the end user is located.
  – name - String - The name of the country.
  – geo_id - Integer - A unique identifier for the country as specified by GeoNames.
  – iso_code - String - A two-character ISO 3166-1 country code for the country associated with the IP address.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the country is correct.
• registered_country - Country - Object containing details about the country in which the ISP has registered the IP address.
  – name - String - The name of the country.
  – geo_id - Integer - A unique identifier for the country as specified by GeoNames.
  – iso_code - String - A two-character ISO 3166-1 country code for the country associated with the IP address.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the country is correct.
• represented_country - Country - Object containing details about the country which is represented by users of the IP address. For instance, the country represented by an overseas military base.
  – name - String - The name of the country.
  – geo_id - Integer - A unique identifier for the country as specified by GeoNames.
  – iso_code - String - A two-character ISO 3166-1 country code for the country associated with the IP address.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the country is correct.
  – type - String - The type of represented country. Currently limited to military but may include other types in the future.
• location - Location - Object containing details about the city that is associated with the IP address.
  – accuracy_radius - Integer - The approximate accuracy radius in kilometers around the latitude and longitude for the IP address. This is the radius where MaxMind has a 67% confidence that the device using the IP address resides within the circle centered at the latitude and longitude with the provided radius.
  – average_income - Integer - The average income associated with the IP address.
  – latitude - Double - The approximate latitude of the location associated with the IP address. Latitude and Longitude are often near the center of population.
  – longitude - Double - The approximate longitude of the location associated with the IP address. Latitude and Longitude are often near the center of population.
  – metro_code - Integer - The metro code associated with the IP address. These are only available for IP addresses in the US. Returns the same metro codes as the Google AdWords API.
  – population_density - Integer - The estimated number of people per square kilometer.
  – time_zone - String - The time zone associated with the location, as specified by the IANA Time Zone Database. For example, "America/New_York".
• postal - Postal - Object containing details about the postal code that is associated with the IP address.
  – postal_code - String - The postal code associated with the IP address. These are available for some IP addresses in Australia, Canada, France, Germany, Italy, Spain, Switzerland, United Kingdom, and the US. Returns the first 3 characters for Canadian postal codes. Returns the first 2-4 characters (outward code) for postal codes in the United Kingdom.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the postal code is correct.
• subdivision - List of Subdivisions - Each of these objects contains details about a subdivision of the country in which the IP address resides. Subdivisions are arranged from largest to smallest.
  – name - String - The name of the subdivision.
  – geo_id - Integer - A unique identifier for the region as specified by GeoNames.
  – iso_code - String - A string of up to three characters that contains the region-portion of the ISO 3166-2 code for the region associated with the IP address.
  – confidence - Integer - A value from 0-100 that represents MaxMind's confidence that the region is correct.
• traits - Traits - Object containing general traits that are associated with the IP address.
  – autonomous_system_number - Integer - The autonomous system number associated with the IP address.
  – autonomous_system_organization - String - The organization associated with the registered autonomous system number for the IP address.
  – domain - String - The second level domain associated with the IP address.
  – internet_service_provider - String - The name of the Internet Service Provider associated with the IP address.
  – organization - String - The name of the organization associated with the IP address.
  – user_type - String - The user type associated with the IP address.
• geo_json - GeoJSON - A standardized GeoJSON point object for the IP address.
  – type - String - The type of GeoJSON. The default is "Point".
  – coordinates - Array of Double - Latitude and Longitude from the MaxMind Location object.
• is_local - Boolean - True if the IP address is defined in the network hierarchy.
• network - String - The local network that the IP address belongs to.
• domain_id - Integer - The domain id of the local network.

Response Sample
[
  {
    "city": {
      "confidence": 42,
      "geo_id": 42,
      "name": "String"
    },
    "continent": {
      "code": "String",
      "geo_id": 42,
      "name": "String"
    },
    "domain_id": 42,
    "geo_json": {
      "coordinates": [
        42.5
      ],
      "type": "String"
    },
    "ip_address": "String",
    "is_local": true,
    "location": {
      "accuracy_radius": 42,
      "average_income": 42,
      "latitude": 42.5,
      "longitude": 42.5,
      "metro_code": 42,
      "population_density": 42,
      "timezone": "String"
    },
    "network": "String",
    "physical_country": {
      "confidence": 42,
      "geo_id": 42,
      "iso_code": "String",
      "name": "String"
    },
    "postal": {
      "confidence": 42,
      "postal_code": "String"
    },
    "registered_country": {
      "confidence": 42,
      "geo_id": 42,
      "iso_code": "String",
      "name": "String"
    },
    "represented_country": {
      "confidence": 42,
      "geo_id": 42,
      "iso_code": "String",
      "name": "String"
    },
    "subdivisions": [
      {
        "confidence": 42,
        "geo_id": 42,
        "iso_code": "String",
        "name": "String"
      }
    ],
    "traits": {
      "autonomous_system_number": 42,
      "autonomous_system_organization": "String",
      "domain": "String",
      "internet_service_provider": "String",
      "organization": "String",
      "user_type": "String"
    }
  }
]
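The filter and fields parameters above are the whole interface to this endpoint, so the client-side work is building a well-formed filter, asking only for the fields you need, and reducing the large location object to what an analyst pivots on. The following is an added example for this reference, not IBM's code: it assumes a caller-supplied `send(method, path, params)` transport that returns `(http_status, parsed_json_body)` (the `fake_send` below is a constructed offline stand-in with sample data), and it assumes the "subfields in brackets" syntax for `fields` means parentheses, as in `physical_country(iso_code,confidence)`.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# send(method, path, query_params) -> (http_status, parsed_json_body).
# Assumed, caller-supplied transport; not a QRadar SDK call.
Send = Callable[[str, str, Dict[str, str]], Tuple[int, object]]


def build_geolocation_filter(ips: List[str]) -> str:
    """Build the filter the endpoint accepts: EQUALS for one address, IN for several.

    Each address is parsed with ipaddress first, so a malformed value is rejected
    here instead of coming back from the server as 422 / unique code 1005.
    """
    if not ips:
        raise ValueError("at least one IP address is required")
    normalized = [str(ipaddress.ip_address(ip.strip())) for ip in ips]
    if len(normalized) == 1:
        return 'ip_address = "%s"' % normalized[0]
    return "ip_address IN ( %s )" % ", ".join('"%s"' % ip for ip in normalized)


def summarize_location(loc: dict) -> dict:
    """Reduce one location object to the fields an analyst usually pivots on."""

    def nested(*keys):
        obj = loc
        for key in keys:
            obj = obj.get(key) if isinstance(obj, dict) else None
        return obj

    return {
        "ip_address": loc.get("ip_address"),
        "is_local": loc.get("is_local"),
        "network": loc.get("network"),
        "country": nested("physical_country", "iso_code"),
        "country_confidence": nested("physical_country", "confidence"),
        "registered_country": nested("registered_country", "iso_code"),
        "asn": nested("traits", "autonomous_system_number"),
        "as_org": nested("traits", "autonomous_system_organization"),
    }


# Assumed subfield syntax (parentheses) for the "subfields in brackets" rule.
GEOLOCATION_FIELDS = (
    "ip_address,is_local,network,physical_country(iso_code,confidence),"
    "registered_country(iso_code),"
    "traits(autonomous_system_number,autonomous_system_organization)"
)


def lookup_geolocations(send: Send, ips: List[str]) -> List[dict]:
    """Query /services/geolocations for the given addresses and summarize each hit.

    A 404 (unique code 1002) means the address is not in the MaxMind database and
    is reported as an empty result rather than an error.
    """
    params = {"filter": build_geolocation_filter(ips), "fields": GEOLOCATION_FIELDS}
    status, body = send("GET", "/services/geolocations", params)
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError("geolocation lookup failed: HTTP %s %r" % (status, body))
    return [summarize_location(item) for item in body]


# Constructed offline stand-in for the HTTP transport; the values are sample
# data, not a real MaxMind lookup.
def fake_send(method: str, path: str, params: Dict[str, str]) -> Tuple[int, object]:
    assert method == "GET" and path == "/services/geolocations"
    if "203.0.113.9" in params["filter"]:
        return 404, {"code": 1002, "message": "not in database"}
    return 200, [
        {
            "ip_address": "192.0.2.10",
            "is_local": False,
            "network": "other",
            "physical_country": {"iso_code": "CH", "confidence": 90},
            "registered_country": {"iso_code": "CH"},
            "traits": {"autonomous_system_number": 64496,
                       "autonomous_system_organization": "Example AS"},
        }
    ]


if __name__ == "__main__":
    for row in lookup_geolocations(fake_send, ["192.0.2.10"]):
        print(row)
```

Validating addresses locally keeps a typo from costing a round trip, and comparing `country` with `registered_country` (plus `is_local`) is the quick sanity check before an address is treated as foreign.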

POST /services/port_scans
Creates a new PortScans lookup. Port scan completes in the background.

Creates a new port scan lookup. This endpoint is not available on SaaS systems, where it returns a 404 error.
Table 1199. POST /services/port_scans resource details
MIME Type
application/json

Table 1200. POST /services/port_scans request parameter details
Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Used to retrieve the port scan lookup.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1201. POST /services/port_scans response codes
HTTP Response Code Unique Code Description
201 The PortScans lookup was created successfully.
500 1020 An internal server error occurred during the creation of the port scan lookup.

Response Description

A port scan object and the location header set to the task status URL
"/services/port_scans/{port_scan_id}". A port scan status object contains the following fields:
• id - Long - The ID of the port scan.
• ip - String - The IP address to be investigated.
• message - String - The result of the port scan when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /services/port_scans/{port_scan_id}
Retrieves the port scan status. The result is included if the port scan completes.

Retrieves the port scan status.

Table 1202. GET /services/port_scans/{port_scan_id} resource details
MIME Type
application/json

Table 1203. GET /services/port_scans/{port_scan_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
port_scan_id path Required Number (Integer) text/plain Required - The ID of the port scan to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1204. GET /services/port_scans/{port_scan_id} response codes
HTTP Response Code Unique Code Description
200 The port scan status was retrieved.
404 1002 The port scan status does not exist.
500 1020 An error occurred during the attempt to retrieve the port scan status.

Response Description

A port scan object and the location header set to the task status URL
"/services/port_scans/{port_scan_id}". A port scan status object contains the following fields:
• id - Long - The ID of the port scan.
• message - String - The result of the port scan when complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

POST /services/whois_lookups
Creates a new WHOIS lookup.

Creates a new WHOIS lookup. Lookup completes in the background.

Table 1205. POST /services/whois_lookups resource details
MIME Type
application/json

Table 1206. POST /services/whois_lookups request parameter details
Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Used to retrieve the WHOIS lookup.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1207. POST /services/whois_lookups response codes
HTTP Response Code Unique Code Description
201 The WHOIS lookup was created successfully.
500 1020 An internal server error occurred during the creation of the WHOIS lookup.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL
"/services/whois_lookups/{whois_lookup_id}". A WHOIS status object contains the following fields:
• id - Long - The ID of the WHOIS lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the WHOIS lookup when complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /services/whois_lookups/{whois_lookup_id}
Retrieves the WHOIS lookup status.

Retrieves the WHOIS lookup status. The result is included if the lookup completes.
Table 1208. GET /services/whois_lookups/{whois_lookup_id} resource details
MIME Type
application/json

Table 1209. GET /services/whois_lookups/{whois_lookup_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
whois_lookup_id path Required Number (Integer) text/plain Required - The ID of the WHOIS lookup to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1210. GET /services/whois_lookups/{whois_lookup_id} response codes
HTTP Response Code Unique Code Description
200 The WHOIS lookup status was retrieved.
404 1002 The WHOIS lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the WHOIS lookup status.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL
"/services/whois_lookups/{whois_lookup_id}". A WHOIS status object contains the following fields:
• id - Long - The ID of the WHOIS lookup.
• ip - String - The IP address to be investigated.
• message - String - The result of the WHOIS lookup when it is complete.
• status - String - The current state of the task.

Response Sample
{
  "id": 42,
  "ip": "String",
  "message": "String",
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
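The DIG, DNS, WHOIS and port scan services above all follow the same shape: a POST with the IP query parameter answers 201 with a task object and a location header pointing at the status URL, and a GET on that URL returns the same object, whose `message` holds the result only once `status` is COMPLETED. The example below is added for this reference and is not IBM's code; it assumes a caller-supplied `send(method, path, params)` transport returning `(http_status, response_headers, parsed_json_body)`, and `make_fake_send` is a constructed offline stand-in that walks a task through a chosen sequence of states. Which of the listed status values are terminal is an assumption made here from their names: only COMPLETED is treated as success, CANCELLED, CONFLICT, EXCEPTION and INTERRUPTED as failure, and the rest as still pending.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

# send(method, path, query_params) -> (http_status, response_headers, parsed_json_body).
# Assumed caller-supplied transport; not a QRadar SDK call.
Send = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], dict]]

# The status values are the ones listed in the response samples. Which of them
# end the task is assumed from their names (see lead-in).
STATUS_DONE = {"COMPLETED"}
STATUS_FAILED = {"CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
STATUS_PENDING = {"CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "PAUSED",
                  "PROCESSING", "QUEUED", "RESUMING"}

LOOKUP_SERVICES = ("dig_lookups", "dns_lookups", "whois_lookups", "port_scans")


class LookupFailed(RuntimeError):
    """Raised when the task cannot be created or ends without a result."""


def start_lookup(send: Send, service: str, ip: str) -> str:
    """POST /services/{service}?IP=... and return the task status URL.

    The URL is taken from the location header the endpoints set; the id in the
    body is the fallback. port_scans answers 404 on SaaS systems, which is
    reported as LookupFailed rather than retried.
    """
    if service not in LOOKUP_SERVICES:
        raise ValueError("unknown service %r" % service)
    ipaddress.ip_address(ip)  # reject malformed input before it is sent
    status, headers, body = send("POST", "/services/" + service, {"IP": ip})
    if status == 404 and service == "port_scans":
        raise LookupFailed("port_scans is not available on this system (404)")
    if status != 201:
        raise LookupFailed("could not create %s task: HTTP %s %r" % (service, status, body))
    location = headers.get("Location") or headers.get("location")
    return location or "/services/%s/%s" % (service, body["id"])


def wait_for_lookup(send: Send, location: str, timeout: float = 120.0,
                    interval: float = 2.0, sleep=time.sleep, clock=time.monotonic) -> dict:
    """Poll the status URL until the task is COMPLETED and return the final object.

    Pending states are polled again, failure states raise LookupFailed with the
    server's message, an unknown state is an error rather than an endless poll,
    and the whole wait is bounded by ``timeout`` seconds.
    """
    deadline = clock() + timeout
    while True:
        status, _, body = send("GET", location, {})
        if status == 404:
            raise LookupFailed("task %s no longer exists (unique code 1002)" % location)
        if status != 200:
            raise LookupFailed("status poll failed: HTTP %s %r" % (status, body))
        state = body.get("status")
        if state in STATUS_DONE:
            return body
        if state in STATUS_FAILED:
            raise LookupFailed("task ended in %s: %s" % (state, body.get("message")))
        if state not in STATUS_PENDING:
            raise LookupFailed("unexpected task status %r" % state)
        if clock() >= deadline:
            raise TimeoutError("task %s still %s after %.0fs" % (location, state, timeout))
        sleep(interval)


def run_lookup(send: Send, service: str, ip: str, **wait_args) -> dict:
    """Create the lookup and block until its result is available."""
    return wait_for_lookup(send, start_lookup(send, service, ip), **wait_args)


def make_fake_send(states, message="constructed result") -> Send:
    """Constructed offline transport: POST creates task 42 with a Location
    header; each GET moves through ``states`` and a terminal state carries
    ``message``."""
    polls = iter(states)
    task = {"id": 42, "ip": None, "message": None, "status": "QUEUED"}

    def send(method, path, params):
        if method == "POST":
            task["ip"] = params["IP"]
            return 201, {"Location": "%s/%d" % (path, task["id"])}, dict(task)
        task["status"] = next(polls)
        if task["status"] in STATUS_DONE or task["status"] in STATUS_FAILED:
            task["message"] = message
        return 200, {}, dict(task)

    return send


if __name__ == "__main__":
    fake = make_fake_send(["QUEUED", "PROCESSING", "COMPLETED"])
    print(run_lookup(fake, "dns_lookups", "192.0.2.10", sleep=lambda s: None))
```

Injecting `sleep` and `clock` keeps the poller testable without waiting; in production the defaults apply and a stuck task surfaces as a TimeoutError instead of a hung script.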

SIEM endpoints
Use the references for REST API V9.0 SIEM endpoints.

GET /siem/local_destination_addresses
Retrieve a list of offense local destination addresses currently in the system.
Table 1211. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Table 1212. GET /siem/local_destination_addresses request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1213. GET /siem/local_destination_addresses response codes
HTTP Response Code Unique Code Description
200 The local destination address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the local destination address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object contains the following fields:
• id - Number - The ID of the destination address.
• local_destination_ip - String - The IP address.
• magnitude - Number - The magnitude of the destination address.
• network - String - The network of the destination address.
• offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
• source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.
• event_flow_count - Number - The number of events and flows that are associated with the destination address.
• first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
• last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
• domain_id - Number - The ID of the associated domain.

Response Sample
[
  {
    "domain_id": 42,
    "event_flow_count": 42,
    "first_event_flow_seen": 42,
    "id": 42,
    "last_event_flow_seen": 42,
    "local_destination_ip": "String",
    "magnitude": 42,
    "network": "String",
    "offense_ids": [
      42
    ],
    "source_address_ids": [
      42
    ]
  }
]

GET /siem/local_destination_addresses/{local_destination_address_id}
Retrieve an offense local destination address.
Table 1214. GET /siem/local_destination_addresses/{local_destination_address_id} resource details
MIME Type
application/json

Table 1215. GET /siem/local_destination_addresses/{local_destination_address_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
local_destination_address_id path Required Number (Integer) text/plain Required - The ID of the local destination address to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1216. GET /siem/local_destination_addresses/{local_destination_address_id} response codes
HTTP Response Code Unique Code Description
200 The local destination was retrieved.
404 1002 No local destination address was found for the provided local_destination_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the local destination address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the following fields:
• id - Number - The ID of the destination address.
• local_destination_ip - String - The IP address.
• magnitude - Number - The magnitude of the destination address.
• network - String - The network of the destination address.
• offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
• source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.
• event_flow_count - Number - The number of events and flows that are associated with the destination address.
• first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
• last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
• domain_id - Number - The ID of the associated domain.

Response Sample
{
  "domain_id": 42,
  "event_flow_count": 42,
  "first_event_flow_seen": 42,
  "id": 42,
  "last_event_flow_seen": 42,
  "local_destination_ip": "String",
  "magnitude": 42,
  "network": "String",
  "offense_ids": [
    42
  ],
  "source_address_ids": [
    42
  ]
}

GET /siem/offense_closing_reasons
Retrieve a list of all offense closing reasons.
Table 1217. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 1218. GET /siem/offense_closing_reasons request parameter details
Parameter Type Optionality Data Type MIME Type Description
include_reserved query Optional Boolean text/plain Optional - If true, reserved closing reasons are included in the response. Defaults to false. Reserved closing reasons cannot be used to close an offense.
include_deleted query Optional Boolean text/plain Optional - If true, deleted closing reasons are included in the response. Defaults to false. Deleted closing reasons cannot be used to close an offense.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1219. GET /siem/offense_closing_reasons response codes
HTTP Response Code Unique Code Description
200 The closing reasons list was retrieved.
500 1020 An error occurred while the closing reasons list was being retrieved.

Response Description

An array of ClosingReason objects. A closing reason object contains the following fields:
• id - Number - The ID of the closing reason.
• text - String - The text of the closing reason.
• is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.
• is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample
[
  {
    "id": 42,
    "is_deleted": true,
    "is_reserved": true,
    "text": "String"
  }
]

POST /siem/offense_closing_reasons
Create an offense closing reason.
Table 1220. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 1221. POST /siem/offense_closing_reasons request parameter details
Parameter Type Optionality Data Type MIME Type Description
reason query Required String text/plain Required - The text of the offense closing reason must be 5 - 60 characters in length.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1222. POST /siem/offense_closing_reasons response codes


HTTP Response Code Unique Code Description
201 The closing reason was created.
409 1004 The closing reason already exists.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:
• id - Number - The ID of the closing reason.
• text - String - The text of the closing reason.
• is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.
• is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample
{
  "id": 42,
  "is_deleted": true,
  "is_reserved": true,
  "text": "String"
}
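Two rules from the GET and POST sections above decide how a script should create closing reasons: the reason text must be 5 - 60 characters, and a 409 (unique code 1004) on POST means the text already exists, possibly as a reserved or deleted reason that cannot close an offense. The example below is added for this reference, not IBM's code; it assumes a caller-supplied `send(method, path, params)` transport returning `(http_status, parsed_json_body)`, and `make_fake_send` is a constructed in-memory stand-in for the endpoint. On conflict it lists reasons with `include_reserved` and `include_deleted` set so that an unusable match is reported instead of silently returned.

```python
from typing import Callable, Dict, Tuple

# send(method, path, query_params) -> (http_status, parsed_json_body).
# Assumed caller-supplied transport; not a QRadar SDK call.
Send = Callable[[str, str, Dict[str, str]], Tuple[int, object]]

MIN_LEN, MAX_LEN = 5, 60  # limits stated for the reason parameter


class ClosingReasonUnusable(RuntimeError):
    """The reason exists but is reserved or deleted, so it cannot close an offense."""


def ensure_closing_reason(send: Send, reason: str) -> dict:
    """Create the closing reason if absent, otherwise return the existing usable one.

    The length check mirrors the server rule so bad input never reaches it.
    A 409 is resolved by listing reasons, reserved and deleted ones included.
    """
    if not MIN_LEN <= len(reason) <= MAX_LEN:
        raise ValueError("closing reason must be %d-%d characters, got %d"
                         % (MIN_LEN, MAX_LEN, len(reason)))
    status, body = send("POST", "/siem/offense_closing_reasons", {"reason": reason})
    if status == 201:
        return body
    if status != 409:
        raise RuntimeError("create failed: HTTP %s %r" % (status, body))
    status, items = send("GET", "/siem/offense_closing_reasons",
                         {"include_reserved": "true", "include_deleted": "true"})
    if status != 200:
        raise RuntimeError("list failed: HTTP %s %r" % (status, items))
    for item in items:
        if item["text"] == reason:
            if item["is_reserved"] or item["is_deleted"]:
                raise ClosingReasonUnusable("%r exists (id %s) but is %s" % (
                    reason, item["id"], "reserved" if item["is_reserved"] else "deleted"))
            return item
    raise RuntimeError("server reported a conflict but %r was not listed" % reason)


def make_fake_send(existing) -> Send:
    """Constructed in-memory stand-in for the endpoint: ``existing`` seeds the
    table, GET honours include_reserved/include_deleted, and POST assigns the
    next id or answers 409 on a duplicate text."""
    table = list(existing)

    def send(method, path, params):
        if method == "GET":
            return 200, [
                r for r in table
                if (params.get("include_reserved") == "true" or not r["is_reserved"])
                and (params.get("include_deleted") == "true" or not r["is_deleted"])
            ]
        if any(r["text"] == params["reason"] for r in table):
            return 409, {"code": 1004, "message": "The closing reason already exists."}
        row = {"id": len(table) + 1, "text": params["reason"],
               "is_deleted": False, "is_reserved": False}
        table.append(row)
        return 201, row

    return send


if __name__ == "__main__":
    fake = make_fake_send([{"id": 1, "text": "False Positive",
                            "is_deleted": False, "is_reserved": True}])
    print(ensure_closing_reason(fake, "Tuned detection rule"))
```

Text matching here is exact; whether the server compares case-insensitively is not stated in the reference, so a script that normalizes case should do so before calling this function.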

GET /siem/offense_closing_reasons/{closing_reason_id}
Retrieve an offense closing reason.
Table 1223. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 1224. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
closing_reason_id path Required Number (Integer) text/plain Required - The closing reason ID.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1225. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The closing reason was retrieved.
404 | 1002 | No closing reason was found for the provided closing_reason_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

• id - Number - The ID of the closing reason.
• text - String - The text of the closing reason.
• is_deleted - Boolean - Whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.
• is_reserved - Boolean - Whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_saved_search_delete_tasks/{task_id}
Retrieves the delete offense saved search task status.

6 REST API V9.0 References 567


Table 1226. GET /siem/offense_saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1227. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1228. GET /siem/offense_saved_search_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time, in milliseconds since epoch, at which the task was created.
• started - Long - The time, in milliseconds since epoch, at which the task was started.
• modified - Long - The time, in milliseconds since epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}
Retrieves the dependent offense saved search task status.


Table 1229. GET /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1230. GET /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1231. GET /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time, in milliseconds since epoch, at which the task was created.
• started - Long - The time, in milliseconds since epoch, at which the task was started.
• modified - Long - The time, in milliseconds since epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /siem/offense_saved_search_dependent_tasks/{task_id}
Cancels the dependent offense saved search task.


Table 1232. POST /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1233. POST /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1234. POST /siem/offense_saved_search_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1235. POST /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time, in milliseconds since epoch, at which the task was created.
• started - Long - The time, in milliseconds since epoch, at which the task was started.
• modified - Long - The time, in milliseconds since epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}/results
Retrieves the offense saved search dependent task results.


Table 1236. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1237. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1238. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved searches.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
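
As an added example (not part of IBM's guide or of the QRadar code base), the following Python triages a results list of the shape shown in the sample above before an offense saved search is removed, so that a reviewer sees which rules, reports or dashboards still reference it and who owns them. It assumes that the `blocking` flag, which appears in the response sample but not in the field list, marks a dependent that prevents the deletion, and that a dependent the task creator cannot edit (`user_has_edit_permissions` false) has to be handled by its owner; `SAMPLE_RESULTS` is constructed data, not a real QRadar response.

```python
# Added example (not IBM's code): triage the Dependent objects returned by
# GET /siem/offense_saved_search_dependent_tasks/{task_id}/results before an
# offense saved search is deleted.
#
# Assumptions the page does not state, used only here:
#   * "blocking" (present in the response sample but not in the field list)
#     marks a dependent that prevents the deletion;
#   * a dependent the task creator cannot edit (user_has_edit_permissions
#     false) must be handled by its owner, so such owners are collected.
# SAMPLE_RESULTS is constructed for this example, not a real QRadar response.
from collections import Counter, defaultdict


def triage_dependents(results):
    """Summarise a results list into something a reviewer can act on.

    Returns a dict with:
      by_type           - count of dependents per dependent_type
      blocking          - dependent_ids flagged as blocking (assumption above)
      needs_other_owner - dependent_ids the task creator cannot edit
      owners_to_notify  - owner -> dependent_ids for the entries above
      safe_to_delete    - True when nothing blocks the deletion
    """
    by_type = Counter()
    blocking = []
    needs_other_owner = []
    owners = defaultdict(list)
    for dep in results:
        dep_id = dep.get("dependent_id")
        by_type[dep.get("dependent_type", "UNKNOWN")] += 1
        if dep.get("blocking", False):
            blocking.append(dep_id)
        if not dep.get("user_has_edit_permissions", False):
            needs_other_owner.append(dep_id)
            owners[dep.get("dependent_owner", "unknown")].append(dep_id)
    return {
        "by_type": dict(by_type),
        "blocking": blocking,
        "needs_other_owner": needs_other_owner,
        "owners_to_notify": dict(owners),
        "safe_to_delete": not blocking,
    }


def format_report(summary):
    """Render the summary as plain text for a change ticket or audit note."""
    lines = ["Dependents by type:"]
    for dep_type, count in sorted(summary["by_type"].items()):
        lines.append(f"  {dep_type}: {count}")
    lines.append(f"Blocking dependents: {summary['blocking'] or 'none'}")
    for owner, ids in sorted(summary["owners_to_notify"].items()):
        lines.append(f"Owner {owner} must handle: {', '.join(ids)}")
    lines.append("Safe to delete: " + ("yes" if summary["safe_to_delete"] else "NO"))
    return "\n".join(lines)


# Constructed sample in the shape of the response sample on this page.
SAMPLE_RESULTS = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [42],
     "dependent_id": "101", "dependent_name": "Escalate repeat offenders",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE",
     "user_has_edit_permissions": True},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "7", "dependent_name": "Weekly offense report",
     "dependent_owner": "soc-lead", "dependent_type": "REPORT",
     "user_has_edit_permissions": False},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [3],
     "dependent_id": "12", "dependent_name": "Offense overview",
     "dependent_owner": "admin", "dependent_type": "DASHBOARD",
     "user_has_edit_permissions": True},
]

if __name__ == "__main__":
    print(format_report(triage_dependents(SAMPLE_RESULTS)))
```

The triage is kept free of any HTTP client so it can be unit-tested against captured results and reused behind whichever transport a deployment already has; the `dependent_id` values are strings because the page declares the field as a String.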

GET /siem/offense_saved_search_groups
Retrieves a list of offense saved search groups.

Table 1239. GET /siem/offense_saved_search_groups resource details
MIME Type
application/json

Table 1240. GET /siem/offense_saved_search_groups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1241. GET /siem/offense_saved_search_groups response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search groups.

Response Description

A list of Group objects. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default resources can have localized names).
• description - String - The description of the group (default resources can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /siem/offense_saved_search_groups/{group_id}
Retrieves an offense saved search group.


Table 1242. GET /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1243. GET /siem/offense_saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1244. GET /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search group was retrieved.
404 | 1002 | The offense saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search group.

Response Description

A single Group object. A Group object contains the following fields:

• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default resources can have localized names).
• description - String - The description of the group (default resources can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /siem/offense_saved_search_groups/{group_id}
Updates the owner of an offense saved search group.


Table 1245. POST /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1246. POST /siem/offense_saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1247. POST /siem/offense_saved_search_groups/{group_id} request body details

Parameter | Data Type | MIME Type | Description
group | Object | application/json | Required - Group object with the owner set to a valid deployed user.

Sample:
{
"child_groups": [ 42 ],
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1248. POST /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search group was updated.
404 | 1002 | The offense saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the offense saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the offense saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default resources can have localized names).
• description - String - The description of the group (default resources can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /siem/offense_saved_search_groups/{group_id}
Deletes an offense saved search group.


Table 1249. DELETE /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1250. DELETE /siem/offense_saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 1251. DELETE /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
204 | | The offense saved search group has been deleted.
404 | 1002 | The offense saved search group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the offense saved search group.

Response Description

Response Sample

GET /siem/offense_saved_searches
Retrieves a list of offense saved searches.


Table 1252. GET /siem/offense_saved_searches resource details
MIME Type
application/json

Table 1253. GET /siem/offense_saved_searches request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1254. GET /siem/offense_saved_searches response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved searches were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved searches.

Response Description

An array of offense saved search objects. An offense saved search object contains the following fields:
• id - Long - The ID of the offense saved search.
• name - String - The name of the offense saved search.
• owner - String - The owner of the offense saved search.

Response Sample
[
{
"id": 42,
"name": "String",
"owner": "String"
}
]

GET /siem/offense_saved_searches/{id}
Retrieves an offense saved search.


Table 1255. GET /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 1256. GET /siem/offense_saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1257. GET /siem/offense_saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search was retrieved.
404 | 1002 | The offense saved search does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search.

Response Description

The offense saved search after it has been retrieved. An offense saved search object contains the following fields:
• id - Long - The ID of the offense saved search.
• name - String - The name of the offense saved search.
• owner - String - The owner of the offense saved search.


Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

POST /siem/offense_saved_searches/{id}
Updates the offense saved search owner only.


Table 1258. POST /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 1259. POST /siem/offense_saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | header | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1260. POST /siem/offense_saved_searches/{id} request body details

Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "id": "1", "name": "String", "is_shared": true, "owner": "String" }

Table 1261. POST /siem/offense_saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search was updated.
403 | 1009 | You do not have the required capabilities to update the offense saved search.
404 | 1002 | The offense saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the offense saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the offense saved search.

Response Description

The offense saved search after it is updated. An offense saved search object contains the following fields:
• id - Long - The ID of the offense saved search.
• name - String - The name of the offense saved search.
• owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /siem/offense_saved_searches/{id}
Deletes an offense saved search. To ensure safe deletion, a dependency check is carried out. This check might take some time, so an asynchronous task is started to perform it.

Table 1262. DELETE /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 1263. DELETE /siem/offense_saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1264. DELETE /siem/offense_saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
202 | | The offense saved search delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the offense saved search.
404 | 1002 | The offense saved search does not exist.
500 | 1020 | An error occurred during the attempt to delete the offense saved search.

Response Description

A Delete Task Status object. The Location header is set to the task status URL
"/api/siem/offense_saved_search_delete_tasks/{task_id}", which the caller polls until the task reaches a final
state. A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was last modified.
v completed - Long - The time in milliseconds since epoch when the task completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_searches/{id}/dependents
Retrieves the objects that depend on an offense saved search.

Table 1265. GET /siem/offense_saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 1266. GET /siem/offense_saved_searches/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense saved search.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1267. GET /siem/offense_saved_searches/{id}/dependents response codes

HTTP Response Code | Unique Code | Description
202 | | The offense saved search dependents retrieval was accepted and is in progress.
404 | 1002 | The offense saved search does not exist.
500 | 1020 | An error occurred during the attempt to initiate the offense saved search dependents retrieval task.

Response Description

A Dependents Task Status object. The Location header is set to the task status URL
"/api/siem/offense_saved_search_dependents_tasks/{task_id}". A Dependents Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was last modified.
v completed - Long - The time in milliseconds since epoch when the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task (this field appears as task_sub_type in the response
sample below).
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was last modified.
– completed - Long - The time in milliseconds since epoch when the sub-task completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
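
The dependents endpoint and the DELETE endpoint above share one pattern: the call returns 202 and a Location header, and the caller polls the task status URL until the task settles. The following is an added example, not code from the QRadar guide, that runs the dependents check first, refuses to delete when anything depends on the search, and polls both tasks. Assumed rather than taken from this page: the injected `send` transport (so the flow runs offline against a constructed stand-in), the SEC and Version headers, and which task states are final.

```python
"""Safe deletion of an offense saved search: run the dependents check, then the
DELETE, polling the asynchronous task that each call starts via its Location header.
Added example, not code from the QRadar guide.

Assumptions not stated on the page: `send` is an injected HTTP transport returning
(status_code, response_headers, json_body) so the flow runs offline; a real one would
wrap `requests` and carry the SEC token and Version headers. Which task states are
final is also an assumption (PAUSED is treated as still running)."""
import time
from typing import Any, Callable, Dict, Tuple

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], Any]]

# States after which the task status no longer changes (assumed).
FINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT", "INTERRUPTED"}


def api_headers(token: str) -> Dict[str, str]:
    # Authorized-service token in SEC; pin the API version so field shapes stay stable.
    return {"SEC": token, "Version": "9.0", "Accept": "application/json"}


def poll_task(send: Transport, task_url: str, token: str,
              interval: float = 0.0, max_polls: int = 100) -> Dict[str, Any]:
    """GET the task status URL until the status is final; return the task object."""
    task: Dict[str, Any] = {}
    for _ in range(max_polls):
        code, _hdrs, task = send("GET", task_url, api_headers(token))
        if code != 200:
            raise RuntimeError(f"polling {task_url} failed: HTTP {code}")
        if task["status"] in FINAL_STATES:
            return task
        time.sleep(interval)
    raise TimeoutError(f"{task_url} still {task.get('status')} after {max_polls} polls")


def count_dependents(send: Transport, search_id: int, token: str) -> int:
    """Start the dependents task and return number_of_dependents once it completes."""
    url = f"/api/siem/offense_saved_searches/{search_id}/dependents"
    code, hdrs, _ = send("GET", url, api_headers(token))
    if code == 404:
        raise LookupError(f"offense saved search {search_id} does not exist")
    if code != 202:
        raise RuntimeError(f"dependents check not accepted: HTTP {code}")
    task = poll_task(send, hdrs["Location"], token)
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependents task ended in {task['status']}: {task.get('message')}")
    return int(task["number_of_dependents"])


def delete_saved_search(send: Transport, search_id: int, token: str) -> Dict[str, Any]:
    """Delete only when nothing depends on the search; return the final delete task."""
    n = count_dependents(send, search_id, token)
    if n:
        raise RuntimeError(f"refusing to delete: {n} object(s) depend on saved search {search_id}")
    code, hdrs, _ = send("DELETE", f"/api/siem/offense_saved_searches/{search_id}",
                         api_headers(token))
    if code == 403:
        raise PermissionError("caller lacks the capability to delete offense saved searches")
    if code != 202:
        raise RuntimeError(f"delete not accepted: HTTP {code}")
    return poll_task(send, hdrs["Location"], token)


def fake_appliance(dependents: int) -> Transport:
    """Constructed stand-in for QRadar: accepts both calls and walks each task
    through QUEUED -> PROCESSING -> COMPLETED on successive polls."""
    polls: Dict[str, int] = {}

    def send(method: str, path: str, headers: Dict[str, str]):
        assert headers.get("SEC"), "every call must carry the SEC token"
        if method == "GET" and path.endswith("/dependents"):
            loc = "/api/siem/offense_saved_search_dependents_tasks/7"
            return 202, {"Location": loc}, {"id": 7, "status": "QUEUED"}
        if method == "DELETE":
            loc = "/api/siem/offense_saved_search_delete_tasks/8"
            return 202, {"Location": loc}, {"id": 8, "status": "QUEUED"}
        polls[path] = polls.get(path, 0) + 1
        state = ("QUEUED", "PROCESSING", "COMPLETED")[min(polls[path], 3) - 1]
        task = {"id": int(path.rsplit("/", 1)[1]), "status": state, "message": state.lower()}
        if "dependents_tasks" in path:
            task["number_of_dependents"] = dependents if state == "COMPLETED" else None
        return 200, {}, task

    return send


if __name__ == "__main__":
    print(delete_saved_search(fake_appliance(0), 42, "example-token"))
```

The refusal when dependents exist is a client-side policy: the appliance's own check would surface the same situation as a task that does not end in COMPLETED, but checking first keeps the rule visible in your automation and avoids starting a delete you intend to abort.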

GET /siem/offenses
Retrieve a list of offenses currently in the system.

Table 1268. GET /siem/offenses resource details
MIME Type
application/json

Table 1269. GET /siem/offenses request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1270. GET /siem/offenses response codes

HTTP Response Code | Unique Code | Description
200 | | The offense list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1030 | The sort field or order is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the offense list was being retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:


v id - Number - The ID of the offense. (Filterable. Sortable.)
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to. (Filterable. Sortable.)
v categories - Array of strings - Event categories that are associated with the offense. (Filterable.
Sortable.)
v category_count - Number - The number of event categories that are associated with the offense.
(Filterable. Sortable.)
v policy_category_count - Number - The number of policy event categories that are associated with the
offense. (Filterable. Sortable.)
v security_category_count - Number - The number of security event categories that are associated with
the offense. (Filterable. Sortable.)
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
(Filterable. Sortable.)
v closing_user - String - The user that closed the offense. (Filterable. Sortable.)
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
(Filterable. Sortable.)
v credibility - Number - The credibility of the offense. (Filterable. Sortable.)
v relevance - Number - The relevance of the offense. (Filterable. Sortable.)
v severity - Number - The severity of the offense. (Filterable. Sortable.)
v magnitude - Number - The magnitude of the offense. (Filterable. Sortable.)
v destination_networks - Array of strings - The destination networks that are associated with the
offense. (Filterable.)
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the offense. (Filterable.
Sortable.)
v event_count - Number - The number of events that are associated with the offense. (Filterable.
Sortable.)
v flow_count - Number - The number of flows that are associated with the offense. (Filterable. Sortable.)
v inactive - Boolean - True if the offense is inactive. (Filterable. Sortable.)
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated. (Filterable. Sortable.)
v local_destination_count - Number - The number of local destinations that are associated with the
offense. (Filterable.)
v offense_source - String - The source of the offense. (Sortable.)
v offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to
retrieve the list. (Filterable. Sortable.)
v protected - Boolean - True if the offense is protected. (Filterable. Sortable.)
v follow_up - Boolean - True if the offense is marked for follow up. (Filterable. Sortable.)
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense. (Filterable. Sortable.)
v source_count - Number - The number of sources that are associated with the offense. (Filterable.)
v start_time - Number - The number of milliseconds since epoch when the offense was started.
(Filterable. Sortable.)
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". (Filterable, but the
following operators are not supported: <, >, <=, >=, BETWEEN. Sortable.)
v username_count - Number - The number of usernames that are associated with the offense. (Filterable.
Sortable.)
v source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
(Filterable.)
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense. (Filterable.)
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain. (Filterable.)
v rules - Array - An array of rules that contributed to the offense:
– id - Long - The id of the rule.
– type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".

Response Sample
[{"username_count": 42, "description": "String", "rules": [{"id": 42, "type": "String <one of: ADE_RULE, BUILDING_BLOCK_RUL
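
The four list parameters above (filter, sort, fields and the Range header) are how a client keeps an offense listing cheap: filtering and sorting happen on the appliance, fields trims the payload, and Range pages through the result. The following is an added example, not code from the QRadar guide, that builds such a request and walks every page. Assumed rather than taken from this page: the injected `send` transport (so it runs offline against a constructed stand-in), the SEC and Version headers, and the Content-Range response header ("items 0-49/1234") that QRadar sends back for a ranged request.

```python
"""Paging through GET /siem/offenses with filter, sort, fields and the Range header.
Added example, not code from the QRadar guide. `send` is an injected transport
(status, headers, json) so the example runs offline; the SEC/Version headers and the
Content-Range response header ("items 0-49/1234") are assumed from QRadar's API
conventions rather than taken from this page."""
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], Any]]


def offenses_url(filter_expr: Optional[str] = None, sort: Optional[str] = None,
                 fields: Optional[str] = None) -> str:
    """Build the query string; urlencode takes care of quotes, spaces and operators."""
    params = [(k, v) for k, v in (("filter", filter_expr), ("sort", sort), ("fields", fields)) if v]
    return "/api/siem/offenses" + ("?" + urlencode(params) if params else "")


def iter_offenses(send: Transport, token: str, filter_expr: Optional[str] = None,
                  sort: Optional[str] = None, fields: Optional[str] = None,
                  page_size: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield offenses one page at a time; Range is zero-indexed and inclusive."""
    start = 0
    while True:
        headers = {"SEC": token, "Version": "9.0", "Accept": "application/json",
                   "Range": f"items={start}-{start + page_size - 1}"}
        code, rhdrs, page = send("GET", offenses_url(filter_expr, sort, fields), headers)
        if code == 422:
            raise ValueError(f"rejected parameters (codes 1005/1010/1030): {page}")
        if code != 200:
            raise RuntimeError(f"GET offenses failed: HTTP {code}")
        yield from page
        start += len(page)
        total = None
        if "Content-Range" in rhdrs:            # e.g. "items 0-49/1234"
            total = int(rhdrs["Content-Range"].rsplit("/", 1)[1])
        if not page or len(page) < page_size or (total is not None and start >= total):
            return


def open_high_magnitude(send: Transport, token: str, threshold: int) -> List[Dict[str, Any]]:
    """Typical triage query: open offenses at or above a magnitude, highest first,
    fetching only the fields the caller needs. Note the equality test on status:
    the page says <, >, <=, >= and BETWEEN are not supported on that field."""
    return list(iter_offenses(
        send, token,
        filter_expr=f'status="OPEN" and magnitude>={threshold}',
        sort="-magnitude",
        fields="id,description,magnitude,status,assigned_to"))


def fake_offense_server(total: int = 120) -> Tuple[Transport, List[str]]:
    """Constructed stand-in holding `total` synthetic offenses. It ignores filter
    and sort (a real appliance applies them server-side) but honours Range and
    reports Content-Range; the Range values it received are recorded."""
    offenses = [{"id": i, "description": f"synthetic offense {i}", "magnitude": 10 - i % 10,
                 "status": "OPEN", "assigned_to": None} for i in range(total)]
    seen: List[str] = []

    def send(method: str, path: str, headers: Dict[str, str]):
        seen.append(headers["Range"])
        lo, hi = (int(x) for x in headers["Range"].split("=", 1)[1].split("-"))
        page = offenses[lo:hi + 1]
        return 200, {"Content-Range": f"items {lo}-{lo + len(page) - 1}/{total}"}, page

    return send, seen


if __name__ == "__main__":
    transport, ranges = fake_offense_server(120)
    found = open_high_magnitude(transport, "example-token", 7)
    print(len(found), "offenses over", len(ranges), "requests")
```

The generator stops on a short page as well as on the Content-Range total, so it terminates correctly even if the server omits that header; callers that need a hard bound on runtime should still cap the number of pages they are willing to consume.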

GET /siem/offenses/{offense_id}
Retrieve an offense structure that describes the properties of an offense.

Table 1271. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 1272. GET /siem/offenses/{offense_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1273. GET /siem/offenses/{offense_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense was retrieved.
404 | 1002 | No offense was found for the provided offense_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the offense was being retrieved.

Response Description

An Offense object. An Offense object contains the following fields:


v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the offense.
v category_count - Number - The number of event categories that are associated with the offense.
v policy_category_count - Number - The number of policy event categories that are associated with the
offense.
v security_category_count - Number - The number of security event categories that are associated with
the offense.
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are associated with the
offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the offense.
v event_count - Number - The number of events that are associated with the offense.
v flow_count - Number - The number of flows that are associated with the offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated.
v local_destination_count - Number - The number of local destinations that are associated with the
offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to
retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense.
v source_count - Number - The number of sources that are associated with the offense.
v start_time - Number - The number of milliseconds since epoch when the offense was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
v username_count - Number - The number of usernames that are associated with the offense.
v source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain.
v rules - Array - An array of rules that contributed to the offense:
– id - Long - The id of the rule.
– type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"rules": [
{
"id": 42,
"type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
}
],
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes
Retrieve a list of notes for an offense.
Table 1274. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 1275. GET /siem/offenses/{offense_id}/notes request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to retrieve the notes for.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1276. GET /siem/offenses/{offense_id}/notes response codes

HTTP Response Code | Unique Code | Description
200 | | The note list was retrieved.
404 | 1002 | No offense was found for the provided offense_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the note list was being retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:


v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

GET /siem/offenses/{offense_id}/notes/{note_id}
Retrieve a note for an offense.
Table 1277. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

Table 1278. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to retrieve the note from.
note_id | path | Required | Number (Integer) | text/plain | Required - The note ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1279. GET /siem/offenses/{offense_id}/notes/{note_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The note was retrieved.
404 | 1002 | No offense was found for the provided offense_id.
404 | 1003 | No note was found for the provided note_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}/notes
Create a note on an offense.
Table 1280. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 1281. POST /siem/offenses/{offense_id}/notes request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to add the note to.
note_text | query | Required | String | text/plain | Required - The note text.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1282. POST /siem/offenses/{offense_id}/notes response codes

HTTP Response Code | Unique Code | Description
201 | | The note was created.
404 | 1002 | No offense was found for the provided offense_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to create the note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}
Update an offense.
Table 1283. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 1284. POST /siem/offenses/{offense_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense to update.
protected | query | Optional | Boolean | text/plain | Optional - Set to true to protect the offense.
follow_up | query | Optional | Boolean | text/plain | Optional - Set to true to set the follow up flag on the offense.
status | query | Optional | String | text/plain | Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.
closing_reason_id | query | Optional | Number (Integer) | text/plain | Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense.
assigned_to | query | Optional | String | text/plain | Optional - A user to assign the offense to.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1285. POST /siem/offenses/{offense_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The offense was updated.
403 | 1009 | User does not have the required capability to assign an offense.
404 | 1002 | No offense was found for the provided offense_id.
409 | 1008 | Request cannot be completed due to the state of the offense.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:


v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the offense.
v category_count - Number - The number of event categories that are associated with the offense.
v policy_category_count - Number - The number of policy event categories that are associated with the
offense.
v security_category_count - Number - The number of security event categories that are associated with
the offense.
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are associated with the
offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the offense.
v event_count - Number - The number of events that are associated with the offense.
v flow_count - Number - The number of flows that are associated with the offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated.
v local_destination_count - Number - The number of local destinations that are associated with the
offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to
retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense.
v source_count - Number - The number of sources that are associated with the offense.
v start_time - Number - The number of milliseconds since epoch when the offense was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
v username_count - Number - The number of usernames that are associated with the offense.
v source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain.
v rules - Array - An array of rules that contributed to the offense:
– id - Long - The id of the rule.
– type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"rules": [
{
"id": 42,
"type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
}
],
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}
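
Every input to this endpoint travels in the query string rather than in a request body, and the page states two rules a client should respect before sending: a CLOSED status must be accompanied by a closing_reason_id, and a 409 (code 1008) means the offense's current state does not allow the change. The following is an added example, not code from the QRadar guide, that closes an offense with a reason after leaving an audit note through POST /siem/offenses/{offense_id}/notes, and maps the response codes from Table 1285 onto exceptions. Assumed rather than taken from this page: the injected `send` transport and constructed offense store (so it runs offline), and the SEC and Version headers.

```python
"""Closing an offense through POST /siem/offenses/{offense_id}, with an audit note
added first via POST /siem/offenses/{offense_id}/notes. Added example, not code from
the QRadar guide. Both endpoints take their inputs as query parameters, so the note
text and the closing reason are URL-encoded into the path. `send` is an injected
transport (status, headers, json) so this runs offline; SEC/Version headers are
assumed QRadar conventions."""
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], Any]]
STATUSES = {"OPEN", "HIDDEN", "CLOSED"}


def update_url(offense_id: int, **params: Any) -> str:
    """Query string for the update; booleans become lowercase true/false."""
    q = [(k, str(v).lower() if isinstance(v, bool) else v)
         for k, v in params.items() if v is not None]
    return f"/api/siem/offenses/{offense_id}" + ("?" + urlencode(q) if q else "")


def note_url(offense_id: int, note_text: str) -> str:
    return f"/api/siem/offenses/{offense_id}/notes?" + urlencode({"note_text": note_text})


def update_offense(send: Transport, token: str, offense_id: int, *,
                   status: Optional[str] = None, closing_reason_id: Optional[int] = None,
                   protected: Optional[bool] = None, follow_up: Optional[bool] = None,
                   assigned_to: Optional[str] = None,
                   note_text: Optional[str] = None) -> Dict[str, Any]:
    """Apply the change and return the updated Offense object."""
    if status is not None and status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    if status == "CLOSED" and closing_reason_id is None:
        # Same rule the API enforces; failing early avoids a pointless 422.
        raise ValueError("closing an offense requires a closing_reason_id")
    headers = {"SEC": token, "Version": "9.0", "Accept": "application/json"}
    if note_text:
        code, _, body = send("POST", note_url(offense_id, note_text), headers)
        if code != 201:
            raise RuntimeError(f"note not created: HTTP {code} {body}")
    url = update_url(offense_id, status=status, closing_reason_id=closing_reason_id,
                     protected=protected, follow_up=follow_up, assigned_to=assigned_to)
    code, _, body = send("POST", url, headers)
    if code == 200:
        return body
    if code == 403:
        raise PermissionError("caller lacks the capability to assign offenses")
    if code == 404:
        raise LookupError(f"offense {offense_id} not found")
    if code == 409:
        raise RuntimeError(f"HTTP 409: offense {offense_id} state does not allow this update")
    raise RuntimeError(f"update failed: HTTP {code} {body}")


def fake_offense_store() -> Tuple[Transport, Dict[str, Any]]:
    """Constructed stand-in holding one open offense; mirrors the page's 409 on
    re-closing and 422 when CLOSED arrives without a closing_reason_id."""
    store: Dict[str, Any] = {
        "offense": {"id": 1001, "status": "OPEN", "closing_reason_id": None,
                    "protected": False, "follow_up": False, "assigned_to": None},
        "notes": []}

    def send(method: str, path: str, headers: Dict[str, str]):
        url = urlparse(path)
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        off = store["offense"]
        if url.path.endswith("/notes"):
            note = {"id": len(store["notes"]) + 1, "create_time": 0,
                    "username": "api-service", "note_text": q["note_text"]}
            store["notes"].append(note)
            return 201, {}, note
        if q.get("status") == "CLOSED":
            if off["status"] == "CLOSED":
                return 409, {}, {"code": 1008, "message": "offense is already closed"}
            if "closing_reason_id" not in q:
                return 422, {}, {"code": 1005, "message": "closing_reason_id required"}
            off["closing_reason_id"] = int(q["closing_reason_id"])
        for key in ("status", "assigned_to"):
            if key in q:
                off[key] = q[key]
        for key in ("protected", "follow_up"):
            if key in q:
                off[key] = q[key] == "true"
        return 200, {}, dict(off)

    return send, store


if __name__ == "__main__":
    transport, state = fake_offense_store()
    print(update_offense(transport, "example-token", 1001, status="CLOSED",
                         closing_reason_id=2, note_text="Closed: benign scanner"))
```

Writing the note before the status change means the reason survives even if the update is rejected with 409; if you need the opposite ordering, close first and add the note only on success.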

GET /siem/offense_types
Retrieve all offense types.

Table 1286. GET /siem/offense_types resource details
MIME Type
application/json

Table 1287. GET /siem/offense_types request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.

Table 1288. GET /siem/offense_types response codes

HTTP Response Code | Unique Code | Description
200 | | The requested offense types list has been retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1012 | The selected field cannot be used for sorting or it does not exist.
500 | 1020 | An error occurred while attempting to retrieve the offense type list.

Response Description

The offense types that currently exist. Offense types include custom event or flow properties only if those
properties have been selected as part of a rule action or rule response limiter.
v id - Number - The ID of the offense type; this is the value that appears in an offense's offense_type field.
v property_name - String - The name of the event or flow property that this offense type represents, or, for
custom event or flow properties, their unique identifier.
v name - String - The offense type's name.
v database_type - String - The database where this type is present. Possible values are EVENTS, FLOWS, or
COMMON (if it belongs to both events and flows).
v custom - Boolean - True if the offense type is based on a custom flow or event property.
The following field can be sorted on: id.

Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id}
Retrieve an offense type structure that describes the properties of an offense type.

Table 1289. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 1290. GET /siem/offense_types/{offense_type_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_type_id | path | Required | Number (Integer) | text/plain | Required - The offense type ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1291. GET /siem/offense_types/{offense_type_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The requested offense type has been retrieved.
404 | 1002 | The requested offense type cannot be found.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the requested offense type.

Response Description

The Offense Type with the entered offense_type_id. An Offense Type object contains the following fields:
v id - Number - The ID of the offense type; this is the value that appears in an offense's offense_type field.
v property_name - String - The name of the event or flow property that this offense type represents, or, for
custom event or flow properties, their unique identifier.
v name - String - The offense type's name.
v database_type - String - The database where this type is present. Possible values are EVENTS, FLOWS, or
COMMON (if it belongs to both events and flows).
v custom - Boolean - True if the offense type is based on a custom flow or event property.

Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/source_addresses
Retrieve a list of offense source addresses currently in the system.
Table 1292. GET /siem/source_addresses resource details
MIME Type
application/json

Table 1293. GET /siem/source_addresses request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

6 REST API V9.0 References 601


Table 1294. GET /siem/source_addresses response codes
HTTP Response Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was being retrieved.

Response Description

An array of source address objects. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
v domain_id - Number - The ID of the associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]
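An added example (not code from the guide or from IBM) that pages through this endpoint with the Range header and then picks out the sources tied to one offense. The header forms Range: items=start-end and Content-Range: items start-end/total, the transport callable that stands in for an authenticated session, and the sample records are assumptions.

```python
"""Walk GET /siem/source_addresses page by page with the Range header.

Added example, not code from the QRadar guide. Assumptions: the request
header form "Range: items=<start>-<end>", the response header form
"Content-Range: items <start>-<end>/<total>", a transport callable that
stands in for an authenticated HTTPS session, and constructed sample records.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# transport(method, path, request_headers) -> (status, response_headers, body)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]

_REQ_RANGE = re.compile(r"^items=(\d+)-(\d+)$")
_RESP_RANGE = re.compile(r"^items (\d+)-(\d+)/(\d+)$")


def fetch_all_source_addresses(transport: Transport, page_size: int = 50,
                               fields: str = "id,source_ip,magnitude,offense_ids") -> List[dict]:
    """Return every source address object, asking for page_size items per call.

    The list is zero-indexed (Table 1293). Content-Range carries the total, so the
    loop stops exactly after the last page; a short page is also treated as the end.
    """
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    collected: List[dict] = []
    start = 0
    while True:
        headers = {"Accept": "application/json",
                   "Range": f"items={start}-{start + page_size - 1}"}
        status, resp_headers, body = transport(
            "GET", f"/api/siem/source_addresses?fields={fields}", headers)
        if status != 200:
            # 422/1005 bad parameter, 422/1010 bad filter, 500/1020 server error (Table 1294)
            raise RuntimeError(f"GET /siem/source_addresses failed: HTTP {status} {body}")
        page = json.loads(body)
        collected.extend(page)
        m = _RESP_RANGE.match(resp_headers.get("Content-Range", ""))
        total = int(m.group(3)) if m else None
        done = (not page or len(page) < page_size
                or (total is not None and start + len(page) >= total))
        if done:
            return collected
        start += len(page)


def sources_for_offense(addresses: List[dict], offense_id: int) -> List[str]:
    """IPs whose offense_ids list (see the response description) includes offense_id."""
    return [a["source_ip"] for a in addresses if offense_id in a.get("offense_ids", [])]


# Constructed sample records, shaped like the response sample above (not real data).
SAMPLE_SOURCES = [
    {"id": 1, "source_ip": "10.0.0.1", "magnitude": 3, "offense_ids": [100]},
    {"id": 2, "source_ip": "10.0.0.2", "magnitude": 7, "offense_ids": [100, 101]},
    {"id": 3, "source_ip": "10.0.0.3", "magnitude": 5, "offense_ids": [102]},
    {"id": 4, "source_ip": "10.0.0.4", "magnitude": 9, "offense_ids": [101]},
    {"id": 5, "source_ip": "10.0.0.5", "magnitude": 1, "offense_ids": []},
    {"id": 6, "source_ip": "10.0.0.6", "magnitude": 8, "offense_ids": [100, 102]},
    {"id": 7, "source_ip": "10.0.0.7", "magnitude": 4, "offense_ids": [103]},
]


def make_fake_transport(records: List[dict]) -> Transport:
    """Constructed stand-in for a console: honours Range and answers with Content-Range."""
    def transport(method: str, path: str, headers: Dict[str, str]):
        transport.calls += 1  # type: ignore[attr-defined]
        if method != "GET" or not path.startswith("/api/siem/source_addresses"):
            return 404, {}, json.dumps({"code": 1002, "message": "not found"})
        m = _REQ_RANGE.match(headers.get("Range", ""))
        if not m or int(m.group(2)) < int(m.group(1)):
            return 422, {}, json.dumps({"code": 1005, "message": "A request parameter is not valid."})
        lo, hi = int(m.group(1)), int(m.group(2))
        chunk = records[lo:hi + 1]
        last = lo + len(chunk) - 1 if chunk else lo
        return 200, {"Content-Range": f"items {lo}-{last}/{len(records)}"}, json.dumps(chunk)
    transport.calls = 0  # type: ignore[attr-defined]
    return transport


if __name__ == "__main__":
    fake = make_fake_transport(SAMPLE_SOURCES)
    rows = fetch_all_source_addresses(fake, page_size=3)
    print(f"{len(rows)} source addresses in {fake.calls} requests")
    print("sources tied to offense 100:", sources_for_offense(rows, 100))
```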

GET /siem/source_addresses/{source_address_id}
Retrieve an offense source address.
Table 1295. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json



Table 1296. GET /siem/source_addresses/{source_address_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number (Integer) text/plain Required - The ID of the source address to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1297. GET /siem/source_addresses/{source_address_id} response codes


HTTP Response Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was being retrieved.

Response Description
A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
v domain_id - Number - The ID of the associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}



Staged configuration endpoints
Use the references for REST API V9.0 staged configuration endpoints.

GET /staged_config/access/user_delete_tasks/{task_id}
Retrieves the delete user task status.

Table 1298. GET /staged_config/access/user_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1299. GET /staged_config/access/user_delete_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1300. GET /staged_config/access/user_delete_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/staged_config/access/user_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.



Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE
}

GET /staged_config/access/users
Retrieves a list of staged users.

Table 1301. GET /staged_config/access/users resource details
MIME Type
application/json

Table 1302. GET /staged_config/access/users request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1303. GET /staged_config/access/users response codes

HTTP Response Code Unique Code Description
200 The users were retrieved.
500 1020 An error occurred during the attempt to retrieve the users.

Response Description
An array of User objects. A User object contains the following fields:
v id - Long - The ID of the user.
v name - String - The name of the user.

Response Sample
[
{
"id": 42,
"username": "String"
}
]

DELETE /staged_config/access/users/{id}
Deletes a user from staging. To ensure safe deletion, dependencies are checked. This might take some
time. An asynchronous task is started to do this check.

Table 1304. DELETE /staged_config/access/users/{id} resource details
MIME Type
application/json

Table 1305. DELETE /staged_config/access/users/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1306. DELETE /staged_config/access/users/{id} response codes


HTTP Response Code Unique Code Description
202 The User delete command has been accepted and is in progress
403 1009 You do not have the proper capabilities to delete the User
404 1002 The User does not exist
500 1020 An error occurred while attempting to delete the User

Response Description

A Delete Task Status object and the location header set to the task status url "/api/staged_config/access/user_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTE
}
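An added example, not the guide's or IBM's code, that chains the two endpoints above: the DELETE, the Location header it returns, and polling GET /staged_config/access/user_delete_tasks/{task_id} until the task reaches a terminal status. The transport callable standing in for an authenticated session, the set of terminal status names (the sample above is truncated) and the FakeConsole are assumptions.

```python
"""Delete a staged user and wait for the asynchronous dependency check to finish.

Added example, not code from the QRadar guide. DELETE /staged_config/access/users/{id}
answers 202 with a Location header naming the task; the task status endpoint is then
polled until a terminal status. Assumptions: the transport callable, which status
names are terminal (the guide's sample is truncated), and the constructed FakeConsole.
"""
import json
import re
import time
from typing import Callable, Dict, Tuple

# transport(method, path) -> (status, response_headers, body)
Transport = Callable[[str, str], Tuple[int, Dict[str, str], str]]

# Status names from the sample above; treating these four as final is an assumption.
TERMINAL_STATUSES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION"}
_TASK_URL = re.compile(r"/api/staged_config/access/user_delete_tasks/(\d+)$")


class DeleteTaskError(RuntimeError):
    """Raised when the delete cannot be started or its status cannot be read."""


def delete_staged_user(transport: Transport, user_id: int, max_polls: int = 30,
                       interval: float = 2.0,
                       sleep: Callable[[float], None] = time.sleep) -> dict:
    """Start the delete, follow the Location header, and return the final task object."""
    if max_polls < 1:
        raise ValueError("max_polls must be at least 1")
    status, headers, body = transport("DELETE", f"/api/staged_config/access/users/{user_id}")
    if status == 403:   # code 1009: the caller lacks the capability to delete users
        raise PermissionError(f"not permitted to delete user {user_id}: {body}")
    if status == 404:   # code 1002: no such staged user
        raise LookupError(f"staged user {user_id} does not exist")
    if status != 202:
        raise DeleteTaskError(f"DELETE returned HTTP {status}: {body}")
    match = _TASK_URL.search(headers.get("Location", ""))
    # The body is itself a Delete Task Status object, so its id is the fallback.
    task_id = int(match.group(1)) if match else int(json.loads(body)["id"])
    for attempt in range(max_polls):
        status, _, body = transport(
            "GET", f"/api/staged_config/access/user_delete_tasks/{task_id}")
        if status != 200:
            raise DeleteTaskError(f"task {task_id} status read failed: HTTP {status} {body}")
        task = json.loads(body)
        if task["status"] in TERMINAL_STATUSES:
            return task
        if attempt + 1 < max_polls:
            sleep(interval)
    raise TimeoutError(f"task {task_id} still {task['status']} after {max_polls} polls")


class FakeConsole:
    """Constructed stand-in for a console: a task completes on its second status read."""

    def __init__(self) -> None:
        self.users = {1: "alice", 2: "bob"}   # constructed staged users
        self.tasks: Dict[int, dict] = {}
        self.polls = 0

    def transport(self, method: str, path: str) -> Tuple[int, Dict[str, str], str]:
        m = re.fullmatch(r"/api/staged_config/access/users/(\d+)", path)
        if method == "DELETE" and m:
            uid = int(m.group(1))
            if uid not in self.users:
                return 404, {}, json.dumps({"code": 1002, "message": "The User does not exist"})
            tid = len(self.tasks) + 1
            self.tasks[tid] = {"id": tid, "name": f"Delete user {uid}", "status": "INITIALIZING",
                               "created_by": "admin", "message": "", "_user": uid, "_reads": 0}
            loc = f"/api/staged_config/access/user_delete_tasks/{tid}"
            return 202, {"Location": loc}, json.dumps({"id": tid, "status": "INITIALIZING"})
        m = re.fullmatch(r"/api/staged_config/access/user_delete_tasks/(\d+)", path)
        if method == "GET" and m:
            task = self.tasks.get(int(m.group(1)))
            if task is None:
                return 404, {}, json.dumps(
                    {"code": 1002, "message": "The Delete Task Status does not exist."})
            self.polls += 1
            task["_reads"] += 1
            if task["_reads"] >= 2 and task["status"] != "COMPLETED":
                task["status"] = "COMPLETED"        # dependency check passed, user removed
                self.users.pop(task["_user"], None)
            public = {k: v for k, v in task.items() if not k.startswith("_")}
            return 200, {}, json.dumps(public)
        return 404, {}, json.dumps({"code": 1002, "message": "unknown resource"})


if __name__ == "__main__":
    console = FakeConsole()
    result = delete_staged_user(console.transport, 1, sleep=lambda _s: None)
    print(result["status"], "after", console.polls, "status reads; users left:", console.users)
```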

GET /staged_config/access/users/{id}
Retrieves a staged user.

Table 1307. GET /staged_config/access/users/{id} resource details
MIME Type
application/json

Table 1308. GET /staged_config/access/users/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1309. GET /staged_config/access/users/{id} response codes


HTTP Response Code Unique Code Description
200 The User was retrieved
404 1002 The User does not exist
500 1020 An error occurred while attempting to retrieve the User

Response Description

The User after it has been retrieved. A User object contains the following fields:
v id - Long - The ID of the user.
v name - String - The name of the user.



Response Sample
{
"id": 42,
"username": "String"
}

GET /staged_config/deploy_status
Retrieves the status of a deploy in progress.

Table 1310. GET /staged_config/deploy_status resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 1311. GET /staged_config/deploy_status response codes
HTTP Response Code Unique Code Description
200 The event Ariel saved search group was updated.
500 1020 An error occurred during the attempt to retrieve the status of the running deploy.

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy (0 - 100).

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

POST /staged_config/deploy_status
Executes a deploy.

Table 1312. POST /staged_config/deploy_status resource details
MIME Type
application/json

Table 1313. POST /staged_config/deploy_status request body details

Parameter Data Type MIME Type Description Sample
deploy_status Object application/json null { "hosts": [ { "host_status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>", "ip": "String", "status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>" } ], "initiated_by": "String", "initiated_from": "String", "percent_complete": 42, "status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>", "type": "String <one of: INCREMENTAL, FULL>" }

Table 1314. POST /staged_config/deploy_status response codes

HTTP Response Code Unique Code Description
200 The deploy was scheduled.
409 1002 There already exists a deploy in action, or there are no changes to deploy.
409 1003 null
409 1004 null
422 1005 null
500 1020 An error occurred during the attempt to run the deploy.

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.

v hosts - Map of < String, List of String > - A map of status states and a list of hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy (0 - 100).

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

GET /staged_config/deployment/hosts
Retrieves a list of all staged hosts.

Retrieves the list of all staged hosts.


Table 1315. GET /staged_config/deployment/hosts resource details
MIME Type
application/json

Table 1316. GET /staged_config/deployment/hosts request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1317. GET /staged_config/deployment/hosts response codes


HTTP Response Code Unique Code Description
200 The host list was successfully retrieved.
500 1005 An error occurred during the attempt to retrieve the host list.

Response Description
A list of all the hosts. Each Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous month.
v peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this managed host.
v license_serial_number - The serial number that is associated with this managed host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]
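An added example, not the guide's or IBM's code, that reviews the Host objects described above before a deploy is run: add failures, encryption_enabled, allocations against the hardware limits, peak rates, and ingest hosts without a secondary server. The finding rules and the sample hosts are constructed assumptions.

```python
"""Audit staged hosts returned by GET /staged_config/deployment/hosts before a deploy.

Added example, not code from the QRadar guide. It inspects the Host fields described
above (status, encryption_enabled, eps/fpm allocation and hardware limits, peak rates,
components, secondary_server_id) and lists what a reviewer would want resolved before
POST /staged_config/deploy_status is called. Rules and sample hosts are assumptions.
"""
from typing import Dict, List

Host = dict  # one Host object as described in the response description above

# Components that ingest events or flows; a host running one of these with no
# secondary server has no HA partner (assumed reviewer rule).
INGEST_COMPONENTS = {"eventcollector", "eventprocessor", "ecs-ec", "ecs-ep", "qflow"}


def audit_host(host: Host) -> List[str]:
    """Return reviewer findings for one host; an empty list means nothing to flag."""
    notes: List[str] = []
    status = str(host.get("status", ""))
    if status.startswith("ADD_FAILED"):
        notes.append(f"add failed ({status}); the host is not a working part of the deployment")
    if not host.get("encryption_enabled", False):
        notes.append("encryption_enabled is false; data between this host and its peers is unencrypted")
    for kind in ("eps", "fpm"):
        alloc = host.get(f"{kind}_allocation") or 0
        limit = host.get(f"{kind}_rate_hardware_limit") or 0
        peak = host.get(f"peak_{kind}") or 0
        if limit and alloc > limit:
            notes.append(f"{kind}_allocation {alloc} exceeds {kind}_rate_hardware_limit {limit}")
        if alloc and peak > alloc:
            notes.append(f"peak_{kind} {peak} exceeded {kind}_allocation {alloc} in the previous month")
    if INGEST_COMPONENTS & set(host.get("components", [])) and host.get("secondary_server_id") is None:
        notes.append("ingest host without a secondary_server_id (no HA partner)")
    return notes


def audit_hosts(hosts: List[Host]) -> Dict[int, List[str]]:
    """Map host id -> findings, keeping only hosts that have at least one finding."""
    findings: Dict[int, List[str]] = {}
    for host in hosts:
        notes = audit_host(host)
        if notes:
            findings[host["id"]] = notes
    return findings


def deploy_ready(hosts: List[Host]) -> bool:
    """Assumed gate: no host may have an add failure or an allocation above its limit."""
    for host in hosts:
        if str(host.get("status", "")).startswith("ADD_FAILED"):
            return False
        for kind in ("eps", "fpm"):
            limit = host.get(f"{kind}_rate_hardware_limit") or 0
            if limit and (host.get(f"{kind}_allocation") or 0) > limit:
                return False
    return True


# Constructed sample hosts, shaped like the response sample above (not a real deployment).
SAMPLE_HOSTS: List[Host] = [
    {"id": 1, "hostname": "console", "status": "Active", "encryption_enabled": True,
     "components": ["hostcontext", "tomcat-rm", "magistrate"], "secondary_server_id": None,
     "eps_allocation": 5000, "eps_rate_hardware_limit": 10000, "peak_eps": 3000,
     "fpm_allocation": 100000, "fpm_rate_hardware_limit": 200000, "peak_fpm": 50000},
    {"id": 2, "hostname": "ep-01", "status": "Active", "encryption_enabled": False,
     "components": ["eventprocessor", "ecs-ep"], "secondary_server_id": None,
     "eps_allocation": 5000, "eps_rate_hardware_limit": 5000, "peak_eps": 7000,
     "fpm_allocation": 0, "fpm_rate_hardware_limit": 0, "peak_fpm": 0},
    {"id": 3, "hostname": "ec-02", "status": "ADD_FAILED_RETRY_CONNECTION",
     "encryption_enabled": True, "components": [], "secondary_server_id": None,
     "eps_allocation": 0, "eps_rate_hardware_limit": 0, "peak_eps": 0,
     "fpm_allocation": 0, "fpm_rate_hardware_limit": 0, "peak_fpm": 0},
]


if __name__ == "__main__":
    for host_id, notes in audit_hosts(SAMPLE_HOSTS).items():
        for note in notes:
            print(f"host {host_id}: {note}")
    print("ready to deploy:", deploy_ready(SAMPLE_HOSTS))
```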



GET /staged_config/deployment/hosts/{id}
Retrieves a staged host by ID.

Table 1318. GET /staged_config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 1319. GET /staged_config/deployment/hosts/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the staged host to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1320. GET /staged_config/deployment/hosts/{id} response codes


HTTP Response Code Unique Code Description
200 The host was successfully retrieved.
404 1006 No such staged host for the given ID
422 1007 The provided ID was a negative number or zero.
500 1008 An error occurred during the retrieval of the host.

Response Description

The associated staged host object. The Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous month.
v peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this managed host.
v license_serial_number - The serial number that is associated with this managed host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}

GET /staged_config/global_system_notifications
Retrieves a list of all staged global system notifications.

Retrieves the list of staged global system notifications.


Table 1321. GET /staged_config/global_system_notifications resource details
MIME Type
application/json

Table 1322. GET /staged_config/global_system_notifications request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1323. GET /staged_config/global_system_notifications response codes

HTTP Response Code Unique Code Description
200 The staged global system notifications list was successfully retrieved.
500 1020 An internal server error occurred during retrieval of the list of staged global system notifications.



Response Description

A list of all staged global system notifications. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /staged_config/global_system_notifications/{notification_id}
Retrieves a staged global system notification by ID.

Table 1324. GET /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 1325. GET /staged_config/global_system_notifications/{notification_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number (Integer) text/plain ID that is used for retrieving a staged global system notification.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1326. GET /staged_config/global_system_notifications/{notification_id} response codes

HTTP Response Code Unique Code Description
200 The staged global system notification was successfully retrieved.
404 1002 No staged global system notification was found for the provided notification ID.
500 1020 An error occurred during the retrieval of the notification.



Response Description

The associated staged global system notification object. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

POST /staged_config/global_system_notifications/{notification_id}
Updates an existing staged global system notification.

Table 1327. POST /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 1328. POST /staged_config/global_system_notifications/{notification_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number (Integer) text/plain ID that is used for updating a staged global system notification.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1329. POST /staged_config/global_system_notifications/{notification_id} request body details

Parameter Data Type MIME Type Description Sample
notification Object application/json The updated global system notification object. { "id": 1, "name": "Systemloadover1minute", "operator": "GT", "value": 3.6, "message": "If your system continues to exhibit this behavior, please contact Customer Support.", "enabled": true, "isDefault": true }



Table 1330. POST /staged_config/global_system_notifications/{notification_id} response codes
HTTP Response Code Unique Code Description
200 The staged global system notification was successfully updated.
404 1002 No staged global system notification was found for the provided notification ID.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the retrieval of the notification.

Response Description

The associated updated staged global system notification object. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /staged_config/remote_networks
Retrieves a list of staged remote networks.

Retrieves the list of staged remote networks.


Table 1331. GET /staged_config/remote_networks resource details
MIME Type
application/json

Table 1332. GET /staged_config/remote_networks request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1333. GET /staged_config/remote_networks response codes

HTTP Response Code Unique Code Description
200 The staged remote networks list was successfully retrieved.
500 1020 An internal server error occurred during the retrieval of the list of staged remote networks.

Response Description

A list of staged remote networks. A remote network contains the following fields:

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_networks
Adds a new staged remote network.

Creates a new staged remote network.


Table 1334. POST /staged_config/remote_networks resource details
MIME Type
application/json

6 REST API V9.0 References 619


Table 1335. POST /staged_config/remote_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1336. POST /staged_config/remote_networks request body details
Parameter | Data Type | MIME Type | Description | Sample
network | Object | application/json | The new remote network object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 1337. POST /staged_config/remote_networks response codes
HTTP Response Code | Unique Code | Description
201 | | The new staged remote network was successfully created.
409 | 1008 | The remote network name already exists in the selected group.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred during the creation of the remote network.

Response Description
The newly created staged remote network object.
v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
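
The POST endpoint above reports a duplicate name within a group as 409/1008 and an invalid parameter as 422/1005, but only after a round trip to the Console. The following is an added example, not code from this guide or from QRadar's own API client, that pre-flights a new remote network client-side: it canonicalizes the CIDR list with Python's ipaddress module using strict networks, so an address with host bits set (10.0.0.5/8) is refused instead of being silently widened, drops duplicates, and checks the name against a staged list already fetched with GET /staged_config/remote_networks. The staged list and the network values are constructed for the example; any server-side validation beyond what the tables state is assumed, not documented.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample: the kind of list GET /staged_config/remote_networks
# returns. Values are made up for this example.
STAGED_REMOTE_NETWORKS: List[Dict[str, Any]] = [
    {"id": 1, "name": "Partner-VPN", "group": "Partners",
     "description": "Partner site", "cidrs": ["203.0.113.0/24"]},
    {"id": 2, "name": "Office", "group": "Corp",
     "description": "Head office", "cidrs": ["198.51.100.0/25", "2001:db8::/32"]},
]


def normalize_cidrs(cidrs: List[str]) -> List[str]:
    """Validate and canonicalize CIDR strings, dropping duplicates.

    Raises ValueError for anything that is not a network in CIDR notation or
    that has host bits set; the server would answer such input with 422/1005.
    """
    seen = set()
    out: List[str] = []
    for raw in cidrs:
        text = raw.strip()
        if "/" not in text:
            raise ValueError(f"{text!r}: missing prefix length")
        # strict=True raises ValueError when host bits are set (e.g. 10.0.0.5/8)
        canon = str(ipaddress.ip_network(text, strict=True))
        if canon not in seen:
            seen.add(canon)
            out.append(canon)
    if not out:
        raise ValueError("a remote network needs at least one CIDR")
    return out


def build_remote_network_body(name: str, group: str, cidrs: List[str],
                              description: str = "",
                              existing: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Return the JSON-ready body for POST /staged_config/remote_networks.

    Mirrors the endpoint's documented failure modes before the request is sent:
      409/1008 - the name already exists in the same group (same name in a
                 different group is allowed)
      422/1005 - invalid parameter (bad CIDR, empty name or group)
    """
    if not name.strip() or not group.strip():
        raise ValueError("name and group are required")
    for net in existing or []:
        if net.get("group") == group and net.get("name") == name:
            raise ValueError(f"name {name!r} already exists in group {group!r} (would be 409/1008)")
    return {"name": name, "group": group, "description": description,
            "cidrs": normalize_cidrs(cidrs)}


if __name__ == "__main__":
    print(build_remote_network_body("DR-Site", "Corp", ["192.0.2.0/24"],
                                    "Disaster recovery", STAGED_REMOTE_NETWORKS))
```

The returned dictionary is what you would serialize with json.dumps and send as the request body; the id field is left out because the server assigns it.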

GET /staged_config/remote_networks/{network_id}
Retrieves a staged remote network by ID.

Retrieves a staged remote network by ID.



Table 1338. GET /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 1339. GET /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to retrieve a staged remote network.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1340. GET /staged_config/remote_networks/{network_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote network was successfully retrieved.
404 | 1002 | No staged remote network was found with the provided ID.
500 | 1020 | An error occurred during the retrieval of the remote network.

Response Description

The associated staged remote network object.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_networks/{network_id}
Updates an existing staged remote network.

Updates an existing staged remote network.


Table 1341. POST /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json



Table 1342. POST /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to update a staged remote network.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1343. POST /staged_config/remote_networks/{network_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
network | Object | application/json | The updated remote network object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 1344. POST /staged_config/remote_networks/{network_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote network was successfully updated.
404 | 1002 | No staged remote network was found for the provided network ID.
409 | 1008 | The remote network name already exists in the selected group.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred during the update of the remote network.

Response Description

The associated updated staged remote network object.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}



DELETE /staged_config/remote_networks/{network_id}
Deletes an existing staged remote network.

Deletes an existing staged remote network.


Table 1345. DELETE /staged_config/remote_networks/{network_id} resource details
MIME Type
text/plain

Table 1346. DELETE /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to locate the staged remote network.

Table 1347. DELETE /staged_config/remote_networks/{network_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The staged remote network was successfully deleted.
404 | 1002 | No staged remote network was found for the provided network ID.
500 | 1020 | An error occurred during the deletion of the remote network.

Response Description

Response Sample

GET /staged_config/remote_services
Retrieves a list of staged remote services.

Retrieves the list of staged remote services.


Table 1348. GET /staged_config/remote_services resource details
MIME Type
application/json

Table 1349. GET /staged_config/remote_services request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1350. GET /staged_config/remote_services response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote services list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of staged remote services.

Response Description
A list of staged remote services.
v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_services
Adds a staged remote service.

Creates a staged remote service.


Table 1351. POST /staged_config/remote_services resource details
MIME Type
application/json



Table 1352. POST /staged_config/remote_services request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1353. POST /staged_config/remote_services request body details
Parameter | Data Type | MIME Type | Description | Sample
service | Object | application/json | The new remote service object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 1354. POST /staged_config/remote_services response codes
HTTP Response Code | Unique Code | Description
201 | | The new staged remote service was successfully created.
409 | 1008 | The remote service name already exists in the selected group.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred during the creation of the remote service.

Response Description
The newly created staged remote service object.
v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /staged_config/remote_services/{service_id}
Retrieves a staged remote service by ID.

Retrieves a staged remote service by ID.



Table 1355. GET /staged_config/remote_services/{service_id} resource details
MIME Type
application/json

Table 1356. GET /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for the retrieval of a staged remote service.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1357. GET /staged_config/remote_services/{service_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote service was successfully retrieved.
404 | 1002 | No staged remote service was found with the provided ID.
500 | 1020 | An error occurred during the retrieval of the remote service.

Response Description

The associated staged remote service object.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_services/{service_id}
Updates an existing staged remote service.

Updates an existing staged remote service.


Table 1358. POST /staged_config/remote_services/{service_id} resource details
MIME Type
application/json



Table 1359. POST /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for updating a staged remote service.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1360. POST /staged_config/remote_services/{service_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
service | Object | application/json | The updated remote service object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 1361. POST /staged_config/remote_services/{service_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote service was successfully updated.
404 | 1002 | No staged remote service was found for the provided service ID.
409 | 1008 | The remote service name already exists in the selected group.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred during the update of the remote service.

Response Description

The associated updated staged remote service object.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}



DELETE /staged_config/remote_services/{service_id}
Deletes an existing staged remote service.

Deletes an existing staged remote service.


Table 1362. DELETE /staged_config/remote_services/{service_id} resource details
MIME Type
text/plain

Table 1363. DELETE /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for locating the staged remote service.

Table 1364. DELETE /staged_config/remote_services/{service_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The staged remote service was successfully deleted.
404 | 1002 | No staged remote service was found for the provided service ID.
500 | 1020 | An error occurred during the deletion of the remote service.

Response Description

Response Sample

DELETE /staged_config/yara_rules
Deletes all Yara rules from the QRadar system.

Deletes all Yara rules from the QRadar system.


Table 1365. DELETE /staged_config/yara_rules resource details
MIME Type
text/plain

There are no parameters for this endpoint.


Table 1366. DELETE /staged_config/yara_rules response codes
HTTP Response Code | Unique Code | Description
204 | | Yara rules were successfully deleted from the system.
500 | 1020 | An error occurred during the attempt to delete the Yara rules.

Response Description

In case of an error, the method returns an exception.



Response Sample

PUT /staged_config/yara_rules
Uploads the supplied Yara rule file to the QRadar system. If the provided Yara file is empty, all rules are
deleted from the system.

Uploads the supplied Yara rule file to the QRadar system.


Table 1367. PUT /staged_config/yara_rules resource details
MIME Type
text/plain

Table 1368. PUT /staged_config/yara_rules request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/zip | Required - The Yara rule file. Must be properly-formed Yara rule content, either a TEXT file, or a TEXT file within a ZIP or TAR.GZ archive. Must be provided with MIME type text/plain, application/zip, application/x-gzip or multipart/form-data. | File

Table 1369. PUT /staged_config/yara_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The supplied Yara rule file was uploaded.
422 | 1101 | Must be a correctly-formatted Yara rule file.
422 | 1103 | The archive file must only contain a single Yara rule file.
422 | 1107 | Invalid archive file was provided.
500 | 1104 | Failed to extract the contents of the archive file.
500 | 1105 | Yara validator script was terminated owing to timeout.
500 | 1106 | Yara validator script encountered an unknown exception.

Response Description

In case of an error, the method returns an exception.

Response Sample
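
The request body and response code tables above define three client-fixable 422 conditions for this endpoint: the archive is not valid (1107), it contains more than one file (1103), or the content is not a well-formed rule file (1101). The following is an added example, not code from this guide or from QRadar, that builds single-file ZIP and TAR.GZ uploads in memory and runs a client-side preflight mirroring those conditions. It picks the MIME type to send from the body's magic bytes (an assumption; the guide only lists the accepted types), enforces exactly one regular-file member, refuses archive member names that would escape their directory (client-side hygiene the guide does not mention), and applies only a cheap plausibility check for YARA text, since the real check is done by the server-side validator script. An empty body is passed through because, as the description says, an empty upload deletes all rules. SAMPLE_RULE is constructed for the example.

```python
import io
import tarfile
import zipfile
from typing import Dict, List, Tuple

# Constructed sample rule for this example; not a rule shipped with QRadar.
SAMPLE_RULE = b"""
rule example_suspicious_string
{
    meta:
        description = "constructed example rule"
    strings:
        $a = "evil-marker" ascii
    condition:
        $a
}
"""


def pack_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def pack_tgz(entries: Dict[str, bytes]) -> bytes:
    """Build a TAR.GZ archive in memory from {member name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def inspect_rule_upload(data: bytes) -> Tuple[str, str]:
    """Return (mime_type, rule_text) for a candidate PUT /staged_config/yara_rules body.

    Raises ValueError for the conditions the server reports as 422/1107
    (invalid archive), 422/1103 (not exactly one file) and 422/1101 (not
    rule text). An empty body is returned as-is: it deletes all rules.
    """
    if not data:
        return "text/plain", ""
    names: List[str]
    blobs: List[bytes]
    if data.startswith(b"PK\x03\x04"):                      # ZIP local file header
        mime = "application/zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [i for i in zf.infolist() if not i.is_dir()]
                names = [i.filename for i in members]
                blobs = [zf.read(i) for i in members]
        except zipfile.BadZipFile as exc:
            raise ValueError(f"invalid archive (422/1107): {exc}")
    elif data.startswith(b"\x1f\x8b"):                      # gzip magic
        mime = "application/x-gzip"
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                members = [m for m in tf.getmembers() if m.isfile()]
                names = [m.name for m in members]
                blobs = [tf.extractfile(m).read() for m in members]
        except (tarfile.TarError, OSError) as exc:
            raise ValueError(f"invalid archive (422/1107): {exc}")
    else:                                                   # plain rule text
        mime = "text/plain"
        names, blobs = ["<inline>"], [data]

    if len(blobs) != 1:
        raise ValueError(f"archive must contain exactly one rule file, found {len(blobs)} (422/1103)")
    # Client-side hygiene: never ship an archive whose member would escape its directory.
    if names[0].startswith("/") or ".." in names[0].split("/"):
        raise ValueError(f"refusing archive member with unsafe path {names[0]!r}")
    try:
        text = blobs[0].decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("rule file is not UTF-8 text (422/1101)")
    # Plausibility only; the server's YARA validator decides what is well-formed.
    if "rule " not in text or "condition:" not in text:
        raise ValueError("content does not look like a YARA rule file (422/1101)")
    return mime, text


if __name__ == "__main__":
    print(inspect_rule_upload(pack_zip({"rules/example.yar": SAMPLE_RULE}))[0])
```

Send the returned text or the original archive bytes as the PUT body with the returned MIME type in the Content-Type header; the preflight does not replace the server's 1104 to 1106 failures, which come from extraction and the validator script itself.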

System endpoints
Use the references for REST API V9.0 system endpoints.

GET /system/authorization/password_policies
Retrieves a list of the Password Policies that exist on the system.

View a list of all the Password Policies available on the system. Currently this is limited to exactly one
policy. A policy defines the requirements for passwords that are stored locally; it is enforced at login, when
a new user is created, and when a user updates their password.



Note: This only applies when using System Authentication and does not apply to external passwords.
Table 1370. GET /system/authorization/password_policies resource details
MIME Type
application/json

Table 1371. GET /system/authorization/password_policies request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1372. GET /system/authorization/password_policies response codes
HTTP Response Code | Unique Code | Description
200 | | The Password Policy list was retrieved.

Response Description

An array of Password Policy objects. Passwords stored in the system must adhere to the policy. A
Password Policy object has the following fields:
v id - Number - The ID of the Password Policy
v minimum_length - The minimum length that passwords on the system must adhere to
v variance_rules - Contains a subset of the following values: UPPER_CASE, LOWER_CASE, NUMBER,
OTHER.
v variance_rules_required_count - The number of variance_rules that must be met before a password is
said to 'pass'. This must be a number between 0 and 4.
v password_history_size - The number of password_expiry_intervals that passwords are remembered
and not allowed to be reused. Must be greater than 0, or 'null'. For example, with a
password_history_size of 3 and a password_expiry_interval of 90 (days), 270 days must pass before a
password can be reused. If a user changes their password four times in one day, they still cannot use
the first password because 270 days have not passed.
v password_expiry_interval - The number of milliseconds before a password must be changed. Setting
this field to 'null' means passwords never expire.
v disallow_repeating_characters - Set this value to true to disallow more than 2 repeating characters. For
example, "abbc" is allowed, where "abbbc" is not.



Response Sample
[
{
"disallow_repeating_characters": true,
"id": 42,
"minimum_length": 42,
"password_expiry_interval": 42,
"password_history_size": 42,
"variance_rules": [
"String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>"
],
"variance_rules_required_count": 42
}
]

GET /system/authorization/password_policies/{id}
Retrieves a single Password Policy that exists on the system.

View a single Password Policy available on the system. A policy defines the requirements for passwords
that are stored locally; it is enforced at login, when a new user is created, and when a user updates their
password.

Note: This only applies when using System Authentication and does not apply to external passwords.
Table 1373. GET /system/authorization/password_policies/{id} resource details
MIME Type
application/json

Table 1374. GET /system/authorization/password_policies/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required. The ID of the Password Policy to retrieve. This can only be 1.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1375. GET /system/authorization/password_policies/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Password Policy was retrieved.
404 | 1002 | The ID parameter is not 1.

Response Description

A single Password Policy object has the following fields:


v id - Number - The ID of the Password Policy
v minimum_length - The minimum length that passwords on the system must adhere to



v variance_rules - Contains a subset of the following values: UPPER_CASE, LOWER_CASE, NUMBER,
OTHER.
v variance_rules_required_count - The number of variance_rules that must be met before a password is
said to 'pass'. This must be a number between 0 and 4.
v password_history_size - The number of password_expiry_intervals that passwords are remembered
and not allowed to be reused. Must be greater than 0, or 'null'. For example, with a
password_history_size of 3 and a password_expiry_interval of 90 (days), 270 days must pass before a
password can be reused. If a user changes their password four times in one day, they still cannot use
the first password because 270 days have not passed.
v password_expiry_interval - The number of milliseconds before a password must be changed. Setting
this field to 'null' means passwords never expire.
v disallow_repeating_characters - Set this value to true to disallow more than 2 repeating characters. For
example, "abbc" is allowed, where "abbbc" is not.

Response Sample
{
"disallow_repeating_characters": true,
"id": 42,
"minimum_length": 42,
"password_expiry_interval": 42,
"password_history_size": 42,
"variance_rules": [
"String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>"
],
"variance_rules_required_count": 42
}

POST /system/authorization/password_policies/{id}
Updates the single Password Policy available on the system.

Updates the single Password Policy available on the system. This policy defines the requirements for
passwords that are stored locally; it is enforced at login, when a new user is created, and when a user
updates their password.

Note: This only applies when using System Authentication and does not apply to external passwords.
Table 1376. POST /system/authorization/password_policies/{id} resource details
MIME Type
application/json

Table 1377. POST /system/authorization/password_policies/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required. The ID of the Password Policy to update. This can only be 1.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 1378. POST /system/authorization/password_policies/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
policy | Object | application/json | Required. A single Password Policy object. The modifiable fields are listed below; any other fields that are set are ignored. | { "disallow_repeating_characters": true, "minimum_length": 42, "password_expiry_interval": 42, "password_history_size": 42, "variance_rules": [ "String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>" ], "variance_rules_required_count": 42 }

Modifiable fields of the policy object:
v minimum_length - The minimum length that passwords on the system must adhere to
v variance_rules - Contains a subset of the following values: UPPER_CASE, LOWER_CASE, NUMBER, OTHER.
v variance_rules_required_count - The number of variance_rules that must be met before a password is said to 'pass'. This must be a number between 0 and 4.
v password_history_size - The number of password_expiry_intervals that passwords are remembered and not allowed to be reused. Must be greater than 0, or 'null'. For example, with a password_history_size of 3 and a password_expiry_interval of 90 (days), 270 days must pass before a password can be reused. If a user changes their password four times in one day, they still cannot use the first password because 270 days have not passed.
v password_expiry_interval - The number of milliseconds before a password must be changed. Setting this field to 'null' means passwords never expire.
v disallow_repeating_characters - Set this value to true to disallow more than 2 repeating characters. For example, "abbc" is allowed, where "abbbc" is not.



Table 1379. POST /system/authorization/password_policies/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Password Policy was updated.
404 | 1002 | The ID parameter was not 1.
422 | 1010 | The minimum_length parameter is not in the range 1-255.
422 | 1011 | The variance_rules_required_count parameter is not either 0 or 3.
422 | 1012 | The password_history_size and password_expiry_interval are not set consistently. Either both must be set, or both must be null.
422 | 1013 | The variance_rules_required_count is greater than the number of variance_rules.
422 | 1014 | The password_expiry_interval, after truncation to whole days, is 0.

Response Description

The resulting Password Policy with the following fields:


v id - Number - The ID of the Password Policy
v minimum_length - The minimum length that passwords on the system must adhere to
v variance_rules - Contains a subset of the following values: UPPER_CASE, LOWER_CASE, NUMBER,
OTHER.
v variance_rules_required_count - The number of variance_rules that must be met before a password is
said to 'pass'. This must be a number between 0 and 4.
v password_history_size - The number of password_expiry_intervals that passwords are remembered
and not allowed to be reused. Must be greater than 0, or 'null'. For example, with a
password_history_size of 3 and a password_expiry_interval of 90 (days), 270 days must pass before a
password can be reused. If a user changes their password four times in one day, they still cannot use
the first password because 270 days have not passed.
v password_expiry_interval - The number of milliseconds before a password must be changed. Setting
this field to 'null' means passwords never expire. The password_expiry_interval field is truncated to a
whole number of days (a multiple of 86,400,000 milliseconds).
v disallow_repeating_characters - Set this value to true to disallow more than 2 repeating characters. For
example, "abbc" is allowed, where "abbbc" is not.

Response Sample
{
"disallow_repeating_characters": true,
"id": 42,
"minimum_length": 42,
"password_expiry_interval": 42,
"password_history_size": 42,
"variance_rules": [
"String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>"
],
"variance_rules_required_count": 42
}

POST /system/authorization/password_validators
Creates a new password validator for the provided password based on the current Password Policy.

Creates a new user password validator. Password validators are used to determine whether a password
passes the password policy and, if it does not, to give feedback on why it failed. The validator is returned
in the response from the server. Neither the validator nor the password is persisted.
Table 1380. POST /system/authorization/password_validators resource details
MIME Type
application/json

Table 1381. POST /system/authorization/password_validators request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1382. POST /system/authorization/password_validators request body details
Parameter | Data Type | MIME Type | Description | Sample
password | String | text/plain | The password that the validator will validate. | String

Table 1383. POST /system/authorization/password_validators response codes
HTTP Response Code | Unique Code | Description
200 | | Response with the password validator. The 200 response is returned whether or not the password passed validation; it indicates only that the validation was performed. Details of the validation are in the returned password validator structure.
404 | 38312001 | The password field is null.

Response Description

A Password Validator with the following fields:


v password - Caller is required to set this field when creating a new user password validator. This field
is always null in every server response.
v minimum_length_rule_passed - Indicates if the provided password passed the minimum length rule
from the password policy. Set to null if the minimum length rule from the password policy is not
enabled.
v provided_password_length - The number of unicode characters in the provided password.
v variance_rules_required_count_passed - Indicates if the provided password passed the variance count
rule from the password policy. Set to null if the variance count rule is not enabled.
v variance_rules_passed - Lists the variance rules that the provided password passed. Set to null if the
variance count rule is not enabled.
v variance_rules_failed - Lists the variance rules that the provided password failed. Set to null if the
variance count rule is not enabled.



v password_history_size_rule_passed - Indicates if the provided password passed the password history
rule. Set to null if the password history rule is not enabled.
v disallow_repeating_characters_rule_passed - Indicates if the provided password passed the repeating
characters rule. Set to null if the repeating characters rule is not enabled.

Response Sample
{
"disallow_repeating_characters_rule_passed": true,
"minimum_length_rule_passed": true,
"password": "String",
"password_history_size_rule_passed": true,
"provided_password_length": 42,
"variance_rules_failed": [
"String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>"
],
"variance_rules_passed": [
"String <one of: UPPER_CASE, LOWER_CASE, NUMBER, OTHER>"
],
"variance_rules_required_count_passed": true
}
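
The policy fields and the 422 checks of POST /system/authorization/password_policies/{id}, and the validator fields returned by POST /system/authorization/password_validators, are all defined above. The following is an added example, not code from this guide or from QRadar, that implements both offline in Python: validate_policy_update pre-flights an update body and truncates password_expiry_interval to whole days (this example reads "truncated to milliseconds in a day" as truncation to a multiple of 86,400,000 ms), and validate_password evaluates a password against a policy and returns an object shaped like the server's validator response, so the same checks can run without sending the candidate password anywhere. Assumptions not stated by the guide: OTHER means any character that is not upper case, lower case or a digit; a variance_rules_required_count of 0 disables the variance rule; the history rule is reported as null because password history exists only on the server. The field description (0 to 4) and response code 1011 (0 or 3) disagree on the accepted values of variance_rules_required_count; the example enforces only the range and the "count must not exceed the number of rules" checks, so it may accept a value the server rejects. SAMPLE_POLICY is constructed.

```python
from typing import Any, Dict, List, Optional

MS_PER_DAY = 86_400_000  # the server keeps password_expiry_interval in whole days
VARIANCE_RULES = ("UPPER_CASE", "LOWER_CASE", "NUMBER", "OTHER")

# Constructed sample policy for this example (not a value from the guide).
SAMPLE_POLICY: Dict[str, Any] = {
    "id": 1,
    "minimum_length": 12,
    "variance_rules": list(VARIANCE_RULES),
    "variance_rules_required_count": 3,
    "password_history_size": 3,
    "password_expiry_interval": 90 * MS_PER_DAY,
    "disallow_repeating_characters": True,
}


def validate_policy_update(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-flight a body for POST /system/authorization/password_policies/{id}.

    Returns the normalized body (expiry truncated to whole days). Each
    ValueError names the 422 unique code the server reports for the same problem.
    """
    body = dict(policy)
    length = body.get("minimum_length")
    if not isinstance(length, int) or not 1 <= length <= 255:
        raise ValueError("minimum_length must be in 1-255 (422/1010)")
    rules: List[str] = list(body.get("variance_rules") or [])
    unknown = [r for r in rules if r not in VARIANCE_RULES]
    if unknown:
        raise ValueError(f"unknown variance_rules {unknown}")
    count = body.get("variance_rules_required_count", 0)
    if not isinstance(count, int) or not 0 <= count <= 4:
        raise ValueError("variance_rules_required_count must be 0-4 (422/1011)")
    if count > len(rules):
        raise ValueError("variance_rules_required_count exceeds variance_rules (422/1013)")
    history = body.get("password_history_size")
    expiry = body.get("password_expiry_interval")
    if (history is None) != (expiry is None):
        raise ValueError("history size and expiry interval must both be set or both null (422/1012)")
    if expiry is not None:
        if history <= 0:
            raise ValueError("password_history_size must be greater than 0")
        truncated = (expiry // MS_PER_DAY) * MS_PER_DAY   # drop the partial day
        if truncated == 0:
            raise ValueError("password_expiry_interval truncates to 0 days (422/1014)")
        body["password_expiry_interval"] = truncated
    return body


def _classify(ch: str) -> str:
    """Map one character to its variance rule (OTHER is an assumption)."""
    if ch.isupper():
        return "UPPER_CASE"
    if ch.islower():
        return "LOWER_CASE"
    if ch.isdigit():
        return "NUMBER"
    return "OTHER"


def _has_run_longer_than(text: str, limit: int) -> bool:
    """True if any character repeats consecutively more than `limit` times."""
    run = 1
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False


def validate_password(password: str, policy: Dict[str, Any]) -> Dict[str, Optional[Any]]:
    """Evaluate a password against a policy, shaped like the server's validator.

    `password` is None as in every server response; history is None because
    only the server knows the user's previous passwords.
    """
    present = {_classify(c) for c in password}
    rules: List[str] = list(policy.get("variance_rules") or [])
    required = policy.get("variance_rules_required_count", 0)
    variance_enabled = required > 0 and bool(rules)   # assumption: 0 disables the rule
    passed = [r for r in rules if r in present]
    failed = [r for r in rules if r not in present]
    repeats_enabled = bool(policy.get("disallow_repeating_characters"))
    return {
        "password": None,
        "provided_password_length": len(password),
        "minimum_length_rule_passed": len(password) >= policy["minimum_length"],
        "variance_rules_required_count_passed": (len(passed) >= required) if variance_enabled else None,
        "variance_rules_passed": passed if variance_enabled else None,
        "variance_rules_failed": failed if variance_enabled else None,
        "password_history_size_rule_passed": None,
        "disallow_repeating_characters_rule_passed":
            (not _has_run_longer_than(password, 2)) if repeats_enabled else None,
    }
```

Run validate_policy_update on a body before posting it, and compare validate_password's output with the server's validator for the same password to confirm the two agree before relying on the local copy in a provisioning script.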

GET /system/information/encodings
Retrieves the list of encodings.
Table 1384. GET /system/information/encodings resource details
MIME Type
application/json

Table 1385. GET /system/information/encodings request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1386. GET /system/information/encodings response codes


HTTP Response Code Unique Code Description
200 The encodings were retrieved successfully.
500 1020 An error occurred during the attempt to retrieve the encodings.

636 QRadar API Reference Guide


Response Description

The list of encodings available on the system. A encoding contains the following fields:
v id - String - The name/descriptor for the character encoding. Not localized.

Response Sample
[
{
"id": "String"
}
]

GET /system/information/locales
Retrieves a list of locales from the system, with the option to include samples.
Table 1387. GET /system/information/locales resource details
MIME Type
application/json

Table 1388. GET /system/information/locales request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
sample_type | query | Optional | String | text/plain | Optional - The type of samples for the locale. Currently the only supported option is NUMBER.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1389. GET /system/information/locales response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of locales was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of locales.

Response Description

A list of locales. A locale contains the following fields:
• id - String - The tag of the locale.
• label - String - The name of the locale.
• sample - String - The optional sample for the locale.

Response Sample
[
{
"id": "sq",
"label": "Albanian",
"sample": "1 234 567,89"
},
{
"id": "sq-AL",
"label": "Albanian (Albania)",
"sample": "1 234 567,89"
},
{
"id": "ar",
"label": "Arabic",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
},
{
"id": "ar-DZ",
"label": "Arabic (Algeria)",
"sample": "1.234.567,89"
},
{
"id": "ar-BH",
"label": "Arabic (Bahrain)",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
}
]

GET /system/servers
Retrieve a list of all server hosts in the deployment.
Table 1390. GET /system/servers resource details
MIME Type
application/json

Table 1391. GET /system/servers request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1392. GET /system/servers response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of server records has been successfully retrieved.
500 | 1020 | An error has occurred while trying to retrieve the requested servers.

Response Description

A list of the servers. A server record contains the following fields:
• hostname - String - The hostname of this server
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private IP address of this server
• status - String - The status of this server

Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id}
Retrieve a server host based on the supplied server ID.
Table 1393. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 1394. GET /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1395. GET /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested server record has been retrieved.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given Id.

Response Description
A server record containing the following fields:
• email_server_address - String - The email server address
• hostname - String - The hostname of this server
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private IP address of this server
• status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id}
Updates an existing server.
Table 1396. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 1397. POST /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.

Table 1398. POST /system/servers/{server_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - A server details record containing the following field: email_server_address - String - The email server address. Must be a valid server address that the server can connect to through port 25. | { "email_server_address": "String" }

Table 1399. POST /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The server record has been updated.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
422 | 1006 | Cannot connect to the mail server address on port 25.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given Id.

Response Description

The updated server record containing the following fields:
• email_server_address - String - The email server address.
• hostname - String - The hostname of this server
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private IP address of this server
• status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules
Retrieve a list of access control firewall rules based on the supplied server ID.
Table 1400. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 1401. GET /system/servers/{server_id}/firewall_rules request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1402. GET /system/servers/{server_id}/firewall_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The rules records have been retrieved.
404 | 1002 | The requested server with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to retrieve the requested access control firewall rules on the server with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules
Set the access control firewall rules based on the supplied server ID.
Table 1403. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 1404. PUT /system/servers/{server_id}/firewall_rules request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.

Table 1405. PUT /system/servers/{server_id}/firewall_rules request body details
Parameter | Data Type | MIME Type | Description | Sample
rules | Array<Object> | application/json | Required - A list of new rules in a JSON string. Each rule record contains the following fields: | [ { "is_any_source_ip": true, "port_range": "String", "port_type": "String <one of: ANY, SINGLE, RANGE>", "protocol": "String <one of: ANY, TCP, UDP>", "single_port": "String", "source_ip": "String" } ]
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address.

Table 1406. PUT /system/servers/{server_id}/firewall_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The rules have been updated.
404 | 1002 | The requested server with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to set the access control firewall rules on the server with the given Id.

Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]
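Because this endpoint sets the whole access control list and answers an inconsistent record with a 422, it is worth checking the rule records on the client before sending them. The following added example (not part of the QRadar API Guide) validates a list of rule records against the field descriptions above and serialises them as the rules body; the sample rules are constructed, and the checks that tie port_type to single_port/port_range and that require source_ip to be empty when is_any_source_ip is true are the example's own assumptions.

```python
"""Client-side validation of access control firewall rules before a
PUT /system/servers/{server_id}/firewall_rules call.

Added example, not code from the QRadar API Guide. Field names and allowed
values come from the reference tables above; the consistency rules between
port_type and single_port/port_range, and between is_any_source_ip and
source_ip, are this example's assumptions about what the appliance accepts.
"""
import ipaddress
import json
from typing import Dict, List

PORT_TYPES = {"ANY", "SINGLE", "RANGE"}
PROTOCOLS = {"ANY", "TCP", "UDP"}


def _valid_port(value: str) -> bool:
    """A port is a decimal string in 1..65535 (assumption: port 0 is rejected)."""
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_rule(rule: Dict) -> List[str]:
    """Return the problems found in one rule record; an empty list means it is consistent."""
    problems: List[str] = []
    port_type = rule.get("port_type")
    if port_type not in PORT_TYPES:
        problems.append(f"port_type must be one of {sorted(PORT_TYPES)}")
    if rule.get("protocol") not in PROTOCOLS:
        problems.append(f"protocol must be one of {sorted(PROTOCOLS)}")

    # Assumption: the port field that matches port_type must be present and well formed.
    if port_type == "SINGLE":
        if not _valid_port(str(rule.get("single_port", ""))):
            problems.append("single_port must be a port number when port_type is SINGLE")
    elif port_type == "RANGE":
        start, sep, end = str(rule.get("port_range", "")).partition("-")
        if not (sep and _valid_port(start) and _valid_port(end) and int(start) <= int(end)):
            problems.append("port_range must be start-end with start <= end when port_type is RANGE")

    # Either the rule accepts any source, or it names one specific IP address.
    if rule.get("is_any_source_ip") is True:
        if rule.get("source_ip"):
            problems.append("source_ip must be empty when is_any_source_ip is true")
    else:
        try:
            ipaddress.ip_address(rule.get("source_ip", ""))
        except ValueError:
            problems.append("source_ip must be a specific IP address when is_any_source_ip is false")
    return problems


def validate_rules(rules: List[Dict]) -> Dict[int, List[str]]:
    """Map rule index -> problems for every rule that fails validation."""
    bad: Dict[int, List[str]] = {}
    for index, rule in enumerate(rules):
        problems = validate_rule(rule)
        if problems:
            bad[index] = problems
    return bad


def build_put_body(rules: List[Dict]) -> str:
    """Serialise the rules as the JSON string the PUT endpoint expects.
    Raises ValueError instead of sending a body the server would reject with 422."""
    bad = validate_rules(rules)
    if bad:
        raise ValueError(f"invalid firewall rules: {bad}")
    return json.dumps(rules)


# Constructed sample rules (not from the guide): one correct record per port_type,
# followed by two that should be caught before they reach the appliance.
SAMPLE_RULES = [
    {"is_any_source_ip": False, "source_ip": "10.0.5.20", "protocol": "TCP",
     "port_type": "SINGLE", "single_port": "514", "port_range": ""},
    {"is_any_source_ip": False, "source_ip": "10.0.5.21", "protocol": "UDP",
     "port_type": "RANGE", "single_port": "", "port_range": "514-515"},
    {"is_any_source_ip": True, "source_ip": "", "protocol": "ANY",
     "port_type": "ANY", "single_port": "", "port_range": ""},
    # wrong: RANGE whose start is greater than its end
    {"is_any_source_ip": False, "source_ip": "10.0.5.22", "protocol": "TCP",
     "port_type": "RANGE", "single_port": "", "port_range": "600-500"},
    # wrong: a hostname where a specific IP address is required
    {"is_any_source_ip": False, "source_ip": "collector.example", "protocol": "TCP",
     "port_type": "SINGLE", "single_port": "22", "port_range": ""},
]

if __name__ == "__main__":
    print(validate_rules(SAMPLE_RULES))
    print(build_put_body(SAMPLE_RULES[:3]))
```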



GET /system/servers/{server_id}/network_interfaces/bonded
Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 1407. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 1408. GET /system/servers/{server_id}/network_interfaces/bonded request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1409. GET /system/servers/{server_id}/network_interfaces/bonded response codes
HTTP Response Code | Unique Code | Description
200 | | A list of the bonded network interfaces were retrieved.
404 | 1002 | The requested server with the given server ID cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to retrieve the bonded interfaces on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
• device_name - String - The name of the network interface.
• desc - String - The description of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_cable_linked - String - Is the network interface cable linked? One of: YES, NO, UNKNOWN
• is_moving_config_with_active_ha - Boolean - Will apply the same settings to a new active HA server during failover.
• hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.
• slaves - List - The slaves of the bonded network interface. Each slave record contains the following fields:
– device_name - String - The name of the slave interface.
– desc - String - The description of the slave interface.
– role - String - The role of the slave interface. One of: slave, slave_disabled
– is_cable_linked - String - Is the slave interface cable linked? One of: true, false, unknown

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}
]

POST /system/servers/{server_id}/network_interfaces/bonded
Creates a new bonded network interface.
Table 1410. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 1411. POST /system/servers/{server_id}/network_interfaces/bonded request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.

Table 1412. POST /system/servers/{server_id}/network_interfaces/bonded request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - The details of the bonded network interface that contains the following fields: | { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }
• role - String - The role of the network interface. One of: regular, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the ip and the mask must not be the same subnet that is configured on the management interface.
• is_auto_ip - Boolean - Is the address auto-configured? Required.
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.

Table 1413. POST /system/servers/{server_id}/network_interfaces/bonded response codes
HTTP Response Code | Unique Code | Description
201 | | The bonded network interface was created.
404 | 1002 | The requested server with the given server_id cannot be found.
409 | 1004 | The ip address has been used by another network interface.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to create the bonded interface on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

The created bonded network interface that contains the following fields:
• device_name - String - The name of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.
• slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface or a slave interface of another bonded network interface. The array must contain at least one ethernet interface.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}

POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
Updates an existing bonded network interface.
Table 1414. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
application/json

Table 1415. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.
device_name | path | Required | String | text/plain | Required - The name of an existing bonded network interface. The interface cannot be the management interface or HA crossover interface. The interface must be cable linked.

Table 1416. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - The details of the bonded network interface that contains the following fields: | { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }
• role - String - The role of the network interface. One of: regular, monitor, disabled
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• is_auto_ip - Boolean - Is the IP address auto-configured? Required.
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
• slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface, or a slave interface of another bonded network interface. If slaves are not null, the slaves in this array will override the existing slaves of the bonded interface. When not null, the array must contain at least one ethernet interface. If null, the endpoint does not change the existing slave interfaces.
• bonding_opts - String - The bonding options that are configured on the bonded network interface

Table 1417. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes
HTTP Response Code | Unique Code | Description
200 | | The bonded network interface was updated.
404 | 1002 | The requested server with the given server ID cannot be found.
409 | 1004 | The ip address has been used by another network interface.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to update the specified bonded interfaces on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
• device_name - String - The name of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.
• slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has two fields: device_name and role. The role is slave or slave_disabled.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}
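The create and update bodies for a bonded interface share constraints that the appliance enforces with 409 and 422 responses: ip and mask requirements by ipversion, the rule that the computed subnet must not be the management subnet, the active-HA condition on is_moving_config_with_active_ha, and which ethernet interfaces may be slaves (with null slaves meaning "unchanged" on update only). The following added example, not code from the guide, re-checks those constraints on the client using records in the shape of the GET ethernet and bonded responses; the interface records, the is_active_ha_host flag and the validate_bonded_details function are constructed for the example, and the subnet check is only applied when both ip and mask are present.

```python
"""Pre-flight checks for the request body of
POST /system/servers/{server_id}/network_interfaces/bonded (create) and
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} (update).

Added example, not code from the QRadar API Guide. It re-checks on the client
the constraints stated in the request body tables, using records in the shape
of the GET .../network_interfaces/ethernet and .../bonded responses. The sample
records below are constructed; a real client would fetch them from the API.
"""
import ipaddress
from typing import Dict, List, Optional

ALLOWED_ROLES = {"regular", "monitor", "disabled"}   # roles the body may set
NOT_BONDABLE = {"management", "hacrossover"}           # roles that cannot become a slave


def validate_bonded_details(details: Dict, ethernet: List[Dict], bonded: List[Dict],
                            management: Dict, is_active_ha_host: bool,
                            updating: bool = False,
                            device_name: Optional[str] = None) -> List[str]:
    """Return the constraint violations found; an empty list means the body looks acceptable.
    device_name is the bond being updated (the path parameter), so its own slaves may be re-listed."""
    problems: List[str] = []
    if details.get("role") not in ALLOWED_ROLES:
        problems.append(f"role must be one of {sorted(ALLOWED_ROLES)}")
    ipversion = details.get("ipversion")
    if ipversion not in {"ipv4", "ipv6"}:
        problems.append("ipversion must be ipv4 or ipv6")
    auto = details.get("is_auto_ip")
    if not isinstance(auto, bool):
        problems.append("is_auto_ip is required and must be a Boolean")

    # ip is required for ipv4, or for ipv6 when the address is not auto-configured;
    # mask is required for ipv4. Together they must not land in the management subnet.
    ip, mask = details.get("ip"), details.get("mask")
    if (ipversion == "ipv4" or (ipversion == "ipv6" and auto is False)) and not ip:
        problems.append("ip is required for ipv4, or for ipv6 when is_auto_ip is false")
    if ipversion == "ipv4" and not mask:
        problems.append("mask is required when ipversion is ipv4")
    if ip and mask:  # assumption: the subnet rule is only checkable when both are given
        try:
            new_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            mgmt_net = ipaddress.ip_network(
                f"{management['ip']}/{management['mask']}", strict=False)
            if new_net == mgmt_net:
                problems.append(f"{new_net} is the management interface subnet")
        except ValueError as exc:
            problems.append(f"ip/mask cannot be parsed: {exc}")

    if details.get("is_moving_config_with_active_ha") is True and not is_active_ha_host:
        problems.append("is_moving_config_with_active_ha may be true only on an active HA host")

    # slaves: null on update means "leave unchanged"; otherwise at least one eligible interface.
    slaves = details.get("slaves")
    if slaves is None and updating:
        return problems
    if not slaves:
        problems.append("slaves must contain at least one ethernet interface")
        return problems
    eth_by_name = {e["device_name"]: e for e in ethernet}
    # slave interface -> the *other* bond that already owns it
    owned_by = {s["device_name"]: b["device_name"]
                for b in bonded if b["device_name"] != device_name
                for s in b.get("slaves", [])}
    for slave in slaves:
        name = slave.get("device_name")
        eth = eth_by_name.get(name)
        if eth is None:
            problems.append(f"{name}: not an existing ethernet interface")
        elif eth["role"] in NOT_BONDABLE:
            problems.append(f"{name}: role {eth['role']} cannot be a slave")
        elif name in owned_by:
            problems.append(f"{name}: already a slave of {owned_by[name]}")
    return problems


# Constructed sample records (not from the guide), in the shape of the GET responses.
MANAGEMENT = {"device_name": "eth0", "role": "management",
              "ip": "10.10.1.5", "mask": "255.255.255.0"}
ETHERNET = [
    MANAGEMENT,
    {"device_name": "eth1", "role": "hacrossover", "ip": "169.254.0.1", "mask": "255.255.255.0"},
    {"device_name": "eth2", "role": "regular", "ip": "", "mask": ""},
    {"device_name": "eth3", "role": "regular", "ip": "", "mask": ""},
    {"device_name": "eth4", "role": "slave", "ip": "", "mask": ""},
]
BONDED = [{"device_name": "bond0", "slaves": [{"device_name": "eth4", "role": "slave"}]}]

GOOD_CREATE = {"role": "regular", "ipversion": "ipv4", "ip": "10.10.2.5",
               "mask": "255.255.255.0", "is_auto_ip": False,
               "is_moving_config_with_active_ha": False, "bonding_opts": "mode=1 miimon=100",
               "slaves": [{"device_name": "eth2"}, {"device_name": "eth3"}]}
# Five violations: management subnet, HA flag on a non-HA host, and three ineligible slaves.
BAD_CREATE = dict(GOOD_CREATE, ip="10.10.1.9", is_moving_config_with_active_ha=True,
                  slaves=[{"device_name": "eth0"}, {"device_name": "eth4"},
                          {"device_name": "eth9"}])

if __name__ == "__main__":
    print(validate_bonded_details(GOOD_CREATE, ETHERNET, BONDED, MANAGEMENT, False))
    print(validate_bonded_details(BAD_CREATE, ETHERNET, BONDED, MANAGEMENT, False))
```

The same ip, mask and management-subnet conditions appear on the ethernet update endpoint below, so the first half of the function applies there unchanged.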

DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
Removes a bonded network interface.
Table 1418. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
text/plain

Table 1419. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.
device_name | path | Required | String | text/plain | Required - The device name of the bonded network interface.

Table 1420. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes
HTTP Response Code | Unique Code | Description
200 | | The bonded network interface was removed.
404 | 1002 | The requested server with the given server ID or the bonded network interface cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to remove the bonded interface on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

Response Sample

GET /system/servers/{server_id}/network_interfaces/ethernet
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 1421. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 1422. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1423. GET /system/servers/{server_id}/network_interfaces/ethernet response codes
HTTP Response Code | Unique Code | Description
200 | | A list of the ethernet network interfaces were retrieved.
404 | 1002 | The requested server with the given server ID cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to retrieve the ethernet interfaces on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains the following fields:
• device_name - String - The name of the network interface.
• desc - String - The description of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_cable_linked - String - Is the network interface cable linked? One of: true, false, unknown.
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
• hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]

6 REST API V9.0 References 651


POST /system/servers/{server_id}/network_interfaces/ethernet/
{device_name}
Updates an ethernet network interface based on the suppied server_Id and device_name.
Table 1424. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} resource details
MIME Type
application/json

Table 1425. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number text/plain Required - The ID of the
(Integer) server.
device_name path Required String text/plain Required - The name of an
existing ethernet network
interface. The interface
cannot be the management
interface, HA crossover
interface or a slave of a
bonded interface. The
interface must be cable
linked.

Table 1426. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request body details

Parameter   Data Type   MIME Type          Description
details     Object      application/json   Required - An ethernet network interface record containing the following fields:
v role - String - The role of the network interface. One of: regular, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface. Required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v is_auto_ip - Boolean - Is the IP auto-configured. Required.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.

Sample:
{ "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>" }
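
The constraints on the details object can be checked before the request is sent. The Python below is an added example, not code from the QRadar API guide; it implements the documented rules (conditional ip and mask, the management-subnet comparison, and the HA flag) with the standard ipaddress module. The management interface address and mask and the active-HA flag are assumed inputs that the caller obtains elsewhere, and the sample addresses are constructed.

```python
import ipaddress

# Roles that the request body description allows for this endpoint.
ALLOWED_ROLES = {"regular", "monitor", "disabled"}


def validate_ethernet_interface_body(details, management_ip, management_mask,
                                     host_is_active_ha=False):
    """Check an ethernet interface update body against the documented rules.

    details            the JSON object that would be sent as the request body
    management_ip,     address and netmask of the management interface; the caller
    management_mask    looks these up, the endpoint does not take them (assumed inputs)
    host_is_active_ha  whether the server host is an active HA host (assumed input)

    Returns a list of problem strings; an empty list means the body is acceptable.
    """
    problems = []

    role = details.get("role")
    if role not in ALLOWED_ROLES:
        problems.append(f"role must be one of {sorted(ALLOWED_ROLES)}, got {role!r}")

    ipversion = details.get("ipversion")
    if ipversion not in ("ipv4", "ipv6"):
        problems.append(f"ipversion must be ipv4 or ipv6, got {ipversion!r}")
        return problems  # every remaining rule depends on ipversion

    is_auto_ip = details.get("is_auto_ip")
    if not isinstance(is_auto_ip, bool):
        problems.append("is_auto_ip is required and must be a boolean")
        return problems

    ip, mask = details.get("ip"), details.get("mask")

    # ip is required for ipv4, and for ipv6 unless the address is auto-configured.
    if (ipversion == "ipv4" or not is_auto_ip) and not ip:
        problems.append("ip is required when ipversion is ipv4, or ipv6 with is_auto_ip false")

    # mask is required for ipv4 only.
    if ipversion == "ipv4" and not mask:
        problems.append("mask is required when ipversion is ipv4")

    # The subnet computed from ip and mask must differ from the management subnet.
    if ip and mask:
        try:
            new_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            mgmt_net = ipaddress.ip_network(f"{management_ip}/{management_mask}", strict=False)
        except ValueError as exc:
            problems.append(f"ip/mask is not a valid address and netmask: {exc}")
        else:
            if new_net == mgmt_net:
                problems.append(f"subnet {new_net} is the management interface's subnet")

    # The HA flag may only be true on an active HA server host.
    moving = details.get("is_moving_config_with_active_ha")
    if moving is not None and not isinstance(moving, bool):
        problems.append("is_moving_config_with_active_ha must be a boolean")
    elif moving is True and not host_is_active_ha:
        problems.append("is_moving_config_with_active_ha can be true only on an active HA server host")

    return problems


if __name__ == "__main__":
    # Constructed sample: management interface on 10.0.1.0/24, new interface on 10.0.2.0/24.
    body = {"role": "regular", "ipversion": "ipv4", "ip": "10.0.2.5",
            "mask": "255.255.255.0", "is_auto_ip": False}
    print(validate_ethernet_interface_body(body, "10.0.1.10", "255.255.255.0"))
    clash = dict(body, ip="10.0.1.20")  # lands in the management subnet
    print(validate_ethernet_interface_body(clash, "10.0.1.10", "255.255.255.0"))
```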

Table 1427. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} response codes

HTTP Response Code   Unique Code   Description
200                                The network interface has been updated.
404                  1002          The requested server with the given server ID cannot be found.
409                  1004          The IP address has been used by another network interface.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred while trying to update the specified ethernet interfaces on the server with the given ID.
500                  1022          Timeout while performing the task.

Response Description

The updated ethernet network interface containing the following fields:


v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.

Response Sample
{
  "desc": "String",
  "device_name": "String",
  "hacrossover_params": {
    "String": "String"
  },
  "ip": "String",
  "ipversion": "String <one of: ipv4, ipv6>",
  "is_auto_ip": true,
  "is_cable_linked": "String <one of: true, false, unknown>",
  "is_moving_config_with_active_ha": true,
  "mask": "String",
  "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}

GET /system/servers/{server_id}/system_time_settings
Retrieves the system time and time zone settings of a server host based on the supplied server ID.

Table 1428. GET /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 1429. GET /system/servers/{server_id}/system_time_settings request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
server_id   path    Required      Number (Integer)   text/plain   Required - The ID of the server.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1430. GET /system/servers/{server_id}/system_time_settings response codes

HTTP Response Code   Unique Code   Description
200                                The requested system time settings record was retrieved.
404                  1002          The requested system time settings record with the given server ID cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to retrieve the requested system time settings with the given server ID.
500                  1022          Timeout while performing the task.

Response Description

Server system time settings that contain the following fields:


v timezone_id - String - The current time zone.
v current_time - Long - The current epoch time (number of milliseconds after Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to synchronize the system time with configured NTP time servers.
v ntp_server_addresses - Array - The array of the configured NTP server addresses. Null if is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}

POST /system/servers/{server_id}/system_time_settings
Sets the system time and time zone settings of a server host. Services are restarted after the call and
service interruptions will occur.

Table 1431. POST /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 1432. POST /system/servers/{server_id}/system_time_settings request parameter details

Parameter   Type     Optionality   Data Type          MIME Type    Description
server_id   path     Required      Number (Integer)   text/plain   Required - The ID of the server.
fields      header   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1433. POST /system/servers/{server_id}/system_time_settings request body details

Parameter   Data Type   MIME Type          Description
settings    Object      application/json   Server system time settings that contain the following fields:
v timezone_id - String - The current time zone.
v is_sync_with_ntp_server - boolean - Is the NTP service used to synchronize the system time with configured NTP time servers?
v current_time - Long - The current epoch time (number of milliseconds after Epoch). This parameter must be provided when is_sync_with_ntp_server is false. This parameter must be null if is_sync_with_ntp_server is true.
v ntp_server_addresses - Array - The array of the NTP server addresses to synchronize the time with. This parameter must be provided when is_sync_with_ntp_server is true. Only the syntax and DNS lookups are checked. The reachability of the NTP servers from the server host is not verified because most NTP servers are rate limited. Four or more NTP servers are recommended for high time accuracy. Must be null if is_sync_with_ntp_server is false.

Sample:
{ "current_time": 42, "ntp_server_addresses": [ "String" ], "sync_with_ntp_server": true, "timezone_id": "String" }
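
The null-or-required pairing between current_time and ntp_server_addresses is easy to get wrong, so here is an added Python example (not the guide's own code) that builds a body for each mode and validates it against the rules above. Only address syntax is checked locally (no DNS lookup, so it runs offline); fewer than four servers yields a warning rather than an error, and the sample values are constructed.

```python
import ipaddress
import re

# Host name syntax only; the page says the endpoint checks syntax and DNS, not reachability.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

RECOMMENDED_NTP_SERVERS = 4  # "Four or more NTP servers are recommended"


def is_valid_ntp_address(value):
    """True if value is an IP literal or a syntactically valid host name."""
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None


def validate_system_time_settings(settings):
    """Return (problems, warnings) for a system time settings request body."""
    problems, warnings = [], []
    if not settings.get("timezone_id"):
        problems.append("timezone_id is required")

    sync = settings.get("is_sync_with_ntp_server")
    if not isinstance(sync, bool):
        problems.append("is_sync_with_ntp_server must be true or false")
        return problems, warnings  # the remaining rules depend on it

    current_time = settings.get("current_time")
    servers = settings.get("ntp_server_addresses")

    if sync:
        # NTP mode: the clock value must be null, the server list must be present.
        if current_time is not None:
            problems.append("current_time must be null when is_sync_with_ntp_server is true")
        if not servers:
            problems.append("ntp_server_addresses is required when is_sync_with_ntp_server is true")
        else:
            for addr in servers:
                if not is_valid_ntp_address(addr):
                    problems.append(f"ntp server address {addr!r} is not valid")
            if len(servers) < RECOMMENDED_NTP_SERVERS:
                warnings.append(f"{len(servers)} NTP server(s) configured; four or more are recommended")
    else:
        # Manual mode: the clock value must be present, the server list must be null.
        if current_time is None:
            problems.append("current_time is required when is_sync_with_ntp_server is false")
        elif not isinstance(current_time, int) or isinstance(current_time, bool) or current_time < 0:
            problems.append("current_time must be a non-negative epoch time in milliseconds")
        if servers is not None:
            problems.append("ntp_server_addresses must be null when is_sync_with_ntp_server is false")
    return problems, warnings


def ntp_settings(timezone_id, servers):
    """Build a body that synchronizes with NTP, with current_time left null."""
    return {"timezone_id": timezone_id, "is_sync_with_ntp_server": True,
            "current_time": None, "ntp_server_addresses": list(servers)}


def manual_time_settings(timezone_id, epoch_ms):
    """Build a body that sets the clock directly, with ntp_server_addresses left null."""
    return {"timezone_id": timezone_id, "is_sync_with_ntp_server": False,
            "current_time": int(epoch_ms), "ntp_server_addresses": None}


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders.
    body = ntp_settings("UTC", ["10.0.0.1", "10.0.0.2", "ntp1.example.internal", "ntp2.example.internal"])
    print(validate_system_time_settings(body))
    print(validate_system_time_settings(manual_time_settings("UTC", 1500000000000)))
```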

Table 1434. POST /system/servers/{server_id}/system_time_settings response codes

HTTP Response Code   Unique Code   Description
200                                The system time settings have been applied.
404                  1002          The requested server with the given server ID cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to apply the system time settings to the server.
500                  1022          Timeout during performance of the task.

Response Description

Server system time settings that contain the following fields:


v timezone_id - String - The current time zone.
v current_time - Long - The current epoch time (number of milliseconds after Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to synchronize the system time
with configured NTP time servers.
v ntp_server_addresses - Array - The array of the configured NTP server addresses. Null if
is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}

GET /system/servers/{server_id}/timezones
Retrieves all the available time zones that can be set for a server.

Table 1435. GET /system/servers/{server_id}/timezones resource details
MIME Type
application/json

Table 1436. GET /system/servers/{server_id}/timezones request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
server_id   path    Required      Number (Integer)   text/plain   Required - The ID of the server.
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1437. GET /system/servers/{server_id}/timezones response codes

HTTP Response Code   Unique Code   Description
200                                The requested timezone records were retrieved.
404                  1002          The requested timezone records with the given server ID cannot be found.
422                  1005          One or more parameters are invalid in the request.
500                  1020          An error occurred during the attempt to retrieve the requested timezone records with the given server ID.
500                  1022          Timeout during the performance of the task.

Response Description

A list of time zones that contains the following fields:


v id - String - The ID of the time zone.
v timezone - String - The formatted string representation of the timezone in the current locale.
v offset - Integer - Number of milliseconds offset from UTC time at the moment.

Response Sample
[
{
"id": "String",
"offset": 42,
"timezone": "String"
}
]

7 Previous REST API versions
Use this reference if you are using REST API version 8.n or previous.

REST API V8.0 References


Each API reference provides information about the parameters, mime type, stability, and responses for
each endpoint.

Analytics endpoints
Use the references for REST API V8.0 analytics endpoints.

GET /analytics/ade_rules
Retrieves a list of ADE rules.

Table 1438. GET /analytics/ade_rules resource details
MIME Type
application/json

Table 1439. GET /analytics/ade_rules request parameter details

Parameter   Type     Optionality   Data Type   MIME Type    Description
fields      query    Optional      String      text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter      query    Optional      String      text/plain   Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range       header   Optional      String      text/plain   Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1440. GET /analytics/ade_rules response codes

HTTP Response Code   Unique Code   Description
200                                The ADE rules were retrieved.
422                  1010          A request parameter is not valid.
500                  1020          An error occurred during the attempt to retrieve the ADE rules.

Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}
]

GET /analytics/ade_rules/{id}
Retrieves an ADE rule.

Table 1441. GET /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 1442. GET /analytics/ade_rules/{id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1443. GET /analytics/ade_rules/{id} response codes

HTTP Response Code   Unique Code   Description
200                                The ADE rule was retrieved.
404                  1002          The ADE rule does not exist.
500                  1020          An error occurred during the attempt to retrieve the ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

POST /analytics/ade_rules/{id}
Updates the ADE rule owner or enabled/disabled only.

Table 1444. POST /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 1445. POST /analytics/ade_rules/{id} request parameter details

Parameter   Type     Optionality   Data Type          MIME Type    Description
id          path     Required      Number (Integer)   text/plain   null
fields      header   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1446. POST /analytics/ade_rules/{id} request body details

Parameter   Data Type   MIME Type          Description   Sample
ade_rule    Object      application/json   null          { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 1447. POST /analytics/ade_rules/{id} response codes

HTTP Response Code   Unique Code   Description
200                                The ADE rule was updated.
403                  1009          You do not have the required capabilities to update the ADE rule.
404                  1002          The ADE rule does not exist.
409                  1004          The provided user does not have the required capabilities to own the ADE rule.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to update the ADE rule.

Response Description

The ADE rule after it is updated. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

DELETE /analytics/ade_rules/{id}
Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out. The check might take
some time. An asynchronous task is started to do this check.

Table 1448. DELETE /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 1449. DELETE /analytics/ade_rules/{id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1450. DELETE /analytics/ade_rules/{id} response codes

HTTP Response Code   Unique Code   Description
202                                The ADE rule delete command was accepted and is in progress.
403                  1009          You do not have the required capabilities to delete the ADE rule.
404                  1002          The ADE rule does not exist.
500                  1020          An error occurred during the attempt to delete the ADE rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
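
Because the delete is accepted with 202 and finished by a background task, a client has to follow the Location header rather than treat the first response as the result. The Python below is an added example, not code from the QRadar API guide: it issues the DELETE, takes the task status URL from the Location header and polls it until the task reaches a final state. The HTTP session is a constructed stand-in so the flow runs offline, and the set of states treated as final is an assumption, since the page lists the states but not which ones are terminal.

```python
import time

# Task states from the Delete Task Status sample. The page does not say which of
# them are final; treating these four as terminal is an assumption of this example.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT"}


class FakeQRadarSession:
    """Constructed stand-in for an HTTP client so the flow runs offline.

    delete() answers like DELETE /api/analytics/ade_rules/{id}: 202 plus a Location
    header for the task, or 404 with unique code 1002. get() answers like
    GET /api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}, advancing through
    a scripted list of task states, one per poll. Each call returns
    (http_status, headers, json_body).
    """

    def __init__(self, rule_id, scripted_states, task_id=7):
        self.rule_id = rule_id
        self._states = list(scripted_states)
        self.task_id = task_id
        self.task_url = f"/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}"

    def delete(self, path):
        if path != f"/api/analytics/ade_rules/{self.rule_id}":
            return 404, {}, {"code": 1002, "message": "The ADE rule does not exist."}
        return 202, {"Location": self.task_url}, {"id": self.task_id, "status": "QUEUED"}

    def get(self, path):
        if path != self.task_url:
            return 404, {}, {"code": 1002, "message": "The Delete Task Status does not exist."}
        # Hand out the next scripted state; stay on the last one once it is reached.
        state = self._states.pop(0) if len(self._states) > 1 else self._states[0]
        return 200, {}, {"id": self.task_id, "name": "Delete ADE rule",
                         "status": state, "message": f"task is {state}"}


def delete_ade_rule(session, rule_id, poll_interval=0.0, max_polls=50):
    """Request deletion of an ADE rule and follow the task to a terminal state.

    Returns the final Delete Task Status object. Callers must inspect its status:
    the dependency check can end in CONFLICT rather than COMPLETED.
    """
    code, headers, body = session.delete(f"/api/analytics/ade_rules/{rule_id}")
    if code != 202:
        raise RuntimeError(
            f"delete not accepted: HTTP {code}, code {body.get('code')}: {body.get('message')}")
    task_url = headers.get("Location")
    if not task_url:
        raise RuntimeError("202 response carried no Location header; cannot track the task")

    for _ in range(max_polls):
        code, _, task = session.get(task_url)
        if code != 200:
            raise RuntimeError(f"task status lookup failed: HTTP {code}")
        if task["status"] in TERMINAL_STATES:
            return task
        time.sleep(poll_interval)
    raise TimeoutError(f"task at {task_url} not finished after {max_polls} polls")


if __name__ == "__main__":
    session = FakeQRadarSession(42, ["QUEUED", "PROCESSING", "COMPLETED"])
    print(delete_ade_rule(session, 42)["status"])
```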

GET /analytics/ade_rules/{id}/dependents
Retrieves the objects that depend on the ADE rule.

Table 1451. GET /analytics/ade_rules/{id}/dependents resource details
MIME Type
application/json

Table 1452. GET /analytics/ade_rules/{id}/dependents request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
id          path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1453. GET /analytics/ade_rules/{id}/dependents response codes

HTTP Response Code   Unique Code   Description
202                                The ADE rule dependents retrieval was accepted and is in progress.
404                  1002          The ADE rule does not exist.
500                  1020          An error occurred during the attempt to initiate the ADE rule dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id}
Retrieves the delete ADE rule task status.

Table 1454. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1455. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
task_id     path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1456. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} response codes

HTTP Response Code   Unique Code   Description
200                                The Delete Task Status was retrieved.
404                  1002          The Delete Task Status does not exist.
500                  1020          An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Retrieves the dependent ADE rule task status.

Table 1457. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1458. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details

Parameter   Type    Optionality   Data Type          MIME Type    Description
task_id     path    Required      Number (Integer)   text/plain   null
fields      query   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1459. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response Code   Unique Code   Description
200                                The Delete Task Status was retrieved.
404                  1002          The Delete Task Status does not exist.
500                  1020          An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Cancels a dependent ADE rule task.

Table 1460. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1461. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details

Parameter   Type     Optionality   Data Type          MIME Type    Description
task_id     path     Required      Number (Integer)   text/plain   null
fields      header   Optional      String             text/plain   Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1462. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request body details

Parameter   Data Type   MIME Type          Description   Sample
task        Object      application/json   null          { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1463. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response Code   Unique Code   Description
200                                The Delete Task Status was retrieved.
404                  1002          The Dependent Task Status does not exist.
409                  1004          The task is in a completed state.
422                  1005          A request parameter is not valid.
500                  1020          An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results
Retrieves the ADE rule dependent task results.

Retrieves the ADE rule dependent task results.


Table 1464. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1465. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1466. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results response codes
HTTP Response Code  Unique Code  Description
200                              The ADE rule dependents were retrieved.
404                 1002         The Dependent Task Status does not exist.
500                 1020         An error occurred during the attempt to retrieve the ADE rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks
Retrieves a list of building block rules.

Retrieves a list of building block rules.


Table 1467. GET /analytics/building_blocks resource details
MIME Type
application/json

Table 1468. GET /analytics/building_blocks request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1469. GET /analytics/building_blocks response codes
HTTP Response Code  Unique Code  Description
200                              The building block rules were retrieved.
422                 1010         A request parameter is not valid.
500                 1020         An error occurred during the attempt to retrieve the building block rules.

Response Description

An array of Building Block Rule objects. A Building Block Rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the building block rule in events per second.
v base_host_id - Long - The ID of the host from which the building block rule's base capacity was
determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all
hosts.
v capacity_timestamp - Date - The time, as a Date, at which the building block's capacity values were last
updated.

Response Sample
[
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}
]
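
An added example, not IBM's sample code and not part of this reference, that walks the list above page by page and summarises it the way a rule reviewer would. It assumes things this table does not state: the API token travels in a SEC header; paging is `Range: items=first-last` answered with `Content-Range: items first-last/total` (QRadar's paging convention); the `filter` string follows the guide's filter syntax; and `https://qradar.example` is a placeholder console. Note also that the field list above names the type field `building_block_type` with values ending in USER, while the response sample uses `type` with OFFENSE; the example accepts either key and exposes one.

```python
"""Added example, not IBM's code: page through GET /analytics/building_blocks with
a filter expression and the Range header, and normalise the records returned."""
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

# A GET transport: (url, extra request headers) -> (status, response headers, body).
GetTransport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def urllib_get(token: str) -> GetTransport:
    """Real transport. Assumes the SEC header carries the QRadar API token."""
    ctx = ssl.create_default_context()

    def get(url: str, headers: Dict[str, str]):
        req = urllib.request.Request(
            url, headers={"SEC": token, "Accept": "application/json", **headers})
        with urllib.request.urlopen(req, context=ctx) as r:
            return r.status, dict(r.headers), r.read()
    return get


def content_range_total(value: Optional[str]) -> Optional[int]:
    """'items 0-49/1234' -> 1234. The header shape is assumed from QRadar's paging
    convention; None means the server did not report a total."""
    m = re.fullmatch(r"\s*items\s+\d+-\d+/(\d+)\s*", value or "")
    return int(m.group(1)) if m else None


def normalise(record: dict) -> dict:
    """The field list says building_block_type, the response sample says type;
    accept either and expose a single key."""
    out = dict(record)
    out["type"] = record.get("type", record.get("building_block_type"))
    out.pop("building_block_type", None)
    return out


def iter_building_blocks(get: GetTransport, base_url: str, filter_expr: Optional[str] = None,
                         page_size: int = 50) -> Iterator[dict]:
    """Yield every matching building block, one Range-sized page at a time."""
    url = base_url.rstrip("/") + "/api/analytics/building_blocks"
    if filter_expr:  # grammar from the guide's filter syntax, e.g. enabled=false
        url += "?" + urllib.parse.urlencode({"filter": filter_expr})
    first = 0
    while True:
        status, headers, body = get(url, {"Range": f"items={first}-{first + page_size - 1}"})
        if status != 200:
            raise RuntimeError(f"GET {url}: HTTP {status}: {body[:200]!r}")
        page = json.loads(body)
        for rec in page:
            yield normalise(rec)
        total = content_range_total(
            next((v for k, v in headers.items() if k.lower() == "content-range"), None))
        first += len(page)
        if not page or (total is not None and first >= total):
            return


def coverage_report(records: Iterable[dict]) -> dict:
    """What a reviewer wants at a glance: disabled building blocks (other rules may
    depend on them; see the dependents endpoints), non-SYSTEM content grouped by
    owner, and a count per type."""
    records = list(records)
    disabled = sorted(r["name"] for r in records if not r.get("enabled", False))
    local_by_owner: Dict[str, list] = {}
    for r in records:
        if r.get("origin") != "SYSTEM":
            local_by_owner.setdefault(r.get("owner", "?"), []).append(r["name"])
    by_type: Dict[str, int] = {}
    for r in records:
        by_type[r.get("type")] = by_type.get(r.get("type"), 0) + 1
    return {"disabled": disabled, "local_by_owner": local_by_owner, "by_type": by_type}
```

Against a real console, `coverage_report(iter_building_blocks(urllib_get(token), "https://qradar.example", "enabled=false"))` lists the disabled building blocks; the paging loop stops on the total from `Content-Range`, or on the first empty page if that header is missing, so a filter that matches nothing cannot loop forever.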

GET /analytics/building_blocks/building_block_delete_tasks/{task_id}
Retrieves the status of the building block rule delete task.

Retrieves the status of the building block rule delete task.


Table 1470. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1471. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1472. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response codes
HTTP Response Code  Unique Code  Description
200                              The Delete Task Status was retrieved.
404                 1002         The Delete Task Status does not exist.
500                 1020         An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}
Retrieves the status of the building block rule dependent task.

Retrieves the status of the building block rule dependent task.


Table 1473. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1474. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1475. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes
HTTP Response Code  Unique Code  Description
200                              The Dependent Task Status was retrieved.
404                 1002         The Dependent Task Status does not exist.
500                 1020         An error occurred during the attempt to retrieve the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
Cancels the building block rule dependent task.

Cancels the building block rule dependent task.


Table 1476. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1477. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
task_id    path    Required     Number (Integer)  text/plain  null
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1478. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request body details
Parameter  Data Type  MIME Type         Description  Sample
task       Object     application/json  null         { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1479. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes
HTTP Response Code  Unique Code  Description
200                              The Dependent Task Status was retrieved.
404                 1002         The Dependent Task Status does not exist.
409                 1004         The task is in a completed state.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
Retrieves the building block rule dependent task results.

Retrieves the building block rule dependent task results.


Table 1480. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1481. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1482. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results response codes
HTTP Response Code  Unique Code  Description
200                              The building block rule dependents were retrieved.
404                 1002         The Dependent Task Status does not exist.
500                 1020         An error occurred during the attempt to retrieve the building block rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks/{id}
Retrieves a building block rule.

Retrieves a building block rule.

Table 1483. GET /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1484. GET /analytics/building_blocks/{id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1485. GET /analytics/building_blocks/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The building block rule was retrieved.
404                 1002         The building block rule does not exist.
500                 1020         An error occurred during the attempt to retrieve the building block rule.

Response Description

The building block rule after it is retrieved. A Building Block Rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the building block rule in events per second.
v base_host_id - Long - The ID of the host from which the building block rule's base capacity was
determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all
hosts.
v capacity_timestamp - Date - The time, as a Date, at which the building block's capacity values were last
updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}

POST /analytics/building_blocks/{id}
Updates the building block rule owner or enabled/disabled only.

Updates the building block rule owner or enabled/disabled only.


Table 1486. POST /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1487. POST /analytics/building_blocks/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  null
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1488. POST /analytics/building_blocks/{id} request body details
Parameter       Data Type  MIME Type         Description  Sample
building_block  Object     application/json  null         { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 1489. POST /analytics/building_blocks/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The building block rule was updated.
403                 1009         You do not have the required capabilities to update the building block rule.
404                 1002         The building block rule does not exist.
409                 1004         The provided user does not have the required capabilities to own the building block rule.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the building block rule.

Response Description

The building block rule after it is updated. A building block rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the building block rule in events per second.
v base_host_id - Long - The ID of the host from which the building block rule's base capacity was
determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all
hosts.
v capacity_timestamp - Date - The time, as a Date, at which the building block's capacity values were last
updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}

DELETE /analytics/building_blocks/{id}
Deletes the building block rule after an asynchronous dependency check.

Deletes the building block rule. To ensure safe deletion, a check for anything that depends on the rule
is run first. Because that check might take some time, it is started as an asynchronous task, and the
response describes that task rather than a finished deletion.

Table 1490. DELETE /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1491. DELETE /analytics/building_blocks/{id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1492. DELETE /analytics/building_blocks/{id} response codes
HTTP Response Code  Unique Code  Description
202                              The building block rule delete command was accepted and is in progress.
403                 1009         You do not have the required capabilities to delete the building block rule.
404                 1002         The building block rule does not exist.
409                 1004         null
500                 1020         An error occurred during the attempt to delete the building block rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/
building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the
following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
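
An added example, not IBM's sample code and not part of this reference, that ties together the asynchronous flow this DELETE shares with GET /analytics/building_blocks/{id}/dependents, the building_block_dependent_tasks/{task_id} status and cancel endpoints, and their /results (the ADE rule endpoints earlier on the page behave the same way): start the dependency check, poll the task until its status is terminal, read the Dependent objects, and only then issue the DELETE and poll its Delete Task Status. Assumptions not stated on this page: the API token travels in a SEC header; the Location header carries the task status URL and may be a bare path; the split of the listed status values into finished and still-running is this example's reading of their names; `blocking` appears only in the response sample, so treating it as "this dependent blocks deletion" is an assumption; `https://qradar.example` is a placeholder console.

```python
"""Added example, not IBM's code: dependency check, poll, triage, then delete."""
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]

# The status values listed on this page, split into finished and still-running (assumed).
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
RUNNING = {"QUEUED", "INITIALIZING", "PROCESSING", "PAUSED", "RESUMING",
           "CANCEL_REQUESTED", "CANCELING"}


def urllib_transport(token: str) -> Transport:
    """Real transport; 4xx/5xx come back as (status, headers, body), not exceptions.
    Assumes the SEC header carries the API token."""
    ctx = ssl.create_default_context()

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"SEC": token, "Accept": "application/json", **headers})
        try:
            with urllib.request.urlopen(req, context=ctx) as r:
                return r.status, dict(r.headers), r.read()
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read()
    return send


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def start_task(transport: Transport, method: str, url: str) -> Tuple[dict, str]:
    """Send the request that starts a task; the page promises 202 plus a Location header."""
    status, headers, body = transport(method, url, {}, None)
    if status != 202:
        raise RuntimeError(f"{method} {url}: expected 202, got {status}: {body[:200]!r}")
    location = _header(headers, "Location")
    if not location:
        raise RuntimeError(f"{method} {url}: 202 without Location, cannot poll the task")
    return json.loads(body), urllib.parse.urljoin(url, location)  # Location may be a bare path


def wait_for_task(transport, task_url, timeout_s=300.0, interval_s=2.0, sleep=time.sleep) -> dict:
    """Poll the task status URL until a terminal status; fail loudly on unknown states."""
    deadline = time.monotonic() + timeout_s
    while True:
        status, _, body = transport("GET", task_url, {}, None)
        if status != 200:
            raise RuntimeError(f"GET {task_url}: HTTP {status}")
        task = json.loads(body)
        state = task.get("status")
        if state in TERMINAL:
            return task
        if state not in RUNNING:
            raise RuntimeError(f"task {task.get('id')}: unexpected status {state!r}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {task.get('id')} still {state} after {timeout_s}s")
        sleep(interval_s)


def request_cancel(transport, task_url) -> Tuple[bool, dict]:
    """POST {"status": "CANCEL_REQUESTED"}; the page's 409 means the task already finished."""
    payload = json.dumps({"status": "CANCEL_REQUESTED"}).encode()
    status, _, body = transport("POST", task_url, {"Content-Type": "application/json"}, payload)
    if status not in (200, 409):
        raise RuntimeError(f"POST {task_url}: HTTP {status}")
    return status == 200, json.loads(body) if body else {}


def triage_dependents(dependents: List[dict]) -> dict:
    """A dependent that is blocking (assumed meaning of the sample's field), or that the
    task's user cannot edit, stops an unattended delete."""
    blockers = [d for d in dependents
                if d.get("blocking") or not d.get("user_has_edit_permissions", False)]
    by_type: Dict[str, int] = {}
    for d in dependents:
        kind = d.get("dependent_type", "UNKNOWN")
        by_type[kind] = by_type.get(kind, 0) + 1
    return {"safe_to_delete": not blockers, "blockers": blockers, "by_type": by_type}


def safe_delete_building_block(transport, base_url, bb_id, sleep=time.sleep) -> dict:
    """Dependency check first, then DELETE, polling both tasks to completion."""
    base = base_url.rstrip("/") + "/api/analytics/building_blocks"
    _, dep_url = start_task(transport, "GET", f"{base}/{bb_id}/dependents")
    dep_task = wait_for_task(transport, dep_url, sleep=sleep)
    if dep_task["status"] != "COMPLETED":
        return {"deleted": False, "reason": f"dependency check ended {dep_task['status']}"}
    status, _, body = transport("GET", dep_url + "/results", {}, None)
    if status != 200:
        raise RuntimeError(f"GET {dep_url}/results: HTTP {status}")
    report = triage_dependents(json.loads(body))
    if not report["safe_to_delete"]:
        return {"deleted": False, "reason": "blocking or non-editable dependents", **report}
    _, del_url = start_task(transport, "DELETE", f"{base}/{bb_id}")
    del_task = wait_for_task(transport, del_url, sleep=sleep)
    return {"deleted": del_task["status"] == "COMPLETED", "reason": del_task.get("message"), **report}
```

Run it as `safe_delete_building_block(urllib_transport(token), "https://qradar.example", 1234)`. It refuses to delete when the dependency task ends in anything other than COMPLETED, or when any dependent is blocking or not editable by the token's user, so a scheduled clean-up cannot silently remove a building block that rules or reports owned by somebody else still reference. `request_cancel` shows the one body the cancel endpoint accepts and turns its 409 into a plain "too late" result instead of an exception.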

GET /analytics/building_blocks/{id}/dependents
Retrieves the objects that depend on the building block rule.

Retrieves the objects that depend on the building block rule.


Table 1493. GET /analytics/building_blocks/{id}/dependents resource details
MIME Type
application/json

Table 1494. GET /analytics/building_blocks/{id}/dependents request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1495. GET /analytics/building_blocks/{id}/dependents response codes
HTTP Response Code  Unique Code  Description
202                              The building block rule dependents retrieval was accepted and is in progress.
404                 1002         The building block rule does not exist.
500                 1020         An error occurred during the attempt to initiate the building block rule dependents retrieval task.

Response Description

A Dependents Task Status object, with the Location header set to the task status URL "/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}". A Dependents Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
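The dependents and delete endpoints above answer with 202 and a Location header that points at a task status resource, so a client has to poll that resource until the status reaches a value that will not change again. The following Python is an added example, not code from the IBM guide or the QRadar project. It assumes the task status fields and status enumeration listed above, treats CANCELLED, COMPLETED, CONFLICT, EXCEPTION and INTERRUPTED as terminal (an assumption; the guide does not classify the states), and takes the HTTP fetch as an injected callable, so the sample responses it replays are constructed rather than captured from a console.

```python
"""Poll a QRadar task status resource until the task reaches a terminal state.

Added example; not part of the IBM QRadar API Guide. The terminal/live split
of the status enumeration and the sample responses are assumptions or
constructed data, labelled as such below.
"""
import json
import time
from typing import Any, Callable, Dict, Iterator, List

# Assumption: once in one of these states the task will not change again.
TERMINAL_STATES = {"CANCELLED", "COMPLETED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
# Assumption: in these states the task is still live and must be polled again.
LIVE_STATES = {"CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "PAUSED",
               "PROCESSING", "QUEUED", "RESUMING"}


def is_terminal(status: str) -> bool:
    """Return True when polling can stop; reject values outside the documented enum."""
    if status in TERMINAL_STATES:
        return True
    if status in LIVE_STATES:
        return False
    raise ValueError(f"unexpected task status {status!r}")


def task_status_path(task_id: int) -> str:
    """Path of the dependents task status resource named in the Location header above."""
    return f"/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}"


def component_summary(task: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map each sub-task type to its status and progress, so an operator can see which
    dependency check (rules, reports, dashboards, ...) is still running or failed."""
    summary: Dict[str, Dict[str, Any]] = {}
    for comp in task.get("task_components") or []:
        summary[comp["task_sub_type"]] = {
            "status": comp["status"],
            "progress": comp.get("progress"),
            "maximum": comp.get("maximum"),
        }
    return summary


def poll_task(task_path: str,
              fetch: Callable[[str], str],
              max_polls: int = 120,
              interval_s: float = 2.0,
              sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Fetch the task status until it is terminal or the poll budget is spent.

    `fetch(path)` must return the JSON body of an authenticated GET on `path`
    (the HTTP client and its authentication are left to the caller).
    `sleep` is injectable so the demo and tests run without delay.
    """
    task: Dict[str, Any] = {}
    for attempt in range(max_polls):
        task = json.loads(fetch(task_path))
        if is_terminal(task["status"]):
            return task
        if attempt + 1 < max_polls:
            sleep(interval_s)
    raise TimeoutError(f"task {task.get('id')} still {task.get('status')!r} after {max_polls} polls")


# Constructed responses in the order a poller would observe them (fabricated for
# this example, not captured from a real system).
SAMPLE_RESPONSES: List[Dict[str, Any]] = [
    {"id": 7, "status": "QUEUED", "number_of_dependents": None, "progress": 0, "maximum": 5,
     "task_components": []},
    {"id": 7, "status": "PROCESSING", "number_of_dependents": None, "progress": 2, "maximum": 5,
     "task_components": [
         {"task_sub_type": "FIND_DEPENDENT_RULES", "status": "PROCESSING", "progress": 2, "maximum": 3},
         {"task_sub_type": "FIND_DEPENDENT_REPORTS", "status": "QUEUED", "progress": 0, "maximum": 2}]},
    {"id": 7, "status": "COMPLETED", "number_of_dependents": 3, "progress": 5, "maximum": 5,
     "task_components": [
         {"task_sub_type": "FIND_DEPENDENT_RULES", "status": "COMPLETED", "progress": 3, "maximum": 3},
         {"task_sub_type": "FIND_DEPENDENT_REPORTS", "status": "COMPLETED", "progress": 2, "maximum": 2}]},
]


def make_sample_fetch(responses: List[Dict[str, Any]]) -> Callable[[str], str]:
    """Build a fetch callable that replays the constructed responses in order."""
    it: Iterator[Dict[str, Any]] = iter(responses)

    def fetch(path: str) -> str:
        assert path == task_status_path(7)  # the poller must use the Location-header path
        return json.dumps(next(it))
    return fetch


def run_demo() -> Dict[str, Any]:
    """Poll the constructed task without sleeping and return the final status object."""
    return poll_task(task_status_path(7), make_sample_fetch(SAMPLE_RESPONSES), sleep=lambda _: None)


if __name__ == "__main__":
    final = run_demo()
    print(final["status"], final["number_of_dependents"], component_summary(final))
```

The poll budget matters in practice: a task stuck in PAUSED or INTERRUPTED should surface as an error in the calling automation rather than spin forever, and the per-component summary tells the operator which dependency scan did not finish.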

GET /analytics/custom_actions/actions
Retrieves a list of available custom actions.

Retrieves a list of available custom actions.


Table 1496. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 1497. GET /analytics/custom_actions/actions request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1498. GET /analytics/custom_actions/actions response codes

HTTP Response Code | Unique Code | Description
200 | | The requested list of custom actions has been successfully retrieved.
500 | 1020 | An internal server error occurred while retrieving custom actions.

Response Description

Array of available custom actions, each containing the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",

"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions
Creates a new custom action with the supplied fields.

Creates a new custom action with the supplied fields. The custom action must contain the following fields:
v name - Required - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action. Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - Required - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Required - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - Required - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

Table 1499. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 1500. POST /analytics/custom_actions/actions request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1501. POST /analytics/custom_actions/actions request body details

Parameter | Data Type | MIME Type | Description | Sample
custom_action | Object | application/json | Custom action JSON object containing the supplied fields (see above for more details). | { "description": "String", "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 1502. POST /analytics/custom_actions/actions response codes

HTTP Response Code | Unique Code | Description
201 | | A new custom action has been successfully created.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An internal server error occurred while posting the custom action.

Response Description

The newly created custom action with the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/actions/{action_id}
Retrieves a custom action based on the supplied action_id.

Retrieves a custom action based on the supplied action_id.


Table 1503. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 1504. GET /analytics/custom_actions/actions/{action_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Long id of the custom action to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1505. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The requested custom action has been successfully retrieved.
404 | 1002 | The requested custom action could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action with supplied action_id.

Response Description

A custom action containing the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
Updates an existing custom action.

Updates an existing custom action. The custom action should contain the following fields:
v id - Required - Number - Unique ID of the custom action within the QRadar deployment.
v name - Optional - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom
action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action. Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - Optional - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Optional - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - Optional - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

Table 1506. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 1507. POST /analytics/custom_actions/actions/{action_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Number id of the custom action to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1508. POST /analytics/custom_actions/actions/{action_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
custom_action | Object | application/json | Custom action JSON object which can contain the supplied fields (see above for more details). | { "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 1509. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The custom action has been updated.
404 | 1002 | The requested custom action could not be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An internal server error occurred while updating custom action with supplied action_id.

Response Description

The updated custom action with the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
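The create and update descriptions above give the field rules for a custom action body: which fields are required in each case, that parameter_type is fixed or dynamic, that encrypted is a boolean, and that a dynamic value must name an Ariel column. The server answers a bad body with 422/1005, but checking the body before it is sent gives a specific message instead. The Python below is an added example, not code from the IBM guide or the QRadar project. It encodes those rules for both the POST create and POST update forms; the Ariel column set is a constructed stand-in for what GET /api/ariel/databases/{database_name} returns, and the check for fixed parameters that look like credentials but are stored with encrypted=false is this example's own heuristic, not a rule from the guide.

```python
"""Client-side validation of a custom action body before it is sent to
POST /analytics/custom_actions/actions (create) or
POST /analytics/custom_actions/actions/{action_id} (update).

Added example; not part of the IBM QRadar API Guide. The Ariel column set is
constructed, and the secret-name heuristic is this example's assumption.
"""
from typing import Any, Dict, List, Set

VALID_PARAMETER_TYPES = {"fixed", "dynamic"}

# Constructed stand-in for the column names of the "events" Ariel database
# (a real client would fetch them from /api/ariel/databases/events).
SAMPLE_EVENTS_COLUMNS: Set[str] = {
    "sourceip", "destinationip", "sourceport", "destinationport",
    "username", "qid", "starttime", "magnitude",
}

# Heuristic (this example's assumption): fixed parameters with these substrings
# in their name usually carry credentials for the script and should be stored
# with encrypted=true.
SECRET_NAME_HINTS = ("token", "password", "secret", "apikey", "api_key")


def validate_custom_action(action: Dict[str, Any], ariel_columns: Set[str],
                           updating: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the body satisfies the documented rules."""
    errors: List[str] = []
    # Top-level required fields differ between create (name) and update (id).
    required = ["interpreter", "script", "parameters", "id" if updating else "name"]
    for field in required:
        if field not in action:
            errors.append(f"missing required field '{field}'")
    for field in ("id", "interpreter", "script"):
        value = action.get(field)
        if field in action and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"'{field}' must be a number")
    if "name" in action and not str(action["name"]).strip():
        errors.append("'name' must not be empty")

    params = action.get("parameters")
    if not isinstance(params, list):
        if "parameters" in action:
            errors.append("'parameters' must be an array")
        return errors

    seen: Set[str] = set()
    for idx, p in enumerate(params):
        where = f"parameters[{idx}]"
        name = p.get("name")
        if not name:
            errors.append(f"{where}: 'name' is required")
        elif name in seen:
            errors.append(f"{where}: duplicate parameter name '{name}'")
        else:
            seen.add(name)

        ptype = p.get("parameter_type")
        if ptype is None:
            if not updating:
                errors.append(f"{where}: 'parameter_type' is required")
        elif ptype not in VALID_PARAMETER_TYPES:
            errors.append(f"{where}: parameter_type must be 'fixed' or 'dynamic', got {ptype!r}")

        encrypted = p.get("encrypted")
        if encrypted is None:
            if not updating:
                errors.append(f"{where}: 'encrypted' is required")
        elif not isinstance(encrypted, bool):
            errors.append(f"{where}: 'encrypted' must be a boolean")

        value = p.get("value")
        if value is None:
            if not updating:
                errors.append(f"{where}: 'value' is required")
        elif ptype == "dynamic" and value not in ariel_columns:
            # Dynamic values are resolved against event/flow columns when the action
            # runs, so an unknown column name would only fail later, inside the action.
            errors.append(f"{where}: dynamic value {value!r} is not an Ariel column")
    return errors


def unencrypted_secret_parameters(action: Dict[str, Any]) -> List[str]:
    """Names of fixed parameters that look like credentials but are stored in clear."""
    flagged: List[str] = []
    for p in action.get("parameters") or []:
        name = str(p.get("name", "")).lower()
        if (p.get("parameter_type") == "fixed" and p.get("encrypted") is False
                and any(hint in name for hint in SECRET_NAME_HINTS)):
            flagged.append(p["name"])
    return flagged


# Constructed request body for a create call (placeholder values, not real IDs).
SAMPLE_CREATE_BODY: Dict[str, Any] = {
    "name": "Block source on firewall",
    "description": "Pushes the offending source IP to the firewall API",
    "interpreter": 1,
    "script": 3,
    "parameters": [
        {"name": "src", "parameter_type": "dynamic", "encrypted": False, "value": "sourceip"},
        {"name": "fw_api_token", "parameter_type": "fixed", "encrypted": False, "value": "placeholder"},
    ],
}

if __name__ == "__main__":
    print(validate_custom_action(SAMPLE_CREATE_BODY, SAMPLE_EVENTS_COLUMNS))
    print(unencrypted_secret_parameters(SAMPLE_CREATE_BODY))
```

The sample body passes the documented rules but the second function flags fw_api_token: a fixed value that a script will use as a credential is returned in clear by every GET on the action unless it was stored with encrypted set to true, which is worth catching before the action is created.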

DELETE /analytics/custom_actions/actions/{action_id}
Deletes an existing custom action.

Deletes an existing custom action.


Table 1510. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 1511. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
action_id | path | Required | Number (Integer) | text/plain | Number id of the custom action you wish to delete.

Table 1512. DELETE /analytics/custom_actions/actions/{action_id} response codes

HTTP Response Code | Unique Code | Description
204 | | The custom action has been deleted.
404 | 1002 | The requested custom action could not be found.
500 | 1020 | An internal server error occurred while deleting custom action with supplied action_id.

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters
Retrieves a list of available custom action interpreters.

Retrieves a list of available custom action interpreters.


Table 1513. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Table 1514. GET /analytics/custom_actions/interpreters request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1515. GET /analytics/custom_actions/interpreters response codes

HTTP Response Code | Unique Code | Description
200 | | The requested list of custom action interpreters has been retrieved.
500 | 1020 | An internal server error occurred while retrieving available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id}
Retrieves a custom action interpreter based on supplied interpreter_id.

Retrieves a custom action interpreter based on supplied interpreter_id.


Table 1516. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 1517. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
interpreter_id | path | Required | Number (Integer) | text/plain | Number id of custom action interpreter to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1518. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The requested custom action interpreter has been retrieved.
404 | 1002 | The requested custom action interpreter could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action interpreter with supplied interpreter_id.

Response Description

A custom action interpreter with the following fields:


v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts
Retrieves a list of meta-data for available custom action script files.

Retrieves a list of meta-data for available custom action script files.


Table 1519. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 1520. GET /analytics/custom_actions/scripts request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1521. GET /analytics/custom_actions/scripts response codes

HTTP Response Code | Unique Code | Description
200 | | The requested custom action script file has been retrieved.
500 | 1020 | An internal server error occurred while retrieving available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following fields:
v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts
Creates a new custom action script file. Newly created custom action script files require a deployment
before using.

Creates a new custom action script file. Newly created custom action script files require a deployment before they can be used. Users can include an optional HTTP header file_name containing the custom action script file name. If it is not specified, the file name defaults to the script ID of the uploaded file.

Table 1522. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 1523. POST /analytics/custom_actions/scripts request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1524. POST /analytics/custom_actions/scripts request body details

Parameter | Data Type | MIME Type | Description | Sample
file | File | application/octet-stream | Required. The custom action script file. Must be supplied with MIME type application/octet-stream. | File

Table 1525. POST /analytics/custom_actions/scripts response codes

HTTP Response Code | Unique Code | Description
201 | | A custom action script file has been created.
500 | 1020 | An internal server error occurred while posting custom action script file.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script within the QRadar deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id}
Retrieves meta-data of a custom action script file based on supplied script_id.

Retrieves meta-data of a custom action script file based on supplied script_id.


Table 1526. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 1527. GET /analytics/custom_actions/scripts/{script_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1528. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The requested custom action script file has been retrieved.
404 | 1002 | The requested custom action script file could not be found.
500 | 1020 | An internal server error occurred while retrieving custom action script file meta-data with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id}
Updates an existing custom action script file. Updated custom action script files require a deployment
before using.

Updates an existing custom action script file. Updated custom action script files require a deployment before they can be used. Users can include an optional HTTP header file_name containing the custom action script file name. If it is not specified, the file name defaults to the script ID of the uploaded file.

Table 1529. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 1530. POST /analytics/custom_actions/scripts/{script_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1531. POST /analytics/custom_actions/scripts/{script_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
file | File | application/octet-stream | Required. The custom action script file. Must be supplied with MIME type application/octet-stream. | File

Table 1532. POST /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The custom action script file has been updated.
404 | 1002 | The requested custom action script file could not be found.
500 | 1020 | An internal server error occurred while updating custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id}
Deletes an existing custom action script file.

Deletes an existing custom action script file.


Table 1533. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 1534. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
script_id | path | Required | Number (Integer) | text/plain | Number id of the custom action script file to be deleted.

Table 1535. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response Code | Unique Code | Description
204 | | The custom action script file has been deleted.
404 | 1002 | The requested custom action script file could not be found.
422 | 1005 | The requested custom action script file is tied to an existing custom action.
500 | 1020 | An internal server error occurred while deleting custom action script file with supplied script_id.

Response Description

Empty response with a 204 successful response code.

Response Sample
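
The script endpoints above take the script body as a raw application/octet-stream request body, with the file name in an optional file_name header, and a script that is still tied to a custom action cannot be deleted (422/1005). The Python below is an added example, not code from the IBM guide or the QRadar project: it assembles the upload request for both the create and the update form, records a SHA-256 of the uploaded body so what went to the console can be reviewed later (a later GET returns only meta-data, never the script itself), and cross-references the actions and scripts lists to find scripts that no action references. The SEC and Version request headers, the placeholder token, and the sample inventory are assumptions or constructed data that this page does not describe.

```python
"""Upload a custom action script and inventory which scripts custom actions reference.

Added example; not part of the IBM QRadar API Guide. The SEC token and Version
headers are assumptions about the QRadar REST API not described on this page;
the HTTP send is injected so the module runs offline against constructed data.
"""
import hashlib
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

# send(method, path, headers, body) -> (http_status, response_body)
HttpSend = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def build_script_upload(script_bytes: bytes, sec_token: str,
                        file_name: Optional[str] = None,
                        script_id: Optional[int] = None,
                        api_version: str = "9.0") -> Dict[str, Any]:
    """Assemble the raw-body request for POST .../scripts (create) or
    POST .../scripts/{script_id} (update), plus a SHA-256 of the body."""
    if not script_bytes:
        raise ValueError("script body is empty")
    path = "/api/analytics/custom_actions/scripts"
    if script_id is not None:
        path += f"/{script_id}"
    headers = {
        "SEC": sec_token,                            # assumption: authorized-service token header
        "Version": api_version,                      # assumption: API version selector header
        "Accept": "application/json",
        "Content-Type": "application/octet-stream",  # required by the request body table above
    }
    if file_name:
        headers["file_name"] = file_name             # optional header named in the description above
    return {"method": "POST", "path": path, "headers": headers, "body": script_bytes,
            "sha256": hashlib.sha256(script_bytes).hexdigest()}


def upload_script(send: HttpSend, script_bytes: bytes, sec_token: str,
                  file_name: Optional[str] = None,
                  script_id: Optional[int] = None) -> Dict[str, Any]:
    """Send the request and interpret the documented success codes
    (201 on create, 200 on update); anything else is raised."""
    req = build_script_upload(script_bytes, sec_token, file_name, script_id)
    status, body = send(req["method"], req["path"], req["headers"], req["body"])
    expected = 200 if script_id is not None else 201
    if status != expected:
        raise RuntimeError(f"upload failed: HTTP {status} for {req['path']}")
    meta = json.loads(body)
    # Keep the hash next to the returned id: this is the only record of what was
    # uploaded, since the GET endpoints return meta-data only.
    return {"id": meta["id"], "file_name": meta.get("file_name"), "sha256": req["sha256"]}


def script_usage(actions: List[Dict[str, Any]], scripts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Cross-reference GET .../actions and GET .../scripts: which actions use each script
    and which scripts are referenced by no action. DELETE on a script still tied to an
    action is rejected with 422/1005, so only the orphans can be removed."""
    used: Dict[int, List[str]] = {s["id"]: [] for s in scripts}
    dangling: List[str] = []
    for a in actions:
        sid = a.get("script")
        if sid in used:
            used[sid].append(a["name"])
        else:
            dangling.append(a["name"])  # action points at a script id that is not listed
    orphans = sorted(sid for sid, names in used.items() if not names)
    return {"used_by": used, "orphan_script_ids": orphans, "actions_missing_script": dangling}


# Constructed inventory data (placeholders, not from a real deployment).
SAMPLE_SCRIPTS = [{"id": 3, "file_name": "block_source.sh"}, {"id": 4, "file_name": "notify.py"},
                  {"id": 5, "file_name": "old_enrich.py"}]
SAMPLE_ACTIONS = [{"id": 11, "name": "Block source on firewall", "script": 3},
                  {"id": 12, "name": "Page on-call", "script": 4},
                  {"id": 13, "name": "Legacy enrich", "script": 8}]


def fake_send(method: str, path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Offline stand-in for the HTTP client: insists on the documented MIME type and
    answers like the console would for a create (201) or an update (200). When no
    file_name header is sent, the name defaults to the script id, as described above."""
    if headers.get("Content-Type") != "application/octet-stream":
        return 500, "{}"
    is_create = path.endswith("/scripts")
    new_id = 6 if is_create else int(path.rsplit("/", 1)[1])
    meta = {"id": new_id, "file_name": headers.get("file_name", str(new_id))}
    return (201 if is_create else 200), json.dumps(meta)


def run_demo() -> Dict[str, Any]:
    token = "SEC-TOKEN-PLACEHOLDER"  # placeholder, not a real token
    created = upload_script(fake_send, b"#!/bin/sh\necho placeholder\n", token, file_name="demo.sh")
    updated = upload_script(fake_send, b"#!/bin/sh\necho placeholder v2\n", token, script_id=4)
    return {"created": created, "updated": updated,
            "usage": script_usage(SAMPLE_ACTIONS, SAMPLE_SCRIPTS)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Both upload forms still need a deployment before the script is used, so the recorded hash is what a reviewer compares against the deployed file; the orphan list is the safe input for DELETE, and an action whose script id is missing from the scripts list is worth investigating before the next deployment.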

GET /analytics/rule_groups
Retrieves a list of the rule groups.

Retrieves a list of the rule groups.


Table 1536. GET /analytics/rule_groups resource details
MIME Type
application/json

Table 1537. GET /analytics/rule_groups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1538. GET /analytics/rule_groups response codes

HTTP Response Code | Unique Code | Description
200 | | The rule groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the rule groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
  {
    "child_groups": [42],
    "child_items": ["String"],
    "description": "String",
    "id": 42,
    "level": 42,
    "modified_time": 42,
    "name": "String",
    "owner": "String",
    "parent_id": 42,
    "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
  }
]
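The following is an added example, not code from the IBM guide or from QRadar, showing how a client pages through this endpoint with the Range, filter and fields parameters from Table 1537 and then resolves each group's full path from the parent_id links in the Group objects. It assumes a transport callable send(method, path, headers, params) that returns (status, payload) and adds the console URL and authentication headers itself; the "items=start-end" form of the Range header is the guide's paging syntax, and FakeConsole is a constructed stand-in for the endpoint so the code runs offline.

```python
"""Page through GET /analytics/rule_groups with Range, filter and fields.

Added example, not code from the IBM guide or from QRadar. It assumes a
transport send(method, path, headers, params) -> (status, payload) that
adds the console URL and auth headers; "items=start-end" is the Range
form of the guide's paging syntax. FakeConsole is a constructed offline
stand-in for the endpoint.
"""


def list_rule_groups(send, fields=None, filter_expr=None, page_size=50):
    """Yield every rule group, asking for page_size items per request.

    Range is zero-indexed and inclusive, so items=0-49 is the first 50
    groups. fields trims the response objects (e.g. "id,name,parent_id") and
    filter_expr is handed through as the endpoint's filter parameter.
    """
    params = {}
    if fields:
        params["fields"] = fields
    if filter_expr:
        params["filter"] = filter_expr
    start = 0
    while True:
        headers = {"Range": f"items={start}-{start + page_size - 1}"}
        status, page = send("GET", "/api/analytics/rule_groups", headers, params)
        if status != 200:
            raise RuntimeError(f"GET /analytics/rule_groups -> HTTP {status}: {page}")
        yield from page
        if len(page) < page_size:  # a short page means the list is exhausted
            return
        start += page_size


def group_paths(groups):
    """Map group id -> "parent / child" path, following parent_id links.

    Needs id, name and parent_id in every object, so do not trim them away
    with fields when you intend to call this.
    """
    by_id = {g["id"]: g for g in groups}

    def path(g, depth=0):
        parent = by_id.get(g.get("parent_id"))
        if parent is None or depth > len(by_id):  # top level, or a broken cycle
            return g["name"]
        return path(parent, depth + 1) + " / " + g["name"]

    return {g["id"]: path(g) for g in groups}


class FakeConsole:
    """Constructed stand-in: group 1 is the root, groups 2..n are its children."""

    def __init__(self, n_groups):
        self.groups = [
            {"id": i, "name": f"group-{i}", "type": "RULE_GROUP",
             "parent_id": None if i == 1 else 1, "level": 0 if i == 1 else 1,
             "owner": "admin", "description": "", "modified_time": 1500000000000 + i,
             "child_group_ids": list(range(2, n_groups + 1)) if i == 1 else []}
            for i in range(1, n_groups + 1)
        ]
        self.ranges = []  # Range header of each request, for inspection
        self.last_params = {}

    def __call__(self, method, path, headers, params):
        if method != "GET" or path != "/api/analytics/rule_groups":
            return 404, {"code": 1002, "message": "not found"}
        self.ranges.append(headers["Range"])
        self.last_params = dict(params)
        lo, hi = (int(x) for x in headers["Range"].split("=", 1)[1].split("-"))
        page = self.groups[lo:hi + 1]
        if "fields" in params:  # keep only the named top-level fields
            keep = [f.strip() for f in params["fields"].split(",")]
            page = [{k: g[k] for k in keep if k in g} for g in page]
        return 200, page
```

The stop condition is a short page rather than an empty one, which saves one round trip when the total is not a multiple of page_size; when it is, the final request returns an empty list and the generator ends there.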

GET /analytics/rule_groups/{group_id}
Retrieves a rule group.



Table 1539. GET /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

7 Previous REST API versions 705


Table 1540. GET /analytics/rule_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1541. GET /analytics/rule_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The rule group was retrieved.
404 | 1002 | The rule group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rule group.

Response Description

A single Group object. A Group object contains the following fields:
- id - Long - The ID of the group.
- parent_id - Long - The ID of the parent group (default resources can have localized names).
- type - String - The type of the group.
- level - Long - The depth of the group in the group hierarchy.
- name - String - The name of the group (default resources can have localized names).
- description - String - The description of the group (default resources can have localized names).
- owner - String - The owner of the group.
- modified_time - Long - The time in milliseconds since epoch since the group was last modified.
- child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [42],
  "child_items": ["String"],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /analytics/rule_groups/{group_id}
Updates the owner of a rule group.



Table 1542. POST /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 1543. POST /analytics/rule_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1544. POST /analytics/rule_groups/{group_id} request body details

Parameter | Data Type | MIME Type | Description
group | Object | application/json | Required - Group object with the owner set to a valid deployed user.

Sample:
{
  "child_groups": [42],
  "child_items": ["String"],
  "description": "String",
  "id": 42,
  "level": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1545. POST /analytics/rule_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The rule group was updated.
404 | 1002 | The rule group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the rule group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the rule group.

Response Description

The updated Group object. A Group object contains the following fields:
- id - Long - The ID of the group.
- parent_id - Long - The ID of the parent group (default resources can have localized names).
- type - String - The type of the group.
- level - Long - The depth of the group in the group hierarchy.
- name - String - The name of the group (default resources can have localized names).
- description - String - The description of the group (default resources can have localized names).
- owner - String - The owner of the group.
- modified_time - Long - The time in milliseconds since epoch since the group was last modified.
- child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [42],
  "child_items": ["String"],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /analytics/rule_groups/{group_id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Table 1546. DELETE /analytics/rule_groups/{group_id} resource details
MIME Type
text/plain

Table 1547. DELETE /analytics/rule_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 1548. DELETE /analytics/rule_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
202 | | The rule delete command was accepted and is in progress.
404 | 1002 | The rule does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

GET /analytics/rules
Retrieves a list of rules.



Table 1549. GET /analytics/rules resource details
MIME Type
application/json

Table 1550. GET /analytics/rules request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1551. GET /analytics/rules response codes

HTTP Response Code | Unique Code | Description
200 | | The rules were retrieved.
422 | 1010 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the rules.

Response Description

An array of rule objects. A rule object contains the following fields:
- id - Long - The ID of the rule.
- name - String - The name of the rule.
- type - String - The type of rule: EVENT, FLOW, COMMON, USER.
- enabled - Boolean - True if the rule is enabled.
- owner - String - The owner of the rule.
- origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
- base_capacity - Long - The base capacity of the rule in events per second.
- base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
- average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
- capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

Response Sample
[
  {
    "average_capacity": 42,
    "base_capacity": 42,
    "base_host_id": 42,
    "capacity_timestamp": {
      "date": 42,
      "day": 42,
      "hours": 42,
      "minutes": 42,
      "month": 42,
      "seconds": 42,
      "time": 42,
      "timezone_offset": 42,
      "year": 42
    },
    "enabled": true,
    "id": 42,
    "name": "String",
    "origin": "String <one of: SYSTEM, OVERRIDE, USER>",
    "owner": "String",
    "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
  }
]

GET /analytics/rules/rule_delete_tasks/{task_id}
Retrieves the delete rule task status.


Table 1552. GET /analytics/rules/rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1553. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1554. GET /analytics/rules/rule_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/rules/rule_dependent_tasks/{task_id}
Retrieves the dependent rule task status.



Table 1555. GET /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1556. GET /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1557. GET /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested the cancellation of the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects that were checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
    – message - String - The localized sub-task status message.
    – status - String - The current state of the sub-task.
    – sub_task_type - String - The type of the sub-task.
    – maximum - Long - The maximum number of objects to check for dependency.
    – progress - Long - The number of objects that were checked for dependency.
    – created - Long - The time in milliseconds since epoch since the sub-task was created.
    – started - Long - The time in milliseconds since epoch since the sub-task was started.
    – modified - Long - The time in milliseconds since epoch since the sub-task was modified.
    – completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

POST /analytics/rules/rule_dependent_tasks/{task_id}
Cancels the dependent rule task.

Table 1558. POST /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1559. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1560. POST /analytics/rules/rule_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description
task | Object | application/json | null

Sample:
{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1561. POST /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- cancelled_by - String - The name of the user who requested cancellation of the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.
- number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
- maximum - Long - The maximum number of objects to check for dependency.
- progress - Long - The number of objects that were checked for dependency.
- task_components - Array - An array of task component objects. A task component object contains the following fields:
    – message - String - The localized sub-task status message.
    – status - String - The current state of the sub-task.
    – sub_task_type - String - The type of the sub-task.
    – maximum - Long - The maximum number of objects to check for dependency.
    – progress - Long - The number of objects that were checked for dependency.
    – created - Long - The time in milliseconds since epoch since the sub-task was created.
    – started - Long - The time in milliseconds since epoch since the sub-task was started.
    – modified - Long - The time in milliseconds since epoch since the sub-task was modified.
    – completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

GET /analytics/rules/rule_dependent_tasks/{task_id}/results
Retrieves the rule dependent task results.



Table 1562. GET /analytics/rules/rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1563. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1564. GET /analytics/rules/rule_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The rule dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
- dependent_id - String - The ID of the dependent resource.
- dependent_name - String - The name of the dependent resource (default resources can have localized names).
- dependent_owner - String - The owner of the dependent resource.
- dependent_type - String - The type of the dependent resource.
- dependent_database - String - The database of the dependent resource.
- dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
- user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
  {
    "blocking": true,
    "dependent_database": "String <one of: EVENTS, FLOWS>",
    "dependent_group_ids": [42],
    "dependent_id": "String",
    "dependent_name": "String",
    "dependent_owner": "String",
    "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
    "user_has_edit_permissions": true
  }
]
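As an added example, not code from the IBM guide or from QRadar, the following triages the Dependent objects this endpoint returns before a rule is deleted or handed to a new owner: it counts dependents per dependent_type, separates the blocking ones from the rest, and collects the owners of dependents that the task's creator cannot edit. SAMPLE_RESULTS is constructed in the shape of the Response Sample above; reading blocking as "stops the deletion" and user_has_edit_permissions as "the task's creator can detach this dependent themselves" is this example's interpretation of those two fields.

```python
"""Triage the results of GET /analytics/rules/rule_dependent_tasks/{task_id}/results.

Added example, not code from the IBM guide or from QRadar. SAMPLE_RESULTS is
constructed in the shape of the endpoint's Response Sample; the meaning given
to "blocking" and "user_has_edit_permissions" is this example's assumption.
"""
from collections import defaultdict


def triage_dependents(results):
    """Summarise a results list into what an analyst needs before acting.

    Returns counts per dependent_type, the blocking dependents, the ones the
    task creator cannot edit (plus their owners), and a safe_to_delete flag.
    """
    counts = defaultdict(int)
    blocking, not_editable, owners = [], [], set()
    for dep in results:
        label = f'{dep["dependent_type"]} {dep["dependent_id"]} "{dep["dependent_name"]}"'
        counts[dep["dependent_type"]] += 1
        if dep.get("blocking", False):
            blocking.append(label)
        if not dep.get("user_has_edit_permissions", False):
            not_editable.append(label)
            owners.add(dep.get("dependent_owner", "<unknown>"))
    return {
        "counts": dict(counts),
        "blocking": blocking,
        "not_editable": not_editable,
        "owners_to_contact": sorted(owners),
        "safe_to_delete": not blocking,
    }


def next_action(summary):
    """Turn the summary into the single next step for the analyst."""
    if summary["safe_to_delete"]:
        return "delete"
    if summary["not_editable"]:
        return "ask " + ", ".join(summary["owners_to_contact"]) + " to detach their dependents"
    return "detach blocking dependents, then re-run the dependency check"


# Constructed sample in the shape of the endpoint's Response Sample.
SAMPLE_RESULTS = [
    {"dependent_id": "1031", "dependent_name": "Weekly Firewall Denies",
     "dependent_owner": "admin", "dependent_type": "REPORT",
     "dependent_database": "EVENTS", "dependent_group_ids": [3],
     "blocking": False, "user_has_edit_permissions": True},
    {"dependent_id": "100205", "dependent_name": "Denies by Source",
     "dependent_owner": "soc_analyst", "dependent_type": "ARIEL_SAVED_SEARCH",
     "dependent_database": "EVENTS", "dependent_group_ids": [],
     "blocking": True, "user_has_edit_permissions": False},
    {"dependent_id": "100418", "dependent_name": "Denies Followed by Accept",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE",
     "dependent_database": "EVENTS", "dependent_group_ids": [3, 9],
     "blocking": True, "user_has_edit_permissions": True},
]

if __name__ == "__main__":
    summary = triage_dependents(SAMPLE_RESULTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("next action:", next_action(summary))
```

The missing-field defaults are deliberate: a dependent with no user_has_edit_permissions is treated as not editable, and one with no blocking flag as non-blocking, so a trimmed response (the fields parameter) errs on the side of asking a human rather than deleting.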

GET /analytics/rules/{id}
Retrieves a rule.

Table 1565. GET /analytics/rules/{id} resource details
MIME Type
application/json

Table 1566. GET /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1567. GET /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The rule was retrieved.
404 | 1002 | The rule does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rule.

Response Description

The rule after it is retrieved. A rule object contains the following fields:
- id - Long - The ID of the rule.
- name - String - The name of the rule.
- type - String - The type of rule: EVENT, FLOW, COMMON, USER.
- enabled - Boolean - True if the rule is enabled.
- owner - String - The owner of the rule.
- origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
- base_capacity - Long - The base capacity of the rule in events per second.
- base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
- average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
- capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

Response Sample
{
  "average_capacity": 42,
  "base_capacity": 42,
  "base_host_id": 42,
  "capacity_timestamp": {
    "date": 42,
    "day": 42,
    "hours": 42,
    "minutes": 42,
    "month": 42,
    "seconds": 42,
    "time": 42,
    "timezone_offset": 42,
    "year": 42
  },
  "enabled": true,
  "id": 42,
  "name": "String",
  "origin": "String <one of: SYSTEM, OVERRIDE, USER>",
  "owner": "String",
  "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/rules/{id}
Updates the rule owner or enabled/disabled only.



Table 1568. POST /analytics/rules/{id} resource details
MIME Type
application/json

Table 1569. POST /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1570. POST /analytics/rules/{id} request body details

Parameter | Data Type | MIME Type | Description
rule | Object | application/json | Required - Rule object.

Sample:
{ "enabled": true, "id": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

Table 1571. POST /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The rule was updated.
403 | 1009 | You do not have the required capabilities to update the rule.
404 | 1002 | The rule does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the rule.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the rule.

Response Description

The rule after it is updated. A rule object contains the following fields:
- id - Long - The ID of the rule.
- name - String - The name of the rule.
- type - String - The type of rule: EVENT, FLOW, COMMON, USER.
- enabled - Boolean - True if the rule is enabled.
- owner - String - The owner of the rule.
- origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
- base_capacity - Long - The base capacity of the rule in events per second.
- base_host_id - Long - The ID of the host from which the rule's base capacity was determined.
- average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.
- capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

Response Sample
{
  "average_capacity": 42,
  "base_capacity": 42,
  "base_host_id": 42,
  "capacity_timestamp": {
    "date": 42,
    "day": 42,
    "hours": 42,
    "minutes": 42,
    "month": 42,
    "seconds": 42,
    "time": 42,
    "timezone_offset": 42,
    "year": 42
  },
  "enabled": true,
  "id": 42,
  "name": "String",
  "origin": "String <one of: SYSTEM, OVERRIDE, USER>",
  "owner": "String",
  "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/rules/{id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Table 1572. DELETE /analytics/rules/{id} resource details
MIME Type
application/json

Table 1573. DELETE /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1574. DELETE /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
202 | | The rule delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the rule.
404 | 1002 | The rule does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
- id - Long - The ID of the task.
- message - String - The localized task message.
- status - String - The current state of the task.
- name - String - The name of the task.
- created_by - String - The name of the user who started the task.
- created - Long - The time in milliseconds since epoch since the task was created.
- started - Long - The time in milliseconds since epoch since the task was started.
- modified - Long - The time in milliseconds since epoch since the task was modified.
- completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
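The following is an added example, not code from the IBM guide or from QRadar, that drives the two asynchronous flows described on this page end to end: DELETE /analytics/rules/{id}, whose 202 answer carries a Delete Task Status object and a Location header pointing at /api/analytics/rules/rule_delete_tasks/{task_id}, and the dependency scan started by GET /analytics/rules/{id}/dependents, which is polled at /api/analytics/rules/rule_dependent_tasks/{task_id}, asked to stop with POST {"status": "CANCEL_REQUESTED"} when it overruns a deadline, and read back from /results once COMPLETED. It assumes a transport callable send(method, path, body=None) that returns (status, headers, payload) and adds the console URL and authentication headers itself; the split of the status enum into terminal and in-progress values is this example's reading of the values listed in the response samples, and FakeConsole is a constructed stand-in so the flow runs offline.

```python
"""Drive QRadar's asynchronous rule tasks: a delete and a dependency scan.

Added example, not code from the IBM guide or from QRadar. It assumes a
transport send(method, path, body=None) -> (status, headers, payload) that
adds the console URL and auth headers; FakeConsole is a constructed
offline stand-in for the console.
"""
import time

# Terminal values of the task status enum shown in the response samples; the
# other values (QUEUED, INITIALIZING, PROCESSING, PAUSED, RESUMING,
# CANCEL_REQUESTED, CANCELING) mean the task is still running.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def wait_for_task(send, location, timeout_s=60.0, poll_s=2.0, cancel_on_timeout=False):
    """Poll the Location URL until a terminal status; returns (task, polls).

    After the deadline a dependent task is asked to stop with
    POST {"status": "CANCEL_REQUESTED"}; delete tasks have no cancel call.
    """
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        status, _, task = send("GET", location)
        polls += 1
        if status != 200:
            raise RuntimeError(f"GET {location} -> HTTP {status}")
        if task["status"] in TERMINAL:
            return task, polls
        if time.monotonic() >= deadline:
            if cancel_on_timeout:
                send("POST", location, {"status": "CANCEL_REQUESTED"})
            raise TimeoutError(f"task {task['id']} still {task['status']} after {timeout_s}s")
        time.sleep(poll_s)


def find_rule_dependents(send, rule_id, **poll_opts):
    """Start the dependency scan for a rule and return its /results list."""
    status, headers, _ = send("GET", f"/api/analytics/rules/{rule_id}/dependents")
    if status != 202:
        raise RuntimeError(f"dependents scan not accepted: HTTP {status}")
    task, _ = wait_for_task(send, headers["Location"], cancel_on_timeout=True, **poll_opts)
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependents scan ended {task['status']}: {task['message']}")
    _, _, results = send("GET", headers["Location"] + "/results")
    return results


def delete_rule(send, rule_id, **poll_opts):
    """DELETE the rule, wait for its delete task and return the final task."""
    status, headers, _ = send("DELETE", f"/api/analytics/rules/{rule_id}")
    if status == 403:
        raise PermissionError("no capability to delete this rule (403 1009)")
    if status == 409:
        raise RuntimeError("deletion refused (409 1004): dependency check conflict")
    if status != 202:
        raise RuntimeError(f"delete not accepted: HTTP {status}")
    return wait_for_task(send, headers["Location"], **poll_opts)[0]


class FakeConsole:
    """Constructed stand-in: a task reaches COMPLETED on its Nth status poll."""

    def __init__(self, polls_until_done=3):
        self.rules = {42: "Excessive Firewall Denies"}  # constructed rule
        self.tasks = {}
        self.polls_until_done = polls_until_done

    def _start(self, kind, rule_id):
        tid = 100 + len(self.tasks)
        self.tasks[tid] = {"id": tid, "status": "QUEUED", "message": "",
                           "kind": kind, "rule_id": rule_id, "polls": 0}
        return 202, {"Location": f"/api/analytics/rules/{kind}/{tid}"}, dict(self.tasks[tid])

    def __call__(self, method, path, body=None):
        p = path.strip("/").split("/")  # ["api", "analytics", "rules", ...]
        if method == "DELETE" and len(p) == 4 and int(p[3]) in self.rules:
            return self._start("rule_delete_tasks", int(p[3]))
        if method == "GET" and len(p) == 5 and p[4] == "dependents" and int(p[3]) in self.rules:
            return self._start("rule_dependent_tasks", int(p[3]))
        if len(p) == 5 and p[3] in ("rule_delete_tasks", "rule_dependent_tasks"):
            task = self.tasks[int(p[4])]
            if method == "POST":  # cancel request on a dependent task
                task["status"] = "CANCELLED"
            elif task["status"] not in TERMINAL:
                task["polls"] += 1
                task["status"] = "PROCESSING" if task["polls"] < self.polls_until_done else "COMPLETED"
                if task["status"] == "COMPLETED" and task["kind"] == "rule_delete_tasks":
                    self.rules.pop(task["rule_id"], None)
            return 200, {}, dict(task)
        if len(p) == 6 and p[5] == "results":
            return 200, {}, [{"dependent_id": "1031", "dependent_type": "REPORT",
                              "dependent_name": "Weekly Firewall Denies",
                              "blocking": False, "user_has_edit_permissions": True}]
        return 404, {}, {"code": 1002, "message": "not found"}
```

Calling find_rule_dependents before delete_rule is the defensive order: the dependency results show what stops working if the rule goes, and a 409 from the DELETE itself is only the console's last line of defence.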

GET /analytics/rules/{id}/dependents
Retrieves the objects that depend on the rule.



Table 1575. GET /analytics/rules/{id}/dependents resource details
MIME Type
application/json

Table 1576. GET /analytics/rules/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

7 Previous REST API versions 723


Table 1577. GET /analytics/rules/{id}/dependents response codes

HTTP Response Code  Unique Code  Description
202                              The rule dependents retrieval was accepted and is in progress.
403                 1009         null
404                 1002         The rule does not exist.
500                 1020         An error occurred during the attempt to initiate the rule dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of Task Component objects. A Task Component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

Ariel endpoints
Use the references for REST API V8.0 Ariel endpoints.

GET /ariel/databases
Retrieves a list of available Ariel database names.

Retrieves a list of available Ariel databases.


Table 1578. GET /ariel/databases resource details
MIME Type
application/json

Table 1579. GET /ariel/databases request parameter details

Parameter  Type    Optionality  Data Type  MIME Type   Description
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1580. GET /ariel/databases response codes

HTTP Response Code  Unique Code  Description
200                              The database list was retrieved.

Response Description

The names of the available Ariel databases.

Response Sample
[
  "String"
]

GET /ariel/databases/{database_name}
Retrieves the columns that are defined for a specific Ariel database.

Retrieves the columns that are defined for the specified Ariel database. This is the set of columns that can
be explicitly named in the column list of a SELECT query.
Table 1581. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 1582. GET /ariel/databases/{database_name} request parameter details

Parameter      Type    Optionality  Data Type  MIME Type   Description
database_name  path    Required     String     text/plain  Required. The name of the Ariel database that contains the columns that you want to retrieve.
fields         query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter         query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range          header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1583. GET /ariel/databases/{database_name} response codes

HTTP Response Code  Unique Code  Description
200                              The database columns were retrieved.
404                 1002         The database does not exist.

Response Description

A list of columns that are defined for the specified database. Multiple properties of each column are
returned. For example, the column name or an indication that the column is indexable.

Response Sample
{
  "columns": [
    {
      "argument_type": "String",
      "indexable": true,
      "name": "String"
    }
  ]
}
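As an added example (not IBM's code) of how the two schema endpoints above can be used defensively: the names returned by GET /ariel/databases and the columns returned by GET /ariel/databases/{database_name} form an allowlist against which caller-supplied column names are checked before an AQL SELECT is assembled. The response bodies are constructed in the documented shape; the AQL fragment and the reading of indexable as a filter-performance hint are assumptions.

```python
"""Allowlist AQL column names from GET /ariel/databases and
GET /ariel/databases/{database_name}. Added example, not IBM's code; the
response shapes follow this guide's Response Samples, while the AQL fragment
and the use of "indexable" as a performance hint are assumptions."""
import json
import re

# Constructed sample bodies in the documented shapes (names are sample values).
SAMPLE_DATABASES_RESPONSE = json.dumps(["events", "flows"])
SAMPLE_COLUMNS_RESPONSE = json.dumps({
    "columns": [
        {"argument_type": "String", "indexable": True, "name": "sourceip"},
        {"argument_type": "String", "indexable": True, "name": "destinationip"},
        {"argument_type": "String", "indexable": False, "name": "username"},
        {"argument_type": "Long", "indexable": False, "name": "eventcount"},
    ]
})

# Only plain identifiers are ever interpolated into the query text; anything
# else is rejected outright rather than escaped.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_databases(body):
    """Set of database names from a GET /ariel/databases body."""
    names = json.loads(body)
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("expected a JSON array of database names")
    return set(names)


def parse_columns(body):
    """Map column name -> column object from a GET /ariel/databases/{name} body."""
    schema = {}
    for col in json.loads(body).get("columns", []):
        name = col.get("name")
        if not isinstance(name, str):
            raise ValueError("column entry without a string name")
        schema[name] = col
    return schema


def column_problems(requested, schema):
    """One reason per requested column that is not an identifier or is not in
    the schema; an empty list means every column is acceptable."""
    problems = []
    for name in requested:
        if not isinstance(name, str) or not _IDENT.match(name):
            problems.append(f"not an identifier: {name!r}")
        elif name not in schema:
            problems.append(f"not in schema: {name!r}")
    return problems


def build_select(database, requested, databases, schema):
    """Return (aql, warnings) for a SELECT over an allowlisted database and
    columns, or raise ValueError. Warnings name non-indexable columns, which
    are assumed to be costly to filter on."""
    if database not in databases or not _IDENT.match(database):
        raise ValueError(f"unknown database: {database!r}")
    if not requested:
        raise ValueError("at least one column is required")
    problems = column_problems(requested, schema)
    if problems:
        raise ValueError("; ".join(problems))
    warnings = [f"{n} is not indexable" for n in requested
                if not schema[n].get("indexable", False)]
    return f"SELECT {', '.join(requested)} FROM {database}", warnings


if __name__ == "__main__":
    dbs = parse_databases(SAMPLE_DATABASES_RESPONSE)
    cols = parse_columns(SAMPLE_COLUMNS_RESPONSE)
    print(build_select("events", ["sourceip", "username"], dbs, cols))
```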

GET /ariel/event_saved_search_groups
Retrieves a list of the event Ariel saved search groups.

Retrieves a list of the event Ariel saved search groups.


Table 1584. GET /ariel/event_saved_search_groups resource details
MIME Type
application/json

Table 1585. GET /ariel/event_saved_search_groups request parameter details

Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1586. GET /ariel/event_saved_search_groups response codes

HTTP Response Code  Unique Code  Description
200                              The event Ariel saved search groups were returned.
500                 1020         An error occurred during the attempt to retrieve the event Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
[
  {
    "child_groups": [ 42 ],
    "child_items": [ "String" ],
    "description": "String",
    "id": 42,
    "level": 42,
    "modified_time": 42,
    "name": "String",
    "owner": "String",
    "parent_id": 42,
    "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
  }
]

GET /ariel/event_saved_search_groups/{group_id}
Retrieves an event Ariel saved search group.

Retrieves an event Ariel saved search group.


Table 1587. GET /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1588. GET /ariel/event_saved_search_groups/{group_id} request parameter details

Parameter  Type   Optionality  Data Type         MIME Type   Description
group_id   path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1589. GET /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
200                              The event Ariel saved search group was retrieved.
404                 1002         The event Ariel saved search group does not exist.
500                 1020         An error occurred during the attempt to retrieve the event Ariel saved search groups.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/event_saved_search_groups/{group_id}
Updates the owner of an event Ariel saved search group.

Updates the owner of an event Ariel saved search group.


Table 1590. POST /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1591. POST /ariel/event_saved_search_groups/{group_id} request parameter details

Parameter  Type    Optionality  Data Type         MIME Type   Description
group_id   path    Required     Number (Integer)  text/plain  null
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1592. POST /ariel/event_saved_search_groups/{group_id} request body details

Parameter  Data Type  MIME Type         Description
group      Object     application/json  Required - Group object with the owner set to a valid deployed user.

Sample:
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1593. POST /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
200                              The event Ariel saved search group was updated.
404                 1002         The event Ariel saved search group does not exist.
409                 1004         The provided user does not have the required capabilities to own the event Ariel saved search group.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the event Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/event_saved_search_groups/{group_id}
Deletes an event Ariel saved search group.

Deletes an event Ariel saved search group.


Table 1594. DELETE /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1595. DELETE /ariel/event_saved_search_groups/{group_id} request parameter details

Parameter  Type  Optionality  Data Type         MIME Type   Description
group_id   path  Required     Number (Integer)  text/plain  null

Table 1596. DELETE /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
204                              The event Ariel saved search group was deleted.
404                 1002         The event Ariel saved search group does not exist.
409                 1004         null
500                 1020         An error occurred during the attempt to delete the event Ariel saved search group.

Response Description

Response Sample

GET /ariel/flow_saved_search_groups
Retrieves a list of flow Ariel saved search groups.

Retrieves a list of flow Ariel saved search groups.


Table 1597. GET /ariel/flow_saved_search_groups resource details
MIME Type
application/json

Table 1598. GET /ariel/flow_saved_search_groups request parameter details

Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1599. GET /ariel/flow_saved_search_groups response codes

HTTP Response Code  Unique Code  Description
200                              The flow Ariel saved search groups were returned.
500                 1020         An error occurred during the attempt to retrieve the flow Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
  {
    "child_groups": [ 42 ],
    "child_items": [ "String" ],
    "description": "String",
    "id": 42,
    "level": 42,
    "modified_time": 42,
    "name": "String",
    "owner": "String",
    "parent_id": 42,
    "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
  }
]

GET /ariel/flow_saved_search_groups/{group_id}
Retrieves a flow Ariel saved search group.

Retrieves a flow Ariel saved search group.


Table 1600. GET /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1601. GET /ariel/flow_saved_search_groups/{group_id} request parameter details

Parameter  Type   Optionality  Data Type         MIME Type   Description
group_id   path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1602. GET /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
200                              The flow Ariel saved search group was retrieved.
404                 1002         The flow Ariel saved search group does not exist.
500                 1020         An error occurred during the attempt to retrieve the flow Ariel saved search group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/flow_saved_search_groups/{group_id}
Updates the owner of a flow Ariel saved search group.

Updates the owner of a flow Ariel saved search group.


Table 1603. POST /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1604. POST /ariel/flow_saved_search_groups/{group_id} request parameter details

Parameter  Type    Optionality  Data Type         MIME Type   Description
group_id   path    Required     Number (Integer)  text/plain  null
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1605. POST /ariel/flow_saved_search_groups/{group_id} request body details

Parameter  Data Type  MIME Type         Description
group      Object     application/json  Required - Group object with the owner set to a valid deployed user.

Sample:
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1606. POST /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
200                              The flow Ariel saved search group was updated.
404                 1002         The flow Ariel saved search group does not exist.
409                 1004         The provided user does not have the required capabilities to own the flow Ariel saved search group.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the flow Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/flow_saved_search_groups/{group_id}
Deletes a flow Ariel saved search group.

Deletes a flow Ariel saved search group.


Table 1607. DELETE /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1608. DELETE /ariel/flow_saved_search_groups/{group_id} request parameter details

Parameter  Type  Optionality  Data Type         MIME Type   Description
group_id   path  Required     Number (Integer)  text/plain  null

Table 1609. DELETE /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response Code  Unique Code  Description
204                              The flow Ariel saved search group was deleted.
404                 1002         The flow Ariel saved search group does not exist.
409                 1004         null
500                 1020         An error occurred during the attempt to delete the flow Ariel saved search group.

Response Description

Response Sample

GET /ariel/saved_search_delete_tasks/{task_id}
Retrieves the delete Ariel saved search task status.

Retrieves the delete Ariel saved search task status.


Table 1610. GET /ariel/saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1611. GET /ariel/saved_search_delete_tasks/{task_id} request parameter details

Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1612. GET /ariel/saved_search_delete_tasks/{task_id} response codes

HTTP Response Code  Unique Code  Description
200                              The delete task status was retrieved.
404                 1002         The delete task status does not exist.
500                 1020         An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /ariel/saved_search_dependent_tasks/{task_id}
Retrieves the dependent Ariel saved search task status.

Retrieves the dependent Ariel saved search task status.


Table 1613. GET /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1614. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter details

Parameter  Type   Optionality  Data Type         MIME Type   Description
task_id    path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1615. GET /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code  Unique Code  Description
200                              The dependent task status was retrieved.
404                 1002         The dependent task status does not exist.
500                 1020         An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}
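As an added example (not IBM's code) that serves the asynchronous endpoints in this chapter, DELETE /analytics/rules/{id}, GET /analytics/rules/{id}/dependents and the Ariel saved search delete and dependent task endpoints above: a client that submits the request, follows the 202 Location header to the task status URL and polls until the status is terminal. The FakeQRadar transport is constructed so the flow runs offline; the SEC and Version request headers in make_sender and the split of the documented status values into terminal and active sets are assumptions.

```python
"""Submit a QRadar asynchronous request and poll its task to completion.
Added example, not IBM's code. The 202 + Location handshake, the task status
URLs and the status values come from this guide; the SEC and Version headers
in make_sender and the terminal/active split of the statuses are assumptions."""
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Status values from the task status Response Samples (split is an assumption).
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
ACTIVE = {"QUEUED", "INITIALIZING", "PROCESSING", "PAUSED", "RESUMING",
          "CANCEL_REQUESTED", "CANCELING"}


class TaskError(RuntimeError):
    """Unexpected HTTP response, unknown status or polling budget exhausted."""


def is_terminal(status):
    """True once the task cannot change state again. An unknown value is an
    error, not 'still running', so a misread status cannot poll forever."""
    if status in TERMINAL:
        return True
    if status in ACTIVE:
        return False
    raise TaskError(f"unknown task status {status!r}")


def make_sender(base_url, sec_token, version="9.0"):
    """Build send(method, path) -> (code, headers, body) over urllib.
    Assumption: authorized-service token in the SEC header, API version in
    the Version header; base_url is the appliance origin."""
    def send(method, path):
        req = urllib.request.Request(base_url + path, method=method, headers={
            "SEC": sec_token, "Version": version, "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, dict(resp.headers), json.loads(raw) if raw else None
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, dict(err.headers), json.loads(raw) if raw else None
    return send


def run_task(send, method, path, max_polls=60, interval_s=2.0, sleep=time.sleep):
    """Issue the request, then poll the Location URL until the task is terminal.
    Returns the final task object. Raises TaskError when the submission is not
    a 202, the Location header is missing, a poll fails or max_polls is hit."""
    code, headers, task = send(method, path)
    if code != 202:
        raise TaskError(f"{method} {path}: expected 202, got {code}: {task}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise TaskError("202 response without a Location header")
    status_path = urlsplit(location).path  # header may be absolute or relative
    polls = 0
    while True:
        if not isinstance(task, dict):
            raise TaskError(f"task status body is not an object: {task!r}")
        if is_terminal(task.get("status", "")):
            return task
        if polls >= max_polls:
            raise TaskError(f"task {task.get('id')} still {task.get('status')} "
                            f"after {polls} polls")
        sleep(interval_s)
        code, _, task = send("GET", status_path)
        polls += 1
        if code != 200:
            raise TaskError(f"GET {status_path}: expected 200, got {code}: {task}")


class FakeQRadar:
    """Constructed stand-in for the appliance: DELETE on rule 42 is accepted
    as task 7, and every poll of that task advances it one state."""
    def __init__(self, states=("QUEUED", "PROCESSING", "COMPLETED")):
        self.states, self.polls = list(states), 0

    def send(self, method, path):
        task = {"id": 7, "name": "Delete rule 42", "message": "String"}
        if method == "DELETE" and path == "/api/analytics/rules/42":
            headers = {"Location": "/api/analytics/rules/rule_delete_tasks/7"}
            return 202, headers, dict(task, status="QUEUED")
        if method == "GET" and path == "/api/analytics/rules/rule_delete_tasks/7":
            state = self.states[min(self.polls, len(self.states) - 1)]
            self.polls += 1
            return 200, {}, dict(task, status=state)
        return 404, {}, {"code": 1002, "message": "The rule does not exist."}


if __name__ == "__main__":
    done = run_task(FakeQRadar().send, "DELETE", "/api/analytics/rules/42",
                    sleep=lambda _: None)
    print(done["status"])
```

Against a live appliance, replace FakeQRadar().send with make_sender(base_url, token) and keep the default sleep so the poll interval is honoured.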

POST /ariel/saved_search_dependent_tasks/{task_id}
Cancels the dependent Ariel saved search task.

Cancels the dependent Ariel saved search task.


Table 1616. POST /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1617. POST /ariel/saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1618. POST /ariel/saved_search_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1619. POST /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/saved_search_dependent_tasks/{task_id}/results
Retrieves the Ariel saved search dependent task results.

Retrieves the Ariel saved search dependent task results.


Table 1620. GET /ariel/saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1621. GET /ariel/saved_search_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1622. GET /ariel/saved_search_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The Ariel saved search dependents were retrieved.
404 | 1002 | The Dependent Task Status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Ariel saved searches.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
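
The Dependent Task Status object and the Dependent list above are what a client sees when it follows a DELETE /ariel/saved_searches/{id} or GET /ariel/saved_searches/{id}/dependents request to its conclusion. The Python below is an added example, not code from the QRadar API Guide or from IBM: it aggregates progress across task_components and triages the dependents before a saved search is removed, so that a rule, report or dashboard that silently depends on the search is noticed rather than broken. The payloads are constructed for the example, the set of terminal task states is an assumption, and which dependent types count as "detection impact" is the example's own choice.

```python
from collections import Counter
from typing import Dict, List

# Dependent types whose breakage silently degrades detection (values taken from the
# dependent_type enumeration above; the selection is this example's own).
DETECTION_TYPES = {"CRE_RULE", "CRE_ADE_RULE", "BUILDING_BLOCK"}
# Assumed terminal values of the task status enumeration above.
TERMINAL_TASK_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def task_is_finished(task: dict) -> bool:
    """True once a Dependent Task Status object has reached a terminal status."""
    return task["status"] in TERMINAL_TASK_STATES


def task_progress(task: dict) -> float:
    """Fraction of dependency checks done, aggregated over task_components (or the task itself).
    progress/maximum can be null while a component is still queued, so treat None as 0."""
    parts = task.get("task_components") or [task]
    done = sum(p.get("progress") or 0 for p in parts)
    total = sum(p.get("maximum") or 0 for p in parts)
    return done / total if total else 0.0


def triage_dependents(dependents: List[dict]) -> Dict[str, object]:
    """Summarise what deleting the saved search would break and whether that is acceptable."""
    detection = [d["dependent_name"] for d in dependents if d["dependent_type"] in DETECTION_TYPES]
    blocking = [d["dependent_name"] for d in dependents if d.get("blocking")]
    # Dependents the deleting user cannot edit must be handed to their owner before deletion.
    not_editable = [d["dependent_name"] for d in dependents if not d.get("user_has_edit_permissions", True)]
    return {
        "count": len(dependents),
        "by_type": dict(Counter(d["dependent_type"] for d in dependents)),
        "detection_impact": detection,
        "blocking": blocking,
        "needs_other_owner": not_editable,
        "safe_to_delete": not blocking and not detection,
    }


# Constructed sample payloads shaped like the Response Samples above.
SAMPLE_TASK = {
    "id": 7, "name": "Find dependents", "status": "PROCESSING", "number_of_dependents": None,
    "task_components": [
        {"task_sub_type": "FIND_DEPENDENT_RULES", "status": "COMPLETED", "progress": 100, "maximum": 100},
        {"task_sub_type": "FIND_DEPENDENT_REPORTS", "status": "PROCESSING", "progress": 20, "maximum": 100},
    ],
}
SAMPLE_DEPENDENTS = [
    {"dependent_id": "1001", "dependent_name": "Brute force from single source", "dependent_owner": "admin",
     "dependent_type": "CRE_RULE", "dependent_database": "EVENTS", "dependent_group_ids": [2],
     "blocking": True, "user_has_edit_permissions": True},
    {"dependent_id": "55", "dependent_name": "Weekly auth failures", "dependent_owner": "soc_lead",
     "dependent_type": "REPORT", "dependent_database": "EVENTS", "dependent_group_ids": [],
     "blocking": False, "user_has_edit_permissions": False},
    {"dependent_id": "12", "dependent_name": "SOC overview", "dependent_owner": "analyst1",
     "dependent_type": "DASHBOARD", "dependent_database": "EVENTS", "dependent_group_ids": [],
     "blocking": False, "user_has_edit_permissions": True},
]
```

A client polls GET /ariel/saved_search_dependent_tasks/{task_id} until task_is_finished is true, then fetches /results and runs triage_dependents over the list; on the constructed sample the rule dependency makes the deletion unsafe and the report needs its owner's attention.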

GET /ariel/saved_searches
Retrieves a list of Ariel saved searches.

Retrieves a list of Ariel saved searches.


Table 1623. GET /ariel/saved_searches resource details
MIME Type
application/json

Table 1624. GET /ariel/saved_searches request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1625. GET /ariel/saved_searches response codes

HTTP Response Code | Unique Code | Description
200 | | The Ariel saved searches were retrieved.
422 | 1010 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the Ariel Saved Searches.

Response Description

An array of Ariel Saved Search objects. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
[
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}
]

GET /ariel/saved_searches/{id}
Retrieves an Ariel saved search.

Retrieves an Ariel saved search.


Table 1626. GET /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 1627. GET /ariel/saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1628. GET /ariel/saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Ariel saved search was retrieved.
404 | 1002 | The Ariel saved search does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the Ariel Saved Search.

Response Description

The Ariel saved search after it is retrieved. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

POST /ariel/saved_searches/{id}
Updates the Ariel saved search owner only.

Updates the Ariel saved search owner only.


Table 1629. POST /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 1630. POST /ariel/saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1631. POST /ariel/saved_searches/{id} request body details

Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "id": "1", "name": "String", "database": "String", "is_shared": true, "owner": "String" }

Table 1632. POST /ariel/saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
200 | | The Ariel saved search was updated.
403 | 1009 | You do not have the required capabilities to update the Ariel Saved Search.
404 | 1002 | The Ariel saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the Ariel saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the Ariel Saved Search.

Response Description

The Ariel saved search after it has been updated. An Ariel Saved Search object contains the following
fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

DELETE /ariel/saved_searches/{id}
Deletes an Ariel saved search. To ensure safe deletion, a dependency check is carried out. The check
might take some time. An asynchronous task is started to do this check.

Deletes an Ariel saved search. To ensure safe deletion, a dependency check is carried out. The check
might take some time. An asynchronous task is started to do this check.
Table 1633. DELETE /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 1634. DELETE /ariel/saved_searches/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1635. DELETE /ariel/saved_searches/{id} response codes

HTTP Response Code | Unique Code | Description
202 | | The Ariel saved search delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the Ariel saved search.
404 | 1002 | The Ariel saved search does not exist.
500 | 1020 | An error occurred during the attempt to delete the Ariel Saved Search.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_searches/{id}/dependents
Retrieves the objects that depend on the Ariel saved search.

Retrieves the objects that depend on the Ariel saved search.


Table 1636. GET /ariel/saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 1637. GET /ariel/saved_searches/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1638. GET /ariel/saved_searches/{id}/dependents response codes

HTTP Response Code | Unique Code | Description
202 | | The Ariel saved search dependents retrieval was accepted and is in progress.
404 | 1002 | The Ariel saved search does not exist.
500 | 1020 | An error occurred during the attempt to initiate the Ariel Saved Search dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/ariel/saved_search_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/searches
Retrieves the list of Ariel searches. Search IDs for completed and active searches are returned.

Retrieves the list of Ariel searches. This includes search IDs for completed and active searches.
Table 1639. GET /ariel/searches resource details
MIME Type
application/json

Table 1640. GET /ariel/searches request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
db_name | query | Optional | String | text/plain | Optional - The name of the Ariel database to retrieve the list of Ariel searches.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1641. GET /ariel/searches response codes

HTTP Response Code | Unique Code | Description
200 | | The search list was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of searches.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches
Creates a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches
are executed asynchronously. A reference to the search ID is returned and should be used in subsequent
API calls to determine the status of the search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this time interval is the last 60 seconds. An alternative time interval can be specified as part of the query expression. For further information, see the AQL reference guide.
Table 1642. POST /ariel/searches resource details
MIME Type
application/json

Table 1643. POST /ariel/searches request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
query_expression | query | Required | String | text/plain | Required - The AQL query to execute.

Table 1644. POST /ariel/searches response codes

HTTP Response Code | Unique Code | Description
201 | | A new Ariel search was successfully created.
409 | 1004 | The search cannot be created. The requested search ID that was provided in the query expression is already in use. Please use a unique search ID (or allow one to be generated).
422 | 2000 | The query_expression contains invalid AQL syntax.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to create a new search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID to access or manipulate
the search with the other API endpoints. If the exact search being created was already recently created,
the response message will return a reference to the original search ID rather than creating a new search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}
Retrieves information about an Ariel search.

Retrieve status information for a search, based on the search ID parameter. The same informational fields
are returned regardless of whether the search is in progress or is complete.
Table 1645. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1646. GET /ariel/searches/{search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required. The identifier for an Ariel search.

Table 1647. GET /ariel/searches/{search_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The search information was retrieved.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the search information.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search status.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

POST /ariel/searches/{search_id}
Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops the search and keeps
any search results that were collected before the search was canceled.
v The results for a completed search can be saved by setting the save_results parameter to true. This
ensures that the search is not automatically removed when it expires in accordance with the retention
policy.

The Ariel server uses an internal retention policy to manage available disk space. Searches might be
deleted automatically, according to the settings of the retention policy. Searches with saved results are not
automatically reclaimed by the server and are therefore retained. A search can be explicitly deleted by
using the DELETE /searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to process new searches.
Table 1648. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1649. POST /ariel/searches/{search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required. The ID of the search to update.
status | query | Optional | String | text/plain | Optional. The only accepted value is CANCELED. If this value is provided, the search is canceled.
save_results | query | Optional | String | text/plain | Optional. The only accepted value is true. If this value is provided, the search results are not deleted by the search expiration removal process. If the status parameter was provided, this parameter is not checked and is silently ignored.

Table 1650. POST /ariel/searches/{search_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The search was updated.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search that was updated.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

DELETE /ariel/searches/{search_id}
Deletes an Ariel search.

Deletes an Ariel search. This discards any results that were collected and stops the search if it is in
progress. This search is deleted regardless of whether the results were saved.
Table 1651. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1652. DELETE /ariel/searches/{search_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required - The search ID of the search to delete.

Table 1653. DELETE /ariel/searches/{search_id} response codes

HTTP Response Code | Unique Code | Description
202 | | The delete request has been accepted.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to delete the search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the deleted search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}/results
Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search ID. The Accept request header
indicates the format of the result. The formats are RFC compliant and can be JSON, CSV, XML, or tabular
text.

By default, all query result records are returned. To restrict the results to a contiguous subset of the
records, you can supply a Range header to specify the inclusive range of records to be returned.

This endpoint works with query results that are generated by AQL query expressions. It might not work
as expected for results that are generated by other means. Search results might not be retrievable for
searches that are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP from events.
Table 1654. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 1655. GET /ariel/searches/{search_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
search_id path Required String text/plain The ID of the search criteria for the returned results.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1656. GET /ariel/searches/{search_id}/results response codes


HTTP Response Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the search results.
503 1010 The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

The search results for the specified search ID. The format that is used to encapsulate the data depends on
the format specified in the Accept header for this request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}
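The paging and format selection described for this endpoint, worked through as an added Python example; it is not part of IBM's guide or of QRadar's own client code. It assumes the Range header takes the form items=start-end (the paging syntax this guide describes in its overview chapter), that results are only complete once the search status is COMPLETED (the sample above shows EXECUTE, for which the 404/1003 code applies), and it uses a placeholder Console URL and SEC token. fake_fetch is a constructed offline stand-in for the HTTPS round trip that answers each Range with one record per requested index.

```python
"""Retrieve Ariel search results page by page with the Range and Accept headers."""
import json
import urllib.request
from typing import Callable, Iterator, List, Tuple

# Placeholder Console address and token; neither value comes from the reference page.
BASE_URL = "https://qradar.example.invalid/api"
SEC_TOKEN = "AUTHORIZED-SERVICE-TOKEN-PLACEHOLDER"

# Result formats the endpoint description lists, keyed by a short name.
ACCEPT_TYPES = {
    "json": "application/json",
    "csv": "application/csv",
    "xml": "application/xml",
    "table": "text/table",
}


def range_header(start: int, end: int) -> str:
    """Inclusive, zero-indexed record range in the assumed 'items=start-end' form."""
    if start < 0 or end < start:
        raise ValueError("range must satisfy 0 <= start <= end")
    return f"items={start}-{end}"


def page_ranges(record_count: int, page_size: int) -> Iterator[Tuple[int, int]]:
    """Yield the inclusive (start, end) pairs that cover record_count records without overlap."""
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    start = 0
    while start < record_count:
        end = min(start + page_size, record_count) - 1
        yield start, end
        start = end + 1


def results_ready(search: dict) -> bool:
    """True only once the search object reports status COMPLETED (assumed final status);
    for an in-progress search the results endpoint answers 404 with unique code 1003."""
    return search.get("status") == "COMPLETED"


def results_request(search_id: str, start: int, end: int, fmt: str = "json") -> urllib.request.Request:
    """Build GET /ariel/searches/{search_id}/results with Range, Accept and the SEC token header."""
    if fmt not in ACCEPT_TYPES:
        raise ValueError(f"unsupported format {fmt!r}")
    url = f"{BASE_URL}/ariel/searches/{search_id}/results"
    headers = {
        "Accept": ACCEPT_TYPES[fmt],
        "Range": range_header(start, end),
        "SEC": SEC_TOKEN,
        "Version": "8.0",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def collect_events(search: dict, fetch: Callable[[urllib.request.Request], bytes],
                   page_size: int = 50) -> List[dict]:
    """Page through every record of a completed JSON search; fetch(request) returns the body bytes."""
    if not results_ready(search):
        raise RuntimeError(f"search {search.get('search_id')} has status {search.get('status')}; "
                           "results are not retrievable yet")
    events: List[dict] = []
    for start, end in page_ranges(int(search["record_count"]), page_size):
        body = json.loads(fetch(results_request(search["search_id"], start, end, "json")))
        events.extend(body["events"])
    return events


def live_fetch(req: urllib.request.Request) -> bytes:
    """Transport for a real Console: one HTTPS round trip. Not used by the offline demo."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def fake_fetch(req: urllib.request.Request) -> bytes:
    """Constructed stand-in for live_fetch: returns one record per index in the Range header,
    shaped like the response sample on the page."""
    start, end = (int(x) for x in req.get_header("Range")[len("items="):].split("-"))
    events = [{"sourceIP": "1.1.1.1", "destinationIP": "127.0.0.1"} for _ in range(start, end + 1)]
    return json.dumps({"events": events}).encode()


if __name__ == "__main__":
    # Constructed status object in the shape of GET /ariel/searches/{search_id}, already COMPLETED.
    status = {"search_id": "s16", "status": "COMPLETED", "record_count": 5}
    print(len(collect_events(status, fake_fetch, page_size=2)), "events retrieved")
```

Poll GET /ariel/searches/{search_id} until results_ready returns true before calling collect_events; a client that starts paging while the status is still EXECUTE gets the 404/1003 response and a partial view of the record set. Swap fake_fetch for live_fetch to run against a Console.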

Asset model endpoints


Use the references for REST API V8.0 Asset Model endpoints.

GET /asset_model/assets
List all assets found in the model.
Table 1657. GET /asset_model/assets resource details
MIME Type
application/json

Table 1658. GET /asset_model/assets request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1659. GET /asset_model/assets response codes


HTTP Response Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"}]
}],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"}]
}]

POST /asset_model/assets/{asset_id}
Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field is available through the
/asset_model/assets or /asset_model/saved_searches/{saved_search_id}/results query. To update
properties, the property type ID which is available through the /asset_model/properties query must be
provided along with the new value. See the sample provided demonstrating an example asset update.
Table 1660. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

Table 1661. POST /asset_model/assets/{asset_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
asset_id path Required String text/plain Unique identifier of the asset to update.

Table 1662. POST /asset_model/assets/{asset_id} request body details


Parameter Data Type MIME Type Description Sample
asset JSON application/json JSON representation of an asset. { "properties": [ { "type_id": 1001, "value": "given name value" }, { "type_id": 1002, "value": "unified name value" } ] }

Table 1663. POST /asset_model/assets/{asset_id} response codes


HTTP Response Code Unique Code Description
202 The request to update the asset was successful. The update will take place when the asset profile application receives the request.
422 1005 One or more of the requested property updates were invalid.
500 1020 The server encountered an error registering the update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties
Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the /asset_model/assets
endpoint.
Table 1664. GET /asset_model/properties resource details
MIME Type
application/json

Table 1665. GET /asset_model/properties request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1666. GET /asset_model/properties response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of asset property types completed successfully.
500 1020 An error occurred while trying to retrieve the list of asset property types.

Response Description

List of asset property types. Each entry gives the id and name that make up that asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]
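Putting POST /asset_model/assets/{asset_id} together with GET /asset_model/properties, as an added Python example that is not part of IBM's guide or of QRadar's own code: it resolves property names to type_id values from a properties listing, builds the request body in the shape of the sample in Table 1662, and, because the update endpoint answers 202 and applies the change when the asset profile application receives it, checks a later GET /asset_model/assets response for the requested values. The type ids 1001 and 1002 are taken from the page's sample body; the property names and every other value in SAMPLE_PROPERTY_TYPES are constructed placeholders.

```python
"""Build and verify a property update for POST /asset_model/assets/{asset_id}."""
from typing import Dict, Iterable, List

# Constructed sample of a GET /asset_model/properties response. The ids 1001 and 1002
# match the page's request-body sample; the names are placeholders, not real QRadar names.
SAMPLE_PROPERTY_TYPES = [
    {"custom": False, "data_type": "String", "display": True, "id": 1001, "name": "Given Name", "state": 0},
    {"custom": False, "data_type": "String", "display": True, "id": 1002, "name": "Unified Name", "state": 0},
    {"custom": True, "data_type": "String", "display": True, "id": 1003, "name": "Business Owner", "state": 0},
]


def property_type_index(property_types: Iterable[dict]) -> Dict[str, int]:
    """Map each property-type name (case-insensitive) to its id, refusing ambiguous duplicates."""
    index: Dict[str, int] = {}
    for ptype in property_types:
        key = ptype["name"].casefold()
        if key in index and index[key] != ptype["id"]:
            raise ValueError(f"property name {ptype['name']!r} maps to more than one type id")
        index[key] = int(ptype["id"])
    return index


def build_asset_update(updates: Dict[str, str], property_types: Iterable[dict]) -> dict:
    """Translate {property name: new value} into the {"properties": [{"type_id", "value"}]}
    body the endpoint expects, rejecting names the properties listing does not know."""
    index = property_type_index(property_types)
    properties: List[dict] = []
    for name, value in updates.items():
        key = name.casefold()
        if key not in index:
            raise KeyError(f"unknown asset property type {name!r}; "
                           "list valid types with GET /asset_model/properties")
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"property {name!r} needs a non-empty string value")
        properties.append({"type_id": index[key], "value": value})
    if not properties:
        raise ValueError("no property updates supplied")
    return {"properties": properties}


def pending_updates(asset: dict, body: dict) -> List[int]:
    """Return the type_ids from body that the asset, as later returned by GET /asset_model/assets,
    does not yet show with the requested value. The update endpoint answers 202 and applies the
    change asynchronously, so an empty list here is the confirmation that it landed."""
    current = {int(p["type_id"]): p.get("value") for p in asset.get("properties", [])}
    return [p["type_id"] for p in body["properties"] if current.get(p["type_id"]) != p["value"]]


if __name__ == "__main__":
    # Constructed update: values are placeholders for a demonstration run.
    body = build_asset_update({"Given Name": "web-01", "Business Owner": "platform-team"},
                              SAMPLE_PROPERTY_TYPES)
    print(body)
```

Send the returned body as application/json to POST /asset_model/assets/{asset_id}; a 202 only means the request was registered, so re-read the asset afterwards and treat a non-empty pending_updates result as "not applied yet" rather than as success.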

GET /asset_model/saved_search_groups
Retrieves a list of the asset saved search groups.

Retrieves a list of the asset saved search groups.


Table 1667. GET /asset_model/saved_search_groups resource details
MIME Type
application/json

Table 1668. GET /asset_model/saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1669. GET /asset_model/saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The asset saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the asset saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /asset_model/saved_search_groups/{group_id}
Retrieves an asset saved search group.

Retrieves an asset saved search group.


Table 1670. GET /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1671. GET /asset_model/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1672. GET /asset_model/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The asset saved search group was retrieved.
404 1002 The asset saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the asset saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /asset_model/saved_search_groups/{group_id}
Updates the owner of an asset saved search group.

Updates the owner of an asset saved search group.


Table 1673. POST /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1674. POST /asset_model/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1675. POST /asset_model/saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 1676. POST /asset_model/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The asset saved search group has been updated.
404 1002 The asset saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the asset saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the asset saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /asset_model/saved_search_groups/{group_id}
Deletes an asset saved search group.

Deletes an asset saved search group.

Table 1677. DELETE /asset_model/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1678. DELETE /asset_model/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 1679. DELETE /asset_model/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The asset saved search group was deleted.
404 1002 The asset saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the asset saved search group.

Response Description

Response Sample

GET /asset_model/saved_searches
Get a list of saved searches that can be used.

Get a list of saved searches that can be used or applied against the /asset_model/saved_searches/
{saved_search_id}/results query.
Table 1680. GET /asset_model/saved_searches resource details
MIME Type
application/json

Table 1681. GET /asset_model/saved_searches request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1682. GET /asset_model/saved_searches response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of saved searches completed successfully.
500 1020 The server encountered an error while trying to retrieve the list of saved searches.

Response Description

List of saved searches. For each saved search: the id, name, and list of filters that make up the saved search.

Response Sample
[
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /asset_model/saved_searches/{saved_search_id}
Retrieves an asset saved search.

Retrieves an asset saved search.


Table 1683. GET /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1684. GET /asset_model/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1685. GET /asset_model/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
200 The asset saved search was retrieved.
404 1002 The asset saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the asset saved search.

Response Description

The asset saved search after it is retrieved. An Asset Saved Search object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

POST /asset_model/saved_searches/{saved_search_id}
Updates the asset saved search owner only.

Updates the asset saved search owner only.

Table 1686. POST /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1687. POST /asset_model/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1688. POST /asset_model/saved_searches/{saved_search_id} request body details


Parameter Data Type MIME Type Description Sample
saved_search Object application/json null { "columns": [ { "name": "String", "type": "String" } ], "description": "String", "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "is_shared": true, "name": "String", "owner": "String" }

Table 1689. POST /asset_model/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
200 The asset saved search was updated.
403 1009 You do not have the required capabilities to update the asset saved search.
404 1002 The asset saved search does not exist.
409 1004 The provided user does not have the required capabilities to own the asset saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the asset saved search.

Response Description

The asset saved search after it is updated. An Asset Saved Search object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

DELETE /asset_model/saved_searches/{saved_search_id}
Deletes an asset saved search.

Deletes an asset saved search.


Table 1690. DELETE /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 1691. DELETE /asset_model/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null

Table 1692. DELETE /asset_model/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
204 The asset saved search was deleted.
403 1009 You do not have the required capabilities to delete the asset saved search.
404 1002 The asset saved search does not exist.
500 1020 An error occurred during the attempt to delete the asset saved search.

Response Description

Response Sample

GET /asset_model/saved_searches/{saved_search_id}/results
Retrieves a list of assets based on the results of an asset saved search.
Table 1693. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type
application/json

Table 1694. GET /asset_model/saved_searches/{saved_search_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required String text/plain Unique identifier of the saved search used to retrieve assets.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1695. GET /asset_model/saved_searches/{saved_search_id}/results response codes


HTTP Response Code Unique Code Description
200 The request to retrieve assets completed successfully.
422 1005 The unique identifier of the saved search provided was invalid.
500 1003 The server encountered an error executing the saved search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"
}
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V8.0 authentication endpoints.

POST /auth/logout
Invoke this method as an authorized user and your session will be invalidated.
Table 1696. POST /auth/logout resource details
MIME Type
text/plain

There are no parameters for this endpoint.


Table 1697. POST /auth/logout response codes
HTTP Response Code Unique Code Description
200 The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V8.0 configuration endpoints.

GET /config/access/tenant_management/tenants
Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 1698. GET /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 1699. GET /config/access/tenant_management/tenants request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1700. GET /config/access/tenant_management/tenants response codes


HTTP Response Code Unique Code Description
200 The tenant list was successfully retrieved.
500 1020 An error occurred while the tenant list was being retrieved.

Response Description

A list of all the tenants.

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

POST /config/access/tenant_management/tenants
Create a new tenant.
Table 1701. POST /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 1702. POST /config/access/tenant_management/tenants request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1703. POST /config/access/tenant_management/tenants request body details


Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 1704. POST /config/access/tenant_management/tenants response codes


HTTP Response Code Unique Code Description
201 A new tenant was created successfully and returned the new tenant object.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to create the tenant.

Response Description

The created tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id}
Retrieve a tenant by tenant id.
Table 1705. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 1706. GET /config/access/tenant_management/tenants/{tenant_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
tenant_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1707. GET /config/access/tenant_management/tenants/{tenant_id} response codes


HTTP Response Code Unique Code Description
200 The tenant was successfully retrieved.
404 1002 No tenant was found for the provided tenant id.
500 1020 An error occurred while the tenant was being retrieved.

Response Description

The associated tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id}
Update a tenant.
Table 1708. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 1709. POST /config/access/tenant_management/tenants/{tenant_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
tenant_id path Required Number (Integer) text/plain Required - Integer - the tenant id to modify
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1710. POST /config/access/tenant_management/tenants/{tenant_id} request body details
Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 1711. POST /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response Code Unique Code Description
200 A tenant profile that was updated successfully and returned the updated tenant object.
404 1002 The tenant profile does not exist.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to retrieve/update the given tenant profile.

Response Description

The updated tenant object.

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

DELETE /config/access/tenant_management/tenants/{tenant_id}
Delete a tenant.

Deletes a tenant by tenant ID.


Table 1712. DELETE /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 1713. DELETE /config/access/tenant_management/tenants/{tenant_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
tenant_id path Required Number (Integer) text/plain Required - String - id associated to a tenant

Table 1714. DELETE /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response Code Unique Code Description
200 The tenant was deleted successfully (soft delete).
404 1002 The tenant does not exist.
500 1020 An error occurred while deleting the tenant.

Response Description

the deleted tenant object with its parameter deleted set to true

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/deployment/hosts
Retrieves a list of all deployed hosts.

Retrieves the list of all deployed hosts.


Table 1715. GET /config/deployment/hosts resource details
MIME Type
application/json

Table 1716. GET /config/deployment/hosts request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1717. GET /config/deployment/hosts response codes


HTTP Response Code Unique Code Description
200 The host list was successfully retrieved.
500 1001 An error occurred during the attempt to retrieve the host list.

Response Description

A list of all the hosts. Each Host object has the following fields:
• id - The ID of this managed host.
• hostname - The host name of this managed host.
• private_ip - The private IP of this managed host.
• public_ip - The public IP of this managed host.
• appliance - An object that represents the appliance type ID and description of this managed host.
• version - The installed version on this managed host.
• status - The status of this managed host.
• eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
• eps_allocation - The allocated eps rate of this managed host.
• average_eps - The average eps rate of this managed host over the previous month.
• peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
• fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
• fpm_allocation - The allocated fpm rate of this managed host.
• average_fpm - The average fpm rate of this managed host over the previous month.
• peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
• primary_server_id - The ID for the primary server host for this managed host.
• secondary_server_id - If configured, the ID for the secondary server host for this managed host.
• license_serial_number - The serial number that is associated with this managed host's license.
• components - A list of components that are associated with this managed host.
• compression_enabled - Whether or not compression is enabled for this managed host.
• encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [

"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /config/deployment/hosts/{id}
Retrieves a deployed host by ID.


Table 1718. GET /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 1719. GET /config/deployment/hosts/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the deployed host to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1720. GET /config/deployment/hosts/{id} response codes
HTTP Response Code Unique Code Description
200 The host was successfully retrieved.
404 1002 No such host is deployed for the given ID.
422 1003 The provided ID was a negative number or zero.
500 1004 An error occurred during the retrieval of the host.

Response Description

The associated deployed host object. The Host object has the following fields:
• id - The ID of this managed host.
• hostname - The host name of this managed host.
• private_ip - The private IP of this managed host.
• public_ip - The public IP of this managed host.
• appliance - An object that represents the appliance type ID and description of this managed host.
• version - The installed version on this managed host.
• status - The status of this managed host.
• eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
• eps_allocation - The allocated eps rate of this managed host.
• average_eps - The average eps rate of this managed host over the previous month.
• peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
• fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
• fpm_allocation - The allocated fpm rate of this managed host.
• average_fpm - The average fpm rate of this managed host over the previous month.
• peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
• primary_server_id - The ID for the primary server host for this managed host.
• secondary_server_id - If configured, the ID for the secondary server host for this managed host.
• license_serial_number - The serial number that is associated with this managed host's license.
• components - A list of components that are associated with this managed host.
• compression_enabled - Whether or not compression is enabled for this managed host.
• encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,

"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

POST /config/deployment/hosts/{id}
Updates a host by ID and sends a JMS message to update the pipeline.

Updates a host by the given ID.


Table 1721. POST /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 1722. POST /config/deployment/hosts/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the staged host to be updated.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1723. POST /config/deployment/hosts/{id} request body details
Parameter Data Type MIME Type Description Sample
host Object application/json Required - The host values to be updated. At the moment, the only writable properties are eps_allocation and fpm_allocation. { "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS, ADD_FAILED_QVMPROCESSOR_ALREADY_EXISTS>", "version": "String" }

Table 1724. POST /config/deployment/hosts/{id} response codes
HTTP Response Code Unique Code Description
200 The host was successfully updated.
404 1010 Could not find the host to update.
417 1011 EPS values are expected to be a multiple of the set EPS block. By default the block size is 500.
417 1012 FPM values are expected to be a multiple of the set FPM block. By default the block size is 10000.
417 1013 The EPS value given does not meet the minimum required EPS 200.
417 1014 The FPM value given does not meet the minimum required FPM 200.
417 1016 Can't change EPS/FPM values for a host with a serialized license.
417 1017 EPS value exceeds hardware limit.
417 1018 FPM value exceeds hardware limit.
417 1019 EPS value is greater than that available in the license pool.
417 1020 FPM value is greater than that available in the license pool.
422 1009 null
500 1021 null

Response Description

The updated host object. The host object has the following fields:
• id - The ID of this managed host.
• hostname - The host name of this managed host.
• private_ip - The private IP of this managed host.
• public_ip - The public IP of this managed host.
• appliance - An object that represents the appliance type ID and description of this managed host.
• version - The installed version on this managed host.
• status - The status of this managed host.
• eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.
• eps_allocation - The allocated eps rate of this managed host.
• average_eps - The average eps rate of this managed host over the previous month.
• peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
• fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.
• fpm_allocation - The allocated fpm rate of this managed host.
• average_fpm - The average fpm rate of this managed host over the previous month.
• peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
• primary_server_id - The ID for the primary server host for this managed host.
• secondary_server_id - If configured, the ID for the secondary server host for this managed host.
• license_serial_number - The serial number associated with this managed host's license.
• components - A list of components that are associated with this managed host.
• compression_enabled - Whether or not compression is enabled for this managed host.
• encryption_enabled - Whether or not encryption is enabled for this managed host.

ServerProcessingException - An unexpected exception occurred during the updating of the host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"

],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /config/deployment/license_pool
Retrieves the deployed license pool information.


Table 1725. GET /config/deployment/license_pool resource details
MIME Type
application/json

Table 1726. GET /config/deployment/license_pool request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1727. GET /config/deployment/license_pool response codes


HTTP Response Code Unique Code Description
200 The license pool was successfully retrieved.
500 1001 An error occurred during the retrieval of the license pool.

Response Description

The deployed license pool information.


• eps(allocated) - The amount of EPS rate allocated from the pool.
• eps(overallocated) - Whether EPS is overallocated or not in the pool.
• eps(total) - The total EPS rate available in the pool.
• fpm(allocated) - The amount of FPM rate allocated from the pool.
• fpm(overallocated) - Whether FPM is overallocated or not in the pool.
• fpm(total) - The total FPM rate available in the pool.

Response Sample
{
"eps": {
"allocated": 42,
"overallocated": true,
"total": 42
},
"fpm": {
"allocated": 42,
"overallocated": true,
"total": 42
}
}
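The 417 rejections in Table 1724 and the license pool figures above can be checked on the client before an allocation update is sent. The following is an added example, not code from this guide or from IBM; it assumes that a non-empty license_serial_number marks a host with a serialized license and that a host's current allocation returns to the pool when it is re-allocated, and the console name and SEC token are caller-supplied placeholders.

```python
"""Pre-flight checks for EPS/FPM allocation updates to a managed host.

Encodes the rejection rules Table 1724 documents as HTTP 417 responses (unique
codes 1011-1014 and 1016-1020) plus the GET /config/deployment/license_pool
figures, so a script can refuse a bad POST /config/deployment/hosts/{id} locally.
"""
import json
import urllib.request

EPS_BLOCK = 500      # default EPS block size (unique code 1011)
FPM_BLOCK = 10000    # default FPM block size (unique code 1012)
MIN_EPS = 200        # minimum required EPS (unique code 1013)
MIN_FPM = 200        # minimum required FPM (unique code 1014)
EPS_CODES = {"block": 1011, "minimum": 1013, "hardware": 1017, "pool": 1019}
FPM_CODES = {"block": 1012, "minimum": 1014, "hardware": 1018, "pool": 1020}


def _check_rate(kind, value, block, minimum, hw_limit, pool_free, codes):
    """Apply the block, minimum, hardware-limit and pool checks to one rate.

    Returns a list of (unique_code, message) tuples in the order of the checks.
    """
    problems = []
    if value % block != 0:
        problems.append((codes["block"],
                         f"{kind} value {value} is not a multiple of the {kind} block {block}."))
    if value < minimum:
        problems.append((codes["minimum"],
                         f"{kind} value {value} is below the minimum required {kind} {minimum}."))
    if value > hw_limit:
        problems.append((codes["hardware"],
                         f"{kind} value {value} exceeds the hardware limit {hw_limit}."))
    if value > pool_free:
        problems.append((codes["pool"],
                         f"{kind} value {value} exceeds the {pool_free} available in the license pool."))
    return problems


def validate_allocation(host, pool, eps_allocation=None, fpm_allocation=None):
    """Return the (unique_code, message) problems the update would be expected to hit.

    An empty list means every documented check passes. host is a Host object as
    returned by GET /config/deployment/hosts/{id}; pool is the object returned by
    GET /config/deployment/license_pool. Assumptions not stated in the guide: a
    non-empty license_serial_number marks a serialized license (code 1016), and
    the host's current allocation is returned to the pool when it is re-allocated.
    """
    if host.get("license_serial_number"):
        return [(1016, "Can't change EPS/FPM values for a host with a serialized license.")]
    problems = []
    if eps_allocation is not None:
        free = pool["eps"]["total"] - pool["eps"]["allocated"] + host["eps_allocation"]
        problems += _check_rate("EPS", eps_allocation, EPS_BLOCK, MIN_EPS,
                                host["eps_rate_hardware_limit"], free, EPS_CODES)
    if fpm_allocation is not None:
        free = pool["fpm"]["total"] - pool["fpm"]["allocated"] + host["fpm_allocation"]
        problems += _check_rate("FPM", fpm_allocation, FPM_BLOCK, MIN_FPM,
                                host["fpm_rate_hardware_limit"], free, FPM_CODES)
    return problems


def overallocated_resources(pool):
    """Names of the pool resources ("eps", "fpm") whose overallocated flag is set."""
    return [name for name in ("eps", "fpm") if pool[name]["overallocated"]]


def build_update_request(console, token, host_id, eps_allocation=None, fpm_allocation=None):
    """Build (without sending) the POST /config/deployment/hosts/{id} request.

    Only eps_allocation and fpm_allocation are writable, so only the values that
    were given are sent. console (console host name) and token (an authorized
    service token, sent in the SEC header) are placeholders supplied by the caller.
    """
    body = {key: val for key, val in (("eps_allocation", eps_allocation),
                                      ("fpm_allocation", fpm_allocation))
            if val is not None}
    url = f"https://{console}/api/config/deployment/hosts/{int(host_id)}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("SEC", token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


# Constructed sample objects, shaped like the response samples in this guide.
SAMPLE_HOST = {
    "id": 7, "hostname": "ep-1.example.test", "license_serial_number": "",
    "eps_allocation": 1000, "eps_rate_hardware_limit": 5000,
    "fpm_allocation": 50000, "fpm_rate_hardware_limit": 200000,
}
SAMPLE_POOL = {
    "eps": {"allocated": 8000, "overallocated": False, "total": 10000},
    "fpm": {"allocated": 250000, "overallocated": True, "total": 200000},
}

if __name__ == "__main__":
    for code, msg in validate_allocation(SAMPLE_HOST, SAMPLE_POOL,
                                         eps_allocation=6000, fpm_allocation=15000):
        print(f"417/{code}: {msg}")
    print("overallocated:", overallocated_resources(SAMPLE_POOL))
```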

GET /config/domain_management/domains
Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the default domain is returned.
Table 1728. GET /config/domain_management/domains resource details
MIME Type
application/json

Table 1729. GET /config/domain_management/domains request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1730. GET /config/domain_management/domains response codes
HTTP Response Code Unique Code Description
200 The domain list has been successfully retrieved.
500 1020 An error occurred while the domain list was being retrieved.

Response Description

The list of domain objects.

Response Sample
[
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
]

POST /config/domain_management/domains
Creates a new domain.
Table 1731. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 1732. POST /config/domain_management/domains request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1733. POST /config/domain_management/domains request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object (its id parameter is ignored). { "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 1734. POST /config/domain_management/domains response codes


HTTP Response Code Unique Code Description
201 The domain has been successfully created.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being created.

Response Description

A created domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],

"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
Retrieves a domain by domain ID.
Table 1735. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1736. GET /config/domain_management/domains/{domain_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
domain_id path Required Number (Integer) text/plain The ID of the domain object to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1737. GET /config/domain_management/domains/{domain_id} response codes


HTTP Response Code Unique Code Description
200 The domain has been successfully retrieved.
404 1002 No domain was found for the provided domain id.
500 1020 An error occurred while the domain was being retrieved.

Response Description

A domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",

"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
Updates an existing domain.
Table 1738. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1739. POST /config/domain_management/domains/{domain_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
domain_id path Required Number (Integer) text/plain The ID of the domain object to update.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1740. POST /config/domain_management/domains/{domain_id} request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object. { "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 1741. POST /config/domain_management/domains/{domain_id} response codes


HTTP Response Code Unique Code Description
200 The domain has been successfully updated.
404 1002 No domain was found for the provided domain id.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being updated.

Response Description

The updated domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [

42
],
"tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
Deletes a domain by domain ID.

All domain mappings are also deleted.


Table 1742. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1743. DELETE /config/domain_management/domains/{domain_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
domain_id path Required Number (Integer) text/plain The ID of the domain object to delete.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1744. DELETE /config/domain_management/domains/{domain_id} response codes


HTTP Response Code Unique Code Description
200 The domain has been successfully deleted.
404 1002 No domain was found for the provided domain id.
422 1005 Default domain cannot be deleted.
500 1020 An error occurred while the domain was being deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],

"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
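Because a domain carries a tenant_id and the ID lists that map sources and collectors into it, and a tenant delete is a soft delete, the two object types can be cross-checked offline once retrieved. This is an added example, not code from this guide or from IBM; it assumes domains are fetched with the Range header paging described in Table 1729, treats a domain without a tenant_id as unassigned, and uses a caller-supplied console name and SEC token.

```python
"""Cross-check domain objects against tenant objects.

Works on the objects returned by GET /config/domain_management/domains and
GET /config/access/tenant_management/tenants/{tenant_id} and reports two
conditions worth an administrator's review: an active domain whose tenant_id
refers to a deleted or unknown tenant, and a mapping ID claimed by more than
one active domain.
"""
import json
import urllib.request
from collections import defaultdict

# The ID lists a domain object carries; each maps a source, group, collector or
# scanner into the domain (field names from the response sample above).
MAPPING_FIELDS = ("log_source_ids", "log_source_group_ids", "event_collector_ids",
                  "flow_collector_ids", "flow_source_ids", "asset_scanner_ids",
                  "qvm_scanner_ids")


def domains_with_bad_tenant(domains, tenants):
    """Return [(domain_id, tenant_id, reason)] for active domains whose tenant is
    unknown or soft-deleted. tenants maps tenant_id -> tenant object. A domain
    without a tenant_id (assumed unassigned) is not checked."""
    findings = []
    for domain in domains:
        if domain.get("deleted") or "tenant_id" not in domain:
            continue
        tenant = tenants.get(domain["tenant_id"])
        if tenant is None:
            findings.append((domain["id"], domain["tenant_id"], "unknown tenant"))
        elif tenant.get("deleted"):
            findings.append((domain["id"], domain["tenant_id"], "deleted tenant"))
    return findings


def overlapping_mappings(domains):
    """Return {(field, mapped_id): [domain_ids]} for every mapping ID that more
    than one active (not deleted) domain claims."""
    owners = defaultdict(list)
    for domain in domains:
        if domain.get("deleted"):
            continue
        for field in MAPPING_FIELDS:
            for mapped_id in domain.get(field, []):
                owners[(field, mapped_id)].append(domain["id"])
    return {key: ids for key, ids in owners.items() if len(ids) > 1}


def fetch_json(console, token, path, item_range=None):
    """GET https://<console>/api/<path> with the SEC token header.

    item_range such as "items=0-49" sets the Range header that pages the list
    endpoints (the list is indexed starting at zero). This is a network call and
    is not used by the offline sample run below.
    """
    req = urllib.request.Request(f"https://{console}/api/{path}")
    req.add_header("SEC", token)
    req.add_header("Accept", "application/json")
    if item_range:
        req.add_header("Range", item_range)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data, shaped like the response samples in this guide.
SAMPLE_TENANTS = {
    1: {"id": 1, "name": "tenant-a", "deleted": False, "description": "",
        "event_rate_limit": 1000, "flow_rate_limit": 10000},
    2: {"id": 2, "name": "tenant-b", "deleted": True, "description": "",
        "event_rate_limit": 500, "flow_rate_limit": 10000},
}
SAMPLE_DOMAINS = [
    {"id": 0, "name": "Default Domain", "deleted": False, "log_source_ids": []},
    {"id": 1, "name": "dom-a", "deleted": False, "tenant_id": 1,
     "log_source_ids": [101, 102], "event_collector_ids": [7]},
    {"id": 2, "name": "dom-b", "deleted": False, "tenant_id": 2,
     "log_source_ids": [102], "event_collector_ids": [8]},
    {"id": 3, "name": "dom-c", "deleted": False, "tenant_id": 9,
     "log_source_ids": [103]},
    {"id": 4, "name": "dom-old", "deleted": True, "tenant_id": 1,
     "log_source_ids": [101]},
]

if __name__ == "__main__":
    for domain_id, tenant_id, reason in domains_with_bad_tenant(SAMPLE_DOMAINS, SAMPLE_TENANTS):
        print(f"domain {domain_id}: tenant_id {tenant_id} refers to a(n) {reason}")
    for (field, mapped_id), owners in overlapping_mappings(SAMPLE_DOMAINS).items():
        print(f"{field} {mapped_id} is mapped in domains {owners}")
```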

GET /config/event_retention_buckets
Retrieves a list of event retention buckets.


Table 1745. GET /config/event_retention_buckets resource details
MIME Type
application/json

Table 1746. GET /config/event_retention_buckets request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1747. GET /config/event_retention_buckets response codes
HTTP Response Code Unique Code Description
200 The event retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the event retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
• priority - Integer - The priority of the retention bucket (0 - 10).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time, in milliseconds since the epoch, at which the retention bucket was created.
• modified - Long - The time, in milliseconds since the epoch, at which the retention bucket was last modified.
• saved_search_id - String - The id of the saved search used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/event_retention_buckets/{id}
Retrieves an event retention bucket.


Table 1748. GET /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 1749. GET /config/event_retention_buckets/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1750. GET /config/event_retention_buckets/{id} response codes
HTTP Response Code Unique Code Description
200 The event retention bucket was retrieved.
404 1002 The event retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the event retention bucket.

Response Description

The retention bucket after it has been retrieved. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
• priority - Integer - The priority of the retention bucket (0 - 10).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time, in milliseconds since the epoch, at which the retention bucket was created.
• modified - Long - The time, in milliseconds since the epoch, at which the retention bucket was last modified.
• saved_search_id - String - The ID of the saved search that is used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

800 QRadar API Reference Guide


POST /config/event_retention_buckets/{id}
Updates the event retention bucket owner or enabled/disabled only.

Table 1751. POST /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 1752. POST /config/event_retention_buckets/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1753. POST /config/event_retention_buckets/{id} request body details
Parameter Data Type MIME Type Description Sample
retention_bucket Object application/json null { "id": 1, "name": "String", "description": "String", "priority": 1, "period": 1, "deletion": "String", "created": 123123, "modified": 123123, "saved_search_id": "String", "enabled": true }

Table 1754. POST /config/event_retention_buckets/{id} response codes
HTTP Response Code Unique Code Description
200 The event retention bucket has been updated.
404 1002 The event retention bucket does not exist.
409 1004 The provided user does not have the required capabilities to own the event retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the event retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
• priority - Integer - The priority of the retention bucket (0 - 10).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
• modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
• saved_search_id - String - The ID of the saved search that is used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/event_retention_buckets/{id}
Deletes an event retention bucket.

Table 1755. DELETE /config/event_retention_buckets/{id} resource details
MIME Type
text/plain

Table 1756. DELETE /config/event_retention_buckets/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null

Table 1757. DELETE /config/event_retention_buckets/{id} response codes
HTTP Response Code Unique Code Description
204 The Event Retention Bucket was deleted.
403 1009 You do not have the proper capabilities to delete the event retention bucket.
404 1002 The Event Retention Bucket does not exist.
500 1020 An error occurred during the attempt to delete the event retention bucket.

Response Description

Response Sample

GET /config/event_sources/custom_properties/property_expressions
Retrieves a list of event regex property expressions.

Table 1758. GET /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 1759. GET /config/event_sources/custom_properties/property_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1760. GET /config/event_sources/custom_properties/property_expressions response codes
HTTP Response Code Unique Code Description
200 The requested list of event regex property expressions was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of event regex property expressions.

Response Description

A list of event regex property expressions. Each regex property expression contains the following fields:
• id - Integer - The sequence ID of the event regex property expression.
• identifier - String - The ID of the event regex property expression.
• regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Integer - The expression is only applied to events for this log source type.
• log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Integer - The expression is only applied to events with this low level category.
• username - String - The owner of the event regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/event_sources/custom_properties/property_expressions
Creates a new event regex property expression.

Table 1761. POST /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 1762. POST /config/event_sources/custom_properties/property_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1763. POST /config/event_sources/custom_properties/property_expressions request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the regex property expression object.
• regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.
• enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
• regex - Required - String - The regex to extract the property from the payload.
• capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
• payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.
• log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Optional - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 1764. POST /config/event_sources/custom_properties/property_expressions response codes
HTTP Response Code Unique Code Description
201 A new event regex property expression was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property expression.

Response Description

The newly created event regex property expression that contains the following fields:
• id - Integer - The sequence ID of the event regex property expression.
• identifier - String - The ID of the event regex property expression.
• regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Integer - The expression is only applied to events for this log source type.
• log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Integer - The expression is only applied to events with this low level category.
• username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
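As an added example (not code from the IBM guide or from QRadar itself), the following Python pre-flights a request body for POST /config/event_sources/custom_properties/property_expressions against the rules of Table 1763 before anything is sent: required fields, the documented defaults for enabled and capture_group, a regex that compiles, and a capture group that actually extracts something from the test payload. The base URL, the SEC authentication header and the sshd log line are assumptions or constructed values, not taken from this page.

```python
"""Added example, not code from the IBM QRadar guide: pre-flight a body for
POST /config/event_sources/custom_properties/property_expressions (Table 1763).

Why: a regex that does not compile or a capture group that never matches is
rejected with 422 at best, and at worst silently extracts nothing from every
event of that log source type, so the property stays empty in searches and
rules. Checking locally against a test payload catches that before the call.

Assumptions (not from this page): the base URL including any API prefix, and
the SEC token header used for authentication."""
import json
import re
import urllib.request

ENDPOINT = "/config/event_sources/custom_properties/property_expressions"
REQUIRED = ("regex_property_identifier", "regex", "log_source_type_id")
INT_FIELDS = ("log_source_type_id", "log_source_id", "qid", "low_level_category_id")
DEFAULTS = {"enabled": True, "capture_group": 1}  # defaults stated in Table 1763


def validate_expression(data):
    """Return a list of problems with the request body; an empty list means valid.

    Mirrors Table 1763: required keys present, scoping fields are integers, the
    regex compiles, the capture group exists, and (when a test payload is given)
    that group actually captures something from it."""
    problems = [f"missing required field {k}" for k in REQUIRED if k not in data]
    if problems:
        return problems
    body = {**DEFAULTS, **data}
    problems += [f"{k} must be an integer" for k in INT_FIELDS
                 if k in body and not isinstance(body[k], int)]
    try:
        pattern = re.compile(body["regex"])
    except re.error as exc:
        return problems + [f"regex does not compile: {exc}"]
    group = body["capture_group"]
    if not isinstance(group, int) or not 1 <= group <= pattern.groups:
        problems.append(
            f"capture_group {group} out of range: regex has {pattern.groups} group(s)")
    elif body.get("payload"):
        match = pattern.search(body["payload"])
        if match is None or match.group(group) is None:
            problems.append("regex does not capture anything from the test payload")
    return problems


def build_request(data, fields=None):
    """Return (path, headers, body_dict) for the POST, with the table's defaults
    applied. `fields` is the optional 'fields' header of Table 1762."""
    problems = validate_expression(data)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if fields:
        headers["fields"] = fields
    return ENDPOINT, headers, {**DEFAULTS, **data}


def send(base_url, token, data, fields=None):
    """POST the expression; expects 201 (Table 1764). base_url and the SEC
    header are assumptions about the deployment, not taken from the guide."""
    path, headers, body = build_request(data, fields)
    headers["SEC"] = token
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


# Constructed sample: extract the user name from a Linux sshd "Failed password"
# line. Group 1 is the user, group 2 the source address.
SAMPLE = {
    "regex_property_identifier": "PLACEHOLDER-REGEX-PROPERTY-ID",
    "regex": r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})",
    "capture_group": 1,
    "payload": "Failed password for invalid user admin from 198.51.100.7 port 4242 ssh2",
    "log_source_type_id": 42,  # placeholder log source type ID
}

if __name__ == "__main__":
    print(validate_expression(SAMPLE))  # []
    print(validate_expression({**SAMPLE, "capture_group": 3}))
    print(build_request(SAMPLE, fields="id,identifier,regex"))
```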

GET /config/event_sources/custom_properties/property_expressions/{expression_id}
Retrieves an event regex property expression based on the supplied expression ID.

Table 1765. GET /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 1766. GET /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The Guid ID of the event_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1767. GET /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The requested event regex property expression was successfully retrieved.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property expression.

Response Description

An event regex property expression that contains the following fields:
• id - Integer - The sequence ID of the event regex property expression.
• identifier - String - The ID of the event regex property expression.
• regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Integer - The expression is only applied to events for this log source type.
• log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Integer - The expression is only applied to events with this low level category.
• username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/property_expressions/{expression_id}
Updates an existing event regex property expression.

Table 1768. POST /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 1769. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property expression.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1770. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property expression object.
• regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.
• enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
• regex - Optional - String - The regex to extract the property from the payload.
• capture_group - Optional - Integer - The capture group to capture.
• payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.
• log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Optional - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
• username - Optional - String - The owner of the event regex property expression. If the input username is an authorized service, the prefix "API_token: " is required.
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 1771. POST /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The event regex property expression was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested event regex property expression cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an event regex property expression.

Response Description

The updated event regex property expression object contains the following fields:
• id - Integer - The sequence ID of the event regex property expression.
• identifier - String - The ID of the event regex property expression.
• regex_property_identifier - String - The ID of the event regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
• log_source_type_id - Integer - The expression is only applied to events for this log source type.
• log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
• qid - Integer - The expression is only applied to events associated with this QID record.
• low_level_category_id - Integer - The expression is only applied to events with this low level category.
• username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/event_sources/custom_properties/property_expressions/{expression_id}
Deletes an event regex property expression based on the supplied expression ID.

Table 1772. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 1773. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event_regex_property_expression.

Table 1774. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
204 The requested event regex property expression was successfully deleted.
403 1009 The user cannot delete the resource because it can only be deleted by the owner or admin user.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to delete the requested event regex property expression.

Response Description

Response Sample

GET /config/event_sources/custom_properties/regex_properties
Retrieves a list of event regex properties.

Table 1775. GET /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1776. GET /config/event_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1777. GET /config/event_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
200 The requested list of event regex properties was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of event regex properties.

Response Description

A list of event regex properties. Each regex property contains the following fields:
• id - Integer - The sequence ID of the event regex property.
• identifier - String - The ID of the event regex property.
• name - String - The name of the event regex property.
• username - String - The owner of the event regex property.
• description - String - The description of the event regex property.
• property_type - String - The property type (STRING, NUMERIC, IP, PORT, TIME) of the event regex property.
• use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
• datetime_format - String - The date/time pattern that the event regex property matches.
• locale - String - The language tag of the locale that the property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/event_sources/custom_properties/regex_properties
Creates a new event regex property.

Table 1778. POST /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1779. POST /config/event_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1780. POST /config/event_sources/custom_properties/regex_properties request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property object.
• name - Required - String - The name of the event regex property.
• description - Optional - String - The description of the event regex property.
• property_type - Required - String - The property type (string, numeric, ip, port, time) of the event regex property.
• use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received. It is false if no value is supplied.
• datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is TIME.
• locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 1781. POST /config/event_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
201 A new event regex property was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property.

Response Description

The newly created event regex property that contains the following fields:
• id - Integer - The sequence ID of the event regex property.
• identifier - String - The ID of the event regex property.
• name - String - The name of the event regex property.
• username - String - The owner of the event regex property.
• description - String - The description of the event regex property.
• property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
• use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
• datetime_format - String - The date/time pattern that the event regex property matches.
• locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Retrieves an event regex property based on the supplied regex property ID.

Table 1782. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1783. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event_regex_property.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1784. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The requested event regex property was successfully retrieved.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property.

Response Description

An event regex property that contains the following fields:
• id - Integer - The sequence ID of the event regex property.
• identifier - String - The ID of the event regex property.
• name - String - The name of the event regex property.
• username - String - The owner of the event regex property.
• description - String - The description of the event regex property.
• property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
• use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
• datetime_format - String - The date/time pattern that the event regex property matches.
• locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Updates an existing event regex property.

Table 1785. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1786. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1787. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property object.
• description - Optional - String - The description of the event regex property.
• property_type - Optional - String - The property type (string, numeric, ip, port, time) of the event regex property.
• use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
• datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is TIME.
• locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.
• username - Optional - String - The owner of the event regex property. If the input username is an authorized service, the prefix "API_token: " is required.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 1788. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The event regex property was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested event regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an event regex property.

Response Description

The updated event regex property object contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id}
Deletes an event regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 1789. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1790. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1791. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
202 The event regex property delete request was accepted and is in progress.
403 1009 The user cannot delete the regex_property because it only can be deleted by the owner or admin user.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred while attempting to delete the event regex property.

Response Description

The response is a Delete Task Status object, with the Location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,

INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the event regex property.


Table 1792. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource details
MIME Type
application/json

Table 1793. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1794. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code Unique Code Description
202 The event regex property dependents retrieval was accepted and is in progress.
404 1002 The event regex property does not exist.
500 1020 An error occurred while attempting to initiate the event regex property dependents retrieval task.

Response Description

The response is a Dependents Task Status object, with the Location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,

EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}
Retrieves the event regex property delete task status.


Table 1795. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1796. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1797. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The requested delete task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

The response is a Delete Task Status object, with the Location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Retrieves the event regex property dependent task status.

Table 1798. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1799. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1800. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested dependent task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

The response is a Dependent Task Status object, with the Location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:

FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Cancels the regex property dependent task.


Table 1801. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1802. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1803. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1804. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the dependent task status.

Response Description

The response is a Dependent Task Status object, with the Location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,

FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.


Table 1805. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1806. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1807. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The regex property dependents were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
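The DELETE, dependents, task status, cancel and results endpoints above form one workflow: start the dependency check, poll its task until it reaches a terminal state, read the results, and only then issue the DELETE and poll the delete task. As an added example (not IBM's code and not part of this guide), the following Python client drives that workflow through a `send(method, url)` callable and refuses to delete when a dependent is reported as blocking. `FakeQRadar` and its sample dependents are constructed here so the flow runs offline; against a real console, `send` would be an authenticated HTTPS call. The `blocking` flag is taken from the results sample above; treating a missing flag as blocking is this example's conservative assumption.

```python
BASE = "/api/config/event_sources/custom_properties"
# Terminal task states, taken from the status enumeration documented above.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def wait_for_task(send, task_url, max_polls=20):
    """Poll a task status URL until the task reaches a terminal state; return the task object."""
    for _ in range(max_polls):
        status, _, task = send("GET", task_url)
        if status != 200:
            raise RuntimeError(f"task poll failed: HTTP {status} {task}")
        if task["status"] in TERMINAL:
            return task
    raise TimeoutError(f"{task_url} did not finish after {max_polls} polls")


def list_dependents(send, prop_id):
    """Start the dependents task for a regex property, wait for it, and return its Dependent objects."""
    status, headers, body = send("GET", f"{BASE}/regex_properties/{prop_id}/dependents")
    if status == 404:
        raise LookupError(f"regex property {prop_id} does not exist (code {body.get('code')})")
    if status != 202:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    task = wait_for_task(send, headers["Location"])   # the 202 carries the task status URL
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependents task ended in {task['status']}: {task.get('message')}")
    status, _, deps = send("GET", f"{BASE}/regex_property_dependent_tasks/{task['id']}/results")
    if status != 200:
        raise RuntimeError(f"results fetch failed: HTTP {status}")
    return deps


def safe_delete_regex_property(send, prop_id):
    """Delete the property only when no dependent blocks it; otherwise report what blocks it."""
    # 'blocking' is the flag shown in the results sample; a missing flag is treated as blocking.
    blocking = [d for d in list_dependents(send, prop_id) if d.get("blocking", True)]
    if blocking:
        return {"deleted": False,
                "blocking": [(d["dependent_type"], d["dependent_name"]) for d in blocking]}
    status, headers, body = send("DELETE", f"{BASE}/regex_properties/{prop_id}")
    if status == 403:
        raise PermissionError(f"only the owner or an admin may delete (code {body.get('code')})")
    if status != 202:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    task = wait_for_task(send, headers["Location"])
    return {"deleted": task["status"] == "COMPLETED", "blocking": [], "task_id": task["id"]}


class FakeQRadar:
    """Constructed stand-in for the console: emulates the documented status codes, Location
    headers and asynchronous task progression. `dependents` maps property ID -> Dependent list."""

    def __init__(self, dependents):
        self.dependents = dependents
        self.tasks = {}          # task_id -> {"polls_left", "prop", "kind"}
        self.deleted = set()
        self._next_id = 100

    def _start(self, kind, prop_id):
        tid, self._next_id = self._next_id, self._next_id + 1
        self.tasks[tid] = {"polls_left": 2, "prop": prop_id, "kind": kind}
        return 202, {"Location": f"{BASE}/{kind}/{tid}"}, {"id": tid, "status": "QUEUED"}

    def _poll(self, tid):
        t = self.tasks.get(tid)
        if t is None:
            return 404, {}, {"code": 1002, "message": "task not found"}
        if t["polls_left"] > 0:      # report PROCESSING for a couple of polls, then complete
            t["polls_left"] -= 1
            return 200, {}, {"id": tid, "status": "PROCESSING", "message": "working"}
        if t["kind"] == "regex_property_delete_tasks":
            self.deleted.add(t["prop"])
        return 200, {}, {"id": tid, "status": "COMPLETED", "message": "done"}

    def _exists(self, prop_id):
        return prop_id in self.dependents and prop_id not in self.deleted

    def send(self, method, url):
        parts = url.strip("/").split("/")
        not_found = (404, {}, {"code": 1002, "message": "not found"})
        if method == "GET" and parts[-1] == "dependents":
            pid = int(parts[-2])
            return self._start("regex_property_dependent_tasks", pid) if self._exists(pid) else not_found
        if method == "GET" and parts[-1] == "results":
            t = self.tasks.get(int(parts[-2]))
            return (200, {}, self.dependents[t["prop"]]) if t and t["polls_left"] == 0 else not_found
        if method == "GET" and parts[-2].endswith("_tasks"):
            return self._poll(int(parts[-1]))
        if method == "DELETE" and parts[-2] == "regex_properties":
            pid = int(parts[-1])
            return self._start("regex_property_delete_tasks", pid) if self._exists(pid) else not_found
        return not_found


if __name__ == "__main__":
    # Constructed data: property 7 is used by a custom rule, property 8 by nothing.
    console = FakeQRadar({7: [{"dependent_type": "CRE_RULE", "dependent_name": "Suspicious Logon Rule",
                               "dependent_owner": "admin", "blocking": True}], 8: []})
    print(safe_delete_regex_property(console.send, 7))   # refused: blocked by the CRE_RULE
    print(safe_delete_regex_property(console.send, 8))   # deleted once the delete task completes
```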

GET /config/extension_management/extensions
Retrieve a list of extensions.
Table 1808. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 1809. GET /config/extension_management/extensions request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1810. GET /config/extension_management/extensions response codes
HTTP Response Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be sorted on.
500 22602 An error has occurred while trying to retrieve the list of extensions.

Response Description

A list of extensions. Each extension contains the following fields:
v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (the person who generated the extension).
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as the number of milliseconds since the Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as the number of milliseconds since the Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array - Objects representing the items contained within the extension. Each object has the following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",
"content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,

"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]
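Extensions import rules, reference data and QID maps straight into the deployment, so the `signed`, `beta`, `status` and `contents` fields returned by this endpoint are worth auditing. As an added example (not IBM's code and not part of this guide), the following Python function reviews a list returned by GET /config/extension_management/extensions and flags live extensions whose signature state is NOT_SIGNED (the value shown in the sample above), beta extensions, and content items with no identifier. The input is a constructed sample modelled on the response above; the SIGNED value on the third entry is an assumed value that this page does not document.

```python
import json
from collections import Counter

# Status values in which an extension's content is live in the deployment (from the status list above).
ACTIVE_STATUSES = {"INSTALLED", "INSTALLING", "PREVIEWING"}

# Constructed sample modelled on the GET /config/extension_management/extensions response.
# The "SIGNED" value on the third entry is assumed; this page only shows "NOT_SIGNED".
SAMPLE_EXTENSIONS = json.loads("""[
  {"id": 59, "name": "custom_rule.xml", "author": "admin", "status": "INSTALLED", "signed": "NOT_SIGNED",
   "beta": false, "installed_by": "admin", "file_location": "/store/cmt/exports/custom_rule.zip",
   "contents": [{"content_type_id": 3, "identifier": "No Description Supplied", "content_type_name": "custom_rule"},
                {"content_type_id": 28, "identifier": "Asset Reconciliation IPv4 Blacklist", "content_type_name": "reference_data"}]},
  {"id": 2, "name": "qidmap.xml", "author": "admin", "status": "INSTALLED", "signed": "NOT_SIGNED",
   "beta": false, "installed_by": "admin", "file_location": "/store/cmt/exports/qidmap.xml",
   "contents": [{"content_type_id": 27, "identifier": "", "content_type_name": "qidmap"}]},
  {"id": 7, "name": "vendor_pack.zip", "author": "vendor", "status": "UPLOADED", "signed": "SIGNED",
   "beta": true, "added_by": "admin", "file_location": "/store/cmt/exports/vendor_pack.zip",
   "contents": [{"content_type_id": 3, "identifier": "Vendor rule", "content_type_name": "custom_rule"}]}
]""")


def audit_extensions(extensions):
    """Return (findings, content_type_counts) for the live extensions in a GET .../extensions response.

    Each finding is a dict with the extension id and name plus a list of reasons to review it.
    Extensions that are merely uploaded (not installed) are skipped: their content is not live yet.
    """
    findings = []
    type_counts = Counter()
    for ext in extensions:
        if ext.get("status") not in ACTIVE_STATUSES:
            continue
        reasons = []
        if ext.get("signed") == "NOT_SIGNED":
            who = ext.get("installed_by") or ext.get("added_by") or "unknown"
            reasons.append("unsigned content installed by %s" % who)
        if ext.get("beta"):
            reasons.append("beta/experimental extension")
        unnamed = [c["content_type_name"] for c in ext.get("contents", []) if not c.get("identifier")]
        if unnamed:
            reasons.append("content items without identifier: " + ", ".join(unnamed))
        for c in ext.get("contents", []):
            type_counts[c["content_type_name"]] += 1
        if reasons:
            findings.append({"id": ext["id"], "name": ext["name"], "reasons": reasons})
    return findings, dict(type_counts)


if __name__ == "__main__":
    found, counts = audit_extensions(SAMPLE_EXTENSIONS)
    for f in found:
        print(f["id"], f["name"], "; ".join(f["reasons"]))
    print("live content by type:", counts)
```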

POST /config/extension_management/extensions
Uploads the supplied extension file to the IBM Security QRadar system.
Table 1811. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 1812. POST /config/extension_management/extensions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1813. POST /config/extension_management/extensions request body details
Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The extension file. Must be a properly formed QRadar extension/content export, either an XML file or an XML within a ZIP or TAR.GZ archive. Must be provided with MIME type application/xml, application/zip, application/x-gzip or multipart/form-data. File

Table 1814. POST /config/extension_management/extensions response codes
HTTP Response Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file cannot be uploaded because it shares the same hub_id and version as one of the extensions in the system.
422 22607 The supplied extension could not be validated successfully.
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the extension file.

Response Description

An extension containing the following fields:
• id - Number - Unique ID of this extension within the QRadar deployment.
• name - String - The name of the extension.
• description - String - The description of the extension.
• author - String - The author (person who generated) the extension.
• version - String - The version of the extension.
• supported_languages - Array of strings - The language tags supported by this extension.
• exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
• min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
• file_location - String - The location of the extension file on disk.
• size - Number - The size in bytes of the extension file.
• signed - String - The state of the extension's signature.
• beta - Boolean - True if the extension is considered to be beta or experimental.
• added_by - String - The user or authorized service that added the extension to QRadar.
• installed_by - String - The user or authorized service that installed the extension.
• add_time - Number - The date/time at which the extension was added to QRadar, represented as number of milliseconds since Unix epoch.
• install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.
• full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
• status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.

7 Previous REST API versions 831


• contents - Array of objects representing an item contained within the extension. Each object has the following fields:
  – content_type_id - Number - The ID of the content type.
  – content_type_name - String - The name of the content type.
  – identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
Retrieves an extension based on the supplied extension ID.
Table 1815. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 1816. GET /config/extension_management/extensions/{extension_id} request parameter details
Parameter     Type   Optionality  Data Type         MIME Type   Description
extension_id  path   Required     Number (Integer)  text/plain  Required - The id of the extension.
fields        query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

832 QRadar API Reference Guide


Table 1817. GET /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code  Unique Code  Description
200                              The requested extension has been retrieved.
404                 22603        The requested extension cannot be found.
422                 22606        A supplied numeric parameter was not positive.
500                 22602        An error has occurred while trying to retrieve the requested extension.

Response Description

An extension containing the following fields:
• id - Number - Unique ID of this extension within the QRadar deployment.
• name - String - The name of the extension.
• description - String - The description of the extension.
• author - String - The author (person who generated) the extension.
• version - String - The version of the extension.
• supported_languages - Array of strings - The language tags supported by this extension.
• exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
• min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
• file_location - String - The location of the extension file on disk.
• size - Number - The size in bytes of the extension file.
• signed - String - The state of the extension's signature.
• beta - Boolean - True if the extension is considered to be beta or experimental.
• added_by - String - The user or authorized service that added the extension to QRadar.
• installed_by - String - The user or authorized service that installed the extension.
• add_time - Number - The date/time at which the extension was added to QRadar, represented as number of milliseconds since Unix epoch.
• install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.
• full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
• status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
• contents - Array of objects representing an item contained within the extension. Each object has the following fields:
  – content_type_id - Number - The ID of the content type.
  – content_type_name - String - The name of the content type.
  – identifier - String - The descriptive name/identifier of the item.

Response Sample
{
  "file_location": "/store/cmt/exports/qidmaps.xml",
  "supported_languages": [
    "en_US"
  ],
  "contents": [
    {
      "content_type_id": 27,
      "identifier": "",
      "content_type_name": "qidmap"
    }
  ],
  "status": "INSTALLED",
  "signed": "NOT_SIGNED",
  "full_uninstall": false,
  "min_qradar_version": null,
  "beta": false,
  "version": "7.2.6.20150821144442",
  "size": 675,
  "id": 2,
  "author": "admin",
  "description": null,
  "exported_qradar_version": null,
  "name": "qidmaps.xml",
  "install_time": 1440612194941,
  "installed_by": "admin",
  "added_by": "admin",
  "add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id}
Installs an extension based on the supplied extension ID. This is an asynchronous action.

Installs the extension that corresponds to the supplied extension ID. Alternatively, it can be used to preview an extension, showing which values are applied if the extension is installed.
Table 1818. POST /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 1819. POST /config/extension_management/extensions/{extension_id} request parameter details
Parameter     Type   Optionality  Data Type         MIME Type   Description
extension_id  path   Required     Number (Integer)  text/plain  Required - The id of the extension.
action_type   query  Required     String            text/plain  Required - The desired action to take on the Extension (INSTALL or PREVIEW).
overwrite     query  Optional     Boolean           text/plain  Optional - If true, any existing items on the importing system will be overwritten if the extension contains the same items. If false, existing items will be preserved, and the corresponding items in the extension will be skipped.
fields        query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1820. POST /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code  Unique Code  Description
202                              The requested install or preview task has been started.
404                 22603        The requested extension cannot be found.
404                 22604        The task status for status_id cannot be found.
409                 22612        The supplied extension cannot be installed/previewed because it is already installed.
409                 22611        The supplied extension cannot be installed/previewed because it is already in the process of being installed/previewed.
409                 22618        The requested task can not be initiated because another preview/install task is already in progress.
422                 22605        The supplied action type is invalid.
422                 22606        A supplied numeric parameter was not positive.
500                 22602        An error has occurred while trying to install or preview the requested extension.

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:
• message - String - description of the accepted task.
• status_location - String - the url of the task status.
• current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
  "message": "Uninstalling an extension",
  "status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101",
  "current_status": {
    "progress": 0,
    "result_url": null,
    "cancelled_by": null,
    "status": "QUEUED",
    "task_components": null,
    "modified": 1440891410849,
    "id": 101,
    "message": "Queued Extension uninstallation task for extension id 2",
    "created_by": "admin",
    "created": 1440891410629,
    "maximum": 0,
    "cancel_requested": false,
    "name": "Extension uninstallation task",
    "child_tasks": null,
    "started": 1440891410847,
    "completed": null
  }
}

DELETE /config/extension_management/extensions/{extension_id}
Uninstall an extension based on the supplied extension ID. This is an asynchronous action.
Table 1821. DELETE /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 1822. DELETE /config/extension_management/extensions/{extension_id} request parameter details
Parameter     Type   Optionality  Data Type         MIME Type   Description
extension_id  path   Required     Number (Integer)  text/plain  Required - The id of the extension to be uninstalled.
fields        query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1823. DELETE /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code  Unique Code  Description
202                              The requested uninstall task has been started.
404                 22603        The requested extension cannot be found.
404                 22604        The task status for status_id cannot be found.
409                 22611        The supplied extension cannot be uninstalled because it is already in the process of being uninstalled.
409                 22617        The extension can not be uninstalled because it is already in the process of being previewed/installed.
422                 22606        A supplied numeric parameter was not positive.
500                 22602        An error has occurred while trying to uninstall an extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:
• message - String - description of the accepted task.
• status_location - String - the url of the task status.
• current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
  "message": "Uninstalling an extension",
  "status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101",
  "current_status": {
    "progress": 0,
    "result_url": null,
    "cancelled_by": null,
    "status": "QUEUED",
    "task_components": null,
    "modified": 1440891410849,
    "id": 101,
    "message": "Queued Extension uninstallation task for extension id 2",
    "created_by": "admin",
    "created": 1440891410629,
    "maximum": 0,
    "cancel_requested": false,
    "name": "Extension uninstallation task",
    "child_tasks": null,
    "started": 1440891410847,
    "completed": null
  }
}

GET /config/extension_management/extensions_task_status/{status_id}
Retrieves the task status based on the status ID.
Table 1824. GET /config/extension_management/extensions_task_status/{status_id} resource details
MIME Type
application/json

Table 1825. GET /config/extension_management/extensions_task_status/{status_id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
status_id  path   Required     Number (Integer)  text/plain  Required - the id of the task status.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1826. GET /config/extension_management/extensions_task_status/{status_id} response codes
HTTP Response Code  Unique Code  Description
200                              The requested task status has been retrieved.
404                 22604        The task status for status_id cannot be found.
422                 22606        A supplied numeric parameter was not positive.
500                 22602        An error has occurred while trying to retrieve the task status.

Response Description

A task status containing the following fields:
• id - Number - The ID of the task status.
• name - String - The name of the task status.
• status - String - A string that represents the current state of the task status.
• message - String - A message regarding the current state of the task.
• progress - Number - The current progress of the task.
• minimum - Number - The minimum progress of the task.
• maximum - Number - The maximum progress of the task.
• created_by - String - The username of the user who created the task.
• cancelled_by - String - The username of the user who cancelled the task.
• created - Number - The date/time at which this task was created, represented as number of milliseconds since Unix epoch.
• started - Number - The date/time at which this task was started, represented as number of milliseconds since Unix epoch.
• modified - Number - The date/time at which this task was last modified, represented as number of milliseconds since Unix epoch.
• completed - Number - The date/time at which this task was completed, represented as number of milliseconds since Unix epoch.
• result_url - String - The url where the result can be viewed.
• cancel_requested - Boolean - True if cancel has been requested.
• child_tasks - Array - Array of child task id's that are executed asynchronously from this task.
• task_components - Array - Array of task components that are executed sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

GET /config/extension_management/extensions_task_status/{status_id}/results
Retrieves the task status results based on the status ID.
Table 1827. GET /config/extension_management/extensions_task_status/{status_id}/results resource details
MIME Type
application/json

Table 1828. GET /config/extension_management/extensions_task_status/{status_id}/results request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
status_id  path   Required     Number (Integer)  text/plain  Required - The id of the task status.
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1829. GET /config/extension_management/extensions_task_status/{status_id}/results response codes
HTTP Response Code  Unique Code  Description
200                              The requested results of the task status have been retrieved.
404                 22604        The task status for status_id cannot be found.
404                 22614        The task results are not available.
422                 22606        A supplied numeric parameter was not positive.
500                 22602        An error has occurred while trying to retrieve the results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall task. It contains the following fields:
• id - Number - The ID of the extension.
• task_type - String - The type of task that was issued against the Extension.
• content - Array - An array of JSON objects representing the contents of the extension and what action is associated with each content item for the task that was executed. Each content item contains the following fields:
  – name - String - The name of the content item.
  – content_type_id - Number - The ID of the type of the content item.
  – content_type_name - String - The name of the type of the content item.
  – action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",
"action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}
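The asynchronous preview/install workflow spread over the three endpoints above (POST .../extensions/{extension_id}, GET .../extensions_task_status/{status_id} and GET .../extensions_task_status/{status_id}/results), as an added Python example that is not IBM's code or the QRadar API client. It assumes a requests-style session object whose .get()/.post() return objects with .status_code and .json() (a real requests.Session with the SEC header set fits); the FakeSession is constructed from the sample responses in this reference, with the results sample's task_type changed to PREVIEW, so the flow runs offline.

```python
"""Run a QRadar extension PREVIEW task to completion and summarize what an install would do.

Added example, not IBM's code. Any object with requests-style .get()/.post() works
as `session`; FakeSession (below) replays this reference's sample responses offline.
"""
import time

EXT_PATH = "/config/extension_management/extensions"
TERMINAL_STATES = {"COMPLETED"}  # the only finished state the reference's samples show


def start_extension_task(session, base_url, extension_id, action_type, overwrite=False):
    """POST .../extensions/{extension_id}?action_type=... and return the accepted-task JSON."""
    if action_type not in ("INSTALL", "PREVIEW"):
        raise ValueError("action_type must be INSTALL or PREVIEW")
    resp = session.post(
        f"{base_url}{EXT_PATH}/{extension_id}",
        params={"action_type": action_type, "overwrite": "true" if overwrite else "false"},
    )
    if resp.status_code != 202:  # e.g. 404 22603 (no such extension) or 409 22611/22612/22618 (busy)
        raise RuntimeError(f"task not accepted: HTTP {resp.status_code} {resp.json()}")
    return resp.json()


def wait_for_task(session, status_location, poll_seconds=1.0, max_polls=120):
    """Poll GET .../extensions_task_status/{status_id} until the task reaches a terminal state."""
    for _ in range(max_polls):
        resp = session.get(status_location)
        if resp.status_code != 200:  # 404 22604: unknown status_id
            raise RuntimeError(f"status lookup failed: HTTP {resp.status_code}")
        status = resp.json()
        if status["status"] in TERMINAL_STATES or status.get("completed") is not None:
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"task at {status_location} did not finish after {max_polls} polls")


def fetch_task_results(session, status_location):
    """GET .../extensions_task_status/{status_id}/results for the finished task."""
    resp = session.get(f"{status_location}/results")
    if resp.status_code != 200:  # 404 22614: results not available
        raise RuntimeError(f"results unavailable: HTTP {resp.status_code}")
    return resp.json()


def summarize_actions(results):
    """Count content items per (content_type_name, action), e.g. how many rules would be SKIPped."""
    summary = {}
    for item in results.get("content", []):
        key = (item["content_type_name"], item["action"])
        summary[key] = summary.get(key, 0) + 1
    return summary


def preview_extension(session, base_url, extension_id, overwrite=False):
    """Run a PREVIEW task (no change to the deployment) and return (task_type, action summary)."""
    accepted = start_extension_task(session, base_url, extension_id, "PREVIEW", overwrite)
    wait_for_task(session, accepted["status_location"], poll_seconds=0)
    results = fetch_task_results(session, accepted["status_location"])
    return results["task_type"], summarize_actions(results)


class _Resp:
    def __init__(self, status_code, body):
        self.status_code, self._body = status_code, body

    def json(self):
        return self._body


class FakeSession:
    """Constructed stand-in that replays the reference's samples for extension id 56 / task 101."""

    STATUS_URL = ("https://1.1.1.1/console/restapi/api/config/extension_management/"
                  "extensions_task_status/101")

    def __init__(self):
        self.polls = 0

    def post(self, url, params=None):
        if not url.endswith(f"{EXT_PATH}/56") or (params or {}).get("action_type") not in ("INSTALL", "PREVIEW"):
            return _Resp(404, {"message": "The requested extension cannot be found."})  # constructed body
        return _Resp(202, {"message": "Previewing an extension", "status_location": self.STATUS_URL,
                           "current_status": {"id": 101, "status": "QUEUED", "completed": None}})

    def get(self, url):
        if url == self.STATUS_URL:  # first poll still QUEUED, second poll COMPLETED
            self.polls += 1
            state = "QUEUED" if self.polls < 2 else "COMPLETED"
            return _Resp(200, {"id": 101, "status": state,
                               "completed": None if state == "QUEUED" else 1440891515224})
        if url == f"{self.STATUS_URL}/results":
            return _Resp(200, {"id": 56, "task_type": "PREVIEW", "content": [
                {"content_type_id": 3, "name": "SYSTEM-1607", "action": "SKIP",
                 "content_type_name": "custom_rule"},
                {"content_type_id": 28, "name": "Asset Reconciliation IPv4 Whitelist",
                 "action": "SKIP", "content_type_name": "reference_data"}]})
        return _Resp(404, {"message": "The task status for status_id cannot be found."})


if __name__ == "__main__":
    print(preview_extension(FakeSession(), "https://1.1.1.1/console/restapi/api", 56))
```

Reviewing the PREVIEW summary (and the extension's signed state from GET .../extensions/{extension_id}) before issuing the INSTALL action is the cheap control against content silently overwriting existing rules when overwrite=true.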

GET /config/flow_retention_buckets
Retrieves a list of flow retention buckets.


Table 1830. GET /config/flow_retention_buckets resource details
MIME Type
application/json

Table 1831. GET /config/flow_retention_buckets request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1832. GET /config/flow_retention_buckets response codes
HTTP Response Code  Unique Code  Description
200                              The flow retention buckets were retrieved.
422                 1010         A request parameter is not valid.
500                 1020         An error occurred during the attempt to retrieve the flow retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket ( 0 - 10 ).
• priority - Integer - The priority of the retention bucket ( 0 - 10 ).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time in milliseconds since epoch at which the retention bucket was created.
• modified - Long - The time in milliseconds since epoch at which the retention bucket was last modified.
• saved_search_id - String - The ID of the saved search used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
  {
    "bucket_id": 42,
    "created": 42,
    "database": "String",
    "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
    "description": "String",
    "enabled": true,
    "id": 42,
    "modified": 42,
    "name": "String",
    "period": 42,
    "priority": 42,
    "saved_search_id": "String"
  }
]

GET /config/flow_retention_buckets/{id}
Retrieves a flow retention bucket.


Table 1833. GET /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 1834. GET /config/flow_retention_buckets/{id} request parameter details
Parameter  Type   Optionality  Data Type         MIME Type   Description
id         path   Required     Number (Integer)  text/plain  null
fields     query  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1835. GET /config/flow_retention_buckets/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The flow retention bucket was retrieved.
404                 1002         The flow retention bucket does not exist.
500                 1020         An error occurred during the attempt to retrieve the flow retention bucket.

Response Description

The retention bucket after it is retrieved. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket ( 0 - 10 ).
• priority - Integer - The priority of the retention bucket ( 0 - 10 ).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time in milliseconds since epoch at which the retention bucket was created.
• modified - Long - The time in milliseconds since epoch at which the retention bucket was last modified.
• saved_search_id - String - The ID of the saved search that is used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/flow_retention_buckets/{id}
Updates the flow retention bucket owner, or enabled/disabled only.


Table 1836. POST /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 1837. POST /config/flow_retention_buckets/{id} request parameter details
Parameter  Type    Optionality  Data Type         MIME Type   Description
id         path    Required     Number (Integer)  text/plain  null
fields     header  Optional     String            text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1838. POST /config/flow_retention_buckets/{id} request body details
Parameter         Data Type  MIME Type         Description  Sample
retention_bucket  Object     application/json  null         { "bucket_id": 42, "database": "String", "description": "String", "enabled": true, "id": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

Table 1839. POST /config/flow_retention_buckets/{id} response codes
HTTP Response Code  Unique Code  Description
200                              The flow retention bucket was updated.
404                 1002         The Flow Retention Bucket does not exist.
409                 1004         The provided user does not have the required capabilities to own the flow retention bucket.
422                 1005         A request parameter is not valid.
500                 1020         An error occurred during the attempt to update the flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
• id - Integer - The ID of the retention bucket.
• bucket_id - Integer - The Bucket ID of the retention bucket ( 0 - 10 ).
• priority - Integer - The priority of the retention bucket ( 0 - 10 ).
• name - String - The name of the retention bucket.
• database - String - The database of the retention bucket, EVENTS or FLOWS.
• description - String - The description of the retention bucket.
• period - Integer - The retention period in hours.
• delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
• created - Long - The time in milliseconds since epoch at which the retention bucket was created.
• modified - Long - The time in milliseconds since epoch at which the retention bucket was last modified.
• saved_search_id - String - The ID of the saved search used by the retention bucket.
• enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/flow_retention_buckets/{id}
Deletes a flow retention bucket.


Table 1840. DELETE /config/flow_retention_buckets/{id} resource details
MIME Type
text/plain

Table 1841. DELETE /config/flow_retention_buckets/{id} request parameter details
Parameter  Type  Optionality  Data Type         MIME Type   Description
id         path  Required     Number (Integer)  text/plain  null

Table 1842. DELETE /config/flow_retention_buckets/{id} response codes
HTTP Response Code  Unique Code  Description
204                              The flow retention bucket was deleted.
403                 1009         You do not have the proper capabilities to delete the flow retention bucket.
404                 1002         The flow retention bucket does not exist.
500                 1020         An error occurred during the attempt to delete the flow retention bucket.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/property_expressions
Retrieves a list of flow regex property expressions.


Table 1843. GET /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 1844. GET /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     query   Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range      header  Optional     String     text/plain  Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter     query   Optional     String     text/plain  Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1845. GET /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code  Unique Code  Description
200                              The requested list of flow regex property expressions was retrieved.
422                 1010         An error occurred while building the filter.
500                 1020         An error occurred during the attempt to retrieve the list of flow regex property expressions.

Response Description

A list of flow regex property expressions. Each regex property expression contains the following fields:
• id - Integer - The sequence ID of the flow regex property expression.
• identifier - String - The ID of the flow regex property expression.
• regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
• qid - Integer - The QID of the flow to apply this expression to.
• low_level_category_id - Integer - The expression is applied to all flows with this low level category.
• payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
• username - String - The owner of the flow regex property expression.

Response Sample
[
  {
    "capture_group": 42,
    "creation_date": 42,
    "enabled": true,
    "id": 42,
    "identifier": "String",
    "low_level_category_id": 42,
    "modification_date": 42,
    "payload": "String",
    "payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
    "qid": 42,
    "regex": "String",
    "regex_property_identifier": "String",
    "username": "String"
  }
]

POST /config/flow_sources/custom_properties/property_expressions
Creates a new flow regex property expression.

Table 1846. POST /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 1847. POST /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter  Type    Optionality  Data Type  MIME Type   Description
fields     header  Optional     String     text/plain  Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1848. POST /config/flow_sources/custom_properties/property_expressions request body details
Parameter  Data Type  MIME Type         Description
data       Object     application/json  Required - A JSON representation of the regex property expression object:
  • regex_property_identifier - Required - String - The identifier of the flow regex property that this expression belongs to.
  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
  • regex - Required - String - The regex to extract the property from the payload.
  • capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
  • payload - Optional - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
  • qid - Optional - Integer - The QID of the flow to apply this expression to.
  • low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
  • payload_origin - Required - String - The payload type (source_payload, destination_payload) to apply the expression to.
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "low_level_category_id": 42, "modification_date": 42, "payload": "String", "payload_origin": "String <one of: event_payload, source_payload, destination_payload>", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 1849. POST /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code  Unique Code  Description
201                              A new flow regex property expression was created.
422                 1005         One or more request parameters are invalid in the request.
500                 1020         An error occurred during the attempt to create a new flow regex property expression.

Response Description

The newly created flow regex property expression containing the following fields:
• id - Integer - The sequence ID of the flow regex property expression.
• identifier - String - The ID of the flow regex property expression.
• regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
• enabled - Boolean - Flag that indicates whether this expression is enabled.
• regex - String - The regex to extract the property from the payload.
• capture_group - Integer - The capture group to capture.
• payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
• qid - Integer - The QID of the flow to apply this expression to.
• low_level_category_id - Integer - The expression is applied to all flows with this low level category.
• payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
• username - String - The owner of the flow regex property expression.

Response Sample
{
  "capture_group": 42,
  "creation_date": 42,
  "enabled": true,
  "id": 42,
  "identifier": "String",
  "low_level_category_id": 42,
  "modification_date": 42,
  "payload": "String",
  "payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
  "qid": 42,
  "regex": "String",
  "regex_property_identifier": "String",
  "username": "String"
}

GET /config/flow_sources/custom_properties/property_expressions/{expression_id}
Retrieves a flow regex property expression based on the supplied expression ID.

Table 1850. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 1851. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property expression.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

7 Previous REST API versions 847


Table 1852. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The requested flow regex property expression was successfully retrieved.
404 | 1002 | The requested flow regex property expression cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the requested flow regex property expression.

Response Description

A flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex
matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the
expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/flow_sources/custom_properties/property_expressions/{expression_id}
Updates an existing flow regex property expression.

Table 1853. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 1854. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property expression.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1855. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request body details
Parameter | Data Type | MIME Type | Description
data | Object | application/json | Required - A JSON representation of the flow regex property expression object, with the following fields:
v regex_property_identifier - Optional - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v regex - Optional - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture.
v payload - Optional - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Optional - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
v payload_origin - Optional - String - The payload type (source_payload, destination_payload) to apply the expression to.
v username - Optional - String - The owner of the flow regex property expression. If the input username is an authorized service, the prefix "API_token: " is required.
Sample:
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

7 Previous REST API versions 849


Table 1856. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The flow regex property expression was updated.
403 | 1009 | The user cannot update the resource because it can only be updated by the owner or an admin user.
404 | 1002 | The requested flow regex property expression cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to update a flow regex property expression.

Response Description

The updated flow regex property expression object contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression
belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex
matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the
expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
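The update body above carries regex, capture_group, payload and payload_origin together, and the server answers an inconsistent combination only with 422/1005, without saying which field is wrong. The following Python is an added example, not code from the IBM guide or from QRadar itself: it performs the same regex-against-test-payload check the UI does, on the client, before the POST is sent, and builds the username value with the "API_token: " prefix an authorized service needs. The sample payload, identifier and field values are constructed for the example. Two points are this example's assumptions rather than statements on the page: capture_group is taken as 1-based (group 0 being the whole match, as in the regex dialect), and payload_origin is restricted to the two values the description names for flow expressions, although the sample enum also lists event_payload.

```python
import re

# The two payload_origin values the request body description names for flow
# expressions. The response sample also lists event_payload; this example
# treats that as an event-side value and rejects it for flow expressions.
FLOW_PAYLOAD_ORIGINS = ("source_payload", "destination_payload")

# Constructed sample: a TCP payload as QRadar might present source_payload.
SAMPLE_PAYLOAD = "GET /login?user=alice&next=%2F HTTP/1.1\r\nHost: intranet.example\r\n"

# Constructed request body for POST .../property_expressions/{expression_id}.
SAMPLE_BODY = {
    "regex_property_identifier": "example-property-identifier",  # assumed value
    "enabled": True,
    "regex": r"[?&]user=([^&\s]+)",
    "capture_group": 1,
    "payload": SAMPLE_PAYLOAD,
    "payload_origin": "source_payload",
}


def owner_name(username, authorized_service=False):
    """Value for the username field; an authorized service needs the
    literal prefix "API_token: " (trailing space included)."""
    return "API_token: " + username if authorized_service else username


def check_expression(body):
    """Validate an expression body locally before POSTing it.

    Returns (problems, captured): problems is a list of findings, captured is
    the text the chosen group extracts from the test payload (None if the
    check could not get that far). An empty problems list means the body is
    consistent; the server may still refuse it for reasons outside the body
    (403 when the caller is neither owner nor admin, 404 for a bad id).
    """
    problems = []

    origin = body.get("payload_origin")
    if origin not in FLOW_PAYLOAD_ORIGINS:
        problems.append("payload_origin %r is not one of %s"
                        % (origin, ", ".join(FLOW_PAYLOAD_ORIGINS)))

    pattern = body.get("regex")
    if not pattern:
        problems.append("regex is missing or empty")
        return problems, None
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        problems.append("regex does not compile: %s" % exc)
        return problems, None

    # Assumption: capture_group numbers groups from 1, as the regex dialect
    # does; group 0 is the whole match and is not a capture group.
    group = body.get("capture_group")
    if not isinstance(group, int) or group < 1 or group > compiled.groups:
        problems.append("capture_group %r is out of range for a regex with %d group(s)"
                        % (group, compiled.groups))
        return problems, None

    # The same check the UI performs with the test payload: the regex must
    # match, and the selected group must take part in the match.
    payload = body.get("payload")
    if not payload:
        return problems, None
    match = compiled.search(payload)
    if match is None:
        problems.append("regex does not match the test payload")
        return problems, None
    captured = match.group(group)
    if captured is None:
        problems.append("capture group %d did not take part in the match" % group)
    return problems, captured
```

Run check_expression on the body first and send the POST only when the problems list is empty; when the owner of the expression is an authorized service, set the username field with owner_name(token_name, authorized_service=True) so the value carries the prefix the table requires.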

DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id}
Deletes a flow regex property expression based on the supplied expression ID.

Table 1857. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 1858. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property expression.

Table 1859. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code | Unique Code | Description
204 | - | The requested flow regex property expression was successfully deleted.
403 | 1009 | The user cannot delete the resource because it can only be deleted by the owner or an admin user.
404 | 1002 | The requested flow regex property expression cannot be found.
500 | 1020 | An error occurred during the attempt to delete the requested flow regex property expression.

Response Description

No response body is returned; a successful delete answers with HTTP 204.

Response Sample

(none)
GET /config/flow_sources/custom_properties/regex_properties
Retrieves a list of flow regex properties.

Table 1860. GET /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1861. GET /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1862. GET /config/flow_sources/custom_properties/regex_properties response codes
HTTP Response Code | Unique Code | Description
200 | - | The requested list of flow regex properties was retrieved.
422 | 1010 | An error occurred while building the filter.
500 | 1020 | An error occurred during the attempt to retrieve the list of flow regex properties.

Response Description

A list of flow regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/flow_sources/custom_properties/regex_properties
Creates a new flow regex property.

Table 1863. POST /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1864. POST /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1865. POST /config/flow_sources/custom_properties/regex_properties request body details
Parameter | Data Type | MIME Type | Description
data | Object | application/json | Required - A JSON representation of the flow regex property object, with the following fields:
v name - Required - String - The name of the flow regex property.
v description - Optional - String - The description of the flow regex property.
v property_type - Required - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when the property type is time.
v locale - Optional - String - The language tag of the locale that the property matches. It is required when the property type is time.
Sample:
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

Table 1866. POST /config/flow_sources/custom_properties/regex_properties response codes
HTTP Response Code | Unique Code | Description
201 | - | A new flow regex property was created.
422 | 1005 | One or more request parameters are invalid.
500 | 1020 | An error occurred during the attempt to create a new flow regex property.

Response Description

The newly created flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.

v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
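The body rules in Table 1865 (name and property_type required, datetime_format and locale required for a time property) are easy to get wrong in scripted provisioning, and the expression that populates a property cannot be created until the identifier the server assigned to the property is known. The following Python is an added example, not the guide's sample code or a QRadar client: build_regex_property enforces the stated body rules, and create_property_with_expression issues the property POST and then the expression POST that references the returned identifier. The HTTP layer is a caller-supplied post(path, body) callable returning (status, json); FakePost is a constructed stand-in that answers with the fields the page's response samples list, so the example runs offline. The property names, description, identifiers and the date pattern are constructed values.

```python
BASE = "/api/config/flow_sources/custom_properties"
PROPERTY_TYPES = ("string", "numeric", "ip", "port", "time")


def build_regex_property(name, property_type, description=None,
                         use_for_rule_engine=False,
                         datetime_format=None, locale=None):
    """Body for POST .../regex_properties, checked against the page's rules:
    name and property_type are required, property_type is one of five
    values, and a time property must carry datetime_format and locale."""
    if not name:
        raise ValueError("name is required")
    if property_type not in PROPERTY_TYPES:
        raise ValueError("property_type must be one of %s" % ", ".join(PROPERTY_TYPES))
    body = {
        "name": name,
        "property_type": property_type,
        # Optional on the server and false when omitted; sent explicitly so
        # the intent is visible in the request log.
        "use_for_rule_engine": bool(use_for_rule_engine),
    }
    if description is not None:
        body["description"] = description
    if property_type == "time":
        if not datetime_format or not locale:
            raise ValueError("datetime_format and locale are required when property_type is time")
        body["datetime_format"] = datetime_format
        body["locale"] = locale
    return body


def create_property_with_expression(post, property_body, expression_fields):
    """Create the property, then the expression that fills it.

    post(path, body) performs the HTTP POST and returns (status, json).
    The expression's regex_property_identifier is the identifier the server
    assigned to the property, so the order of the two calls is fixed.
    """
    status, prop = post(BASE + "/regex_properties", property_body)
    if status != 201:
        raise RuntimeError("property create failed: HTTP %s %r" % (status, prop))
    expression = dict(expression_fields)
    expression["regex_property_identifier"] = prop["identifier"]
    status, expr = post(BASE + "/property_expressions", expression)
    if status != 201:
        raise RuntimeError("expression create failed: HTTP %s %r" % (status, expr))
    return prop, expr


class FakePost:
    """Constructed stand-in for the HTTP layer so the example runs without a
    QRadar console. Records each call and answers with the fields the page's
    response samples list, using made-up identifiers."""

    def __init__(self):
        self.calls = []

    def __call__(self, path, body):
        self.calls.append((path, body))
        if path.endswith("/regex_properties"):
            return 201, {"id": 7, "identifier": "prop-7", "name": body["name"]}
        if path.endswith("/property_expressions"):
            if "regex_property_identifier" not in body:
                return 422, {"code": 1005}
            return 201, dict(body, id=9, identifier="expr-9")
        return 404, {"code": 1002}


def demo():
    """Provision a string property plus one expression through FakePost."""
    post = FakePost()
    prop = build_regex_property("Flow HTTP user", "string",
                                description="user= parameter from the request line",
                                use_for_rule_engine=True)
    return create_property_with_expression(post, prop, {
        "enabled": True,
        "regex": r"[?&]user=([^&\s]+)",
        "capture_group": 1,
        "payload_origin": "source_payload",
    }), post.calls
```

Against a real console, replace FakePost with a function that sends the JSON body with the SEC token header and returns the status code and decoded body; the two POSTs and the identifier hand-off stay the same.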

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Retrieves a flow regex property based on the supplied regex property ID.

Table 1867. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1868. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
regex_property_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1869. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The requested flow regex property was successfully retrieved.
404 | 1002 | The requested flow regex property cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the requested flow regex property.

Response Description

A flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.

v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Updates an existing flow regex property.

Table 1870. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1871. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
regex_property_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1872. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter | Data Type | MIME Type | Description
data | Object | application/json | Required - A JSON representation of the flow regex property object, with the following fields:
v description - Optional - String - The description of the flow regex property.
v property_type - Optional - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured. It defaults to false if no value is supplied.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when the property type is time.
v locale - Optional - String - The language tag of the locale that the property matches. It is required when the property type is time.
v username - Optional - String - The owner of the flow regex property. If the input username is an authorized service, the prefix "API_token: " is required.
Sample:
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

Table 1873. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The flow regex property was updated.
403 | 1009 | The user cannot update the resource because it can only be updated by the owner or an admin user.
404 | 1002 | The requested flow regex property cannot be found.
422 | 1005 | One or more parameters are invalid in the request.
500 | 1020 | An error occurred during the attempt to update a flow regex property.

Response Description

The updated flow regex property object contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the
flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id}
Deletes a flow regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 1874. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 1875. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
regex_property_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property to delete.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1876. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code | Unique Code | Description
202 | - | The flow regex property delete request was accepted and is in progress.
403 | 1009 | The user cannot delete the regex_property because it can only be deleted by the owner or an admin user.
404 | 1002 | The requested flow regex property cannot be found.
500 | 1020 | An error occurred during the attempt to delete the flow regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task .
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the flow regex property.

Table 1877. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource details
MIME Type
application/json

Table 1878. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
regex_property_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the flow regex property.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1879. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | - | The flow regex property dependents retrieval was accepted and is in progress.
404 | 1002 | The flow regex property does not exist.
500 | 1020 | An error occurred during the attempt to initiate the flow regex property dependents retrieval task.

Response Description

A Dependents Task Status object and the Location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.

– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Retrieves the flow regex property dependent task status.

Table 1880. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1881. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the flow regex property dependent task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1882. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The dependent task status was retrieved.
404 | 1002 | The requested task status cannot be found.
422 | 1005 | The task id is invalid in the request.
500 | 1020 | An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/
flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time, in milliseconds since epoch, at which the task was created.
• started - Long - The time, in milliseconds since epoch, at which the task was started.
• modified - Long - The time, in milliseconds since epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}
Cancels the flow regex property dependent task.

Table 1883. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1884. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1885. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 1886. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task was cancelled.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time, in milliseconds since epoch, at which the task was created.
• started - Long - The time, in milliseconds since epoch, at which the task was started.
• modified - Long - The time, in milliseconds since epoch, at which the task was modified.
• completed - Long - The time, in milliseconds since epoch, at which the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
  – started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
  – modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
  – completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.

Table 1887. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1888. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1889. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The requested task results were retrieved.
404 | 1002 | The requested task status cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the task status.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
  {
    "blocking": true,
    "dependent_database": "String <one of: EVENTS, FLOWS>",
    "dependent_group_ids": [
      42
    ],
    "dependent_id": "String",
    "dependent_name": "String",
    "dependent_owner": "String",
    "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
    "user_has_edit_permissions": true
  }
]
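An added example (not IBM's code) of driving the dependent task described in these three endpoints: poll the status object until it reaches one of the terminal states listed above, then reduce the results list to what an operator needs before removing the property. The HTTP call is injected as a hypothetical `fetch_status` callable so the logic runs offline; the status sequence and results below are constructed samples shaped like the Response Samples.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Values of the documented `status` field after which the task will not change again.
# The remaining values (QUEUED, PROCESSING, CANCEL_REQUESTED, ...) mean keep polling.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def wait_for_dependent_task(fetch_status: Callable[[int], Dict], task_id: int,
                            max_polls: int = 60) -> Dict:
    """Poll GET .../regex_property_dependent_tasks/{task_id} until the task settles.

    `fetch_status(task_id)` is hypothetical and supplied by the caller; it returns the
    decoded Dependent Task Status object. Sleeping between polls is left to that
    callable so this function stays testable without a live console.
    """
    last: Dict = {}
    for _ in range(max_polls):
        last = fetch_status(task_id)
        if last["status"] in TERMINAL_STATES:
            return last
    raise TimeoutError(f"task {task_id} still {last.get('status')!r} after {max_polls} polls")


def summarize_dependents(results: Iterable[Dict]) -> Dict:
    """Reduce the GET .../{task_id}/results list to an operator's view: how many
    dependents per dependent_type, and which ones the task creator cannot edit
    (user_has_edit_permissions false), since those stand in the way of removal."""
    items = list(results)
    by_type = Counter(item["dependent_type"] for item in items)
    blocked = [item for item in items if not item.get("user_has_edit_permissions", False)]
    return {"total": len(items), "by_type": dict(by_type), "blocked": blocked}


# Constructed sample responses, shaped like the Response Samples above; the values
# are illustrative and do not come from a real deployment.
SAMPLE_STATUS_SEQUENCE: List[Dict] = [
    {"id": 7, "status": "QUEUED", "progress": 0, "maximum": 3, "number_of_dependents": None},
    {"id": 7, "status": "PROCESSING", "progress": 2, "maximum": 3, "number_of_dependents": None},
    {"id": 7, "status": "COMPLETED", "progress": 3, "maximum": 3, "number_of_dependents": 3},
]
SAMPLE_RESULTS: List[Dict] = [
    {"dependent_id": "1001", "dependent_name": "Flow Top Talkers", "dependent_owner": "admin",
     "dependent_type": "ARIEL_SAVED_SEARCH", "dependent_database": "FLOWS",
     "dependent_group_ids": [3], "user_has_edit_permissions": True, "blocking": False},
    {"dependent_id": "220", "dependent_name": "Unusual flow property seen", "dependent_owner": "soc_lead",
     "dependent_type": "CRE_RULE", "dependent_database": "FLOWS",
     "dependent_group_ids": [12], "user_has_edit_permissions": False, "blocking": True},
    {"dependent_id": "88", "dependent_name": "Weekly flow report", "dependent_owner": "admin",
     "dependent_type": "REPORT", "dependent_database": "FLOWS",
     "dependent_group_ids": [], "user_has_edit_permissions": True, "blocking": False},
]


def replay_fetch(sequence: List[Dict]) -> Callable[[int], Dict]:
    """Build a stand-in for the HTTP call that replays `sequence` one poll at a time
    and keeps returning the final element once the sequence is exhausted."""
    remaining = iter(sequence)
    final = sequence[-1]

    def fetch(task_id: int) -> Dict:
        return next(remaining, final)

    return fetch


if __name__ == "__main__":
    final_status = wait_for_dependent_task(replay_fetch(SAMPLE_STATUS_SEQUENCE), 7)
    print(f"task {final_status['id']} ended {final_status['status']} "
          f"with {final_status['number_of_dependents']} dependents")
    summary = summarize_dependents(SAMPLE_RESULTS)
    print("dependents by type:", summary["by_type"])
    for dep in summary["blocked"]:
        print(f"needs another owner to act: {dep['dependent_type']} {dep['dependent_id']} "
              f"({dep['dependent_name']}, owner {dep['dependent_owner']})")
```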

GET /config/global_system_notifications
Retrieves a list of all deployed global system notifications.

Table 1890. GET /config/global_system_notifications resource details
MIME Type
application/json

Table 1891. GET /config/global_system_notifications request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1892. GET /config/global_system_notifications response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed global system notifications list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of deployed global system notifications.

868 QRadar API Reference Guide


Response Description

A list of all deployed global system notifications. A notification contains the following fields:
• id - Long - The ID of the notification.
• name - String - The name of the notification.
• operator - String - The notification criteria operator.
• value - String - The notification criteria value.
• message - Double - The notification message.
• default - Boolean - Whether the notification message is modified by the user or not.
• enabled - Boolean - Whether the notification is enabled or not.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /config/global_system_notifications/{notification_id}
Retrieves a deployed global system notification by ID.

Table 1893. GET /config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 1894. GET /config/global_system_notifications/{notification_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
notification_id | path | Required | Number (Integer) | text/plain | ID that is used for retrieving a deployed global system notification.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1895. GET /config/global_system_notifications/{notification_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed global system notification was successfully retrieved.
404 | 1002 | No deployed global system notification was found for the provided notification ID.
500 | 1020 | An error occurred while the notification was being retrieved.

Response Description

The associated deployed global system notification object. A notification contains the following fields:
• id - Long - The ID of the notification.
• name - String - The name of the notification.
• operator - String - The notification criteria operator.
• value - String - The notification criteria value.
• message - Double - The notification message.
• default - Boolean - Whether the notification message is modified by the user or not.
• enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /config/network_hierarchy/networks
Retrieves the deployed network hierarchy.

Table 1896. GET /config/network_hierarchy/networks resource details
MIME Type
application/json

Table 1897. GET /config/network_hierarchy/networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1898. GET /config/network_hierarchy/networks response codes
HTTP Response Code | Unique Code | Description
200 | | The network hierarchy was returned.
500 | 1020 | An error occurred during the attempt to retrieve the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/network_hierarchy/staged_networks
Retrieves the staged network hierarchy.

Table 1899. GET /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 1900. GET /config/network_hierarchy/staged_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1901. GET /config/network_hierarchy/staged_networks response codes
HTTP Response Code | Unique Code | Description
200 | | The network hierarchy was returned.
500 | 1020 | An error occurred during the attempt to retrieve the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

PUT /config/network_hierarchy/staged_networks
Replaces the current network hierarchy with the input that is provided.

Table 1902. PUT /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 1903. PUT /config/network_hierarchy/staged_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1904. PUT /config/network_hierarchy/staged_networks request body details
Parameter | Data Type | MIME Type | Description | Sample
network_hierarchy | Array<Object> | application/json | Required - A JSON String that contains network hierarchy objects with the fields listed below. | [ { "id": 4, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.1/32", "domain_id": 0 }, { "id": 5, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.2/32", "domain_id": 0 } ]

Fields of each network hierarchy object:
• id - Optional - Integer - The ID of the network object.
• group - Required - String - The group of the network object.
• name - Required - String - The name of the network object.
• cidr - Required - String - The CIDR range of the network object.
• description - Optional - String - The description of the network object.
• domain_id - Optional - Integer - The domain ID of the network object (required if domain aware).

Table 1905. PUT /config/network_hierarchy/staged_networks response codes
HTTP Response Code | Unique Code | Description
200 | | The network hierarchy was successfully replaced.
409 | 1004 | A duplicate parameter was passed to the API call.
422 | 1005 | An invalid parameter was passed to the API call.
500 | 1020 | An unexpected error occurred during the creation of the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects, each with the following fields:
• id - Integer - The ID of the network object.
• group - String - The group of the network object.
• name - String - The name of the network object.
• cidr - String - The CIDR range of the network object.
• description - String - The description of the network object.
• domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]
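An added example (not IBM's code): a local pre-check for a network_hierarchy body before it is sent to PUT /config/network_hierarchy/staged_networks. It enforces the required fields and the domain_id rule from Table 1904 and rejects malformed or duplicate CIDRs and duplicate ids (the conditions behind the 422 and 409 codes); the overlap check is an extra sanity check of my own, not a documented API rule. SAMPLE_BODY is the table's sample and BAD_BODY is constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

REQUIRED_FIELDS = ("group", "name", "cidr")


def validate_network_hierarchy(networks: List[Dict], domain_aware: bool = False) -> List[str]:
    """Return human-readable problems with a network_hierarchy array; an empty list
    means every object has group, name and cidr, every cidr parses as a proper
    network (no host bits set), no id or cidr appears twice, and, when the system is
    domain aware, every object carries a domain_id."""
    problems: List[str] = []
    seen_ids: Dict[int, int] = {}
    seen_cidrs: Dict[str, int] = {}
    for pos, net in enumerate(networks):
        for field in REQUIRED_FIELDS:
            if not net.get(field):
                problems.append(f"entry {pos}: missing required field '{field}'")
        cidr = net.get("cidr")
        if cidr:
            try:
                parsed = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"entry {pos}: invalid cidr {cidr!r} ({exc})")
            else:
                key = str(parsed)
                if key in seen_cidrs:
                    problems.append(f"entry {pos}: cidr {key} duplicates entry {seen_cidrs[key]}")
                else:
                    seen_cidrs[key] = pos
        net_id = net.get("id")
        if net_id is not None:
            if isinstance(net_id, bool) or not isinstance(net_id, int):
                problems.append(f"entry {pos}: id must be an integer")
            elif net_id in seen_ids:
                problems.append(f"entry {pos}: id {net_id} duplicates entry {seen_ids[net_id]}")
            else:
                seen_ids[net_id] = pos
        if domain_aware and net.get("domain_id") is None:
            problems.append(f"entry {pos}: domain_id is required on a domain-aware deployment")
    return problems


def find_overlapping_cidrs(networks: List[Dict]) -> List[Tuple[int, int]]:
    """Extra sanity check (not an API rule on this page): pairs of entry positions
    whose CIDRs overlap, because overlapping ranges leave it unclear which hierarchy
    object an address will be attributed to."""
    parsed = []
    for pos, net in enumerate(networks):
        try:
            parsed.append((pos, ipaddress.ip_network(net["cidr"], strict=False)))
        except (KeyError, ValueError):
            continue  # already reported by validate_network_hierarchy
    overlaps = []
    for i, (pi, a) in enumerate(parsed):
        for pj, b in parsed[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                overlaps.append((pi, pj))
    return overlaps


# The sample body from Table 1904, constructed here as test input.
SAMPLE_BODY: List[Dict] = [
    {"id": 4, "group": "DMZ", "name": "External", "description": "network description",
     "cidr": "0.0.0.1/32", "domain_id": 0},
    {"id": 5, "group": "DMZ", "name": "External", "description": "network description",
     "cidr": "0.0.0.2/32", "domain_id": 0},
]

# A constructed body carrying the kinds of mistakes the API answers with 409/422:
# host bits set in a cidr, a repeated id, and a missing required name.
BAD_BODY: List[Dict] = [
    {"id": 4, "group": "DMZ", "name": "Web tier", "cidr": "10.0.0.1/24"},
    {"id": 4, "group": "DMZ", "name": "App tier", "cidr": "10.0.1.0/24"},
    {"id": 6, "group": "Corporate", "cidr": "10.0.0.0/16"},
]

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("bad", BAD_BODY)):
        print(f"{label}: problems={validate_network_hierarchy(body, domain_aware=True)}")
        print(f"{label}: overlapping entries={find_overlapping_cidrs(body)}")
```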

GET /config/remote_networks
Retrieves a list of deployed remote networks.

Table 1906. GET /config/remote_networks resource details
MIME Type
application/json

Table 1907. GET /config/remote_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you want to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1908. GET /config/remote_networks response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed remote networks list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of deployed remote networks.

Response Description

A list of deployed remote networks. A remote network contains the following fields:
• id - Long - The ID of the remote network.
• name - String - The name of the remote network.
• description - String - The description of the remote network.
• group - String - The group to which the remote network belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_networks/{network_id}
Retrieves a deployed remote network by ID.

Table 1909. GET /config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 1910. GET /config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to retrieve a deployed remote network.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1911. GET /config/remote_networks/{network_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed remote network was successfully retrieved.
404 | 1002 | No deployed remote network was found with the provided ID.
500 | 1020 | An error occurred during the retrieval of the remote network.

Response Description

The associated deployed remote network object. A remote network contains the following fields:
• id - Long - The ID of the remote network.
• name - String - The name of the remote network.
• description - String - The description of the remote network.
• group - String - The group to which the remote network belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/remote_services
Retrieves a list of deployed remote services.

Table 1912. GET /config/remote_services resource details
MIME Type
application/json

Table 1913. GET /config/remote_services request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 1914. GET /config/remote_services response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed remote services list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of deployed remote services.

Response Description

A list of deployed remote services. A remote service contains the following fields:
• id - Long - The ID of the remote service.
• name - String - The name of the remote service.
• description - String - The description of the remote service.
• group - String - The group to which the remote service belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_services/{service_id}
Retrieves a deployed remote service by ID.

Table 1915. GET /config/remote_services/{service_id} resource details
MIME Type
application/json

Table 1916. GET /config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for retrieving a deployed remote service.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 1917. GET /config/remote_services/{service_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The deployed remote service was successfully retrieved.
404 | 1002 | No deployed remote service was found with the provided ID.
500 | 1020 | An error occurred during the retrieval of the remote service.

Response Description

The associated deployed remote service object. A remote service contains the following fields:
• id - Long - The ID of the remote service.
• name - String - The name of the remote service.
• description - String - The description of the remote service.
• group - String - The group to which the remote service belongs.
• cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/resource_restrictions
Retrieves a list of all resource restrictions.

Table 1918. GET /config/resource_restrictions resource details
MIME Type
application/json

Table 1919. GET /config/resource_restrictions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1920. GET /config/resource_restrictions response codes
HTTP Response Code | Unique Code | Description
200 | | The resource restriction list was successfully retrieved.
500 | 1001 | An error occurred during the attempt to retrieve the restriction list.

Response Description

A list of all the restrictions.

Response Sample
[
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
]

POST /config/resource_restrictions
Creates a new resource restriction.

Table 1921. POST /config/resource_restrictions resource details
MIME Type
application/json

Table 1922. POST /config/resource_restrictions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1923. POST /config/resource_restrictions request body details
Parameter | Data Type | MIME Type | Description | Sample
resourceRestriction | Object | application/json | Required - The resource restriction to be added. Only one of the ID fields (user_id, tenant_id, role_id) can be provided. | { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 1924. POST /config/resource_restrictions response codes
HTTP Response Code | Unique Code | Description
200 | | The new resource restriction was successfully created.
404 | 1009 | The consumer (user, tenant, or role) provided was not found.
422 | 1008 | One of: user_id, role_id, or tenant_id
500 | 1010 | An error occurred during the attempt to create a resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/resource_restrictions/{resource_restriction_id}
Retrieves a resource restriction consumer by ID.

Table 1925. GET /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 1926. GET /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
resource_restriction_id | path | Required | String | text/plain | Required - The resource restriction ID of the resource restriction to be retrieved. Must be of the format [1-3]-\d+
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1927. GET /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The resource restriction consumer was successfully retrieved.
404 | 1003 | No such resource restriction consumer (user, tenant, or role) exists for the given ID.
422 | 1002 | Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 | 1004 | An error occurred during the retrieval of the resource restrictions.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
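An added example (not IBM's code) that applies the rules from these resource restriction tables on the client side: build a request body with exactly one consumer ID (the 422 1008 condition), check a resource_restriction_id against the documented [1-3]-\d+ format before building a URL for the single-restriction endpoints, and look up whether the consumer already has a restriction so the caller updates it with PUT rather than POSTing a second one. The list of existing restrictions is constructed; what the prefix digit of an ID means is not documented on this page and is not assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

CONSUMER_FIELDS = ("user_id", "role_id", "tenant_id")
LIMIT_FIELDS = ("data_window", "execution_time", "record_limit")
# Documented format of resource_restriction_id: a prefix digit 1-3, a hyphen, then digits.
RESTRICTION_ID = re.compile(r"^([1-3])-(\d+)$")


def build_restriction(consumer: Dict[str, int], **limits: int) -> Dict:
    """Assemble a POST/PUT body. `consumer` must name exactly one of user_id, role_id,
    tenant_id; `limits` may carry data_window, execution_time and record_limit as
    non-negative integers (their units are not documented on this page)."""
    chosen = [k for k in CONSUMER_FIELDS if consumer.get(k) is not None]
    unknown = set(consumer) - set(CONSUMER_FIELDS)
    if unknown or len(chosen) != 1:
        raise ValueError(f"exactly one of {CONSUMER_FIELDS} must be set, got {sorted(consumer)}")
    body: Dict = {chosen[0]: int(consumer[chosen[0]])}
    for key, value in limits.items():
        if key not in LIMIT_FIELDS:
            raise ValueError(f"unknown limit field {key!r}")
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{key} must be a non-negative integer")
        body[key] = value
    return body


def parse_restriction_id(restriction_id: str) -> Tuple[int, int]:
    """Split a resource_restriction_id into (prefix, number), raising ValueError for
    anything the endpoint would reject with 422 1002."""
    match = RESTRICTION_ID.match(restriction_id)
    if not match:
        raise ValueError(f"{restriction_id!r} is not of the form [1-3]-\\d+")
    return int(match.group(1)), int(match.group(2))


def find_existing(restrictions: List[Dict], body: Dict) -> Optional[Dict]:
    """Return the deployed restriction (from GET /config/resource_restrictions) that
    targets the same consumer as `body`, or None if that consumer has none yet."""
    field = next(k for k in CONSUMER_FIELDS if k in body)
    for existing in restrictions:
        if existing.get(field) is not None and existing[field] == body[field]:
            return existing
    return None


# Constructed stand-in for a GET /config/resource_restrictions response. The prefix
# digits in the ids were chosen only to satisfy the documented format.
SAMPLE_RESTRICTIONS: List[Dict] = [
    {"id": "1-42", "user_id": 42, "role_id": None, "tenant_id": None,
     "data_window": 7, "execution_time": 300, "record_limit": 10000},
    {"id": "3-5", "user_id": None, "role_id": None, "tenant_id": 5,
     "data_window": 1, "execution_time": 60, "record_limit": 1000},
]


def plan_request(restrictions: List[Dict], body: Dict) -> Tuple[str, str]:
    """Decide between creating and updating: ('POST', '/config/resource_restrictions')
    for a consumer with no restriction yet, or ('PUT', '/config/resource_restrictions/<id>')
    when one already exists."""
    existing = find_existing(restrictions, body)
    if existing is None:
        return "POST", "/config/resource_restrictions"
    parse_restriction_id(existing["id"])  # refuse to build a URL from a malformed id
    return "PUT", f"/config/resource_restrictions/{existing['id']}"


if __name__ == "__main__":
    new_body = build_restriction({"user_id": 42}, record_limit=5000)
    print(plan_request(SAMPLE_RESTRICTIONS, new_body), new_body)
    print(plan_request(SAMPLE_RESTRICTIONS, build_restriction({"role_id": 9}, data_window=2)))
```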

DELETE /config/resource_restrictions/{resource_restriction_id}
Deletes a resource restriction consumer by ID.

Table 1928. DELETE /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
text/plain

Table 1929. DELETE /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
resource_restriction_id | path | Required | String | text/plain | Required - The resource restriction ID of the resource restriction to be retrieved. Must be of the format [1-3]-\d+

Table 1930. DELETE /config/resource_restrictions/{resource_restriction_id} response codes


HTTP Response Code | Unique Code | Description
204 | | The resource restriction consumer was successfully deleted.
404 | 1003 | No such resource restriction consumer (user, tenant, or role) exists for the given ID.
422 | 1002 | Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 | 1004 | An error occurred during the retrieval of the resource restrictions.

Response Description

The deleted restriction object.

Response Sample

PUT /config/resource_restrictions/{resource_restriction_id}
Updates a resource restriction consumer by ID.


Table 1931. PUT /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 1932. PUT /config/resource_restrictions/{resource_restriction_id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
resource_restriction_id | path | Required | String | text/plain | Required - The resource restriction ID of the resource restriction to be updated. Must be of the format [1-3]-\d+
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1933. PUT /config/resource_restrictions/{resource_restriction_id} request body details


Parameter | Data Type | MIME Type | Description | Sample
resourceRestriction | Object | application/json | Required - The resource restrictions to be updated. | { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 1934. PUT /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The resource restriction consumer was successfully updated.
404 | 1006 | The resource restriction consumer (user, tenant, or role) wasn't found.
422 | 1005 | Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 | 1007 | An error occurred during the retrieval of the resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/store_and_forward/policies
Retrieves a list of store and forward policies.


Table 1935. GET /config/store_and_forward/policies resource details
MIME Type
application/json

Table 1936. GET /config/store_and_forward/policies request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1937. GET /config/store_and_forward/policies response codes
HTTP Response Code | Unique Code | Description
200 | | The store and forward policies were retrieved.
422 | 1010 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the store and forward policies.

Response Description

An array of Store and Forward Policy objects. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
[
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}
]

GET /config/store_and_forward/policies/{id}
Retrieves a store and forward policy.


Table 1938. GET /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 1939. GET /config/store_and_forward/policies/{id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the store and forward policy.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1940. GET /config/store_and_forward/policies/{id} response codes


HTTP Response Code | Unique Code | Description
200 | | The store and forward policy was retrieved.
404 | 1002 | The store and forward policy does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the store and forward policy.

Response Description

The store and forward policy after it has been retrieved. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

POST /config/store_and_forward/policies/{id}
Updates the store and forward policy owner only.

Table 1941. POST /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 1942. POST /config/store_and_forward/policies/{id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the store and forward policy.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1943. POST /config/store_and_forward/policies/{id} request body details


Parameter | Data Type | MIME Type | Description | Sample
policy | Object | application/json | The store and forward policy; only its owner field is updated. | { "description": "String", "id": 42, "name": "String", "owner": "String", "saf_schedule_id": 42, "timezone": "String" }

Table 1944. POST /config/store_and_forward/policies/{id} response codes


HTTP Response Code | Unique Code | Description
200 | | The store and forward policy has been updated.
403 | 1009 | You do not have the required capabilities to update the store and forward policy.
404 | 1002 | The store and forward policy does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the store and forward policy.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the store and forward policy.

Response Description

The store and forward policy after it was updated. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, when the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, when the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

DELETE /config/store_and_forward/policies/{id}
Deletes a store and forward policy.


Table 1945. DELETE /config/store_and_forward/policies/{id} resource details
MIME Type
text/plain

Table 1946. DELETE /config/store_and_forward/policies/{id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the store and forward policy.

Table 1947. DELETE /config/store_and_forward/policies/{id} response codes


HTTP Response Code | Unique Code | Description
204 | | The Store and Forward Policy has been deleted.
403 | 1009 | You do not have the required capabilities to delete the store and forward policy.
404 | 1002 | The Store and Forward Policy does not exist.
500 | 1020 | An error occurred during the attempt to delete the store and forward policy.

Response Description

Response Sample

Data classification endpoints


Use the references for REST API V8.0 data classification endpoints.

GET /data_classification/dsm_event_mappings
Retrieves a list of DSM event mappings.

Table 1948. GET /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 1949. GET /data_classification/dsm_event_mappings request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1950. GET /data_classification/dsm_event_mappings response codes


HTTP Response Code | Unique Code | Description
200 | | The requested list of DSM event mappings was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of DSM event mappings.

Response Description

A list of DSM event mappings. A DSM event mapping contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
[
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
]

POST /data_classification/dsm_event_mappings
Creates a new custom DSM event mapping.


Table 1951. POST /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 1952. POST /data_classification/dsm_event_mappings request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1953. POST /data_classification/dsm_event_mappings request body details


Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A DSM event mapping that contains the fields listed below. | { "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }

Fields of the request body:
• log_source_type_id - Required - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - Required - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - Required - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• qid_record_id - Required - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Table 1954. POST /data_classification/dsm_event_mappings response codes


HTTP Response Code | Unique Code | Description
201 | | The new custom DSM event mapping was created.
409 | 1008 | There is an existing custom DSM event mapping with the same log_source_type_id, log_source_event_id and log_source_event_category combination. Cannot create duplicate DSM event mapping.
422 | 1005 | Invalid parameter value provided for the new DSM event mapping.
500 | 1020 | An error occurred during the attempt to create a new custom DSM event mapping.

Response Description

The newly created DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Table 1955. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type
application/json

Table 1956. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1957. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested DSM event mapping was retrieved.
404 | 1002 | The requested DSM event mapping was not found.
500 | 1020 | An error occurred during the attempt to retrieve the DSM event mapping.

Response Description

A DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Updates an existing custom DSM event mapping.


Table 1958. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type
application/json

Table 1959. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1960. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - The DSM event mapping to be updated, which might contain the following field: qid_record_id - Number - Required - The ID of the QID record to which this DSM event mapping provides a mapping. | { "qid_record_id": 42 }

Table 1961. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes


HTTP Response Code | Unique Code | Description
200 | | The DSM event mapping was updated.
404 | 1002 | The requested DSM event mapping was not found.
422 | 1005 | Invalid parameter provided while updating the DSM event mapping.
500 | 1020 | An error occurred during the attempt to update a DSM event mapping.

Response Description

The updated DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/high_level_categories
Retrieves a list of high level categories.

Table 1962. GET /data_classification/high_level_categories resource details
MIME Type
application/json

Table 1963. GET /data_classification/high_level_categories request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1964. GET /data_classification/high_level_categories response codes


HTTP Response Code | Unique Code | Description
200 | | The requested list of high level categories was retrieved.
422 | 23003 | Sorting is only supported for fields "id" or "name".
422 | 23004 | The sort field that was provided does not exist.
422 | 23005 | Sorting on multiple fields is not supported.
500 | 1020 | An error occurred during the attempt to retrieve the list of high level categories.

Response Description

A list of high level categories. A high level category contains the following fields:
• id - Number - The ID of the high level category.
• name - String - The name of the high level category.
• description - String - The description of the high level category.

Response Sample
[
{
"id": 19000,
"name": "Audit",
"description": "Audit"
},
{
"id": 20000,
"name": "Risk",
"description": "Risk"
}
]

GET /data_classification/high_level_categories/{high_level_category_id}
Retrieves a high level category based on the supplied high level category ID.

Table 1965. GET /data_classification/high_level_categories/{high_level_category_id} resource details
MIME Type
application/json

Table 1966. GET /data_classification/high_level_categories/{high_level_category_id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
high_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the high level category.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1967. GET /data_classification/high_level_categories/{high_level_category_id} response codes


HTTP Response Code | Unique Code | Description
200 | | The requested high level category was retrieved.
404 | 1002 | The requested high level category was not found.
422 | 1005 | High level category ID must be a positive integer.
500 | 1020 | An error occurred during the attempt to retrieve the high level category.

Response Description

A high level category that contains the following fields:
• id - Number - The ID of the high level category.
• name - String - The name of the high level category.
• description - String - The description of the high level category.

Response Sample
{
"id": 19000,
"name": "Audit",
"description": "Audit"
}

GET /data_classification/low_level_categories
Retrieves a list of low level categories.

Table 1968. GET /data_classification/low_level_categories resource details
MIME Type
application/json

Table 1969. GET /data_classification/low_level_categories request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1970. GET /data_classification/low_level_categories response codes


HTTP Response Code | Unique Code | Description
200 | | The requested list of low level categories was retrieved.
422 | 23053 | Sorting is only supported for fields "id" or "name".
422 | 23054 | The sort field that was provided does not exist.
422 | 23055 | Sorting on multiple fields is not supported.
500 | 1020 | An error occurred during the attempt to retrieve the list of low level categories.

Response Description

A list of low level category objects. A low level category contains the following fields:
• id - Number - The ID of the low level category.
• name - String - The name of the low level category.
• description - String - The description of the low level category.
• severity - Number - The severity of the low level category.
• high_level_category_id - Number - The ID of the parent high level category.

Response Sample
[
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
},
{
"id": 19002,
"name": "Built-in Execution",
"description": " Built-in Execution",
"high_level_category_id": 19000,
"severity": 0
}
]

GET /data_classification/low_level_categories/{low_level_category_id}
Retrieves a low level category based on the supplied low level category ID.

Table 1971. GET /data_classification/low_level_categories/{low_level_category_id} resource details
MIME Type
application/json

Table 1972. GET /data_classification/low_level_categories/{low_level_category_id} request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
low_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the low level category.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1973. GET /data_classification/low_level_categories/{low_level_category_id} response codes


HTTP Response Code | Unique Code | Description
200 | | The requested low level category was retrieved.
404 | 1002 | The requested low level category was not found.
422 | 1005 | Low level category ID must be a positive integer.
500 | 1020 | An error occurred during the attempt to retrieve the low level category.

Response Description

A low level category that contains the following fields:
• id - Number - The ID of the low level category.
• name - String - The name of the low level category.
• description - String - The description of the low level category.
• severity - Number - The severity of the low level category.
• high_level_category_id - Number - The ID of the parent high level category.

Response Sample
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
}

GET /data_classification/qid_records
Retrieves a list of QID records.


Table 1974. GET /data_classification/qid_records resource details
MIME Type
application/json

Table 1975. GET /data_classification/qid_records request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 1976. GET /data_classification/qid_records response codes


HTTP Response Code | Unique Code | Description
200 | | The requested list of QID records was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of QID records.

Response Description

A list of QID records. A QID record contains the following fields:
• id - Number - The ID of the QID record.
• qid - Number - The QID of the QID record.
• name - String - The name of the QID record.
• description - String - The description of the QID record.
• severity - Number - The severity of the QID record.
• low_level_category_id - Number - The low level category ID of the QID record.
• log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
[
{
"id": 64280,
"qid": 2500283,
"name": "DELETED WEB-MISC O’Reilly args.bat access",
"description": "DELETED WEB-MISC O’Reilly args.bat access",
"severity": 2,
"low_level_category_id": 1011,
"log_source_type_id": null
},
{
"id": 64297,
"qid": 2500300,
"name": "DELETED WEB-MISC Cisco Web DOS attempt",
"description": "DELETED WEB-MISC Cisco Web DOS attempt",
"severity": 8,
"low_level_category_id": 2009,
"log_source_type_id": null
}
]

POST /data_classification/qid_records
Creates a new QID record.


Table 1977. POST /data_classification/qid_records resource details
MIME Type
application/json

Table 1978. POST /data_classification/qid_records request parameter details


Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1979. POST /data_classification/qid_records request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A QID record containing the fields listed below. | { "log_source_type_id": 199, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Fields of the request body:
• log_source_type_id - Required - Number - The ID of the log source type which the QID record is created for.
• name - Required - String - The name of the QID record.
• description - Optional - String - The description of the QID record.
• severity - Optional - Number - The severity of the QID record. If not provided, the severity of the corresponding low level category is used as the default value.
• low_level_category_id - Required - Number - The low level category ID of the QID record.

Table 1980. POST /data_classification/qid_records response codes


HTTP Response Code Unique Code Description
201 The new QID record was created.
422 1005 Invalid parameter value provided for the new QID record.
500 1020 An error occurred during the attempt to create a new QID record.

Response Description

The newly created QID record containing the following fields:


v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

GET /data_classification/qid_records/{qid_record_id}
Retrieves a QID record that is based on the supplied qid_record_id.

Table 1981. GET /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 1982. GET /data_classification/qid_records/{qid_record_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
qid_record_id path Required Number (Integer) text/plain Required - The ID of the QID record.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1983. GET /data_classification/qid_records/{qid_record_id} response codes


HTTP Response Code Unique Code Description
200 The requested QID record was retrieved.
404 1002 The requested QID record was not found.
422 1005 qid_record_id must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the QID record.

Response Description

A QID record containing the following fields:


v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

POST /data_classification/qid_records/{qid_record_id}
Updates an existing QID record.

Table 1984. POST /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 1985. POST /data_classification/qid_records/{qid_record_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
qid_record_id path Required Number (Integer) text/plain Required - The ID of the QID record.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1986. POST /data_classification/qid_records/{qid_record_id} request body details

Parameter Data Type MIME Type Description Sample
qid_record Object application/json Required - The QID record to be updated, which may contain the following fields:
v name - Optional - String - The name of the QID record.
v description - Optional - String - The description of the QID record.
v severity - Optional - Number - The severity of the QID record.
v low_level_category_id - Optional - Number - The low level category ID of the QID record.
Sample: { "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Table 1987. POST /data_classification/qid_records/{qid_record_id} response codes


HTTP Response Code Unique Code Description
200 The QID record was updated.
404 1002 The requested QID record was not found.
409 1008 The QID record that was provided cannot be updated because it is a system-provided QID.
422 1005 Invalid parameter was provided during the update to the QID record.
500 1020 An error occurred during the attempt to update a QID record.

Response Description

The updated QID record containing the following fields:


v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}
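The two write endpoints above (POST /data_classification/qid_records and POST /data_classification/qid_records/{qid_record_id}) are typically driven from a script when an organisation registers QIDs for a custom log source type. The following is an added example, not IBM's code: it validates the request body against Table 1979 and Table 1986 before sending, and maps the documented (HTTP status, unique code) pairs to a typed exception so that a 409/1008 on a system-provided QID is distinguishable from a 422/1005 parameter error. The console host in BASE_URL, the SEC token header, and the transport callable (with an offline stand-in so the logic runs without a console) are assumptions of the example.

```python
"""Create and update custom QID records through the QRadar REST API.

Added example, not IBM's code. It assumes a console at BASE_URL, the SEC
token header used by the QRadar API, and a transport callable so the logic
can run offline against canned responses; in production the transport would
perform the HTTPS request and return (status_code, parsed_json).
"""
import json
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://qradar.example.invalid/api"  # assumed placeholder host
API_VERSION = "8.0"                              # the API version this section documents

# (HTTP status, unique code) pairs listed in Tables 1980, 1983 and 1987.
ERROR_CODES = {
    (404, 1002): "the requested QID record was not found",
    (409, 1008): "system-provided QID records cannot be updated",
    (422, 1005): "invalid parameter value for the QID record",
    (500, 1020): "server error while processing the QID record",
}

Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, dict]]


class QidApiError(Exception):
    def __init__(self, status: int, code: Optional[int], message: str):
        super().__init__(f"HTTP {status} (code {code}): {message}")
        self.status, self.code = status, code


def _is_number(value) -> bool:
    return isinstance(value, int) and not isinstance(value, bool)


def validate_new_record(data: Dict) -> None:
    """Client-side check of Table 1979: three required fields, numeric IDs,
    severity optional (the server defaults it from the low level category)."""
    for field in ("log_source_type_id", "name", "low_level_category_id"):
        if field not in data:
            raise ValueError(f"missing required field {field!r}")
    for field in ("log_source_type_id", "low_level_category_id", "severity"):
        if field in data and not _is_number(data[field]):
            raise ValueError(f"{field} must be a number")
    if not isinstance(data["name"], str) or not data["name"]:
        raise ValueError("name must be a non-empty string")


def _call(transport: Transport, method: str, path: str, token: str,
          body: Optional[Dict] = None, fields: Optional[str] = None) -> Dict:
    headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
    if fields:
        headers["fields"] = fields           # header parameter per Table 1978
    payload = b""
    if body is not None:
        headers["Content-Type"] = "application/json"
        payload = json.dumps(body).encode()
    status, parsed = transport(method, BASE_URL + path, headers, payload)
    if status in (200, 201):
        return parsed
    code = parsed.get("code") if isinstance(parsed, dict) else None
    raise QidApiError(status, code, ERROR_CODES.get((status, code), "unexpected response"))


def create_qid_record(transport: Transport, token: str, data: Dict,
                      fields: Optional[str] = None) -> Dict:
    validate_new_record(data)
    return _call(transport, "POST", "/data_classification/qid_records", token, data, fields)


def update_qid_record(transport: Transport, token: str, qid_record_id: int, changes: Dict) -> Dict:
    if not _is_number(qid_record_id) or qid_record_id <= 0:
        raise ValueError("qid_record_id must be a positive integer")
    unknown = set(changes) - {"name", "description", "severity", "low_level_category_id"}
    if unknown:                               # only the Table 1986 fields are updatable
        raise ValueError(f"fields not updatable: {sorted(unknown)}")
    return _call(transport, "POST", f"/data_classification/qid_records/{qid_record_id}", token, changes)


def fake_transport(method: str, url: str, headers: Dict[str, str], payload: bytes) -> Tuple[int, dict]:
    """Constructed offline stand-in that answers like the documented endpoints."""
    body = json.loads(payload) if payload else {}
    if method == "POST" and url.endswith("/qid_records"):
        record = {"id": 63998, "qid": 2500001, "description": None, "severity": 5}  # 5: constructed default
        record.update(body)
        record["log_source_type_id"] = None   # placeholder null, as in the response description
        return 201, record
    if method == "POST" and "/qid_records/" in url:
        rid = int(url.rsplit("/", 1)[1])
        if rid == 1:                          # constructed: id 1 stands in for a system-provided QID
            return 409, {"code": 1008, "message": "system-provided QID"}
        if rid == 63998:
            return 200, {"id": rid, "qid": 2500001, "log_source_type_id": None, **body}
        return 404, {"code": 1002, "message": "not found"}
    return 500, {"code": 1020, "message": "unexpected"}
```

Keeping the validation on the client side means a malformed body never reaches the console, and the exception carries both the HTTP status and the unique code, which is what an operator needs in a log line when a bulk import of QIDs stops part way through.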

Forensics endpoints
Use the references for REST API V8.0 forensics endpoints.

GET /forensics/capture/recoveries
Retrieves a list of capture recoveries.

Retrieves a list of recoveries.


Table 1988. GET /forensics/capture/recoveries resource details
MIME Type
application/json

Table 1989. GET /forensics/capture/recoveries request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1990. GET /forensics/capture/recoveries response codes


HTTP Response Code Unique Code Description
200 The Workflow Recovery Jobs were retrieved.
500 1020 An error occurred while the recovery job list was being retrieved.

Response Description

A list of recoveries. A recovery contains the following fields:


v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later.

Response Sample
[
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
]

POST /forensics/capture/recoveries
Creates a new capture recovery.

Creates a new recovery.


Table 1991. POST /forensics/capture/recoveries resource details
MIME Type
application/json

Table 1992. POST /forensics/capture/recoveries request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1993. POST /forensics/capture/recoveries request body details

Parameter Data Type MIME Type Description Sample
recovery Object application/json null
Sample: { "assigned_to": "String", "bpf": "String", "case_id": 42, "collection_name_suffix": "String", "recovery_window_end_time": 42, "recovery_window_start_time": 42, "session_ids": [ "String" ], "tags": [ "String" ] }

Table 1994. POST /forensics/capture/recoveries response codes


HTTP Response Code Unique Code Description
201 The workflow recovery job was created.
403 1009 The user or targeted user does not have the capability to perform this request.
409 1000 null
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the recovery job.

Response Description

The newly created recovery that contains the following fields:


v assigned_to - String - The username of the user the recovery is assigned to. If not supplied the recovery will be assigned to the user making the request. Requires a valid user with Forensics role. Not an authorized service.
v bpf - String - The Berkeley Packet Filter to pass to the capture device. A simplified Berkeley Packet Filter expression to pass to the capture device to apply when recovering network data. Maximum length is 250 characters.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in. Collection name(s) for recovery tasks are derived from this value and capture devices where network data originates as a recovery task is created for each device. (e.g. A collection name suffix of "mycollection" and data recovered from capture device IP "10.0.0.2" results in a collection that is named "10.0.0.2_mycollection"). NOTE: If the collection name already exists in the case the existing collection is deleted. Maximum length is 100 characters. Alphanumeric and period characters are permitted only.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later. Maximum length 255 alphanumeric characters (all values converted to space separated string).

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
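The response description above fixes several limits on a recovery request (250-character bpf, a 1-100 character alphanumeric-or-period collection_name_suffix, tags that must fit 255 characters once joined with spaces) and notes that a collection whose name already exists in the case is deleted. The following added example, not IBM's code, checks a request body against those limits before it is submitted and predicts the per-device collection names so the deletion side effect can be spotted in advance; the list of capture device IPs is an assumed input, since QRadar derives it from the deployment rather than from the request.

```python
"""Pre-flight checks for POST /forensics/capture/recoveries.

Added example, not IBM's code. The length and character limits are the ones
stated in the response description above; the capture-device IP list passed
to derived_collection_names is an assumed input, since QRadar derives it from
the deployment rather than from the request body.
"""
import re
from typing import Dict, List

SUFFIX_RE = re.compile(r"^[A-Za-z0-9.]{1,100}$")  # alphanumeric and period only, max 100
TAG_RE = re.compile(r"^[A-Za-z0-9]+$")


def validate_recovery(req: Dict) -> List[str]:
    """Return the constraint violations in a recovery request body (empty list: acceptable)."""
    problems = []
    bpf = req.get("bpf")
    if bpf is not None and len(bpf) > 250:
        problems.append("bpf exceeds the 250 character maximum")
    suffix = req.get("collection_name_suffix")
    if suffix is not None and not SUFFIX_RE.match(suffix):
        problems.append("collection_name_suffix must be 1-100 alphanumeric or period characters")
    tags = req.get("tags", [])
    if not all(isinstance(t, str) and TAG_RE.match(t) for t in tags):
        problems.append("tags must be alphanumeric strings")
    elif len(" ".join(tags)) > 255:
        problems.append("tags exceed 255 characters once converted to a space separated string")
    start, end = req.get("recovery_window_start_time"), req.get("recovery_window_end_time")
    if isinstance(start, int) and isinstance(end, int) and start >= end:
        problems.append("recovery window start must precede its end")  # client-side sanity check
    return problems


def derived_collection_names(suffix: str, capture_device_ips: List[str]) -> List[str]:
    """One recovery task, and so one collection '<device IP>_<suffix>', per capture device."""
    return [f"{ip}_{suffix}" for ip in capture_device_ips]


def collections_that_would_be_replaced(planned: List[str], existing_in_case: List[str]) -> List[str]:
    """Names already present in the case: the API deletes the existing collection for each,
    so surface them before the recovery is submitted."""
    existing = set(existing_in_case)
    return [name for name in planned if name in existing]
```

The window-ordering check is a client-side sanity check rather than a documented server rule; the other checks mirror the description line by line, so a rejected request fails locally with a message naming the field rather than as a bare 422/1005 from the console.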

GET /forensics/capture/recoveries/{id}
Retrieves a recovery based on the supplied ID.

Table 1995. GET /forensics/capture/recoveries/{id} resource details
MIME Type
application/json

Table 1996. GET /forensics/capture/recoveries/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 1997. GET /forensics/capture/recoveries/{id} response codes
HTTP Response Code Unique Code Description
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred during the retrieval of the recovery job.

Response Description

A recovery that contains the following fields:


v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later.

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recovery_tasks
Retrieves a list of recovery tasks.

Table 1998. GET /forensics/capture/recovery_tasks resource details
MIME Type
application/json

Table 1999. GET /forensics/capture/recovery_tasks request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2000. GET /forensics/capture/recovery_tasks response codes


HTTP Response Code Unique Code Description
200 The workflow recovery job tasks were retrieved.
500 1020 An error occurred while the recovery job task list was being retrieved.

Response Description

A list of recovery tasks. A recovery task contains the following fields:


v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data. The IP address of the capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored. Derived from device recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify and index the data at time of recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host the recovery task is running on.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery window sent to capture device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
v tags - String Array - Identifiers that are applied to recovered data to assist with grouping when searching. These are user-supplied string identifiers that are used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
[
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}
]

GET /forensics/capture/recovery_tasks/{id}
Retrieves a recovery task based on the supplied ID.

Table 2001. GET /forensics/capture/recovery_tasks/{id} resource details
MIME Type
application/json

Table 2002. GET /forensics/capture/recovery_tasks/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2003. GET /forensics/capture/recovery_tasks/{id} response codes


HTTP Response Code Unique Code Description
200 The Workflow Recovery Job was retrieved.
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred while the recovery job was being retrieved.

Response Description

A recovery task containing the following fields:


v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data. The IP address of the capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored. Derived from device recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify and index the data at time of recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host where the recovery task runs.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery window sent to capture device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
v tags - String Array - Identifiers that are applied to recovered data to assist with grouping when searching. These are user-supplied string identifiers that are used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}

GET /forensics/case_management/case_create_tasks/{id}
Retrieves a case create task based on the supplied ID.

Table 2004. GET /forensics/case_management/case_create_tasks/{id} resource details
MIME Type
application/json

Table 2005. GET /forensics/case_management/case_create_tasks/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the case create task to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2006. GET /forensics/case_management/case_create_tasks/{id} response codes
HTTP Response Code Unique Code Description
200 The case create task was retrieved.
404 1002 No case create task was found for the provided ID.
500 1020 An error occurred during the retrieval of the case create task.

Response Description

A case create task containing the following fields:


v assigned_to - String Array - Usernames of users to give access to the case once it is created. Users must have the FORENSICS role. Authorized services are not allowed.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case.
v id - Long - ID for the case create task.
v status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case was created on at least one managed host, but not all of them. The case is considered to be usable, but functionality might be limited. This usually means one or more managed hosts are down and the case is not created yet. The task completes after all offending managed hosts either complete the task, or are removed from the deployment.
– PROCESSING - The task has been picked up by QRadar and is actively being processed. Cases are being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases
Retrieves a list of cases.

Table 2007. GET /forensics/case_management/cases resource details
MIME Type
application/json

Table 2008. GET /forensics/case_management/cases request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2009. GET /forensics/case_management/cases response codes


HTTP Response Code Unique Code Description
200 The cases were retrieved.
500 1020 An error occurred during the retrieval of the case list.

Response Description

A list of cases. A case contains the following fields:


v assigned_to - String Array - Usernames of the users who have access to the case. Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
[
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}
]

POST /forensics/case_management/cases
Creates a new case.

Table 2010. POST /forensics/case_management/cases resource details
MIME Type
application/json

Table 2011. POST /forensics/case_management/cases request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2012. POST /forensics/case_management/cases request body details

Parameter Data Type MIME Type Description Sample
case Object application/json null
Sample: { "assigned_to": [ "String" ], "name": "String" }

Table 2013. POST /forensics/case_management/cases response codes


HTTP Response Code Unique Code Description
201 The case was created.
403 1009 The user or targeted user does not have the capability to perform this request.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the case.

Response Description

The case create status contains the following fields:


v assigned_to - String Array - Usernames of users to give access to the case once it is created. Users must have the FORENSICS role. Authorized services are not allowed. If the case is not assigned to anyone, it is assigned to the creator if they are a user (not an authorized service). Otherwise, it is only accessible by an administrator. NOTE: During creation the assigned_to list can contain at most one username.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case. The case name must include alphanumeric characters only, and be 1-15 characters long with no spaces. Case names are unique.
v id - Long - ID for the case create task.
v status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case has been created on at least one managed host, but not all of them. The case is considered to be usable, but functionality might be limited. This usually means one or more managed hosts are down and the case is not created yet. The task completes after all offending managed hosts either complete the task or are removed from the deployment.
– PROCESSING - The task was picked up by QRadar and is actively being processed. Cases are being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}
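The response description for POST /forensics/case_management/cases above states the rules a case body must satisfy: a name of 1-15 alphanumeric characters with no spaces, unique across cases, and at most one username in assigned_to at creation time. The following added example, not IBM's code, applies those rules before submission and uses the case list returned by GET /forensics/case_management/cases (the shape shown in its response sample) both to check uniqueness and to answer the access-review question of which cases a given user is assigned to.

```python
"""Client-side checks for POST /forensics/case_management/cases.

Added example, not IBM's code. It encodes the constraints from the response
description above (case name of 1-15 alphanumeric characters, unique; at most
one assignee at creation) and checks uniqueness against a case list of the
shape returned by GET /forensics/case_management/cases.
"""
import re
from typing import Dict, Iterable, List

CASE_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")


def validate_case_request(case: Dict, existing_cases: Iterable[Dict]) -> List[str]:
    """Return constraint violations for a case body (empty list: ready to submit)."""
    problems = []
    name = case.get("name")
    if not isinstance(name, str) or not CASE_NAME_RE.match(name):
        problems.append("name must be 1-15 alphanumeric characters with no spaces")
    elif any(c.get("name") == name for c in existing_cases):
        problems.append(f"a case named {name!r} already exists; case names are unique")
    assigned = case.get("assigned_to", [])
    if not isinstance(assigned, list) or not all(isinstance(u, str) for u in assigned):
        problems.append("assigned_to must be a list of usernames")
    elif len(assigned) > 1:
        problems.append("assigned_to may contain at most one username at creation")
    return problems


def cases_accessible_to(username: str, cases: Iterable[Dict]) -> List[int]:
    """IDs of the cases whose assigned_to list names the user, for an access review
    of the case list returned by GET /forensics/case_management/cases."""
    return [c["id"] for c in cases if username in c.get("assigned_to", [])]
```

The uniqueness check is only as fresh as the case list it is given; the console remains the authority, and a 422/1005 on submission still has to be handled.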

GET /forensics/case_management/cases/{id}
Retrieves a case based on the supplied ID.


Table 2014. GET /forensics/case_management/cases/{id} resource details
MIME Type
application/json

Table 2015. GET /forensics/case_management/cases/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the workflow job to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2016. GET /forensics/case_management/cases/{id} response codes


HTTP Response Code Unique Code Description
404 1002 No case was found for the provided ID.
500 1020 An error occurred during the retrieval of the case.

Response Description

A case that contains the following fields:


v assigned_to - String Array - Usernames of the users who have access to the case. Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}

GUI application framework endpoints


Use the references for REST API V8.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
Retrieve status details.

Retrieve a list of status details of all asynchronous requests to create applications.


Table 2017. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 2018. GET /gui_app_framework/application_creation_task response codes
HTTP Response Code Unique Code Description
200 Application Creation Request list was retrieved.
500 1020 An error occurred while attempting to retrieve the list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task
Creates a new application within the Application framework.

Create a new application within the Application framework and register it with QRadar. The application is created asynchronously. A reference to the application_id is returned and should be used in subsequent API calls to determine the status of the application installation.

Table 2019. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 2020. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file that contains custom code and an application manifest JSON file descriptor null

Table 2021. POST /gui_app_framework/application_creation_task response codes
HTTP Response Code | Unique Code | Description
201 | - | The application was installed and registered successfully.
409 | 1008 | An application with that UUID is already installed. Only an upgrade or delete can be performed in this state.
422 | 1005 | The provided application is invalid. See messages for further details.
500 | 1020 | The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/application_creation_task/{application_id}
Retrieve the status details of an asynchronous request to create an application.
Table 2022. GET /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 2023. GET /gui_app_framework/application_creation_task/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - Get the status details of this application defined by application_id returned by the initial POST on application_creation_task.

Table 2024. GET /gui_app_framework/application_creation_task/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | Application Creation Request list was retrieved.
404 | 1002 | The application_id is invalid or could not be found.
500 | 1020 | An error occurred while attempting to retrieve the list of status details.

Response Description

The details of the request to create an application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task/{application_id}
Cancel a new application install within the Application framework.

Use this endpoint to cancel a new application install within the Application framework. The
application_id and a status are required.

Table 2025. POST /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 2026. POST /gui_app_framework/application_creation_task/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The application_id to cancel installing.
status | query | Required | String | text/plain | Required - The status to update the application install to. Currently only CANCELLED is supported.

Table 2027. POST /gui_app_framework/application_creation_task/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The application installation was canceled and unregistered successfully.
404 | 1002 | The application_id is invalid or could not be found.
422 | 1005 | The status is not valid.
500 | 1020 | An error occurred when attempting to update the Application request state.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]
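
The create, poll and cancel flow that the three application_creation_task endpoints above describe, as an added example (not IBM's code or any QRadar SDK). It assumes an /api path prefix, that the zip is passed as the raw request body, and that an error body carries the unique code in a code field; the SEC token header and multipart encoding are left to the transport. FakeFramework is a constructed stand-in for the console so the flow runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TASK_PATH = "/api/gui_app_framework/application_creation_task"  # assumed /api prefix
TERMINAL = {"COMPLETED", "CANCELLED", "ERROR"}  # statuses after which polling stops

@dataclass
class Reply:
    """Minimal HTTP reply: status code plus the decoded JSON body."""
    status: int
    body: object

# (method, path, query, raw body) -> Reply. A real transport would add the SEC token
# header and wrap the zip as the multipart 'package' field; both are out of scope here.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Reply]

class InstallError(Exception):
    """HTTP status plus the unique code (assumed to be the 'code' field of the
    error body) so callers can branch on 1008 / 1005 / 1002 / 1020."""
    def __init__(self, status: int, unique_code: Optional[int], message: str):
        super().__init__(f"HTTP {status} / code {unique_code}: {message}")
        self.status, self.unique_code = status, unique_code

def _expect(reply: Reply, status: int) -> None:
    if reply.status != status:
        body = reply.body if isinstance(reply.body, dict) else {}
        raise InstallError(reply.status, body.get("code"), str(body.get("message", reply.body)))

def start_install(transport: Transport, package: bytes) -> str:
    """POST the package; a 201 reply carries the application_id to poll with.
    409 / 1008 means that UUID is already installed: upgrade it with PUT instead."""
    reply = transport("POST", TASK_PATH, {}, package)
    _expect(reply, 201)
    return reply.body[0]["application_id"]

def wait_for_install(transport: Transport, app_id: str, max_polls: int) -> dict:
    """Poll GET .../{application_id} until a terminal status. If the task is still
    CREATING after max_polls, cancel it (POST ...?status=CANCELLED) rather than
    leave a half-registered application behind, and return the CANCELLED task."""
    for _ in range(max_polls):
        reply = transport("GET", f"{TASK_PATH}/{app_id}", {}, None)
        _expect(reply, 200)
        task = reply.body[0]
        if task["status"] in TERMINAL:  # on ERROR, task["error_messages"] holds the codes
            return task
    reply = transport("POST", f"{TASK_PATH}/{app_id}", {"status": "CANCELLED"}, None)
    _expect(reply, 200)
    return reply.body[0]

class FakeFramework:
    """Constructed stand-in for the console (not QRadar). A task finishes after
    polls_to_finish GETs, as COMPLETED or as ERROR carrying fail_code; the package
    bytes stand in for the manifest UUID so a duplicate install can be refused."""
    def __init__(self, polls_to_finish: int = 2, fail_code: Optional[str] = None):
        self.polls_to_finish, self.fail_code = polls_to_finish, fail_code
        self.tasks: Dict[str, dict] = {}
        self.polls: Dict[str, int] = {}
        self.uuids: set = set()

    def __call__(self, method: str, path: str, query: Dict[str, str], body: Optional[bytes]) -> Reply:
        if method == "POST" and path == TASK_PATH:
            uuid = (body or b"").decode()
            if uuid in self.uuids:
                return Reply(409, {"code": 1008, "message": "An application with that UUID is already installed."})
            self.uuids.add(uuid)
            app_id = str(101 + len(self.tasks))  # first task is "101", as in the sample
            self.tasks[app_id] = {"application_id": app_id, "status": "CREATING", "error_messages": []}
            self.polls[app_id] = 0
            return Reply(201, [dict(self.tasks[app_id])])
        task = self.tasks.get(path.rsplit("/", 1)[-1])
        if task is None:
            return Reply(404, {"code": 1002, "message": "The application_id is invalid or could not be found."})
        if method == "GET":
            self.polls[task["application_id"]] += 1
            if task["status"] == "CREATING" and self.polls[task["application_id"]] >= self.polls_to_finish:
                task["status"] = "ERROR" if self.fail_code else "COMPLETED"
                if self.fail_code:
                    task["error_messages"].append({"code": self.fail_code, "message": "constructed failure"})
            return Reply(200, [dict(task)])
        if method == "POST" and query.get("status") == "CANCELLED":
            task["status"] = "CANCELLED"
            return Reply(200, [dict(task)])
        return Reply(422, {"code": 1005, "message": "The status is not valid."})

def run_scenarios() -> dict:
    """Success, duplicate UUID (409 / 1008), framework error, and timeout then cancel."""
    out = {}
    fw = FakeFramework(polls_to_finish=2)
    out["ok"] = wait_for_install(fw, start_install(fw, b"uuid-a"), max_polls=5)
    try:
        start_install(fw, b"uuid-a")
    except InstallError as exc:
        out["dup"] = (exc.status, exc.unique_code)
    fw = FakeFramework(polls_to_finish=1, fail_code="ERROR_STARTING_CONTAINER")
    out["err"] = wait_for_install(fw, start_install(fw, b"uuid-b"), max_polls=5)
    fw = FakeFramework(polls_to_finish=100)
    out["timeout"] = wait_for_install(fw, start_install(fw, b"uuid-c"), max_polls=3)
    return out
```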

GET /gui_app_framework/applications
Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest json structures and
current status.

Table 2028. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 2029. GET /gui_app_framework/applications response codes
HTTP Response Code | Unique Code | Description
200 | - | The database list was retrieved.
500 | 1020 | An error occurred while attempting to retrieve the list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",

"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,

"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]
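
A manifest audit over the listing that GET /gui_app_framework/applications returns, as an added example (not IBM's code). The checks are the ones a reviewer would run before letting an app stay RUNNING; SAMPLE_LISTING is a constructed, abbreviated copy of the response sample above, and the Finding type and the checks themselves are this example's own.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed, abbreviated copy of the sample listing above. The sampleIPInformation
# rest_method is deliberately left out so the dangling-reference check has something to find.
SAMPLE_LISTING = [{
    "application_state": {"application_id": "101", "status": "RUNNING", "error_message": ""},
    "manifest": {
        "name": "Sample Application", "version": "0.0.1",
        "areas": [{"id": "Qapp1_HelloWorld", "url": "http://9.21.118.58:5000", "text": "QApp1",
                   "required_capabilities": ["ADMIN"]}],
        "dashboard_items": [{"text": "Sample Item", "rest_method": "sampleDashboardItem",
                             "required_capabilities": ["ADMIN"]}],
        "rest_methods": [
            {"name": "sampleDashboardItem", "url": "/static/sampleDashboardItemResponse.json",
             "method": "GET", "argument_names": [], "required_capabilities": ["ADMIN"]},
            {"name": "addToReferenceSet", "url": "/addToReferenceSet", "method": "GET",
             "argument_names": ["data"]}],
        "gui_actions": [{"id": "addToReferenceSet", "text": "Add To Reference Set",
                         "rest_method": "addToReferenceSet", "javascript": "alert(result)",
                         "groups": ["ipPopup"], "required_capabilities": ["ADMIN"]}],
        "page_scripts": [{"app_name": "SEM", "page_id": "OffenseList",
                          "scripts": ["/static/sampleScriptInclude.js"]}],
        "metadata_providers": [{"rest_method": "sampleIPInformation", "metadata_type": "ip"}],
    },
}]

# Manifest sections whose items carry required_capabilities.
GUARDED = ("areas", "rest_methods", "gui_actions", "dashboard_items", "configuration_pages")


@dataclass(frozen=True)
class Finding:
    application_id: str
    section: str
    item: str
    detail: str


def audit_manifest(app_id: str, manifest: dict) -> List[Finding]:
    """Review checks over one manifest:
    - an item in a GUARDED section with no required_capabilities is not restricted to
      any capability (the sample's rest_methods/addToReferenceSet);
    - a gui_action, dashboard item or metadata provider that names a rest_method the
      manifest does not declare;
    - a capability-guarded item whose backing rest_method is itself unguarded;
    - an area served over plain http or addressed by a literal IP;
    - page_scripts, which inject JavaScript into core console pages (SEM/OffenseList)."""
    findings: List[Finding] = []
    methods = {m.get("name"): m for m in manifest.get("rest_methods", [])}
    for section in GUARDED:
        for item in manifest.get(section, []):
            label = item.get("id") or item.get("name") or item.get("text", "?")
            if not item.get("required_capabilities"):
                findings.append(Finding(app_id, section, label, "no required_capabilities"))
    for section in ("gui_actions", "dashboard_items", "metadata_providers"):
        for item in manifest.get(section, []):
            label = item.get("id") or item.get("text") or item.get("metadata_type", "?")
            target = methods.get(item.get("rest_method"))
            if target is None:
                findings.append(Finding(app_id, section, label,
                                        f"rest_method {item.get('rest_method')!r} is not declared"))
            elif item.get("required_capabilities") and not target.get("required_capabilities"):
                findings.append(Finding(app_id, section, label,
                                        f"guarded item calls unguarded rest_method {target['name']!r}"))
    for area in manifest.get("areas", []):
        url = urlsplit(area.get("url", ""))
        if url.scheme == "http":
            findings.append(Finding(app_id, "areas", area.get("id", "?"), "served over plain http"))
        if url.hostname and url.hostname.replace(".", "").isdigit():
            findings.append(Finding(app_id, "areas", area.get("id", "?"), f"literal IP host {url.hostname}"))
    for ps in manifest.get("page_scripts", []):
        findings.append(Finding(app_id, "page_scripts", f"{ps.get('app_name')}/{ps.get('page_id')}",
                                "injects " + ", ".join(ps.get("scripts", []))))
    return findings


def audit_listing(listing: list) -> List[Finding]:
    """Run audit_manifest over every entry of a GET /gui_app_framework/applications response."""
    out: List[Finding] = []
    for app in listing:
        app_id = str(app.get("application_state", {}).get("application_id", "?"))
        out.extend(audit_manifest(app_id, app.get("manifest", {})))
    return out
```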

GET /gui_app_framework/applications/{application_id}
Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure and current status.
Table 2030. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2031. GET /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - Get specific installed application defined by application_id returned by the initial POST on application_creation_task.

Table 2032. GET /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The application was retrieved.
404 | 1002 | The application_id is invalid or could not be found.
500 | 1020 | An error occurred while attempting to retrieve the application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},

{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",

"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id}
Update an Application

Start or stop an application by setting status to RUNNING or STOPPED respectively.


Table 2033. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2034. POST /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The applicationId of the application to update.
status | query | Required | String | text/plain | Required - The status of the application to set to RUNNING or STOPPED.

Table 2035. POST /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The application has been successfully updated.
404 | 1002 | The application_id does not exist.
409 | 1008 | The application is locked by another process.
422 | 1005 | The application status is not valid.
500 | 1020 | An error occurred while attempting to update the application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",

"error_message": "String"
},
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy
of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{

"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id}
Upgrade an application.

Upgrade an application.
Table 2036. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2037. PUT /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | null

Table 2038. PUT /gui_app_framework/applications/{application_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
package | zip | application/zip | A zip file that contains custom code and an application manifest JSON file descriptor. | null

Table 2039. PUT /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
202 | - | The request for an application upgrade was accepted.
404 | 1002 | The application_id is invalid or could not be found.
409 | 1008 | The application is locked by another process.
422 | 1005 | The provided application is invalid. See messages for further details.
500 | 1020 | The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
Delete an Application.
Table 2040. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

Table 2041. DELETE /gui_app_framework/applications/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - The applicationId of the application to delete.

Table 2042. DELETE /gui_app_framework/applications/{application_id} response codes
HTTP Response Code | Unique Code | Description
204 | - | The application has been successfully unregistered.
404 | 1002 | The application_id does not exist.
409 | 1008 | The application is locked by another process.
500 | 1020 | An error occurred while attempting to delete the application.

Response Description

Successful response code 204 No content.

Response Sample

GET /gui_app_framework/named_services
Retrieves all named services.

Retrieves a list of all named services registered with the Application Framework.

By using the returned information, the caller can determine what services are available and what facilities
each service provides via its REST endpoints.
Table 2043. GET /gui_app_framework/named_services resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2044. GET /gui_app_framework/named_services response codes
HTTP Response Code | Unique Code | Description
200 | - | The list of named services was returned.
500 | 1020 | An error occurred while trying to retrieve the list of named services.

Response Description

A list of named services. The documentation for /named_services/{uuid} has a description of the details returned for a named service instance.

Response Sample
[{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {

"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}]

GET /gui_app_framework/named_services/{uuid}
Retrieves a named service.

Retrieves a named service registered with the Application Framework by using the supplied uuid.
Table 2045. GET /gui_app_framework/named_services/{uuid} resource details
MIME Type
application/json

Table 2046. GET /gui_app_framework/named_services/{uuid} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
uuid | path | Required | String | text/plain | Required - A named service uuid.

Table 2047. GET /gui_app_framework/named_services/{uuid} response codes
HTTP Response Code | Unique Code | Description
200 | - | The requested named service was returned.
404 | 1002 | The requested named service could not be found.
500 | 1020 | An error occurred while trying to retrieve the requested named service.

Response Description

The details of a named service:


v name - String - Service name.
v version - String - Service version.
v application_id - Integer - ID of the application that implements this service.
v uuid - Integer - Unique identifier for this service.
v endpoints - Array - List of endpoints provided by this service.
– name - String - Endpoint name.
– path - String - Endpoint URL.
– http_method - String - One of GET/POST/PUT/DELETE.
– request_mime_type - String - MIME type of request body.
– request_body_type - Object - JSON definition of request body.
– parameters - Array - List of request parameters.
- location - String - Where the parameter goes in the request. One of PATH/QUERY/BODY.
- name - String - Parameter name.
- definition - String - Parameter definition, e.g. "String".
– response - Object - Response definition.
- mime_type - String - MIME type of response body.
- body_type - Object - JSON definition of response body.
– error_mime_type - String - MIME type of response body when an error occurs.

Response Sample
{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"parameters": [

{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}
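
Building a call to a named-service endpoint from its descriptor, as an added example (not IBM's code or any QRadar SDK). SAMPLE_SERVICE is a constructed, abbreviated copy of the sample above; the validation rules (exact parameter set, percent-encoded path values, body keys matching request_body_type) are this example's own, and authentication headers are left out.

```python
from typing import Dict, Optional
from urllib.parse import quote

# Constructed, abbreviated copy of the named service in the sample above (two of its endpoints).
SAMPLE_SERVICE = {
    "name": "resourceservice", "version": "1", "application_id": 1001,
    "uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
    "endpoints": [
        {"name": "getResource", "http_method": "GET",
         "path": "https://1.1.1.1/console/plugins/1001/app_proxy:resourceservice/resource/{resource_id}",
         "parameters": [{"location": "PATH", "name": "resource_id"}],
         "response": {"mime_type": "application/json+ld"}, "error_mime_type": "text/plain"},
        {"name": "createResource", "http_method": "POST",
         "path": "https://1.1.1.1/console/plugins/1001/app_proxy:resourceservice/resource",
         "request_mime_type": "application/json+ld",
         "request_body_type": {"@type": "http://id.ibm.com/Resource",
                               "resource_name": "http://id.ibm.com/resourceName",
                               "resource_owner": "http://id.ibm.com/personId"},
         "response": {"mime_type": "application/json+ld"}, "error_mime_type": "text/plain"},
    ],
}


def find_endpoint(service: dict, name: str) -> dict:
    for endpoint in service.get("endpoints", []):
        if endpoint.get("name") == name:
            return endpoint
    raise KeyError(f"service {service.get('name')!r} has no endpoint {name!r}")


def build_request(service: dict, endpoint: str, path_params: Optional[Dict[str, str]] = None,
                  query: Optional[Dict[str, str]] = None, body: Optional[dict] = None) -> dict:
    """Turn a descriptor plus caller-supplied values into a concrete request, checking the
    descriptor first: the PATH and QUERY parameters supplied must be exactly those declared,
    path values are percent-encoded (including '/') so a value cannot escape its segment,
    and a body is accepted only when request_body_type declares one, with exactly its keys."""
    ep = find_endpoint(service, endpoint)
    path_params, query = dict(path_params or {}), dict(query or {})
    declared = {(p["location"], p["name"]) for p in ep.get("parameters", [])
                if p["location"] in ("PATH", "QUERY")}
    supplied = {("PATH", n) for n in path_params} | {("QUERY", n) for n in query}
    if declared != supplied:
        raise ValueError(f"{endpoint}: missing {sorted(declared - supplied)}, extra {sorted(supplied - declared)}")
    url = ep["path"]
    for name, value in path_params.items():
        url = url.replace("{" + name + "}", quote(str(value), safe=""))
    if query:
        url += "?" + "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}" for k, v in query.items())
    headers = {"Accept": ep.get("response", {}).get("mime_type", "application/json")}
    body_type = ep.get("request_body_type")
    if body is None and body_type is not None:
        raise ValueError(f"{endpoint}: a request body of type {body_type.get('@type')} is required")
    if body is not None:
        if body_type is None:
            raise ValueError(f"{endpoint}: does not accept a request body")
        expected = set(body_type) - {"@type"}
        if set(body) != expected:
            raise ValueError(f"{endpoint}: body keys {sorted(body)} != {sorted(expected)}")
        body = {"@type": body_type["@type"], **body}  # the sample descriptor always declares @type
        headers["Content-Type"] = ep["request_mime_type"]
    return {"method": ep["http_method"], "url": url, "headers": headers, "body": body}


def request_error(service: dict, endpoint: str, **kwargs) -> Optional[str]:
    """Return the validation message instead of raising, for logging or tests."""
    try:
        build_request(service, endpoint, **kwargs)
        return None
    except (KeyError, ValueError) as exc:
        return str(exc)
```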

Help endpoints
Use the references for REST API V8.0 Help endpoints.

GET /help/endpoints
Retrieves a list of endpoint documentation objects that are currently in the system.

Retrieves a list of endpoint documentation objects that are currently in the system.
Table 2048. GET /help/endpoints resource details
MIME Type
application/json

Table 2049. GET /help/endpoints request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2050. GET /help/endpoints response codes
HTTP Response Code | Unique Code | Description
200 | - | The endpoint documentation list was retrieved.
500 | 1020 | An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object contains the following
fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any
time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE,
TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this endpoint.
v error_responses(response_code) - Number - The HTTP code for this error response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error response.
v error_responses(response_code_description) - String - The description of the response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the response code from RFC
2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if there is no default
value for this parameter. This is always a String, regardless of the underlying data type of the
parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last modified. It is less than or
equal to the version in the version field.
v caller_has_access - Boolean - True if the user has the required capabilities to call this endpoint, false
otherwise.

Response Sample
[
{
"caller_has_access": true,

"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]
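
A parser for the fields expression that Tables 2049 and 2052 describe, applied to a constructed endpoint documentation object, as an added example (not IBM's code and not the server's implementation). It implements only the grammar the tables state (names separated by commas, subfields in brackets); whitespace and escaping are not described on the page, so the parser rejects them.

```python
from typing import Any, Dict

FieldSpec = Dict[str, "FieldSpec"]  # an empty dict means "return the whole value"

# Constructed, abbreviated endpoint documentation object in the shape of the sample above.
SAMPLE_ENDPOINTS = [{
    "caller_has_access": True, "deprecated": False, "id": 42, "http_method": "GET",
    "path": "/help/endpoints", "version": "8.0", "last_modified_version": "8.0",
    "summary": "Retrieves a list of endpoint documentation objects.",
    "parameters": [
        {"parameter_name": "fields", "type": "QUERY", "default_value": None,
         "mime_types": [{"data_type": "String", "mime_type": "text/plain", "sample": "String"}]},
        {"parameter_name": "Range", "type": "HEADER", "default_value": None,
         "mime_types": [{"data_type": "String", "mime_type": "text/plain", "sample": "String"}]},
    ],
    "success_responses": [{"response_code": 200, "response_code_description": "OK",
                           "description": "The endpoint documentation list was retrieved."}],
}]


def parse_fields(expr: str) -> FieldSpec:
    """Parse the fields grammar of Tables 2049 and 2052: field names separated by commas,
    subfields of an object in parentheses, e.g.
    'id,http_method,parameters(parameter_name,mime_types(mime_type))'."""
    if not expr:
        raise ValueError("empty fields expression")
    pos = 0

    def parse_list(depth: int) -> FieldSpec:
        nonlocal pos
        spec: FieldSpec = {}
        while True:
            start = pos
            while pos < len(expr) and expr[pos] not in ",()":
                pos += 1
            name = expr[start:pos]
            if not name or not name.replace("_", "").isalnum():
                raise ValueError(f"bad field name {name!r} at offset {start}")
            sub: FieldSpec = {}
            if pos < len(expr) and expr[pos] == "(":
                pos += 1
                sub = parse_list(depth + 1)
                pos += 1  # parse_list at depth > 0 returns only with expr[pos] == ')'
            spec[name] = sub
            if pos < len(expr) and expr[pos] == ",":
                pos += 1
                continue
            if pos < len(expr) and expr[pos] == ")" and depth > 0:
                return spec
            if pos == len(expr) and depth == 0:
                return spec
            raise ValueError(f"unexpected {expr[pos:pos + 1]!r} at offset {pos}")

    return parse_list(0)


def project(value: Any, spec: FieldSpec) -> Any:
    """Apply a parsed spec: arrays are projected element-wise, objects keep only the named
    keys (absent keys are skipped), and a name with no subfields keeps the whole value."""
    if not spec:
        return value
    if isinstance(value, list):
        return [project(item, spec) for item in value]
    if isinstance(value, dict):
        return {key: project(value[key], sub) for key, sub in spec.items() if key in value}
    return value


def select(endpoints: list, expr: str) -> list:
    """Project a GET /help/endpoints response the way the fields parameter would."""
    return project(endpoints, parse_fields(expr))


def is_valid_fields(expr: str) -> bool:
    try:
        parse_fields(expr)
        return True
    except ValueError:
        return False
```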

GET /help/endpoints/{endpoint_id}
Retrieves a single endpoint documentation object.

Retrieves a single endpoint documentation object.

Table 2051. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 2052. GET /help/endpoints/{endpoint_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
endpoint_id | path | Required | Number (Integer) | text/plain | The endpoint id.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2053. GET /help/endpoints/{endpoint_id} response codes
HTTP Response Code | Unique Code | Description
200 | - | The endpoint documentation object was retrieved.
404 | 1002 | No endpoint documentation object was found for the provided endpoint id.
500 | 1020 | An unexpected error has occurred.

Response Description

An endpoint documentation object. An endpoint documentation object contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this endpoint.
v error_responses(response_code) - Number - The HTTP code for this error response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error response.
v error_responses(response_code_description) - String - The description of the response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.

934 QRadar API Reference Guide


v response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if there is no default value for this parameter. This is always a String, regardless of the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last modified. It will be less than or equal to the version in the version field.
v caller_has_access - Boolean - Returns true if the user has the required capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY, HEADER,
7 Previous REST API versions 935
PATH, BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources
Retrieves a list of resource documentation objects currently in the system.

Table 2054. GET /help/resources resource details
MIME Type
application/json

Table 2055. GET /help/resources request parameter details
Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2056. GET /help/resources response codes
HTTP Response Code Unique Code Description
200 The resource documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of resource documentation objects. A resource documentation object contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id}
Retrieves a single resource documentation object.

Table 2057. GET /help/resources/{resource_id} resource details
MIME Type
application/json

Table 2058. GET /help/resources/{resource_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_id path Required Number (Integer) text/plain The resource id.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2059. GET /help/resources/{resource_id} response codes
HTTP Response Code Unique Code Description
200 The resource documentation object was retrieved.
404 1002 No resource documentation object was found for the provided resource ID.
500 1020 An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions
Retrieves a list of version documentation objects currently in the system.

Table 2060. GET /help/versions resource details
MIME Type
application/json

Table 2061. GET /help/versions request parameter details
Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2062. GET /help/versions response codes
HTTP Response Code Unique Code Description
200 The version documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot be called from an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id}
Retrieves a single version documentation object.

Table 2063. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 2064. GET /help/versions/{version_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
version_id path Required Number (Integer) text/plain The ID of the version documentation to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2065. GET /help/versions/{version_id} response codes
HTTP Response Code Unique Code Description
200 The version documentation object was retrieved.
404 1002 No version documentation object was found for the provided version id.
500 1020 An unexpected error has occurred.

Response Description

A version documentation object. A version documentation object contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
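The /help/versions, /help/resources/{resource_id} and /help/endpoints/{endpoint_id} objects above chain together (root_resource_ids to child_resource_ids and endpoint_ids to caller_has_access and deprecated), which makes them a convenient way to review what an API token can actually call. The script below is an added example, not code from the guide: it walks that chain through an injected fetch(path) callable (a real one would issue an authenticated HTTPS GET to the console; the one included here serves constructed sample objects so the walk runs offline) and reports reachable, denied and deprecated-but-reachable endpoints.

```python
"""Audit which QRadar REST API endpoints a caller can reach via /help/* objects.

Added example; not code from the IBM QRadar API Guide. The HTTP layer is an
injected fetch(path) -> dict callable; SAMPLE_DOCS is constructed data whose
shapes follow the guide's response descriptions, with made-up IDs and paths.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class EndpointAccess:
    http_method: str
    path: str
    version: str
    deprecated: bool
    caller_has_access: bool

    @property
    def label(self) -> str:
        return f"{self.http_method} {self.path}"


# Request only the fields the walk needs (fields syntax: names separated by commas).
RESOURCE_FIELDS = "id,child_resource_ids,endpoint_ids"
ENDPOINT_FIELDS = "http_method,path,version,deprecated,caller_has_access"


def walk_version(fetch: Callable[[str], dict], version_id: int) -> List[EndpointAccess]:
    """Traverse version -> resources -> endpoints and collect the access flags.

    Documentation IDs are not permanent (they can change whenever services are
    restarted), so they are resolved fresh on every run and never persisted.
    """
    version_doc = fetch(f"/help/versions/{version_id}?fields=root_resource_ids")
    pending: List[int] = list(version_doc["root_resource_ids"])
    seen = set()
    found: List[EndpointAccess] = []
    while pending:
        rid = pending.pop(0)
        if rid in seen:  # guard against a duplicated or cyclic resource tree
            continue
        seen.add(rid)
        resource = fetch(f"/help/resources/{rid}?fields={RESOURCE_FIELDS}")
        pending.extend(resource.get("child_resource_ids") or [])
        for eid in resource.get("endpoint_ids") or []:
            ep = fetch(f"/help/endpoints/{eid}?fields={ENDPOINT_FIELDS}")
            found.append(EndpointAccess(
                http_method=ep["http_method"],
                path=ep["path"],
                version=ep["version"],
                deprecated=bool(ep["deprecated"]),
                caller_has_access=bool(ep["caller_has_access"]),
            ))
    return found


def summarize(endpoints: List[EndpointAccess]) -> Dict[str, List[str]]:
    """Bucket the walk result the way a token-permission review reads it."""
    return {
        # What the token can call: compare with what the integration really needs.
        "reachable": sorted(e.label for e in endpoints if e.caller_has_access),
        # What the token cannot call: expected denials for a least-privilege token.
        "denied": sorted(e.label for e in endpoints if not e.caller_has_access),
        # Reachable but deprecated: migrate before the API version is removed.
        "deprecated_reachable": sorted(
            e.label for e in endpoints if e.caller_has_access and e.deprecated),
    }


# Constructed sample documentation objects (not real QRadar data).
SAMPLE_DOCS: Dict[str, dict] = {
    "/help/versions/1": {"id": 1, "version": "9.0", "deprecated": False,
                         "removed": False, "root_resource_ids": [10]},
    "/help/resources/10": {"id": 10, "path": "/help",
                           "child_resource_ids": [11], "endpoint_ids": [100]},
    "/help/resources/11": {"id": 11, "path": "/help/endpoints",
                           "child_resource_ids": [], "endpoint_ids": [101, 102]},
    "/help/endpoints/100": {"http_method": "GET", "path": "/help/versions",
                            "version": "9.0", "deprecated": False,
                            "caller_has_access": True},
    "/help/endpoints/101": {"http_method": "GET", "path": "/help/endpoints",
                            "version": "9.0", "deprecated": False,
                            "caller_has_access": False},
    "/help/endpoints/102": {"http_method": "GET",
                            "path": "/help/endpoints/{endpoint_id}",
                            "version": "9.0", "deprecated": True,
                            "caller_has_access": True},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for an HTTP GET; ignores the ?fields= query string."""
    return SAMPLE_DOCS[path.split("?", 1)[0]]


if __name__ == "__main__":
    for bucket, labels in summarize(walk_version(sample_fetch, 1)).items():
        print(f"{bucket}: {labels}")
```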

IBM Security QRadar Risk Manager endpoints


Use the references for REST API V8.0 QRadar Risk Manager endpoints.

GET /qrm/model_groups
Retrieves a list of model groups.

Table 2066. GET /qrm/model_groups resource details
MIME Type
application/json

Table 2067. GET /qrm/model_groups request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2068. GET /qrm/model_groups response codes
HTTP Response Code Unique Code Description
200 The model groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the model groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/model_groups/{group_id}
Retrieves a model group.

Table 2069. GET /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 2070. GET /qrm/model_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2071. GET /qrm/model_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The model group was retrieved.
404 1002 The model group does not exist.
500 1020 An error occurred during the attempt to retrieve the model group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/model_groups/{group_id}
Updates the owner of a model group.

Table 2072. POST /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 2073. POST /qrm/model_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2074. POST /qrm/model_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2075. POST /qrm/model_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The model group was updated.
404 1002 The model group does not exist.
409 1004 The provided user does not have the required capabilities to own the model group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the model group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/model_groups/{group_id}
Deletes a model group.

Table 2076. DELETE /qrm/model_groups/{group_id} resource details
MIME Type
text/plain

Table 2077. DELETE /qrm/model_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number text/plain null
(Integer)

Table 2078. DELETE /qrm/model_groups/{group_id} response codes
HTTP Response Code Unique Code Description
204 The model group was deleted.
404 1002 The model group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the model group.

Response Description

Response Sample

GET /qrm/qrm_saved_search_groups
Retrieves a list of QRM saved search groups.

Table 2079. GET /qrm/qrm_saved_search_groups resource details
MIME Type
application/json

Table 2080. GET /qrm/qrm_saved_search_groups request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2081. GET /qrm/qrm_saved_search_groups response codes
HTTP Response Code Unique Code Description
200 The QRM saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the QRM saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/qrm_saved_search_groups/{group_id}
Retrieves a QRM saved search group.

Table 2082. GET /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2083. GET /qrm/qrm_saved_search_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2084. GET /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The QRM saved search group was retrieved.
404 1002 The QRM saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the QRM saved search group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/qrm_saved_search_groups/{group_id}
Updates the owner of a QRM saved search group.

Table 2085. POST /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2086. POST /qrm/qrm_saved_search_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2087. POST /qrm/qrm_saved_search_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2088. POST /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The QRM saved search group was updated.
404 1002 The QRM saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the QRM saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the QRM saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/qrm_saved_search_groups/{group_id}
Deletes a QRM saved search group.

Table 2089. DELETE /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2090. DELETE /qrm/qrm_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number text/plain null
(Integer)

Table 2091. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response Code Unique Code Description
204 The QRM saved search group was deleted.
404 1002 The QRM saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the QRM saved search group.

Response Description

Response Sample

GET /qrm/question_groups
Retrieves a list of question groups.

Table 2092. GET /qrm/question_groups resource details
MIME Type
application/json

Table 2093. GET /qrm/question_groups request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2094. GET /qrm/question_groups response codes
HTTP Response Code Unique Code Description
200 The question groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the question groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/question_groups/{group_id}
Retrieves a question group.

Table 2095. GET /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 2096. GET /qrm/question_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 2097. GET /qrm/question_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The question group was retrieved.
404 1002 The question group does not exist.
500 1020 An error occurred during the attempt to retrieve the question group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/question_groups/{group_id}
Updates the owner of a question group.

Table 2098. POST /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 2099. POST /qrm/question_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2100. POST /qrm/question_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2101. POST /qrm/question_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The question group was updated.
404 | 1002 | The question group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the question group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the question group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
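
The owner update that this endpoint and its simulation, topology and vulnerability saved search group counterparts all perform, as an added Python example (not IBM's code and not the guide's sample client). It assumes a placeholder base URL such as https://qradar.example/api, authentication with the SEC token header and an explicit Version header as described in the overview chapters of this guide, and an error body carrying a numeric "code" and a "message" field. The transport is injectable so the request building, paging header and 409/422 handling can be exercised without a live console; `group_tree` is an added helper that also tolerates the page's two spellings of the child-id field (`child_group_ids` in the field list, `child_groups` in the samples).

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class QRadarApiError(Exception):
    """Non-2xx reply. `unique_code` is the guide's "Unique Code" column, e.g.
    1004 when the requested owner lacks the capabilities to own the group."""

    def __init__(self, http_code, body):
        self.http_code = http_code
        # Assumed error-body shape: a numeric "code" and a "message" field.
        self.unique_code = body.get("code") if isinstance(body, dict) else None
        self.message = body.get("message") if isinstance(body, dict) else str(body)
        super().__init__(f"HTTP {http_code} / code {self.unique_code}: {self.message}")


def build_request(base_url, path, query=None, headers=None, body=None, method="GET"):
    """Assemble a urllib Request. Query values are URL-encoded, so a `filter`
    expression or a `fields` list such as "id,name,owner" arrives intact."""
    url = base_url.rstrip("/") + path
    params = {k: v for k, v in (query or {}).items() if v is not None}
    if params:
        url += "?" + urllib.parse.urlencode(params)
    hdrs = {"Accept": "application/json", **(headers or {})}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        hdrs["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=hdrs, method=method)


def urllib_transport(req):
    """Default transport: send the request, return (status, decoded JSON)."""
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw.decode("utf-8", "replace")


class QRadarClient:
    def __init__(self, base_url, sec_token, api_version="9.0", transport=urllib_transport):
        self.base_url = base_url
        # SEC carries the authorized-service token, Version pins the API version
        # (both documented in the overview chapters of this guide).
        self.headers = {"SEC": sec_token, "Version": api_version}
        self.transport = transport  # injectable, so the flow can be exercised offline

    def call(self, method, path, query=None, headers=None, body=None):
        req = build_request(self.base_url, path, query,
                            {**self.headers, **(headers or {})}, body, method)
        status, payload = self.transport(req)
        if status >= 400:
            raise QRadarApiError(status, payload)
        return payload

    def list_groups(self, path, first=0, last=49, fields=None, filter_expr=None):
        """GET a group-list endpoint such as /qrm/simulation_groups, paging with
        the Range header ("items=first-last", zero-indexed)."""
        return self.call("GET", path, query={"fields": fields, "filter": filter_expr},
                         headers={"Range": f"items={first}-{last}"})

    def update_group_owner(self, path, group_id, new_owner):
        """Change one group's owner. The POST body is the complete Group object
        with only `owner` changed; a 409 (code 1004) means the user exists but
        may not own the group, a 422 (code 1005) means the body is not valid."""
        group = self.call("GET", f"{path}/{group_id}")
        group["owner"] = new_owner
        return self.call("POST", f"{path}/{group_id}", body=group)


def group_tree(groups):
    """Parent id -> sorted child ids derived from each group's parent_id, plus
    the ids whose declared child list disagrees with that derivation. The field
    list names the children `child_group_ids` while the response sample shows
    `child_groups`; both spellings are accepted."""
    by_parent = {}
    for g in groups:
        by_parent.setdefault(g.get("parent_id"), []).append(g["id"])
    tree = {parent: sorted(ids) for parent, ids in by_parent.items()}
    inconsistent = []
    for g in groups:
        declared = g.get("child_group_ids", g.get("child_groups", []))
        if sorted(declared) != tree.get(g["id"], []):
            inconsistent.append(g["id"])
    return tree, inconsistent
```

Because the POST body is the whole Group object, fetch it fresh immediately before writing it back; an object cached from an earlier list call can silently revert a name or description that another administrator changed in between.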

DELETE /qrm/question_groups/{group_id}
Deletes a question group.

Table 2102. DELETE /qrm/question_groups/{group_id} resource details
MIME Type
text/plain

Table 2103. DELETE /qrm/question_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 2104. DELETE /qrm/question_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The question group was deleted.
404 | 1002 | The question group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the question group.

Response Description

Response Sample

GET /qrm/simulation_groups
Retrieves a list of the simulation groups.

Table 2105. GET /qrm/simulation_groups resource details
MIME Type
application/json

Table 2106. GET /qrm/simulation_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2107. GET /qrm/simulation_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The simulation groups were retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the simulation groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,

7 Previous REST API versions 957


"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/simulation_groups/{group_id}
Retrieves a simulation group.

Table 2108. GET /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 2109. GET /qrm/simulation_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2110. GET /qrm/simulation_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The simulation group was retrieved.
404 | 1002 | The simulation group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the simulation group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/simulation_groups/{group_id}
Updates the owner of a simulation group.

Table 2111. POST /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 2112. POST /qrm/simulation_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2113. POST /qrm/simulation_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2114. POST /qrm/simulation_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The simulation group was updated.
404 | 1002 | The simulation group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the simulation group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the simulation group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/simulation_groups/{group_id}
Deletes a simulation group.

Table 2115. DELETE /qrm/simulation_groups/{group_id} resource details
MIME Type
text/plain

Table 2116. DELETE /qrm/simulation_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 2117. DELETE /qrm/simulation_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The simulation group has been deleted.
404 | 1002 | The simulation group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the simulation group.

Response Description

Response Sample

GET /qrm/topology_saved_search_groups
Retrieves a list of topology saved search groups.

Table 2118. GET /qrm/topology_saved_search_groups resource details
MIME Type
application/json

Table 2119. GET /qrm/topology_saved_search_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2120. GET /qrm/topology_saved_search_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The topology saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the topology saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/topology_saved_search_groups/{group_id}
Retrieves a topology saved search group.

Table 2121. GET /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2122. GET /qrm/topology_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2123. GET /qrm/topology_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The topology saved search group was retrieved.
404 | 1002 | The topology saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the topology saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/topology_saved_search_groups/{group_id}
Updates the owner of a topology saved search group.

Table 2124. POST /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2125. POST /qrm/topology_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2126. POST /qrm/topology_saved_search_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2127. POST /qrm/topology_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The topology saved search group was updated.
404 | 1002 | The topology saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the topology saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the topology saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/topology_saved_search_groups/{group_id}
Deletes a topology saved search group.

Table 2128. DELETE /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2129. DELETE /qrm/topology_saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 2130. DELETE /qrm/topology_saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The topology saved search group was deleted.
404 | 1002 | The topology saved search group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the topology saved search group.

Response Description

Response Sample

QRadar Vulnerability Manager endpoints


Use the references for REST API V8.0 QRadar Vulnerability Manager endpoints.

GET /qvm/assets
List the assets with discovered vulnerabilities present in the asset model. The response contains all available RESTful resources.

Table 2131. GET /qvm/assets resource details
MIME Type
application/json

Table 2132. GET /qvm/assets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
savedSearchId | query | Optional | String | text/plain | Id of saved search
savedSearchName | query | Optional | String | text/plain | Saved search name
filters | query | Optional | Array<Object> | application/json | List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 2133. GET /qvm/assets response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities by asset completed successfully
420 | 9101 | Invalid search parameters, search cannot be performed

Response Description

List of asset data.

Response Sample

GET /qvm/filters
Get a list of the allowable filters that can be used or applied against /qvm endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries

Table 2134. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2135. GET /qvm/filters response codes
HTTP Response Code | Unique Code | Description
200 | | The search executed successfully
420 | 9102 | An error occurred while executing the search

Response Description

List of Filters.

Response Sample
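
The `filters` query parameter shared by GET /qvm/assets, GET /qvm/network and GET /qvm/openservices, built and URL-encoded in the documented `[{"parameter":…, "operator":…, "value":…}]` form, with a pre-flight check against the allowable filters that GET /qvm/filters returns, as an added Python example (not IBM's code). The sets `ALLOWED_PARAMETERS` and `ALLOWED_OPERATORS` are constructed placeholders, because this page does not document the shape of the /qvm/filters reply; in practice they would be populated from that endpoint. `qvm_filter`, `validate_filters`, `qvm_query` and `parse_qvm_query` are names chosen here, not part of the API.

```python
import json
import urllib.parse

# Constructed placeholders: the parameter names and operators a deployment's
# GET /qvm/filters reply allows. This page does not show that reply's shape,
# so replace these sets with the names parsed from a real /qvm/filters call.
ALLOWED_PARAMETERS = {"IPv4 Address", "Risk Score", "Vulnerability Name"}
ALLOWED_OPERATORS = {"Equals", "Not Equals", "Contains"}

REQUIRED_KEYS = ("parameter", "operator", "value")


def qvm_filter(parameter, operator, value):
    """One element of the `filters` array in the documented
    {"parameter": ..., "operator": ..., "value": ...} form."""
    return {"parameter": parameter, "operator": operator, "value": str(value)}


def validate_filters(filters, parameters=ALLOWED_PARAMETERS, operators=ALLOWED_OPERATORS):
    """Check a filter list before sending it. Anything rejected here would
    otherwise come back as HTTP 420 / code 9101 (invalid search parameters).
    Returns a list of problem descriptions, empty when the list is acceptable."""
    problems = []
    for i, f in enumerate(filters):
        missing = [k for k in REQUIRED_KEYS if k not in f]
        if missing:
            problems.append(f"filter {i}: missing {missing}")
            continue
        if f["parameter"] not in parameters:
            problems.append(f"filter {i}: unknown parameter {f['parameter']!r}")
        if f["operator"] not in operators:
            problems.append(f"filter {i}: unknown operator {f['operator']!r}")
    return problems


def qvm_query(filters=None, saved_search_id=None, saved_search_name=None):
    """Query string for GET /qvm/assets, /qvm/network or /qvm/openservices.
    `filters` travels as a JSON array inside a single query parameter, so it is
    serialised compactly and URL-encoded as one value."""
    params = {}
    if saved_search_id is not None:
        params["savedSearchId"] = str(saved_search_id)
    if saved_search_name:
        params["savedSearchName"] = saved_search_name
    if filters:
        params["filters"] = json.dumps(filters, separators=(",", ":"))
    return urllib.parse.urlencode(params)


def parse_qvm_query(query_string):
    """Inverse of qvm_query: decode a captured query string back into the
    parameters, with `filters` parsed back into a list of objects."""
    decoded = {k: v[0] for k, v in urllib.parse.parse_qs(query_string).items()}
    if "filters" in decoded:
        decoded["filters"] = json.loads(decoded["filters"])
    return decoded
```

Encoding the whole array as one query value matters: splitting it into several `filters=` parameters, or leaving the braces and quotes unescaped, is the usual cause of the 420 / 9101 reply, and `parse_qvm_query` makes a captured request from a proxy or audit log readable again when diagnosing that.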

GET /qvm/network
List the networks present in the asset model with vulnerabilities present. The response contains all available RESTful resources.

Table 2136. GET /qvm/network resource details
MIME Type
application/json

Table 2137. GET /qvm/network request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
savedSearchId | query | Optional | String | text/plain | Id of saved search
savedSearchName | query | Optional | String | text/plain | Saved search name
filters | query | Optional | Array<Object> | application/json | List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 2138. GET /qvm/network response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities by network completed successfully
420 | 9101 | Invalid search parameters, search cannot be performed

Response Description

List of network related data.

Response Sample

GET /qvm/openservices
List the open services present in the asset model with vulnerabilities present. The response contains all available RESTful resources.

Table 2139. GET /qvm/openservices resource details
MIME Type
application/json

Table 2140. GET /qvm/openservices request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
savedSearchId | query | Optional | String | text/plain | Id of saved search
savedSearchName | query | Optional | String | text/plain | Saved search name
filters | query | Optional | Array<Object> | application/json | List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 2141. GET /qvm/openservices response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities by open service completed successfully
420 | 9101 | Invalid search parameters, search cannot be performed

Response Description

List of open services related data.

Response Sample

GET /qvm/saved_search_groups
Retrieves a list of vulnerability saved search groups.

Table 2142. GET /qvm/saved_search_groups resource details
MIME Type
application/json

Table 2143. GET /qvm/saved_search_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2144. GET /qvm/saved_search_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The vulnerability saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the vulnerability saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qvm/saved_search_groups/{group_id}
Retrieves a vulnerability saved search group.

Table 2145. GET /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2146. GET /qvm/saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2147. GET /qvm/saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The vulnerability saved search group was retrieved.
404 | 1002 | The vulnerability saved search group does not exist.
422 | 1005 | null
500 | 1020 | An error occurred during the attempt to retrieve the vulnerability saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qvm/saved_search_groups/{group_id}
Updates the owner of a vulnerability saved search group.


Table 2148. POST /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2149. POST /qvm/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2150. POST /qvm/saved_search_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2151. POST /qvm/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The vulnerability saved search group was updated.
404 1002 The vulnerability saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the vulnerability saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the vulnerability saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qvm/saved_search_groups/{group_id}
Deletes a vulnerability saved search group.


Table 2152. DELETE /qvm/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2153. DELETE /qvm/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 2154. DELETE /qvm/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The vulnerability saved search group was deleted.
404 1002 The vulnerability saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the vulnerability saved search group.

Response Description

Response Sample

GET /qvm/saved_searches
Retrieves a list of vulnerability instance saved searches.


Table 2155. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 2156. GET /qvm/saved_searches request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2157. GET /qvm/saved_searches response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of saved searches.

Response Description

A list of vulnerability instance saved searches that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that make up this saved
search.

Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets
Lists the Vulnerability Instances assets that are returned from the vulnerability instance saved search.

Lists the Vulnerability Instances assets that are returned from the saved search.
Table 2158. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource details
MIME Type
application/json

Table 2159. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2160. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.

Response Description

A list of assets associated with the vulnerability instance data.

Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
Lists the Vulnerability Instances returned from a vulnerability instance saved search.

Lists the Vulnerability Instances returned from a saved search.


Table 2161. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances resource details
MIME Type
application/json

Table 2162. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2163. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully.
404 1002 Resource not found
500 1020 An error occurred while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"id": 42,
"cvss_environmental_score_string": "String",
"last_seen_date": 42,
"asset_id": 42,
"domain_id": 42,
"relevant_patches": [{"security_notice": "String",
"description": "String",
"patch_type": "String <one of: OS, NONOS>"
}],
"cvss_environmental_score": 42.5,
"seen_by_scan_profile": "String",
"risk_score": 42.5,
"vulnerability_id": 42,
"first_seen_date": 42
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities
List the Vulnerability Instances vulnerabilities returned from the saved search.
Table 2164. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities resource details
MIME Type
application/json

Table 2165. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2166. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully
404 1002 Resource not found
500 1020 Error while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"cvss_base_score_string": "String",
"virtual_patches": [{"device": "String",
"qid": "String",
"signature": "String"
}],
"osvdb_title": "String",
"cvss_temporal_score": 42.5,
"cvss_base_score": 42.5,
"concern": "String",
"cve_ids": ["String"],
"critical_details": "String",
"risk_factor": {"name": "String <one of: High,
Medium,
Low,
Warning>",
"code": 42
},
"cvss_temporal_score_string": "String",
"severity": {"name": "String <one of: Patch,
Urgent,
Critical,
High,
Medium,
Low>",
"code": 42
},
"remediation": "String",
"id": 42, "patches": [{"security_notice": "String",
"description": "String"
}],
"description": "String"
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/status
Retrieves the current status of a vulnerability instance search that was initiated.
Table 2167. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 2168. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2169. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the current status of the vulnerability instance search completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/saved_searches/vuln_instances/{task_id}/status
Updates the status of a vulnerability instance saved search.


Table 2170. POST /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 2171. POST /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required. The ID of the task to update.
status query Optional String text/plain Optional. The only accepted value is CANCELLED. If this value is provided, the search is cancelled.
retention_period_in_days query Optional Number (Integer) text/plain Optional. Set the data retention period in days for the results. Accepted values 0 - 14. Use 0 to delete a result at the next clean up cycle. Default data retention period is 2 days.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2172. POST /qvm/saved_searches/vuln_instances/{task_id}/status response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully.
403 1009 You do not have the proper capabilities to retrieve the Vulnerability Instance Saved Search.
404 1002 Resource not found.
409 1004 The current status of the search prevented the task from being cancelled.
422 1005 A request parameter is not valid.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected Vulnerability Instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id}
Retrieves a vulnerability instance saved search.


Table 2173. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 2174. GET /qvm/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2175. GET /qvm/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully
404 1002 The Saved Search does not exist
500 1020 An error occurred while trying to retrieve the vulnerability instance saved search

Response Description

A vulnerability instance saved search that can be used or applied against:


v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved search.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

POST /qvm/saved_searches/{saved_search_id}
Updates the vulnerability saved search owner only.


Table 2176. POST /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 2177. POST /qvm/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2178. POST /qvm/saved_searches/{saved_search_id} request body details


Parameter Data Type MIME Type Description Sample
saved_search Object application/json null { "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "name": "String", "owner": "String" }

Table 2179. POST /qvm/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
200 The vulnerability saved search was updated.
403 1009 You do not have the required capabilities to update the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
409 1004 The provided user does not have the required capabilities to own the vulnerability saved search.
422 1005 A request parameter is not valid.
500 1020 null

Response Description

The vulnerability saved search after it was updated. A Vulnerability Saved Search object contains the
following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /qvm/saved_searches/{saved_search_id}
Deletes a vulnerability saved search.


Table 2180. DELETE /qvm/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 2181. DELETE /qvm/saved_searches/{saved_search_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain null

Table 2182. DELETE /qvm/saved_searches/{saved_search_id} response codes


HTTP Response Code Unique Code Description
204 The vulnerability saved search was deleted.
403 1009 You do not have the required capabilities to delete the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
500 1020 null

Response Description

Response Sample

GET /qvm/saved_searches/{saved_search_id}/vuln_instances
Creates the Vulnerability Instances search. This search returns a maximum of 100,000 results.
Table 2183. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 2184. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request parameter details


Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number (Integer) text/plain ID of saved search
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Specify the range for the results that you want to return, up to 100,000 results. For example, 0-599, 200-99999. The list is indexed and begins at zero.

Result pagination example:

To return the first 100,000 rows, follow these steps:

1. Run the GET - /qvm/saved_searches/{saved_search_id}/vuln_instances endpoint with a range of 0-99999 and a saved_search_id that equals 2.
2. Run the GET - /qvm/saved_searches/vuln_instances/{task_id}/status endpoint to check the search status.
3. When the search status changes to COMPLETED, run the GET - /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances endpoint to get the vulnerability instance results.
Table 2185. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes
HTTP Response Code Unique Code Description
201 The vulnerability instance search is queued.
404 1002 null
500 1020 null

Response Description

The response returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
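The three-step workflow described above (queue the search with a Range header, poll the task status until it is COMPLETED, then page through the results) as an added Python example; this is not code from the guide or from IBM. It assumes the SEC header carries an authorized-service token and the Version header selects the API version, as documented elsewhere in this guide, and the `items=start-end` form of the Range header from the guide's paging syntax; `VulnInstanceSearch`, `QvmSearchError` and the constructed offline stand-in `fake_qradar` are hypothetical names, not part of the product.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Terminal task states, taken from the status enumeration in the response samples.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}
MAX_RESULTS = 100_000  # the search returns a maximum of 100,000 results


class QvmSearchError(RuntimeError):
    """Raised when an endpoint answers with an unexpected HTTP response code."""


class VulnInstanceSearch:
    """Create a vulnerability-instance search, poll its status, then page through results."""

    # transport maps (method, path, headers, query params) to (http_code, decoded JSON body)
    def __init__(self, transport: Callable[..., Tuple[int, object]], sec_token: str,
                 api_version: str = "8.0") -> None:
        self._send = transport
        # SEC carries the authorized-service token; Version pins the API version.
        self._base = {"SEC": sec_token, "Version": api_version, "Accept": "application/json"}

    def _call(self, method: str, path: str, headers: Optional[Dict[str, str]] = None,
              params: Optional[Dict[str, str]] = None, expected: Tuple[int, ...] = (200,)):
        code, body = self._send(method, path, {**self._base, **(headers or {})}, params or {})
        if code not in expected:  # error bodies carry the unique code and a message
            raise QvmSearchError(f"{method} {path} -> HTTP {code}: {body}")
        return body

    def create(self, saved_search_id: int, first: int = 0, last: int = MAX_RESULTS - 1) -> int:
        """Step 1: queue the search; the 201 body carries the task ID."""
        if not 0 <= first <= last < MAX_RESULTS:
            raise ValueError("Range must lie within 0-99999")
        body = self._call("GET", f"/api/qvm/saved_searches/{saved_search_id}/vuln_instances",
                          headers={"Range": f"items={first}-{last}"}, expected=(201,))
        return body["id"]

    def status(self, task_id: int) -> str:
        """Step 2: read the current task status."""
        return self._call("GET", f"/api/qvm/saved_searches/vuln_instances/{task_id}/status")["status"]

    def wait(self, task_id: int, interval: float = 2.0, timeout: float = 600.0,
             sleep: Callable[[float], None] = time.sleep) -> str:
        """Poll until a terminal state; any terminal state other than COMPLETED is an error."""
        deadline = time.monotonic() + timeout
        while True:
            state = self.status(task_id)
            if state in TERMINAL_STATES:
                if state != "COMPLETED":
                    raise QvmSearchError(f"task {task_id} ended in state {state}")
                return state
            if time.monotonic() > deadline:
                raise QvmSearchError(f"task {task_id} still {state} after {timeout}s")
            sleep(interval)

    def results(self, task_id: int, page_size: int = 500) -> List[dict]:
        """Step 3: fetch vuln_instances in Range-sized pages until a short page arrives."""
        path = f"/api/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances"
        items: List[dict] = []
        start = 0
        while start < MAX_RESULTS:
            end = min(start + page_size, MAX_RESULTS) - 1
            page = self._call("GET", path, headers={"Range": f"items={start}-{end}"})
            items.extend(page)
            if len(page) < page_size:
                break
            start += page_size
        return items

    def cancel(self, task_id: int, retention_days: Optional[int] = None) -> str:
        """POST .../status with status=CANCELLED and, optionally, a 0-14 day retention period."""
        params = {"status": "CANCELLED"}
        if retention_days is not None:
            if not 0 <= retention_days <= 14:
                raise ValueError("retention_period_in_days accepts 0-14")
            params["retention_period_in_days"] = str(retention_days)
        path = f"/api/qvm/saved_searches/vuln_instances/{task_id}/status"
        return self._call("POST", path, params=params)["status"]


def fake_qradar(rows: List[dict]) -> Callable[..., Tuple[int, object]]:
    """Constructed offline stand-in for the endpoints; each GET of the status advances the task."""
    state = {"steps": ["QUEUED", "PROCESSING", "COMPLETED"], "i": 0}

    def send(method: str, path: str, headers: Dict[str, str], params: Dict[str, str]):
        if method == "GET" and path.endswith("/vuln_instances") and "/results/" not in path:
            return 201, {"id": 42, "retention_period_in_days": 2, "status": state["steps"][0]}
        if path.endswith("/status"):
            if method == "POST" and params.get("status") == "CANCELLED":
                if state["steps"][state["i"]] == "COMPLETED":  # mirrors the documented 409 / 1004
                    return 409, {"code": 1004, "message": "task already completed"}
                state["steps"], state["i"] = ["CANCELLED"], 0
            elif method == "GET" and state["i"] < len(state["steps"]) - 1:
                state["i"] += 1
            return 200, {"id": 42, "retention_period_in_days": 2, "status": state["steps"][state["i"]]}
        if "/results/vuln_instances" in path:
            first, last = (int(v) for v in headers["Range"].split("=", 1)[1].split("-"))
            return 200, rows[first:last + 1]
        return 404, {"code": 1002, "message": "Resource not found"}

    return send
```

Against a live console, replace `fake_qradar(...)` with a transport that issues the HTTPS request and returns `(response.status_code, response.json())`.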

POST /qvm/tickets/assign
Updates the remediation ticket for the assigned vulnerability.
Table 2186. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 2187. POST /qvm/tickets/assign request body details


Parameter Data Type MIME Type Description Sample
ticket JSON application/json 'ticketId': required. 'priority': required, one of Critical, Major, Minor, Warning, Informational. 'status': required, one of Opened, Fixed, Re-Opened, Closed. 'dueDate': Optional, yyyy-MM-dd HH:mm:ss. 'assignedUser': required, a valid QRadar user account name or a valid email. 'comment': Optional, text. 'commentUser': Optional, a valid QRadar user account name; if not included, it defaults to the current API user. [ { "ticketId":"1000", "status":"Opened", "priority":"Critical", "dueDate":"2015-01-04 12:00:00", "assignedUser":"admin", "comment":"testComment", "commentUser":"admin" } ]
Table 2188. POST /qvm/tickets/assign response codes


HTTP Response Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due to invalid arguments

Response Description

A success message if the update succeeded.

Response Sample

GET /qvm/vulns
Lists the vulnerabilities present in the asset model. The response contains all available RESTful resources.

Table 2189. GET /qvm/vulns resource details
MIME Type
application/json

Table 2190. GET /qvm/vulns request parameter details


Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 2191. GET /qvm/vulns response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

A list of vulnerability data.

Response Sample

Reference data endpoints


Use the references for REST API V8.0 reference data endpoints.

GET /reference_data/map_delete_tasks/{task_id}
Retrieves the delete reference data map task status.


Table 2192. GET /reference_data/map_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2193. GET /reference_data/map_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2194. GET /reference_data/map_delete_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/reference_data/maps/map_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_dependent_tasks/{task_id}
Retrieves the dependent reference data map task status.


Table 2195. GET /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2196. GET /reference_data/map_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2197. GET /reference_data/map_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_dependent_tasks/{task_id}
Cancels the dependent reference data map task.


Table 2198. POST /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2199. POST /reference_data/map_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | (none)
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2200. POST /reference_data/map_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | (none) | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2201. POST /reference_data/map_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task (shown as task_sub_type in the response sample).
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

GET /reference_data/map_dependent_tasks/{task_id}/results
Retrieves the reference data map dependent task results.


Table 2202. GET /reference_data/map_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2203. GET /reference_data/map_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | (none)
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2204. GET /reference_data/map_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The reference data map dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the reference data maps.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. (Default resources can have localized names.)
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.
v blocking - Boolean - Appears in the response sample below; this guide does not describe it.

Response Sample
[
  {
    "blocking": true,
    "dependent_database": "String <one of: EVENTS, FLOWS>",
    "dependent_group_ids": [
      42
    ],
    "dependent_id": "String",
    "dependent_name": "String",
    "dependent_owner": "String",
    "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
    "user_has_edit_permissions": true
  }
]

GET /reference_data/map_of_sets
Retrieve a list of all reference map of sets.
Table 2205. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 2206. GET /reference_data/map_of_sets request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2207. GET /reference_data/map_of_sets response codes

HTTP Response Code | Unique Code | Description
200 | | The reference map of sets list has been retrieved
500 | 1020 | An error occurred while attempting to retrieve all of the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/map_of_sets
Create a new reference map of sets.
Table 2208. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 2209. POST /reference_data/map_of_sets request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | query | Required | String | text/plain | Required - The name of the reference map of sets to create
element_type | query | Required | String | text/plain | Required - The element type for the values allowed in the reference map of sets. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
key_label | query | Optional | String | text/plain | Optional - The label to describe the keys
value_label | query | Optional | String | text/plain | Optional - The label to describe the data values
timeout_type | query | Optional | String | text/plain | Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live | query | Optional | String | text/plain | Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2210. POST /reference_data/map_of_sets response codes

HTTP Response Code | Unique Code | Description
201 | | A new reference map of sets was successfully created
409 | 1004 | The reference map of sets could not be created, the name provided is already in use. Please change the name and try again.
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to create the reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/bulk_load/{name}
Adds or updates data in a reference map of sets.

Table 2211. POST /reference_data/map_of_sets/bulk_load/{name} resource details
MIME Type
application/json

Table 2212. POST /reference_data/map_of_sets/bulk_load/{name} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the map of sets to add or update data in.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2213. POST /reference_data/map_of_sets/bulk_load/{name} request body details

Parameter | Data Type | MIME Type | Description | Sample
data | Array | application/json | Required - The JSON-formatted data to add or update in the reference map of sets. | {"key1":["Data11","Data12"],"key2":["Data21","Data22"],"key3":["Data31","Data32"],"key4":["Data41","Data42"],"key5":["Data51","Data52"],"key6":["Data61","Data62"]}

Table 2214. POST /reference_data/map_of_sets/bulk_load/{name} response codes

HTTP Response Code | Unique Code | Description
200 | | Data was successfully added or updated in the reference map of sets.
400 | 1001 | An error occurred parsing the JSON-formatted message body.
404 | 1002 | The reference map of sets does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to add or update data in the reference map of sets.

Response Description

Information about the reference map of sets where data was added or updated. This returns information
about the reference map of sets but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
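The bulk_load body is a single JSON object that maps each key to an array of values, as the sample in Table 2213 shows, and every value must already be in the form the map's element_type accepts (for DATE, milliseconds since the Unix epoch). The following added example is not code from this guide or from IBM: it prepares such a body from a feed, rejecting values the map cannot hold before anything is sent, and then posts it with the SEC header. The console host, the token, and the sample rows are constructed placeholders.

```python
"""Client-side preparation and submission of a bulk load for a QRadar reference map of sets.

Added example, not code from the QRadar API guide or from IBM. The endpoint, the SEC header
and the element_type rules (ALN, ALNIC, IP, NUM, PORT, DATE; dates as milliseconds since the
Unix epoch) are as documented on this page; the console host, token and sample rows are
constructed placeholders.
"""
import ipaddress
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

ELEMENT_TYPES = ("ALN", "ALNIC", "IP", "NUM", "PORT", "DATE")


def normalize_value(element_type, value):
    """Return one value in the string form the map of sets accepts for element_type.

    Rejecting bad values here catches a typo in a feed before the request is built,
    instead of surfacing as a 422 (unique code 1005) for the whole batch.
    """
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element_type {element_type!r}")
    text = str(value).strip()
    if element_type in ("ALN", "ALNIC"):
        if not text:
            raise ValueError("empty alphanumeric value")
        return text
    if element_type == "IP":
        # ip_address() accepts IPv4 and IPv6 literals and rejects hostnames and CIDR ranges.
        return str(ipaddress.ip_address(text))
    if element_type == "NUM":
        if isinstance(value, float):
            return repr(value)
        try:
            return str(int(text))
        except ValueError:
            return repr(float(text))
    if element_type == "PORT":
        port = int(text)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return str(port)
    # DATE: the API wants milliseconds since the Unix epoch; accept ms, datetime or ISO 8601 text.
    if isinstance(value, datetime):
        stamp = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    elif isinstance(value, int):
        return str(value)
    else:
        stamp = datetime.fromisoformat(text.replace("Z", "+00:00"))
        if stamp.tzinfo is None:
            stamp = stamp.replace(tzinfo=timezone.utc)
    return str(int(stamp.timestamp() * 1000))


def build_bulk_payload(element_type, rows):
    """Turn {key: iterable of values} into the JSON body for bulk_load/{name}.

    Values are de-duplicated per key and sorted, so repeated loads of the same feed
    produce identical bodies, which keeps request logs and diffs meaningful.
    """
    payload = {}
    for key, values in rows.items():
        if not str(key).strip():
            raise ValueError("map of sets keys must be non-empty")
        payload[str(key)] = sorted({normalize_value(element_type, v) for v in values})
    return payload


def bulk_load(console, sec_token, name, payload, timeout=30):
    """POST the payload to /api/reference_data/map_of_sets/bulk_load/{name} and return the
    map metadata in the response (structure only, not the stored data). Network call;
    not exercised offline. Version 9.0 is the API version this page documents."""
    url = f"https://{console}/api/reference_data/map_of_sets/bulk_load/{urllib.parse.quote(name, safe='')}"
    request = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="POST", headers={
        "SEC": sec_token,  # authorized-service token; load it from a secret store, never from source
        "Version": "9.0",
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))


# Constructed sample feed: analyst -> source addresses they log in from. A duplicate and an
# IPv6 literal are included on purpose to show what build_bulk_payload does with them.
SAMPLE_ROWS = {
    "alice": ["10.0.0.5", "10.0.0.5", "2001:db8::1"],
    "svc-backup": ["192.0.2.10"],
}

if __name__ == "__main__":
    print(json.dumps(build_bulk_payload("IP", SAMPLE_ROWS), indent=2))
    # bulk_load("qradar.example.internal", "<SEC token>", "analyst_source_ips", build_bulk_payload("IP", SAMPLE_ROWS))
```

A 400 (unique code 1001) from this endpoint means the body did not parse as JSON; a 422 (unique code 1005) usually means a value did not fit the map's element_type, which is exactly what normalize_value is there to catch first.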

GET /reference_data/map_of_sets/{name}
Return the reference map of sets identified by name.

Return the reference map of sets identified by name, including its data. The Range header, if provided, selects the records to return (a limit on the number of records, starting at an offset; records are indexed from zero). If no range is specified, the first 20 records are returned.
Table 2215. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2216. GET /reference_data/map_of_sets/{name} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to retrieve
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2217. GET /reference_data/map_of_sets/{name} response codes

HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has been retrieved
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to retrieve the reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The portion of the map's data that is returned depends on the Range header specified in the request.

Response Sample
{
  "creation_time": 42,
  "data": {
    "String": [
      {
        "first_seen": 42,
        "last_seen": 42,
        "source": "String",
        "value": "String"
      }
    ]
  },
  "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
  "key_label": "String",
  "name": "String",
  "number_of_elements": 42,
  "time_to_live": "String",
  "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
  "value_label": "String"
}

POST /reference_data/map_of_sets/{name}
Add or update an element in a reference map of sets.
Table 2218. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2219. POST /reference_data/map_of_sets/{name} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to add or update an element in
key | query | Required | String | text/plain | Required - The key of the set to add or update
value | query | Required | String | text/plain | Required - The value to add or update in the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source | query | Optional | String | text/plain | Optional - This indicates where the data originated. The default value is 'reference data api'
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2220. POST /reference_data/map_of_sets/{name} response codes

HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has had an element added or updated
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to add or update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or updated. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name}
Remove a map of sets or purge its contents.
Table 2221. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2222. DELETE /reference_data/map_of_sets/{name} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to remove or purge
purge_only | query | Optional | String | text/plain | Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map of sets should have its contents purged (true), keeping the reference map of sets structure. If the value is "false" or not specified the reference map of sets will be removed completely.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2223. DELETE /reference_data/map_of_sets/{name} response codes

HTTP Response Code | Unique Code | Description
202 | | The Reference Data Map of Sets deletion or purge request has been accepted and is in progress
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove or purge values from the reference map of sets

Response Description

A status_id with which to retrieve the status of the Reference Data Map of Sets deletion or purge at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
  "current_status": {
    "cancel_requested": true,
    "cancelled_by": "String",
    "child_tasks": [
      42
    ],
    "completed": 42,
    "created": 42,
    "created_by": "String",
    "id": 42,
    "maximum": 42,
    "message": "String",
    "modified": 42,
    "name": "String",
    "progress": 42,
    "result_url": "String",
    "started": 42,
    "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
    "task_components": [
      {
        "completed": 42,
        "created": 42,
        "maximum": 42,
        "message": "String",
        "modified": 42,
        "progress": 42,
        "started": 42,
        "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
      }
    ]
  },
  "message": "String",
  "status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents
Retrieves the dependents of the Map of Sets.

Initiates the retrieval of the dependents of the map of sets. The retrieval runs as an asynchronous task, so the response is a task status rather than the dependents themselves.


Table 2224. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 2225. GET /reference_data/map_of_sets/{name}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to retrieve dependents for
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2226. GET /reference_data/map_of_sets/{name}/dependents response codes

HTTP Response Code | Unique Code | Description
202 | | The Reference Data Map of Sets dependent retrieval request has been accepted and is in progress
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to get the dependents for the reference map of sets

Response Description

A status_id with which to retrieve the status of the Reference Data Map of Sets dependent retrieval at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
  "current_status": {
    "cancel_requested": true,
    "cancelled_by": "String",
    "child_tasks": [
      42
    ],
    "completed": 42,
    "created": 42,
    "created_by": "String",
    "id": 42,
    "maximum": 42,
    "message": "String",
    "modified": 42,
    "name": "String",
    "progress": 42,
    "result_url": "String",
    "started": 42,
    "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
    "task_components": [
      {
        "completed": 42,
        "created": 42,
        "maximum": 42,
        "message": "String",
        "modified": 42,
        "progress": 42,
        "started": 42,
        "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
      }
    ]
  },
  "message": "String",
  "status_location": "String"
}
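The dependents call, the delete call and the cancel endpoints above share one pattern: a 202 with a status_location, a task that is polled at /api/system/task_management/task/{status_id} until it reaches a terminal state, and a result_url to fetch once the status is COMPLETED. The added example below is not code from this guide or from IBM; it drives that pattern for a map of sets and then decides, from the Dependent objects, whether an unattended delete should proceed: a CRE_RULE that reads the map stops matching the moment the map is gone, and a dependent the caller cannot edit cannot be repaired afterwards. The transport is injected so the flow runs offline against a constructed console stand-in; its task id 77, its result URL and its two sample dependents are made up, and the cancel body {"status": "CANCEL_REQUESTED"} is an assumption about how a cancel is requested.

```python
"""Run the asynchronous dependents check for a QRadar reference map of sets before deleting it.

Added example; not code from the QRadar API guide or from IBM. The 202 response with
status_location, the task status fields (status, result_url, message) and the Dependent
fields (dependent_type, dependent_name, blocking, user_has_edit_permissions) are as
documented on this page. The fake transport, its task id 77, its result URL and its two
sample dependents are constructed for the offline run; the cancel body
{"status": "CANCEL_REQUESTED"} is an assumption about how a cancel is requested.
"""
import json
import time
import urllib.parse
import urllib.request

# States from which the task makes no further progress; only COMPLETED yields results.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}


def wait_for_dependents(transport, name, poll_interval=0.0, max_polls=100):
    """Start the dependents task for map of sets `name`, poll it, and return the list of
    Dependent objects. transport(method, path, body=None) -> (http_status, headers, json)."""
    path = f"/api/reference_data/map_of_sets/{urllib.parse.quote(name, safe='')}/dependents"
    status, headers, body = transport("GET", path)
    if status != 202:
        raise RuntimeError(f"expected 202 from {path}, got {status}: {body}")
    status_url = body.get("status_location") or headers.get("Location")  # both are documented
    for _ in range(max_polls):
        status, _, task = transport("GET", status_url)
        if status != 200:
            raise RuntimeError(f"task status lookup returned {status}")
        state = task["status"]
        if state == "COMPLETED":
            status, _, results = transport("GET", task["result_url"])
            if status != 200:
                raise RuntimeError(f"result fetch returned {status}")
            return results
        if state in TERMINAL_STATES:
            raise RuntimeError(f"task {task['id']} ended in {state}: {task.get('message')}")
        time.sleep(poll_interval)
    raise TimeoutError(f"task at {status_url} still running after {max_polls} polls")


def deletion_risks(dependents):
    """Dependents that should stop an unattended delete: anything flagged blocking, and
    anything the caller cannot edit (and so cannot repair once the map is gone)."""
    return [(d["dependent_type"], d["dependent_name"]) for d in dependents
            if d.get("blocking") or not d.get("user_has_edit_permissions", False)]


def cancel_dependents_task(transport, task_id):
    """POST /api/reference_data/map_of_sets_dependent_tasks/{task_id}; returns the new status."""
    status, _, task = transport("POST", f"/api/reference_data/map_of_sets_dependent_tasks/{int(task_id)}",
                                {"status": "CANCEL_REQUESTED"})  # assumed cancel value
    if status != 200:
        raise RuntimeError(f"cancel returned {status}: {task}")
    return task["status"]


def urllib_transport(console, sec_token, timeout=30):
    """Transport for a real console (network; not used in the offline run)."""
    def transport(method, path, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(f"https://{console}{path}", data=data, method=method, headers={
            "SEC": sec_token, "Version": "9.0", "Accept": "application/json", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read().decode("utf-8") or "null")
    return transport


def make_fake_transport():
    """Constructed console stand-in: the task reports PROCESSING twice, then COMPLETED."""
    task_url = "/api/system/task_management/task/77"
    result_url = "/api/reference_data/map_of_sets_dependent_tasks/77/results"  # placeholder result_url
    polls = {"count": 0}

    def transport(method, path, body=None):
        if method == "GET" and path.endswith("/dependents"):
            return 202, {"Location": task_url}, {"message": "queued", "status_location": task_url}
        if method == "GET" and path == task_url:
            polls["count"] += 1
            state = "PROCESSING" if polls["count"] < 3 else "COMPLETED"
            return 200, {}, {"id": 77, "status": state, "result_url": result_url, "message": ""}
        if method == "GET" and path == result_url:
            return 200, {}, [
                {"dependent_id": "1234", "dependent_name": "Login from unexpected source IP",
                 "dependent_type": "CRE_RULE", "dependent_owner": "admin", "dependent_database": "EVENTS",
                 "dependent_group_ids": [3], "blocking": True, "user_has_edit_permissions": False},
                {"dependent_id": "88", "dependent_name": "Analyst activity", "dependent_type": "DASHBOARD",
                 "dependent_owner": "alice", "dependent_database": "EVENTS", "dependent_group_ids": [],
                 "blocking": False, "user_has_edit_permissions": True},
            ]
        if method == "POST" and path.endswith("/map_of_sets_dependent_tasks/77"):
            return 200, {}, {"id": 77, "status": "CANCEL_REQUESTED"}
        return 404, {}, {"code": 1002, "message": "not found"}

    return transport


if __name__ == "__main__":
    found = wait_for_dependents(make_fake_transport(), "analyst_source_ips")
    print(f"{len(found)} dependents; delete blocked by: {deletion_risks(found)}")
```

Against a real console, replace make_fake_transport() with urllib_transport(host, token); the polling logic is unchanged. The same loop serves the 202 returned by DELETE /reference_data/map_of_sets/{name}, since that response carries the same status_location and task status shape.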

DELETE /reference_data/map_of_sets/{name}/{key}
Remove a value from a reference map of sets.


Table 2227. DELETE /reference_data/map_of_sets/{name}/{key} resource details
MIME Type
application/json

Table 2228. DELETE /reference_data/map_of_sets/{name}/{key} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to remove a value from
key | path | Required | String | text/plain | Required - The key of the value to remove
value | query | Required | String | text/plain | Required - The value to remove from the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2229. DELETE /reference_data/map_of_sets/{name}/{key} response codes

HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has had a value removed
404 | 1002 | The reference map of sets does not exist
404 | 1003 | The record does not exist in the reference map of sets
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove the reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns information about the
reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets_delete_tasks/{task_id}
Retrieves the delete reference data map of sets task status.

Table 2230. GET /reference_data/map_of_sets_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2231. GET /reference_data/map_of_sets_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | (none)
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2232. GET /reference_data/map_of_sets_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}
Retrieves the dependent reference data map of sets task status.


Table 2233. GET /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2234. GET /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | (none)
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2235. GET /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was last modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task (shown as task_sub_type in the response sample).
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was last modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

POST /reference_data/map_of_sets_dependent_tasks/{task_id}
Cancels the dependent reference data map of sets task.

Table 2236. POST /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2237. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2238. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2239. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results
Retrieves the reference data map of sets dependent task results.

Table 2240. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2241. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2242. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The reference data map of sets dependents have been retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the reference data map of sets.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
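The status object and the Dependent list above are what a client has to interpret before it acts on a reference data map of sets. The following Python is an added example, not IBM code: it classifies a Dependent Task Status object by the status values listed in the samples (which of those values count as terminal is an assumption made here), avoids the 409 that a cancel request on a completed task receives, and triages a results list for blocking dependents and detection content; the sample payloads are constructed.

```python
"""Triage helpers for the dependent-task responses documented for
/reference_data/map_of_sets_dependent_tasks/{task_id} and its /results.

Added example, not IBM code. Which of the listed status values are terminal
is an assumption made here; the guide only lists the values. The sample
payloads below are constructed in the shape of the guide's response samples.
"""
from collections import Counter

TERMINAL_STATUSES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT"}
ALL_STATUSES = TERMINAL_STATUSES | {
    "CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "INTERRUPTED",
    "PAUSED", "PROCESSING", "QUEUED", "RESUMING",
}
# Dependents whose loss would change what the SIEM detects (types taken
# from the dependent_type list in the results sample).
DETECTION_TYPES = {"CRE_RULE", "CRE_ADE_RULE", "BUILDING_BLOCK"}


def task_state(task):
    """Classify a Dependent Task Status object as done, running or unknown."""
    status = task.get("status")
    if status not in ALL_STATUSES:
        return "unknown"
    return "done" if status in TERMINAL_STATUSES else "running"


def dependent_count(task):
    """number_of_dependents is null until the task completes, so only trust
    it once the task is done; None means 'poll again'."""
    if task_state(task) != "done":
        return None
    return task.get("number_of_dependents")


def can_request_cancel(task):
    """POST .../{task_id} answers 409 (unique code 1004) for a task that is
    already in a completed state, and a cancel already under way needs no
    second request, so only a plain running task is worth cancelling."""
    return (task_state(task) == "running"
            and task["status"] not in ("CANCELING", "CANCEL_REQUESTED"))


def triage_dependents(dependents):
    """Summarise a Dependent list from GET .../{task_id}/results.

    Entries flagged blocking stop the removal; entries the task creator
    cannot edit need another owner; detection content is listed by name so
    an analyst can see which rules would stop firing without the data.
    """
    by_type = Counter(d["dependent_type"] for d in dependents)
    blocking = [d["dependent_id"] for d in dependents if d.get("blocking")]
    not_editable = [d["dependent_id"] for d in dependents
                    if not d.get("user_has_edit_permissions", False)]
    detection = [d["dependent_name"] for d in dependents
                 if d["dependent_type"] in DETECTION_TYPES]
    return {
        "by_type": dict(by_type),
        "blocking": blocking,
        "not_editable": not_editable,
        "detection_content": detection,
        "safe_to_remove": not blocking,
    }


# Constructed status object in the shape of the guide's response sample.
SAMPLE_TASK = {
    "id": 17, "name": "map of sets dependents", "status": "PROCESSING",
    "created_by": "admin", "cancelled_by": None, "number_of_dependents": None,
    "maximum": 120, "progress": 35, "message": "Checking rules",
}

# Constructed results list in the shape of the /results response sample.
SAMPLE_DEPENDENTS = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [42],
     "dependent_id": "1001", "dependent_name": "Login from watched host",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE",
     "user_has_edit_permissions": True},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "2002", "dependent_name": "Weekly watchlist report",
     "dependent_owner": "soc_lead", "dependent_type": "REPORT",
     "user_has_edit_permissions": False},
    {"blocking": True, "dependent_database": "FLOWS", "dependent_group_ids": [7],
     "dependent_id": "3003", "dependent_name": "Flows to watched hosts",
     "dependent_owner": "admin", "dependent_type": "ARIEL_SAVED_SEARCH",
     "user_has_edit_permissions": True},
]

if __name__ == "__main__":
    print(task_state(SAMPLE_TASK), dependent_count(SAMPLE_TASK),
          can_request_cancel(SAMPLE_TASK))
    print(triage_dependents(SAMPLE_DEPENDENTS))
```

The same status classification applies to the task_management objects returned by the DELETE and /dependents endpoints for reference maps later in this chapter, whose status list is the same minus CONFLICT.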

GET /reference_data/maps
Retrieve a list of all reference maps.
Table 2243. GET /reference_data/maps resource details
MIME Type
application/json

Table 2244. GET /reference_data/maps request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2245. GET /reference_data/maps response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map list has been retrieved
500 | 1020 | An error occurred while attempting to retrieve all of the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps
Create a new reference map.
Table 2246. POST /reference_data/maps resource details
MIME Type
application/json

Table 2247. POST /reference_data/maps request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | query | Required | String | text/plain | Required - The name of the reference map to create
key_label | query | Optional | String | text/plain | Optional - The label to describe the keys
value_label | query | Optional | String | text/plain | Optional - The label to describe the data values
element_type | query | Required | String | text/plain | Required - The element type for the values allowed in the reference map. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type | query | Optional | String | text/plain | Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live | query | Optional | String | text/plain | Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2248. POST /reference_data/maps response codes
HTTP Response Code | Unique Code | Description
201 | | A new reference map was successfully created
409 | 1004 | The reference map could not be created, the name provided is already in use. Please change the name and try again.
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to create the reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/bulk_load/{name}
Adds or updates data in a reference map.

Table 2249. POST /reference_data/maps/bulk_load/{name} resource details
MIME Type
application/json

Table 2250. POST /reference_data/maps/bulk_load/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of map to add or update data in.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2251. POST /reference_data/maps/bulk_load/{name} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Array | application/json | Required - The JSON-formatted data to add or update in the reference map. | {"key1":"Data1", "key2":"Data2", "key3":"Data3", "key4":"Data4", "key5":"Data5", "key6":"Data6"}

Table 2252. POST /reference_data/maps/bulk_load/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | Data was successfully added or updated in the reference map.
400 | 1001 | An error occurred parsing the JSON-formatted message body.
404 | 1002 | The reference map does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to add or update data in the reference map.

Response Description

Information about the reference map where data was added or updated. This returns information about
the reference map but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
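bulk_load answers a body that does not parse with 400 (unique code 1001) and an invalid parameter with 422 (1005), so a client can screen a feed before sending it rather than discover the problem one request at a time. The following Python is an added example, not IBM code: it checks values against the element types listed under POST /reference_data/maps, builds the request with fields sent as a header as this endpoint documents, and assumes the SEC and Version headers plus a constructed feed.

```python
"""Client-side checks for POST /reference_data/maps/bulk_load/{name}.

Added example, not IBM code. The server rejects a body that does not parse
with 400 (unique code 1001) and an invalid parameter with 422 (1005); the
checks below apply the element types the guide lists for a reference map
(ALN, ALNIC, NUM, IP, PORT, DATE) before anything is sent. The sample feed
at the bottom is constructed; the SEC and Version headers are assumed here
and are not described on this page.
"""
import ipaddress
import json
import urllib.parse

ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT", "DATE")


def value_problem(element_type, value):
    """Return None when value fits element_type, else a short reason."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError("unknown element_type %r" % (element_type,))
    text = str(value)
    if element_type in ("ALN", "ALNIC"):
        # ALNIC differs from ALN only in that the server ignores case.
        return None if text.strip() else "empty value"
    if element_type == "NUM":
        try:
            float(text)
            return None
        except ValueError:
            return "not numeric"
    if element_type == "IP":
        try:
            ipaddress.ip_address(text)
            return None
        except ValueError:
            return "not an IP address"
    if element_type == "PORT":
        return None if text.isdigit() and int(text) <= 65535 else "not a port number"
    # DATE: milliseconds since the Unix Epoch, January 1st 1970
    return None if text.isdigit() else "not milliseconds since the epoch"


def validate_bulk_load(element_type, data):
    """Split a key/value dict into (accepted, rejected).

    accepted is the body to send; rejected maps each bad key to the reason,
    so a feed that mixes good and bad entries does not fail as a whole.
    """
    accepted, rejected = {}, {}
    for key, value in data.items():
        if not str(key).strip():
            rejected[key] = "empty key"
            continue
        problem = value_problem(element_type, value)
        if problem is None:
            accepted[key] = value
        else:
            rejected[key] = problem
    return accepted, rejected


def build_bulk_load_request(base_url, name, data, token, version="9.0", fields=None):
    """Return (method, url, headers, body) for the bulk_load call.

    The body follows the guide's sample: one JSON object whose keys are the
    map keys. fields is sent as a header, which is where the guide places it
    for this endpoint (it is a query parameter on most others).
    """
    path = "/api/reference_data/maps/bulk_load/" + urllib.parse.quote(str(name), safe="")
    headers = {
        "SEC": token,                       # assumed: authorized service token header
        "Version": version,                 # assumed: API version header
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if fields:
        headers["fields"] = fields
    return "POST", base_url.rstrip("/") + path, headers, json.dumps(data)


# Constructed feed for an IP-typed map: one entry is not an address.
SAMPLE_FEED = {"bastion": "10.0.0.5", "typo": "999.1.1.1", "ipv6-host": "2001:db8::1"}

if __name__ == "__main__":
    ok, bad = validate_bulk_load("IP", SAMPLE_FEED)
    method, url, headers, body = build_bulk_load_request(
        "https://qradar.example", "Watched Hosts", ok, "TOKEN-PLACEHOLDER",
        fields="name,number_of_elements")
    print(method, url)
    print("sending:", body)
    print("rejected:", bad)
```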

GET /reference_data/maps/{name}
Retrieve the reference map identified by name. If it is provided, limit specifies the number of records to
return starting at record that is specified by offset. If the number is not specified, then the first 20 records
are returned.
Table 2253. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2254. GET /reference_data/maps/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map to retrieve
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2255. GET /reference_data/maps/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map has been retrieved
404 | 1002 | The reference map does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to retrieve the reference map

Response Description

The reference map identified by the name specified in the request. The portion of the reference map's
data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name}
Add or update an element in a reference map.
Table 2256. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2257. POST /reference_data/maps/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map to add or update an element in
key | query | Required | String | text/plain | Required - The key whose value we want to add or update
value | query | Required | String | text/plain | Required - The value to add or update in the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source | query | Optional | String | text/plain | Optional - An indication of where the data originated. The default value is 'reference data api'
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2258. POST /reference_data/maps/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map has had an element added or updated
404 | 1002 | The reference map does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to add or update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This returns information about the reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name}
Remove a reference map or purge its contents.
Table 2259. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2260. DELETE /reference_data/maps/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map to remove or purge
purge_only | query | Optional | String | text/plain | Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map should have its contents purged (true), keeping the reference map structure. If the value is "false" or not specified the reference map will be removed completely.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2261. DELETE /reference_data/maps/{name} response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Maps deletion or purge request has been accepted and is in progress
404 | 1002 | The reference map does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove or purge values from the reference map

Response Description

A status_id with which to retrieve the Reference Data Maps deletion or purge status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents
Retrieves the dependents of the Map.
Table 2262. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 2263. GET /reference_data/maps/{name}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map to retrieve dependents for
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2264. GET /reference_data/maps/{name}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Maps dependent retrieval request has been accepted and is in progress
404 | 1002 | The reference Map does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to get the dependents for the reference map

Response Description

A status_id with which to retrieve the Reference Data Maps dependent retrieval status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/{key}
Remove a value from a reference map.

Table 2265. DELETE /reference_data/maps/{name}/{key} resource details
MIME Type
application/json

Table 2266. DELETE /reference_data/maps/{name}/{key} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map to remove a value from
key | path | Required | String | text/plain | Required - The key of the value to remove
value | query | Required | String | text/plain | Required - The value to remove from the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2267. DELETE /reference_data/maps/{name}/{key} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map has had a value removed
404 | 1002 | The reference map does not exist
404 | 1003 | The record does not exist in the reference map
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove the value from the reference map

Response Description

Information about the reference map that had an element removed. This returns information about the map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/set_delete_tasks/{task_id}
Retrieves the delete reference data set task status.

Table 2268. GET /reference_data/set_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2269. GET /reference_data/set_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2270. GET /reference_data/set_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/reference_data/sets/set_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/set_dependent_tasks/{task_id}
Retrieves the dependent reference data set task status.

Table 2271. GET /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2272. GET /reference_data/set_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2273. GET /reference_data/set_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested cancellation of the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/set_dependent_tasks/{task_id}
Cancels the dependent reference data set task.

Cancels the dependent reference data set task.


Table 2274. POST /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2275. POST /reference_data/set_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2276. POST /reference_data/set_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2277. POST /reference_data/set_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/set_dependent_tasks/{task_id}/results
Retrieves the reference data set dependent task results.

Retrieves the reference data set dependent task results.


Table 2278. GET /reference_data/set_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2279. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2280. GET /reference_data/set_dependent_tasks/{task_id}/results response codes


HTTP Response Code Unique Code Description
200 The reference data set dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the reference data sets.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/sets
Retrieve a list of all reference sets.
Table 2281. GET /reference_data/sets resource details
MIME Type
application/json

Table 2282. GET /reference_data/sets request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2283. GET /reference_data/sets response codes


HTTP Response Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/sets
Create a new reference set.
Table 2284. POST /reference_data/sets resource details
MIME Type
application/json

Table 2285. POST /reference_data/sets request parameter details


Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference set being created
element_type query Required String text/plain Required - The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2286. POST /reference_data/sets response codes


HTTP Response Code Unique Code Description
201 A new reference set was successfully created
409 1004 The reference set could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name}
Add or update data in a reference set.
Table 2287. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 2288. POST /reference_data/sets/bulk_load/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of set to add or update data in
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2289. POST /reference_data/sets/bulk_load/{name} request body details


Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON formatted data to add or update in the reference set ["String", "String", "String", "String", "String", "String", "String", "String", "String", "String", "String"]

Table 2290. POST /reference_data/sets/bulk_load/{name} response codes


HTTP Response Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns information about the
reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
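Client-side preparation of a bulk_load request, as an added example that is not part of the guide: values are checked against the set's element_type before they are sent, so one malformed entry does not fail the whole batch with a 422, and the request is assembled with the fields parameter in a header, which is where this endpoint takes it. The per-type rules are an assumption modelled on the element_type descriptions above (the server's own validation remains authoritative), and the SEC authorization header and its token value are placeholders.

```python
import ipaddress
import json
import re
import urllib.parse

# element_type values from the reference set resource
ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT", "DATE")
NUM_RE = re.compile(r"-?\d+(\.\d+)?")


def check_element(element_type, value):
    """Return None if value is acceptable for element_type, else a reason string.
    Assumption: these rules mirror the guide's type descriptions; the QRadar
    server's own validation is authoritative."""
    if element_type not in ELEMENT_TYPES:
        return "unknown element_type %r" % element_type
    if not isinstance(value, str) or value == "":
        return "value must be a non-empty string"
    if element_type in ("ALN", "ALNIC"):
        return None
    if element_type == "NUM":
        return None if NUM_RE.fullmatch(value) else "not numeric"
    if element_type == "IP":
        try:
            ipaddress.ip_address(value)   # accepts IPv4 and IPv6
        except ValueError:
            return "not an IP address"
        return None
    if element_type == "PORT":
        if not value.isdigit() or not 0 <= int(value) <= 65535:
            return "not a port number 0-65535"
        return None
    # DATE: milliseconds since the Unix epoch, as the guide requires
    if not value.isdigit():
        return "DATE must be integer milliseconds since the Unix epoch"
    return None


def partition_values(element_type, values):
    """Split values into (accepted, rejected); rejected is a list of (value, reason).
    Duplicates are dropped client-side; for ALNIC the comparison ignores case,
    keeping the first spelling seen (an assumption about how ALNIC sets match)."""
    accepted, rejected, seen = [], [], set()
    for v in values:
        reason = check_element(element_type, v)
        if reason:
            rejected.append((v, reason))
            continue
        key = v.lower() if element_type == "ALNIC" else v
        if key in seen:
            continue
        seen.add(key)
        accepted.append(v)
    return accepted, rejected


def build_bulk_load_request(name, values, sec_token, fields="name,number_of_elements"):
    """Assemble POST /reference_data/sets/bulk_load/{name}: returns (path, headers, body).
    The set name is URL-encoded into the path, 'fields' travels as a header for this
    endpoint, and the body is a JSON array of strings as in the guide's sample.
    SEC is assumed to carry the authorized service token (placeholder)."""
    path = "/api/reference_data/sets/bulk_load/" + urllib.parse.quote(name, safe="")
    headers = {
        "SEC": sec_token,
        "Accept": "application/json",
        "Content-Type": "application/json",
        "fields": fields,
    }
    return path, headers, json.dumps(values)


if __name__ == "__main__":
    # Constructed sample: an IP watchlist with a duplicate and two bad entries
    candidates = ["10.0.0.5", "192.168.1.300", "10.0.0.5", "fe80::1", "not-an-ip"]
    ok, bad = partition_values("IP", candidates)
    path, headers, body = build_bulk_load_request("Watchlist IPs", ok, "SEC_TOKEN_PLACEHOLDER")
    print(path, headers["fields"], body)
    print("rejected:", bad)
```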

GET /reference_data/sets/{name}
Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 2291. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2292. GET /reference_data/sets/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2293. GET /reference_data/sets/{name} response codes


HTTP Response Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference set

Response Description

The reference set identified by the name specified in the request. The portion of the set's data returned is
dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/{name}
Add or update an element in a reference set.
Table 2294. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2295. POST /reference_data/sets/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to add or update an element in
value query Required String text/plain Required - The value to add or update in the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2296. POST /reference_data/sets/{name} response codes


HTTP Response Code Unique Code Description
200 The reference set has had an element added or updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update an element in the reference set

Response Description

Information about the reference set that had an element added or updated. This returns information
about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name}
Remove a reference set or purge its contents.
Table 2297. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2298. DELETE /reference_data/sets/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the set to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference set should have its contents purged (true), keeping the reference set structure. If the value is "false" or not specified the reference set will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2299. DELETE /reference_data/sets/{name} response codes


HTTP Response Code Unique Code Description
202 The Reference Data Sets deletion or purge request has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference set

Response Description

A status_id with which to retrieve the Reference Data Sets deletion or purge status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/{value}
Remove a value from a reference set.

Remove a value from a reference set.


Table 2300. DELETE /reference_data/sets/{name}/{value} resource details
MIME Type
application/json

Table 2301. DELETE /reference_data/sets/{name}/{value} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to remove a value from
value path Required String text/plain Required - The value to remove from the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2302. DELETE /reference_data/sets/{name}/{value} response codes


HTTP Response Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the value from the reference set.

Response Description

Information about the reference set that had a value removed. This returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}/dependents
Retrieves the dependents of the set.
Table 2303. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 2304. GET /reference_data/sets/{name}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the Reference Set to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2305. GET /reference_data/sets/{name}/dependents response codes


HTTP Response Code Unique Code Description
202 The Reference Data Sets dependent retrieval request has been accepted and is in progress
404 1002 The Reference Set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the Reference Set

Response Description

A status_id with which to retrieve the Reference Data Sets dependent retrieval status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}
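Both DELETE /reference_data/sets/{name} and GET /reference_data/sets/{name}/dependents answer 202 with a task status that is polled at its status_location until the task reaches a terminal state, after which result_url yields the dependents in the form documented for GET /reference_data/set_dependent_tasks/{task_id}/results. The following is an added example (not code from the guide) that drives that poll through an injectable request function and then reviews the dependents, so a set referenced by rules or saved searches is not deleted before those dependencies are understood; the fetch callable, task id 77 and the sample dependents are constructed for the example, and the split of status values into terminal and active is an assumption drawn from the enumerations above.

```python
import time

# Task status values from the guide's task status samples; CONFLICT appears only
# in the dependent-task status object. Terminal/active split is an assumption.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}
ACTIVE_STATES = {"QUEUED", "INITIALIZING", "PROCESSING", "PAUSED", "RESUMING",
                 "CANCEL_REQUESTED", "CANCELING"}
# dependent_type values (from the results sample) whose loss stops a detection firing
DETECTION_TYPES = {"CRE_RULE", "BUILDING_BLOCK", "CRE_ADE_RULE"}


def is_terminal(status):
    """True when the task will not change state any more."""
    if status in TERMINAL_STATES:
        return True
    if status in ACTIVE_STATES:
        return False
    raise ValueError("unknown task status %r" % status)


def poll_task(fetch, status_location, max_polls=20, delay=1.0, sleep=time.sleep):
    """Call fetch(status_location) -> task status dict until a terminal state.
    'fetch' performs the authenticated GET; 'sleep' is injectable so tests run instantly."""
    last = None
    for _ in range(max_polls):
        last = fetch(status_location)
        if is_terminal(last["status"]):
            return last
        sleep(delay)
    raise TimeoutError("task at %s still %s after %d polls"
                       % (status_location, last and last["status"], max_polls))


def review_dependents(dependents):
    """Summarise the list returned by GET .../set_dependent_tasks/{task_id}/results.
    Anything blocking, any detection content, or any dependent the caller cannot
    edit makes the set unsafe to delete without further review."""
    summary = {"total": len(dependents), "blocking": [], "detection": [],
               "no_edit_permission": []}
    for d in dependents:
        label = "%s:%s" % (d["dependent_type"], d["dependent_name"])
        if d.get("blocking"):
            summary["blocking"].append(label)
        if d["dependent_type"] in DETECTION_TYPES:
            summary["detection"].append(label)
        if not d.get("user_has_edit_permissions", False):
            summary["no_edit_permission"].append(label)
    summary["safe_to_delete"] = not (summary["blocking"] or summary["detection"]
                                     or summary["no_edit_permission"])
    return summary


def dependents_of_set(fetch, accepted, sleep=time.sleep):
    """Drive the 202 body from GET /reference_data/sets/{name}/dependents to a
    finished task and return review_dependents() of its result_url payload."""
    final = poll_task(fetch, accepted["status_location"], sleep=sleep)
    if final["status"] != "COMPLETED":
        raise RuntimeError("dependency scan ended in %s: %s"
                           % (final["status"], final.get("message")))
    return review_dependents(fetch(final["result_url"]))


def make_fake_fetch():
    """Constructed stand-in for a QRadar console: one task that moves
    QUEUED -> PROCESSING -> COMPLETED and a two-item dependents result."""
    status_path = "/api/system/task_management/task/77"               # constructed id
    results_path = "/api/reference_data/set_dependent_tasks/77/results"
    states = iter(["QUEUED", "PROCESSING", "COMPLETED"])
    results = [  # constructed sample dependents
        {"dependent_id": "100001", "dependent_name": "Login from watchlisted IP",
         "dependent_type": "CRE_RULE", "dependent_owner": "admin",
         "dependent_database": "EVENTS", "dependent_group_ids": [4],
         "blocking": False, "user_has_edit_permissions": True},
        {"dependent_id": "2003", "dependent_name": "SOC daily exposure report",
         "dependent_type": "REPORT", "dependent_owner": "analyst2",
         "dependent_database": "EVENTS", "dependent_group_ids": [],
         "blocking": False, "user_has_edit_permissions": False},
    ]

    def fetch(path):
        if path == status_path:
            return {"id": 77, "status": next(states), "message": "", "result_url": results_path}
        if path == results_path:
            return results
        raise KeyError(path)

    accepted = {"message": "accepted", "status_location": status_path,
                "current_status": {"id": 77, "status": "QUEUED"}}
    return fetch, accepted


if __name__ == "__main__":
    fetch, accepted = make_fake_fetch()
    print(dependents_of_set(fetch, accepted, sleep=lambda s: None))
```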

GET /reference_data/tables
Retrieve a list of all reference tables.
Table 2306. GET /reference_data/tables resource details
MIME Type
application/json

Table 2307. GET /reference_data/tables request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2308. GET /reference_data/tables response codes


HTTP Response Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference tables

Response Description

A list of all of the reference tables. This returns information about the tables but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables
Create a new reference table.
Table 2309. POST /reference_data/tables resource details
MIME Type
application/json

Table 2310. POST /reference_data/tables request parameter details


Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference table to create
element_type query Required String text/plain Required - The default element type for the values allowed in the reference table. This is used when values are added or updated in the reference table whose inner key was not defined in the key_name_types parameter. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
outer_key_label query Optional String text/plain Optional - The label to describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON formatted string. This array creates the inner key names and corresponding value types for the table
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2311. POST /reference_data/tables response codes


HTTP Response Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/bulk_load/{name}
Adds or updates data in a reference table.

Adds or updates data in a reference table.


Table 2312. POST /reference_data/tables/bulk_load/{name} resource details
MIME Type
application/json

Table 2313. POST /reference_data/tables/bulk_load/{name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of table to add or update data in.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2314. POST /reference_data/tables/bulk_load/{name} request body details


Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON-formatted data to add or update in the reference table. {"key1":{"col1":"Data11","col2":"Data12","col3":"Data13","col4":"Data14"},"key2":{"col1":"Data21","col2":"Data22","col3":"Data23","col4":"Data24"},"key3":{"col1":"Data31","col2":"Data32","col3":"Data33","col4":"Data34"},"key4":{"col1":"Data41","col2":"Data42","col3":"Data43","col4":"Data44"},"key5":{"col1":"Data51","col2":"Data52","col3":"Data53","col4":"Data54"},"key6":{"col1":"Data61","col2":"Data62","col3":"Data63","col4":"Data64"}}

Table 2315. POST /reference_data/tables/bulk_load/{name} response codes


HTTP Response Code Unique Code Description
200 Data was successfully added or updated in the reference table.
400 1001 An error occurred parsing the JSON-formatted message body.
404 1002 The reference table does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or update data in the reference table.

Response Description

Information about the reference table where data was added or updated. This returns information about
the reference table but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name}
Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 2316. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2317. GET /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2318. GET /reference_data/tables/{name} response codes


HTTP Response Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference table

Response Description

The reference table identified by the name specified in the request. The portion of the reference table's data that is returned depends on the offset and limit given by the Range header in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name}
Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of the appropriate type: either the type that corresponds to the predefined inner key (innerKey) of the reference table, or, if the inner key has no predefined type, the default element type (elementType) of the reference table.
Table 2319. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2320. POST /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to add or update an element in
outer_key query Required String text/plain Required - The outer key for the element to add or update
inner_key query Required String text/plain Required - The inner key for the element to add or update
value query Required String text/plain Required - The value to add or update in the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch, January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2321. POST /reference_data/tables/{name} response codes


HTTP Response Code Unique Code Description
200 The reference table has had an element added or updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This returns information
about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name}
Removes a reference table or purges its contents.
Table 2322. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2323. DELETE /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference table should have its contents purged (true), keeping the reference table structure. If the value is "false" or not specified, the reference table will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2324. DELETE /reference_data/tables/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables deletion or purge request has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference table

Response Description

A status_id with which to retrieve the deletion or purge status from /api/system/task_management/task/{status_id}. The same URL is returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables/{name}/dependents
Retrieves the dependents of the table.
Table 2325. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 2326. GET /reference_data/tables/{name}/dependents request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2327. GET /reference_data/tables/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables dependent retrieval request has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference table

1050 QRadar API Reference Guide


Response Description

A status_id with which to retrieve the dependent retrieval status from /api/system/task_management/task/{status_id}. The same URL is returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/{outer_key}/{inner_key}
Removes a value from a reference table.

Remove a value from a reference table.


Table 2328. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} resource details
MIME Type
application/json

Table 2329. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to remove a value from
outer_key path Required String text/plain Required - The outer key of the value to remove
inner_key path Required String text/plain Required - The inner key of the value to remove
value query Required String text/plain Required - The value to remove from the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch, January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2330. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} response codes

HTTP Response Code Unique Code Description
200 The reference table has had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the reference table value

Response Description

Information about the reference table that had an element removed. This returns information about the table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

Scanner endpoints
Use the references for REST API V8.0 scanner endpoints.

GET /scanner/profiles
Retrieves all of the currently created scan profiles.

No parameters are required. The following information is returned for each scan profile:
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 2331. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 2332. GET /scanner/profiles response codes
HTTP Response Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create
Initiates a request to create a new Scan Profile.

The request takes one parameter, createScanRequest, which is a plain data object (a POJO on the server side). To create the scan profile, build a JSON object that contains the scan profile name and the IP addresses to scan. For example:
{"name":"New Scan Profile", "ips":["10.100.85.135"]}

Table 2333. POST /scanner/profiles/create resource details
MIME Type
text/plain

Table 2334. POST /scanner/profiles/create request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2335. POST /scanner/profiles/create response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start
Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId. To get a list of scan profile IDs, retrieve the current scan profiles with GET /scanner/profiles. The scanProfileId is validated and an appropriate message is returned.
Table 2336. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 2337. POST /scanner/profiles/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the scan profile we want to start

Table 2338. POST /scanner/profiles/start response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

GET /scanner/scanprofiles
Retrieves all of the currently created scan profiles.

No parameters are required. The following information is returned for each scan profile:
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2339. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 2340. GET /scanner/scanprofiles request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2341. GET /scanner/scanprofiles response codes


HTTP Response Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles
Initiates a request to create a new scanProfile.

The request takes one parameter, createScanRequest, which is a plain data object (a POJO on the server side). To create the scan profile, build a JSON object that contains the scan profile name and the hosts to scan. For example:
{"name":"New Scan Profile", "hosts":["10.100.85.135"]}
Table 2342. POST /scanner/scanprofiles resource details
MIME Type
text/plain

Table 2343. POST /scanner/scanprofiles request body details
Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String", "hosts": [ "String" ], "name": "String" }

Table 2344. POST /scanner/scanprofiles response codes

HTTP Response Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid}
Retrieves a scan profile for a given Scan Profile ID.

No parameters other than the Scan Profile ID are required. The following information is returned for the scan profile:
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2345. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2346. GET /scanner/scanprofiles/{profileid} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile we need to retrieve information for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2347. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description

The scan profile that matches the given Scan Profile ID, returned in a list

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid}
Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:
v name
v description
v IP addresses

For example:
{"name":"Updated Scan Profile", "ips":["10.100.85.135"]}

Table 2348. POST /scanner/scanprofiles/{profileid} resource details


MIME Type
application/json

Table 2349. POST /scanner/scanprofiles/{profileid} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile to update

Table 2350. POST /scanner/scanprofiles/{profileid} request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2351. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid}
Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.

Table 2352. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 2353. DELETE /scanner/scanprofiles/{profileid} request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile to delete

Table 2354. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start
Initiates a request to start an already created scanProfile.

The request takes one path parameter, profileid, and one optional body parameter, ips. To get a list of scan profile IDs, retrieve the current scan profiles with GET /scanner/scanprofiles. The scanProfileId is validated and an appropriate message is returned.
Table 2355. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

Table 2356. POST /scanner/scanprofiles/{profileid}/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
profileid path Required String text/plain The unique id of the scan profile we want to start

Table 2357. POST /scanner/scanprofiles/{profileid}/start request body details


Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 2358. POST /scanner/scanprofiles/{profileid}/start response codes


HTTP Response Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String
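Creating or starting a scan profile is an active operation against the hosts listed in the body, and the only check the API documents is a 403 when the user lacks permission. The following Python is an added example for the scanner endpoints above, not IBM code: it keeps an operator-maintained allowlist of networks the scanner may touch (APPROVED_SCOPE, constructed here), refuses any create or start request whose targets fall outside it, and builds the POST /scanner/scanprofiles and POST /scanner/scanprofiles/{profileid}/start requests. The create body follows Table 2343; the guide does not state the shape of the optional ips body for start, so treating it as a JSON array of addresses is an assumption of this example.

```python
"""Scope checks before creating or starting a QRadar scan profile (added example, not IBM code)."""
import ipaddress
import json

# Networks this deployment is authorised to scan (constructed for the example).
APPROVED_SCOPE = [ipaddress.ip_network(n) for n in ("10.100.85.0/24", "192.0.2.0/24")]


def in_scope(host, scope=APPROVED_SCOPE):
    """True only if host (an address or CIDR) lies entirely inside an approved network.
    Hostnames are rejected outright: they cannot be checked without resolving them."""
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False
    return any(net.version == approved.version and net.subnet_of(approved) for approved in scope)


def partition_hosts(hosts, scope=APPROVED_SCOPE):
    """Split hosts into (allowed, rejected), preserving order."""
    allowed = [h for h in hosts if in_scope(h, scope)]
    rejected = [h for h in hosts if not in_scope(h, scope)]
    return allowed, rejected


def _headers(token):
    # SEC carries the authorized-service token; Version pins the API version of this chapter.
    return {"SEC": token, "Version": "8.0", "Content-Type": "application/json", "Accept": "text/plain"}


def create_profile_request(base_url, token, name, hosts, description="", scope=APPROVED_SCOPE):
    """Build POST /scanner/scanprofiles. The whole request is refused if any host is out of
    scope, rather than silently trimming the list the operator asked for."""
    allowed, rejected = partition_hosts(hosts, scope)
    if rejected:
        raise ValueError(f"hosts outside approved scope: {rejected}")
    body = {"name": name, "description": description, "hosts": allowed}   # Table 2343 shape
    return {"method": "POST", "url": f"{base_url}/api/scanner/scanprofiles",
            "headers": _headers(token), "data": json.dumps(body)}


def start_profile_request(base_url, token, profile_id, ips=None, scope=APPROVED_SCOPE):
    """Build POST /scanner/scanprofiles/{profileid}/start. The optional ips body could widen
    the target list at start time, so it is checked against the same scope."""
    if ips:
        _, rejected = partition_hosts(ips, scope)
        if rejected:
            raise ValueError(f"start-time targets outside approved scope: {rejected}")
    return {"method": "POST",
            "url": f"{base_url}/api/scanner/scanprofiles/{int(profile_id)}/start",
            "headers": _headers(token),
            "data": json.dumps(list(ips)) if ips else None}   # assumed body shape (JSON array)


if __name__ == "__main__":
    print(create_profile_request("https://qradar.example", "<token>", "New Scan Profile",
                                 ["10.100.85.135"], description="added-example profile"))
    print(start_profile_request("https://qradar.example", "<token>", 42, ips=["10.100.85.0/25"]))
```

The scope check is deliberately all-or-nothing: a request that mixes in-scope and out-of-scope targets is a configuration error worth surfacing, not something to repair silently.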

Services endpoints
Use the references for REST API V8.0 services endpoints.

POST /services/dig_lookups
Creates a new DIG lookup.

Creates a new DIG lookup. Lookup completes in the background.


Table 2359. POST /services/dig_lookups resource details
MIME Type
application/json

Table 2360. POST /services/dig_lookups request parameter details

Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Required - The IP address to run the DIG lookup against.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2361. POST /services/dig_lookups response codes

HTTP Response Code Unique Code Description
201 The DIG lookup was created successfully.
500 1020 An internal server error occurred during the creation of the DIG lookup.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL "/services/dig_lookups/
{dig_lookup_id}". A DIG Lookup object contains the following fields:
v id - Long - The ID of the DIG lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DIG lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/dig_lookups/{dig_lookup_id}
Retrieves the DIG lookup status.

Retrieves the DIG Lookup status and result. The result is included if the lookup completed.
Table 2362. GET /services/dig_lookups/{dig_lookup_id} resource details
MIME Type
application/json

Table 2363. GET /services/dig_lookups/{dig_lookup_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
dig_lookup_id path Required Number (Integer) text/plain Required - The ID of the DIG lookup to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2364. GET /services/dig_lookups/{dig_lookup_id} response codes

HTTP Response Code Unique Code Description
200 The DIG lookup status was retrieved.
404 1002 The DIG lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the DIG lookup status.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL "/services/dig_lookups/{dig_lookup_id}". A DIG Lookup object contains the following fields:
v id - Long - The ID of the DIG lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DIG lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/dns_lookups
Creates a new DNS lookup.

Creates a new DNS lookup. Lookup completes in the background.


Table 2365. POST /services/dns_lookups resource details
MIME Type
application/json

Table 2366. POST /services/dns_lookups request parameter details

Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Required - The IP address to run the DNS lookup against.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2367. POST /services/dns_lookups response codes

HTTP Response Code Unique Code Description
201 The DNS lookup was successfully created.
500 1020 An internal server error occurred during the creation of the DNS lookup.

Response Description

A DNS Lookup object and the location header set to the task status URL "/services/dns_lookups/
{dns_lookup_id}". A DNS status object contains the following fields:
v id - Long - The ID of the DNS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DNS lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/dns_lookups/{dns_lookup_id}
Retrieves the DNS lookup status.

Retrieves the DNS lookup status. The result is included if the lookup has completed.
Table 2368. GET /services/dns_lookups/{dns_lookup_id} resource details
MIME Type
application/json

Table 2369. GET /services/dns_lookups/{dns_lookup_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
dns_lookup_id path Required Number (Integer) text/plain Required - The ID of the DNS lookup to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2370. GET /services/dns_lookups/{dns_lookup_id} response codes

HTTP Response Code Unique Code Description
200 The DNS lookup status was retrieved.
404 1002 The DNS lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the DNS lookup status.

Response Description

A DNS Lookup object, and the location header set to the task status URL "/services/dns_lookups/
{dns_lookup_id}". A DNS status object contains the following fields:
v id - Long - The ID of the DNS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DNS lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/port_scans
Creates a new port scan. The scan completes in the background.

Creates a new port scan lookup. This endpoint is not available on SaaS systems, where it returns a 404 error.
Table 2371. POST /services/port_scans resource details
MIME Type
application/json

Table 2372. POST /services/port_scans request parameter details

Parameter Type Optionality Data Type MIME Type Description
IP query Required String text/plain Required - The IP address to port scan.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2373. POST /services/port_scans response codes
HTTP Response Code Unique Code Description
201 The port scan lookup was created successfully.
500 1020 An internal server error occurred during the creation of the port scan lookup.

Response Description

A port scan object and the location header set to the task status URL "/services/port_scans/
{port_scan_id}". A port scan status object contains the following fields:
v id - Long - The ID of the port scan.
v ip - String - The IP address to be investigated.
v message - String - The result of the port scan when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/port_scans/{port_scan_id}
Retrieves the port scan status.

Retrieves the port scan status. The result is included if the port scan has completed.


Table 2374. GET /services/port_scans/{port_scan_id} resource details
MIME Type
application/json

Table 2375. GET /services/port_scans/{port_scan_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
port_scan_id | path | Required | Number (Integer) | text/plain | Required - The ID of the port scan to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2376. GET /services/port_scans/{port_scan_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The port scan status was retrieved.
404 | 1002 | The port scan status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the port scan status.

Response Description

A port scan object and the location header set to the task status URL "/services/port_scans/{port_scan_id}". A port scan status object contains the following fields:
v id - Long - The ID of the port scan.
v ip - String - The IP address to be investigated.
v message - String - The result of the port scan when complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/whois_lookups
Creates a new WHOIS lookup. The lookup completes in the background.


Table 2377. POST /services/whois_lookups resource details
MIME Type
application/json

Table 2378. POST /services/whois_lookups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
IP | query | Required | String | text/plain | Required - The IP address to be investigated.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2379. POST /services/whois_lookups response codes

HTTP Response Code | Unique Code | Description
201 | | The WHOIS lookup was created successfully.
500 | 1020 | An internal server error occurred during the creation of the WHOIS lookup.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL "/services/
whois_lookups/{whois_lookup_id}". A WHOIS status object contains the following fields:
v id - Long - The ID of the WHOIS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the WHOIS lookup when complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/whois_lookups/{whois_lookup_id}
Retrieves the WHOIS lookup status. The result is included once the lookup completes.
Table 2380. GET /services/whois_lookups/{whois_lookup_id} resource details
MIME Type
application/json

Table 2381. GET /services/whois_lookups/{whois_lookup_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
whois_lookup_id | path | Required | Number (Integer) | text/plain | Required - The ID of the WHOIS lookup to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2382. GET /services/whois_lookups/{whois_lookup_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The WHOIS lookup status was retrieved.
404 | 1002 | The WHOIS lookup status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the WHOIS lookup status.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL "/services/
whois_lookups/{whois_lookup_id}". A WHOIS status object contains the following fields:
v id - Long - The ID of the WHOIS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the WHOIS lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
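
Both /services/port_scans and /services/whois_lookups follow the same pattern: the POST answers 201 with a status object and a Location header pointing at the task, and the caller polls GET on that URL until the task reaches a final state. The following Python is an added example of that flow, not code from the IBM guide or from QRadar itself. It reaches the API through a small transport callable so it runs offline against the fake at the bottom; a real transport would add the SEC token and Version headers and prefix the path with /api. Which states are terminal (CANCELLED, COMPLETED, CONFLICT, EXCEPTION, INTERRUPTED) and the poll interval and timeout are assumptions made here, not statements from the page.

```python
"""Start a QRadar background lookup (port scan or WHOIS) and poll it to completion.

Added example, not code from the IBM guide or the QRadar product. The API is
reached through a 'transport' callable (method, path, query) -> Response so the
flow runs offline against the fake at the bottom; a real transport would add the
SEC token and Version headers and prefix the path with /api. Assumed, because the
page does not say so: CANCELLED, COMPLETED, CONFLICT, EXCEPTION and INTERRUPTED
are terminal states, and the poll interval and timeout are the caller's choice.
"""
import time
from dataclasses import dataclass, field

TERMINAL_STATES = {"CANCELLED", "COMPLETED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class LookupFailed(Exception):
    pass


def start_lookup(transport, kind, ip):
    """POST /services/<kind>?IP=<ip> where kind is 'port_scans' or 'whois_lookups'.
    Returns the task-status path taken from the Location header of the 201 response."""
    resp = transport("POST", f"/services/{kind}", {"IP": ip})
    if resp.status == 404 and kind == "port_scans":
        # The guide: port scans are not available on SaaS systems and return 404.
        raise LookupFailed("port scans are not available on this deployment (404)")
    if resp.status != 201:
        raise LookupFailed(f"POST /services/{kind} returned {resp.status}: {resp.body}")
    return resp.headers.get("Location") or f"/services/{kind}/{resp.body['id']}"


def wait_for_lookup(transport, location, timeout=60.0, interval=2.0, sleep=time.sleep):
    """GET the task-status path until the status is terminal; return the task object."""
    deadline = time.monotonic() + timeout
    while True:
        resp = transport("GET", location, {})
        if resp.status != 200:
            raise LookupFailed(f"GET {location} returned {resp.status}: {resp.body}")
        task = resp.body
        if task["status"] in TERMINAL_STATES:
            return task
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{location} still {task['status']} after {timeout}s")
        sleep(interval)


def run_lookup(transport, kind, ip, **poll_args):
    """Start a lookup and return its result message, or raise if it did not COMPLETE."""
    task = wait_for_lookup(transport, start_lookup(transport, kind, ip), **poll_args)
    if task["status"] != "COMPLETED":
        raise LookupFailed(f"{kind} for {ip} ended {task['status']}: {task.get('message')}")
    return task["message"]


class FakeServices:
    """Constructed in-memory stand-in for /services/port_scans and /services/whois_lookups.
    Every GET advances a task one step: QUEUED -> PROCESSING -> COMPLETED."""
    STEPS = ["QUEUED", "PROCESSING", "COMPLETED"]

    def __init__(self, saas=False):
        self.saas = saas
        self.tasks = {}

    @staticmethod
    def _public(task):
        return {k: v for k, v in task.items() if not k.startswith("_")}

    def __call__(self, method, path, query):
        parts = path.strip("/").split("/")
        if method == "POST" and len(parts) == 2:
            kind = parts[1]
            if kind == "port_scans" and self.saas:
                return Response(404, {"http_response": {"code": 404}})
            tid = len(self.tasks) + 1
            self.tasks[tid] = {"id": tid, "ip": query["IP"], "message": None,
                               "status": "QUEUED", "_kind": kind, "_step": 0}
            return Response(201, self._public(self.tasks[tid]),
                            {"Location": f"/services/{kind}/{tid}"})
        if method == "GET" and len(parts) == 3 and int(parts[2]) in self.tasks:
            task = self.tasks[int(parts[2])]
            task["_step"] = min(task["_step"] + 1, len(self.STEPS) - 1)
            task["status"] = self.STEPS[task["_step"]]
            if task["status"] == "COMPLETED":
                task["message"] = f"{task['_kind']} result for {task['ip']}"
            return Response(200, self._public(task))
        return Response(404, {"http_response": {"code": 404}, "code": 1002})


if __name__ == "__main__":
    api = FakeServices()
    print(run_lookup(api, "whois_lookups", "203.0.113.7", interval=0, sleep=lambda s: None))
```

The injected `sleep` and the `interval`/`timeout` arguments exist so the loop can be tested without waiting; against a real console leave the defaults and treat a TimeoutError as "still running", not as a failed lookup.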

SIEM endpoints
Use the references for REST API V8.0 SIEM endpoints.

GET /siem/local_destination_addresses
Retrieve a list of offense local destination addresses currently in the system.
Table 2383. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Table 2384. GET /siem/local_destination_addresses request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2385. GET /siem/local_destination_addresses response codes

HTTP Response Code | Unique Code | Description
200 | | The local destination address list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the local destination address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object contains the following
fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
v source_address_ids - Array of Numbers - List of source address IDs associated with the destination
address.
v event_flow_count - Number - The number of events and flows that are associated with the destination
address.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or
flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow
was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

GET /siem/local_destination_addresses/{local_destination_address_id}
Retrieve an offense local destination address.
Table 2386. GET /siem/local_destination_addresses/{local_destination_address_id} resource details
MIME Type
application/json

Table 2387. GET /siem/local_destination_addresses/{local_destination_address_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
local_destination_address_id | path | Required | Number (Integer) | text/plain | Required - The ID of the local destination address to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2388. GET /siem/local_destination_addresses/{local_destination_address_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The local destination was retrieved.
404 | 1002 | No local destination address was found for the provided local_destination_address_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the local destination address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
v source_address_ids - Array of Numbers - List of source address IDs associated with the destination
address.
v event_flow_count - Number - The number of events and flows that are associated with the destination
address.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or
flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow
was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
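
The list endpoint above is the one an analyst pages through to find which local hosts keep showing up as offense destinations. The Python below is an added example of doing that with the Range header and a filter, not code from the IBM guide. Paging follows the guide's paging chapter (`Range: items=<first>-<last>`, zero-indexed and inclusive, with the total echoed back in Content-Range); the filter expression `magnitude>=N`, the field list and the page size are choices made here, and the sample addresses are constructed to match the response description, not real QRadar output.

```python
"""Page through GET /siem/local_destination_addresses and map each local IP to its offenses.

Added example, not code from the IBM guide. Paging uses the Range header as the
guide's paging chapter describes it, `Range: items=<first>-<last>` (zero-indexed,
inclusive) with the total echoed back in Content-Range; the filter expression
`magnitude>=N`, the field list and the page size are choices made here. The
transport is a callable (method, path, query, headers) -> Response so the code
runs offline against the constructed fake below.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: object = None
    headers: dict = field(default_factory=dict)


def iter_pages(transport, path, query, page_size=50):
    """Yield successive pages of a list endpoint, sliding the Range window forward.
    Stops on an empty or short page, or when Content-Range shows the end was reached."""
    first = 0
    while True:
        headers = {"Range": f"items={first}-{first + page_size - 1}"}
        resp = transport("GET", path, query, headers)
        if resp.status != 200:
            raise RuntimeError(f"GET {path} returned {resp.status}: {resp.body}")
        page = resp.body
        if not page:
            return
        yield page
        total = re.match(r"items \d+-(\d+)/(\d+)", resp.headers.get("Content-Range", ""))
        if len(page) < page_size or (total and int(total.group(1)) + 1 >= int(total.group(2))):
            return
        first += page_size


def offenses_by_destination(transport, min_magnitude=5, page_size=50):
    """Return {local_destination_ip: sorted offense_ids} for local destinations at or
    above min_magnitude, asking only for the fields the mapping needs."""
    query = {"filter": f"magnitude>={min_magnitude}",
             "fields": "id,local_destination_ip,magnitude,offense_ids"}
    found = {}
    for page in iter_pages(transport, "/siem/local_destination_addresses", query, page_size):
        for addr in page:
            found.setdefault(addr["local_destination_ip"], set()).update(addr["offense_ids"])
    return {ip: sorted(ids) for ip, ids in found.items()}


# Constructed sample rows in the shape of the response description above; not real QRadar output.
SAMPLE_ADDRESSES = [
    {"id": 1, "local_destination_ip": "10.0.0.5", "magnitude": 7, "network": "Net-10-172-192.Net_10_0_0_0",
     "offense_ids": [101, 102], "source_address_ids": [11], "event_flow_count": 40, "domain_id": 0},
    {"id": 2, "local_destination_ip": "10.0.0.9", "magnitude": 3, "network": "Net-10-172-192.Net_10_0_0_0",
     "offense_ids": [103], "source_address_ids": [12], "event_flow_count": 3, "domain_id": 0},
    {"id": 3, "local_destination_ip": "10.0.0.5", "magnitude": 9, "network": "Net-10-172-192.Net_10_0_0_0",
     "offense_ids": [104], "source_address_ids": [13], "event_flow_count": 900, "domain_id": 1},
    {"id": 4, "local_destination_ip": "10.0.1.2", "magnitude": 5, "network": "Net-10-172-192.Net_10_0_0_0",
     "offense_ids": [102, 105], "source_address_ids": [11, 14], "event_flow_count": 75, "domain_id": 0},
    {"id": 5, "local_destination_ip": "10.0.1.3", "magnitude": 6, "network": "Net-10-172-192.Net_10_0_0_0",
     "offense_ids": [], "source_address_ids": [], "event_flow_count": 12, "domain_id": 0},
]


class FakeSiem:
    """Constructed stand-in for the list endpoint: understands the single filter form used
    above, honours Range and fields, and sets Content-Range the way the guide describes."""

    def __init__(self, addresses):
        self.addresses = addresses

    def __call__(self, method, path, query, headers):
        flt = re.fullmatch(r"magnitude>=(\d+)", query.get("filter", "magnitude>=0"))
        if flt is None:
            return Response(422, {"http_response": {"code": 422}, "code": 1010})
        rows = [r for r in self.addresses if r["magnitude"] >= int(flt.group(1))]
        rng = re.fullmatch(r"items=(\d+)-(\d+)", headers.get("Range", f"items=0-{len(rows)}"))
        first, last = int(rng.group(1)), int(rng.group(2))
        page = rows[first:last + 1]
        if query.get("fields"):
            keep = set(query["fields"].split(","))
            page = [{k: v for k, v in row.items() if k in keep} for row in page]
        content_range = f"items {first}-{first + len(page) - 1}/{len(rows)}"
        return Response(200, page, {"Content-Range": content_range})


if __name__ == "__main__":
    print(offenses_by_destination(FakeSiem(SAMPLE_ADDRESSES), min_magnitude=5, page_size=2))
```

Keying the result by IP rather than by record id matters because the same local address can appear as more than one record (for example in different domains); merging the offense_ids sets gives one view per host. A 422 with unique code 1010 on a real console means the filter expression itself was rejected, so check the expression before suspecting the data.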

GET /siem/offense_closing_reasons
Retrieve a list of all offense closing reasons.
Table 2389. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2390. GET /siem/offense_closing_reasons request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
include_reserved | query | Optional | Boolean | text/plain | Optional - If true, reserved closing reasons are included in the response. Defaults to false. Reserved closing reasons cannot be used to close an offense.
include_deleted | query | Optional | Boolean | text/plain | Optional - If true, deleted closing reasons are included in the response. Defaults to false. Deleted closing reasons cannot be used to close an offense.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2391. GET /siem/offense_closing_reasons response codes

HTTP Response Code | Unique Code | Description
200 | | The closing reasons list was retrieved.
500 | 1020 | An error occurred while the closing reasons list was being retrieved.

Response Description

An array of ClosingReason objects. A closing reason object contains the following fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons
Create an offense closing reason.
Table 2392. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2393. POST /siem/offense_closing_reasons request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
reason | query | Required | String | text/plain | Required - The text of the offense closing reason. It must be 5 - 60 characters in length.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2394. POST /siem/offense_closing_reasons response codes

HTTP Response Code | Unique Code | Description
201 | | The closing reason was created.
409 | 1004 | The closing reason already exists.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to create the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:


v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_closing_reasons/{closing_reason_id}
Retrieve an offense closing reason.
Table 2395. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 2396. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
closing_reason_id | path | Required | Number (Integer) | text/plain | Required - The closing reason ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2397. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The closing reason was retrieved.
404 | 1002 | No closing reason was found for the provided closing_reason_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:


v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
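
The three closing-reason endpoints above combine into one common automation task: make sure a given reason text exists and can actually be used to close an offense. The Python below is an added example of that, not code from the IBM guide. It relies on three facts from the tables above (the text must be 5 - 60 characters, POST answers 409 with unique code 1004 when the text already exists, and reasons flagged is_reserved or is_deleted cannot close an offense). The filter form text="..." follows the guide's filter-syntax chapter; how embedded quotes are escaped is an assumption, and the seed reasons in the fake are made up.

```python
"""Get-or-create an offense closing reason that can actually be used to close an offense.

Added example, not code from the IBM guide. It uses three facts from the tables above:
the reason text must be 5 - 60 characters (422/1005 otherwise), POST returns 409/1004
when the text already exists, and reasons with is_reserved or is_deleted set cannot be
used to close an offense. The filter form text="..." follows the guide's filter-syntax
chapter; the escaping of embedded quotes is an assumption. The transport is a callable
(method, path, query) -> Response so the flow runs offline against the fake below.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: object = None
    headers: dict = field(default_factory=dict)


class ClosingReasonError(Exception):
    pass


def _filter_literal(text):
    # Double-quoted filter string; embedded quotes backslash-escaped (assumed convention).
    return '"' + text.replace('"', '\\"') + '"'


def find_closing_reason(transport, text, include_unusable=False):
    """GET /siem/offense_closing_reasons filtered on the exact text; None if absent.
    include_unusable also asks for reserved and deleted reasons, which are hidden by default."""
    query = {"filter": f"text={_filter_literal(text)}"}
    if include_unusable:
        query.update(include_reserved="true", include_deleted="true")
    resp = transport("GET", "/siem/offense_closing_reasons", query)
    if resp.status != 200:
        raise ClosingReasonError(f"lookup failed: {resp.status} {resp.body}")
    return next((r for r in resp.body if r["text"] == text), None)


def ensure_closing_reason(transport, text):
    """Return a ClosingReason object for text, creating it when it does not exist.
    Raises if the text exists only as a reserved or deleted reason."""
    if not 5 <= len(text) <= 60:
        raise ValueError("closing reason text must be 5 - 60 characters")
    resp = transport("POST", "/siem/offense_closing_reasons", {"reason": text})
    if resp.status == 201:
        return resp.body
    if resp.status != 409:
        raise ClosingReasonError(f"create failed: {resp.status} {resp.body}")
    # 409/1004: the text exists. Look it up including reserved/deleted rows, because a
    # plain GET hides both and would otherwise make the conflict look inexplicable.
    reason = find_closing_reason(transport, text, include_unusable=True)
    if reason is None:
        raise ClosingReasonError(f"409 for {text!r} but no matching reason is visible")
    if reason["is_reserved"] or reason["is_deleted"]:
        raise ClosingReasonError(f"{text!r} exists but is reserved or deleted; it cannot close an offense")
    return reason


class FakeClosingReasons:
    """Constructed stand-in for /siem/offense_closing_reasons; the seed rows are made up."""

    def __init__(self):
        self.reasons = [
            {"id": 1, "text": "False-Positive, Tuned", "is_deleted": False, "is_reserved": False},
            {"id": 2, "text": "Non-Issue", "is_deleted": False, "is_reserved": False},
            {"id": 3, "text": "Policy Violation", "is_deleted": False, "is_reserved": False},
            {"id": 4, "text": "Closed by system", "is_deleted": False, "is_reserved": True},
            {"id": 5, "text": "Old playbook step", "is_deleted": True, "is_reserved": False},
        ]

    def __call__(self, method, path, query):
        if method == "POST":
            text = query["reason"]
            if not 5 <= len(text) <= 60:
                return Response(422, {"code": 1005})
            if any(r["text"] == text for r in self.reasons):
                return Response(409, {"code": 1004, "message": "The closing reason already exists."})
            new = {"id": max(r["id"] for r in self.reasons) + 1, "text": text,
                   "is_deleted": False, "is_reserved": False}
            self.reasons.append(new)
            return Response(201, dict(new))
        rows = [r for r in self.reasons
                if (query.get("include_reserved") == "true" or not r["is_reserved"])
                and (query.get("include_deleted") == "true" or not r["is_deleted"])]
        flt = query.get("filter")
        if flt:
            if not (flt.startswith('text="') and flt.endswith('"')):
                return Response(422, {"code": 1010})
            wanted = flt[len('text="'):-1].replace('\\"', '"')
            rows = [r for r in rows if r["text"] == wanted]
        return Response(200, [dict(r) for r in rows])


if __name__ == "__main__":
    api = FakeClosingReasons()
    print(ensure_closing_reason(api, "Approved change CHG-0042"))
```

The second lookup deliberately passes include_reserved and include_deleted: without them a 409 for a reserved or deleted text would be followed by an empty GET, and the caller would have no way to tell the operator why the reason cannot be created or used.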

GET /siem/offense_saved_search_delete_tasks/{task_id}
Retrieves the status of an offense saved search delete task.

Table 2398. GET /siem/offense_saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2399. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the delete task to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2400. GET /siem/offense_saved_search_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}
Retrieves the status of an offense saved search dependent task.


Table 2401. GET /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2402. GET /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2403. GET /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /siem/offense_saved_search_dependent_tasks/{task_id}
Cancels the dependent offense saved search task.


Table 2404. POST /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2405. POST /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task to cancel.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2406. POST /siem/offense_saved_search_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | Required - A task status object. To cancel the task, set status to CANCEL_REQUESTED. | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2407. POST /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}/results
Retrieves the offense saved search dependent task results.


Table 2408. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2409. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task whose results are retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2410. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved searches.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
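
The three dependent-task endpoints above are normally used together: a task is polled, cancelled if it is no longer wanted, and once it completes its results tell you which objects still reference the saved search. The Python below is an added example of the cancel and results steps, not code from the IBM guide. Cancellation is the POST described above with the body {"status": "CANCEL_REQUESTED"}, and the documented 409 (unique code 1004) for an already completed task is treated as "nothing to cancel". Triage uses only fields the response description lists (user_has_edit_permissions, dependent_type, dependent_id, dependent_name, dependent_owner); the terminal-state set and the idea that a dependent the task's creator cannot edit needs its owner's attention are assumptions, and the task and result rows in the fake are constructed.

```python
"""Cancel a running offense saved search dependent task and triage its results.

Added example, not code from the IBM guide. Cancellation follows the endpoint above:
POST /siem/offense_saved_search_dependent_tasks/{task_id} with the body
{"status": "CANCEL_REQUESTED"}; a 409 (unique code 1004) means the task already
finished and is treated as 'nothing to cancel'. Triage uses the documented
user_has_edit_permissions, dependent_type, dependent_id, dependent_name and
dependent_owner fields. Which states are terminal, and that a dependent the task's
creator cannot edit needs another owner's attention, are assumptions. The transport
is a callable (method, path, body) -> Response so it runs offline against the fake.
"""
from collections import defaultdict
from dataclasses import dataclass

TERMINAL_STATES = {"CANCELLED", "COMPLETED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
BASE = "/siem/offense_saved_search_dependent_tasks"


@dataclass
class Response:
    status: int
    body: object = None


def cancel_dependent_task(transport, task_id):
    """Ask QRadar to cancel the task. Returns the updated task status object, or None
    when the task had already reached a completed state (409)."""
    resp = transport("POST", f"{BASE}/{task_id}", {"status": "CANCEL_REQUESTED"})
    if resp.status == 409:
        return None
    if resp.status == 404:
        raise KeyError(f"dependent task {task_id} does not exist")
    if resp.status != 200:
        raise RuntimeError(f"cancel of task {task_id} failed: {resp.status} {resp.body}")
    return resp.body


def triage_dependents(transport, task_id):
    """GET .../{task_id}/results and split dependents by whether the task's creator may
    edit them, grouped by dependent_type. Each entry is (id, name, owner)."""
    resp = transport("GET", f"{BASE}/{task_id}/results", None)
    if resp.status != 200:
        raise RuntimeError(f"results for task {task_id} failed: {resp.status} {resp.body}")
    editable, needs_owner = defaultdict(list), defaultdict(list)
    for dep in resp.body:
        bucket = editable if dep["user_has_edit_permissions"] else needs_owner
        bucket[dep["dependent_type"]].append(
            (dep["dependent_id"], dep["dependent_name"], dep["dependent_owner"]))
    return {"editable": dict(editable), "needs_owner": dict(needs_owner)}


class FakeDependentTasks:
    """Constructed stand-in: task 7 is still PROCESSING, task 8 is COMPLETED with results."""

    def __init__(self):
        self.tasks = {
            7: {"id": 7, "name": "Find dependents", "status": "PROCESSING",
                "message": "Checking rules", "created_by": "admin", "cancelled_by": None},
            8: {"id": 8, "name": "Find dependents", "status": "COMPLETED",
                "message": "3 dependents found", "created_by": "admin", "cancelled_by": None},
        }
        common = {"dependent_database": None, "dependent_group_ids": []}
        self.results = {8: [
            {"dependent_id": "1001", "dependent_name": "Daily offense review", "dependent_owner": "admin",
             "dependent_type": "REPORT", "user_has_edit_permissions": True, **common},
            {"dependent_id": "2002", "dependent_name": "SOC wall", "dependent_owner": "analyst1",
             "dependent_type": "DASHBOARD", "user_has_edit_permissions": False, **common},
            {"dependent_id": "3003", "dependent_name": "Weekly summary", "dependent_owner": "analyst1",
             "dependent_type": "REPORT", "user_has_edit_permissions": False, **common},
        ]}

    def __call__(self, method, path, body):
        parts = path.strip("/").split("/")
        task = self.tasks.get(int(parts[2]))
        if task is None:
            return Response(404, {"code": 1002, "message": "The dependent task status does not exist."})
        if method == "POST":
            if task["status"] in TERMINAL_STATES:
                return Response(409, {"code": 1004, "message": "The task is in a completed state."})
            if body.get("status") != "CANCEL_REQUESTED":
                return Response(422, {"code": 1005, "message": "A request parameter is not valid."})
            task.update(status="CANCEL_REQUESTED", cancelled_by="admin")
            return Response(200, dict(task))
        if parts[-1] == "results":
            return Response(200, self.results.get(task["id"], []))
        return Response(200, dict(task))


if __name__ == "__main__":
    api = FakeDependentTasks()
    print(cancel_dependent_task(api, 7)["status"])
    print(triage_dependents(api, 8))
```

Returning None on 409 rather than raising keeps a cleanup script idempotent: re-running it against a task that already finished is not an error. The "needs_owner" bucket is the list to hand to the owners named in dependent_owner before the saved search is removed.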

GET /siem/offense_saved_search_groups
Retrieves a list of offense saved search groups.

Table 2411. GET /siem/offense_saved_search_groups resource details
MIME Type
application/json

Table 2412. GET /siem/offense_saved_search_groups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2413. GET /siem/offense_saved_search_groups response codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /siem/offense_saved_search_groups/{group_id}
Retrieves an offense saved search group.


Table 2414. GET /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2415. GET /siem/offense_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number text/plain Required - The ID of the offense
(Integer) saved search group.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2416. GET /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search group was retrieved.
404 1002 The offense saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the offense saved
search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /siem/offense_saved_search_groups/{group_id}
Updates the owner of an offense saved search group.


Table 2417. POST /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2418. POST /siem/offense_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number text/plain Required - The ID of the offense
(Integer) saved search group.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2419. POST /siem/offense_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/ Required - Group object with { "child_groups": [ 42 ], "child_items": [ "String" ], "description":
json the owner set to a valid "String", "id": 42, "level": 42, "name": "String", "owner": "String",
deployed user. "parent_id": 42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2420. POST /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search group was updated.
404 1002 The offense saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own
the offense saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the offense saved
search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /siem/offense_saved_search_groups/{group_id}
Deletes an offense saved search group.


Table 2421. DELETE /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2422. DELETE /siem/offense_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number text/plain Required - The ID of the offense
(Integer) saved search group.

Table 2423. DELETE /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The offense saved search group has been deleted.
404 1002 The offense saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the offense saved
search group.

Response Description

Response Sample

GET /siem/offense_saved_searches
Retrieves a list of offense saved searches.


Table 2424. GET /siem/offense_saved_searches resource details
MIME Type
application/json

Table 2425. GET /siem/offense_saved_searches request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2426. GET /siem/offense_saved_searches response codes


HTTP Response Code Unique Code Description
200 The offense saved searches were retrieved.
500 1020 An error occurred during the attempt to retrieve the offense saved
searches.

Response Description

An array of offense saved search objects. An offense saved search object contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
[
{
"id": 42,

"name": "String",
"owner": "String"
}
]

GET /siem/offense_saved_searches/{id}
Retrieves an offense saved search.


Table 2427. GET /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 2428. GET /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number text/plain Required - The ID of the offense
(Integer) saved search.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2429. GET /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search was retrieved.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the offense saved
search.

Response Description

The offense saved search after it has been retrieved. An offense saved search object contains the following
fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

POST /siem/offense_saved_searches/{id}
Updates the offense saved search owner only.


Table 2430. POST /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 2431. POST /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number text/plain Required - The ID of the offense
(Integer) saved search.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter header Optional String text/plain Optional - This parameter is
used to restrict the elements
in a list based on the contents
of various fields.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2432. POST /siem/offense_saved_searches/{id} request body details


Parameter Data Type MIME Type Description Sample
saved_search Object application/ Required - The offense saved { "id": "1", "name": "String",
json search object with the owner set to "is_shared": true, "owner":
a valid deployed user. "String" }

Table 2433. POST /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search was updated.
403 1009 You do not have the required capabilities to update the offense
saved search.
404 1002 The offense saved search does not exist.
409 1004 The provided user does not have the required capabilities to own
the offense saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the offense saved
search.

Response Description

The offense saved search after it is updated. An offense saved search object contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /siem/offense_saved_searches/{id}
Deletes an offense saved search. To ensure safe deletion, a dependency check is carried out first. This
check might take some time, so an asynchronous task is started to run it.

Table 2434. DELETE /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 2435. DELETE /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number text/plain Required - The ID of the offense
(Integer) saved search.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2436. DELETE /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
202 The offense saved search delete command was accepted and is in
progress.
403 1009 You do not have the required capabilities to delete the offense
saved search.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to delete the offense saved
search.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/siem/
offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_searches/{id}/dependents
Retrieves the objects that depend on an offense saved search.


Table 2437. GET /siem/offense_saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 2438. GET /siem/offense_saved_searches/{id}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number text/plain Required - The ID of the offense
(Integer) saved search.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2439. GET /siem/offense_saved_searches/{id}/dependents response codes


HTTP Response Code Unique Code Description
202 The offense saved search dependents retrieval was accepted and is
in progress.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to initiate the offense saved
search dependents retrieval task.

Response Description

A Dependents Task Status object, with the Location header set to the task status URL "/api/siem/
offense_saved_search_dependents_tasks/{task_id}". A Dependents Task Status object contains the following
fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
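Both DELETE /siem/offense_saved_searches/{id} and GET /siem/offense_saved_searches/{id}/dependents answer 202 with a task object and a Location header rather than a result, so a client has to poll the task URL until the task reaches a state it will not leave. The Python below is an added example and not code from the QRadar guide or from IBM: it runs the dependents check, refuses to delete while number_of_dependents is non-zero, then issues the DELETE and polls the delete task. The transport callable, the SEC and Version request headers (QRadar's authorized-service token and API version headers, which this section does not describe), the FakeQRadar stand-in and how its tasks progress, and the choice of which documented states count as terminal are all assumptions of the example.

```python
import json
import re
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Transport: (method, url, headers) -> (status, response_headers, body_text).
# Wrap requests/urllib here in production; the FakeQRadar below keeps the example offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]
API_VERSION = "9.0"  # assumed: sent in the Version header so the response shape does not drift
# Documented task states that cannot progress any further. The reference lists the enum but does
# not say which states are terminal, so this set is inferred from the names (assumption).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT", "INTERRUPTED"}


class QRadarApiError(Exception):
    """HTTP status plus the unique code and message the API puts in an error body."""
    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status} code {body.get('code')}: {body.get('message')}")
        self.status, self.code = status, body.get("code")


def _call(transport: Transport, method: str, url: str, token: str):
    headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}  # assumed headers
    status, resp_headers, body = transport(method, url, headers)
    return status, resp_headers, (json.loads(body) if body else {})


def wait_for_task(transport: Transport, base_url: str, token: str, location: str, *,
                  max_polls: int = 300, interval: float = 1.0, sleep=time.sleep) -> dict:
    """Poll the task status URL taken from the 202 response's Location header until a terminal state."""
    url = location if location.startswith("http") else base_url + location
    task = {"status": "unknown"}
    for _ in range(max_polls):
        status, _hdrs, task = _call(transport, "GET", url, token)
        if status != 200:
            raise QRadarApiError(status, task)
        if task["status"] in TERMINAL_STATES:
            return task
        sleep(interval)
    raise TimeoutError(f"task at {url} still {task['status']} after {max_polls} polls")


def delete_offense_saved_search(transport: Transport, base_url: str, token: str, search_id: int, *,
                                sleep=time.sleep) -> dict:
    """Run the dependents check first and refuse to delete while anything still references the search."""
    path = f"{base_url}/api/siem/offense_saved_searches/{search_id}"
    status, hdrs, body = _call(transport, "GET", path + "/dependents", token)
    if status != 202:
        raise QRadarApiError(status, body)
    dep = wait_for_task(transport, base_url, token, hdrs["Location"], sleep=sleep)
    if dep["status"] != "COMPLETED":
        raise RuntimeError(f"dependency check ended in {dep['status']}: {dep['message']}")
    if dep["number_of_dependents"]:
        raise RuntimeError(f"{dep['number_of_dependents']} object(s) still depend on saved search {search_id}")
    status, hdrs, body = _call(transport, "DELETE", path, token)
    if status != 202:
        raise QRadarApiError(status, body)
    return wait_for_task(transport, base_url, token, hdrs["Location"], sleep=sleep)


class FakeQRadar:
    """Constructed stand-in (not a real QRadar) for the two endpoints and their task status URLs.
    A task is QUEUED when created, PROCESSING on the first poll and COMPLETED on the second."""
    _RESOURCE = re.compile(r"/api/siem/offense_saved_searches/(\d+)(/dependents)?")
    _TASK = re.compile(r"/api/siem/offense_saved_search_(dependents|delete)_tasks/(\d+)")

    def __init__(self):
        self.searches = {1: 0, 2: 3}  # saved search id -> number of objects that depend on it
        self.tasks, self._next_id = {}, 100

    def _start(self, kind: str, search_id: int) -> Tuple[int, str]:
        tid, self._next_id = self._next_id, self._next_id + 1
        self.tasks[tid] = {"id": tid, "name": kind, "status": "QUEUED", "message": "queued",
                           "number_of_dependents": None, "_search": search_id, "_polls": 0}
        return tid, f"/api/siem/offense_saved_search_{kind}_tasks/{tid}"

    def _view(self, task: dict) -> str:
        return json.dumps({k: v for k, v in task.items() if not k.startswith("_")})

    def __call__(self, method: str, url: str, headers: Dict[str, str]):
        path = urlsplit(url).path
        m = self._RESOURCE.fullmatch(path)
        if m:
            sid = int(m.group(1))
            if sid not in self.searches:
                return 404, {}, json.dumps({"code": 1002, "message": "The offense saved search does not exist."})
            kind = "dependents" if m.group(2) else "delete"
            if (method, kind) not in (("GET", "dependents"), ("DELETE", "delete")):
                return 405, {}, ""
            tid, location = self._start(kind, sid)
            return 202, {"Location": location}, self._view(self.tasks[tid])
        m = self._TASK.fullmatch(path)
        if m and int(m.group(2)) in self.tasks:
            task = self.tasks[int(m.group(2))]
            task["_polls"] += 1
            if task["_polls"] == 1:
                task["status"], task["message"] = "PROCESSING", "running"
            elif task["status"] != "COMPLETED":
                task["status"], task["message"] = "COMPLETED", "done"
                if task["name"] == "dependents":
                    task["number_of_dependents"] = self.searches[task["_search"]]
                else:
                    self.searches.pop(task["_search"], None)
            return 200, {}, self._view(task)
        return 404, {}, json.dumps({"code": 1002, "message": "not found"})


if __name__ == "__main__":
    fake = FakeQRadar()
    print(delete_offense_saved_search(fake, "https://qradar.example", "token", 1, sleep=lambda s: None))
```

The client treats anything other than COMPLETED on the dependency task as a failure rather than proceeding to the DELETE, because a CONFLICT or EXCEPTION task leaves number_of_dependents unknown; the documented 404/1002 for a missing search surfaces as QRadarApiError before any task is created.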

GET /siem/offenses
Retrieve a list of offenses currently in the system.


Table 2440. GET /siem/offenses resource details
MIME Type
application/json

Table 2441. GET /siem/offenses request parameter details


Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.

Table 2442. GET /siem/offenses response codes
HTTP Response Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:


v id - Number - The ID of the offense.
v description - String - The description of the offense. Filtering is not supported on this field.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the offense.
v category_count - Number - The number of event categories that are associated with the offense.
v policy_category_count - Number - The number of policy event categories that are associated with the
offense.
v security_category_count - Number - The number of security event categories that are associated with
the offense.
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are associated with the
offense.
v source_network - String - The source network that is associated with the offense. Filtering is not
supported on this field.
v device_count - Number - The number of devices that are associated with the offense.
v event_count - Number - The number of events that are associated with the offense.
v flow_count - Number - The number of flows that are associated with the offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated.
v local_destination_count - Number - The number of local destinations that are associated with the
offense.
v offense_source - String - The source of the offense. Filtering is not supported on this field.
v offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to
retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense.
v source_count - Number - The number of sources that are associated with the offense.
v start_time - Number - The number of milliseconds since epoch when the offense was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". The following
operators are not supported when you filter on this field: "<", ">", "<=", ">=", "BETWEEN".
v username_count - Number - The number of usernames that are associated with the offense.
v source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain.

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42,
"event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",
"last_updated_time": 42,
"categories": ["String"],
"offense_type": 42
}]
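As an added example (not code from the guide or from IBM), the following Python walks GET /siem/offenses with the Range, filter and fields parameters described above: it requests fixed-size pages, stops on a short page, and surfaces the documented 422/1010 invalid-filter response as an exception instead of an empty list. The transport callable, the SEC and Version request headers (QRadar's authorized-service token and API version headers, not described in this section), and the fake_qradar stand-in, including its minimal filter evaluator and the Content-Range header it emits, are assumptions of the example rather than behaviour this section specifies.

```python
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Transport: (method, url, headers) -> (status, response_headers, body_text).
# Wrap requests/urllib here in production; the fake further down keeps the example offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]
API_VERSION = "9.0"  # assumed: pinned in the Version header so the response shape does not drift


class QRadarApiError(Exception):
    """HTTP status plus the unique code and message the API puts in an error body."""
    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status} code {body.get('code')}: {body.get('message')}")
        self.status, self.code = status, body.get("code")


def list_offenses(transport: Transport, base_url: str, sec_token: str, *,
                  filter_expr: str = None, fields: str = None, page_size: int = 50) -> List[dict]:
    """Walk GET /siem/offenses page by page with Range: items=start-end (zero-indexed, inclusive)."""
    params = {k: v for k, v in (("filter", filter_expr), ("fields", fields)) if v}
    url = f"{base_url}/api/siem/offenses" + ("?" + urlencode(params) if params else "")
    items, start = [], 0
    while True:
        headers = {"SEC": sec_token, "Version": API_VERSION, "Accept": "application/json",
                   "Range": f"items={start}-{start + page_size - 1}"}
        status, _, body = transport("GET", url, headers)
        if status != 200:
            raise QRadarApiError(status, json.loads(body) if body else {})
        page = json.loads(body)
        items.extend(page)
        if len(page) < page_size:  # a short or empty page means the list is exhausted
            return items
        start += page_size


# ---- constructed stand-in for the endpoint (not a real QRadar), just enough to exercise the client ----
_FAKE_OFFENSES = [{"id": i, "status": "OPEN" if i % 3 else "CLOSED", "magnitude": i % 10,
                   "description": f"Offense {i}"} for i in range(1, 121)]
_CLAUSE = re.compile(r'^\s*(\w+)\s*(=|!=|>=|<=|>|<)\s*("([^"]*)"|\d+)\s*$')
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def _matches(offense: dict, filter_expr: str) -> bool:
    """Evaluate 'field op value [and ...]' clauses; ValueError on syntax the stand-in cannot parse."""
    for clause in re.split(r"\s+and\s+", filter_expr, flags=re.I):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(clause)
        field, op, raw, quoted = m.groups()
        value = quoted if quoted is not None else int(raw)
        if field not in offense or not _OPS[op](offense[field], value):
            return False
    return True


def fake_qradar(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    if "SEC" not in headers:
        return 401, {}, json.dumps({"message": "Unauthorized"})
    q = parse_qs(urlsplit(url).query)
    try:
        rows = [o for o in _FAKE_OFFENSES if "filter" not in q or _matches(o, q["filter"][0])]
    except ValueError:
        return 422, {}, json.dumps({"code": 1010, "message": "The filter parameter is not valid."})
    if "fields" in q:  # project to the requested fields, as the fields parameter does
        keep = [f.strip() for f in q["fields"][0].split(",")]
        rows = [{k: o[k] for k in keep if k in o} for o in rows]
    lo, hi = map(int, re.match(r"items=(\d+)-(\d+)", headers.get("Range", "items=0-49")).groups())
    return 200, {"Content-Range": f"items {lo}-{hi}/{len(rows)}"}, json.dumps(rows[lo:hi + 1])


if __name__ == "__main__":
    open_high = list_offenses(fake_qradar, "https://qradar.example", "token",
                              filter_expr='status = "OPEN" and magnitude >= 5',
                              fields="id,status,magnitude", page_size=25)
    print(len(open_high), open_high[:2])
```

Asking for only the fields you need (fields=id,status,magnitude) keeps each page small, and the stop-on-short-page rule means the client never depends on the server's total count; the filter string is passed through untouched, so the 422/1010 path is the place to catch a malformed expression rather than silently treating it as "no offenses".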

GET /siem/offenses/{offense_id}
Retrieve an offense structure that describes the properties of an offense.


Table 2443. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 2444. GET /siem/offenses/{offense_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number text/plain Required - The offense ID.
(Integer)
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2445. GET /siem/offenses/{offense_id} response codes


HTTP Response Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being retrieved.

Response Description

An Offense object. An Offense object contains the following fields:


v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the offense.
v category_count - Number - The number of event categories that are associated with the offense.
v policy_category_count - Number - The number of policy event categories that are associated with the
offense.
v security_category_count - Number - The number of security event categories that are associated with
the offense.
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are associated with the
offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the offense.
v event_count - Number - The number of events that are associated with the offense.
v flow_count - Number - The number of flows that are associated with the offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated.
v local_destination_count - Number - The number of local destinations that are associated with the
offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to
retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense.
v source_count - Number - The number of sources that are associated with the offense.
v start_time - Number - The number of milliseconds since epoch when the offense was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
v username_count - Number - The number of usernames that are associated with the offense.
v source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain.

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes
Retrieve a list of notes for an offense.
Table 2446. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2447. GET /siem/offenses/{offense_id}/notes request parameter details


Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number text/plain Required - The offense ID to
(Integer) retrieve the notes for.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is
used to restrict the elements in
a list based on the contents of
various fields.

Table 2448. GET /siem/offenses/{offense_id}/notes response codes


HTTP Response Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

7 Previous REST API versions 1101

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

GET /siem/offenses/{offense_id}/notes/{note_id}
Retrieve a note for an offense.
Table 2449. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

Table 2450. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to retrieve the note from.
note_id | path | Required | Number (Integer) | text/plain | Required - The note ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2451. GET /siem/offenses/{offense_id}/notes/{note_id} response codes


HTTP Response Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}/notes
Create a note on an offense.
Table 2452. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2453. POST /siem/offenses/{offense_id}/notes request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to add the note to.
note_text | query | Required | String | text/plain | Required - The note text.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2454. POST /siem/offenses/{offense_id}/notes response codes


HTTP Response Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
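The three note endpoints above share two details that trip up scripts: the list is paged with a zero-indexed, inclusive Range header rather than a query parameter, and note_text on the POST is a query parameter, so it must be URL-encoded rather than sent as a body. The following is an added example, not code from the IBM guide or from QRadar itself. CONSOLE and TOKEN are placeholders, SAMPLE_NOTES and fake_send are constructed offline stand-ins for the console, and the assumption that an error body is a JSON object carrying the unique code in a "code" field is exactly that, an assumption.

```python
"""Request builders and a paging loop for the offense-note endpoints.

Added example, not IBM code. CONSOLE and TOKEN are placeholders; SAMPLE_NOTES
and fake_send are constructed test data; the error-body shape (a JSON object
with a numeric "code") is an assumption.
"""
from urllib.parse import urlencode

CONSOLE = "https://qradar.example.internal"        # assumption: placeholder console
TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"    # assumption: placeholder SEC token
API_VERSION = "7.0"                                 # previous-version endpoints in this chapter


def base_headers(extra=None):
    """Headers every call carries: the SEC token and the pinned API version."""
    headers = {"SEC": TOKEN, "Version": API_VERSION, "Accept": "application/json"}
    if extra:
        headers.update(extra)
    return headers


def notes_request(offense_id, start=0, page_size=50, fields=None):
    """GET /siem/offenses/{offense_id}/notes for one zero-indexed, inclusive Range page."""
    if page_size < 1:
        raise ValueError("page_size must be positive")
    url = f"{CONSOLE}/api/siem/offenses/{int(offense_id)}/notes"
    if fields:
        url += "?" + urlencode({"fields": fields})
    headers = base_headers({"Range": f"items={start}-{start + page_size - 1}"})
    return {"method": "GET", "url": url, "headers": headers}


def add_note_request(offense_id, note_text):
    """POST /siem/offenses/{offense_id}/notes: note_text is a query parameter, so encode it."""
    if not note_text or not note_text.strip():
        raise ValueError("note_text is required")
    url = (f"{CONSOLE}/api/siem/offenses/{int(offense_id)}/notes?"
           + urlencode({"note_text": note_text}))
    return {"method": "POST", "url": url, "headers": base_headers()}


def interpret(status, body):
    """Map the documented response codes to outcomes; body is the decoded JSON."""
    if status in (200, 201):
        return body
    code = body.get("code") if isinstance(body, dict) else None
    if status == 404 and code == 1002:
        raise LookupError("no offense was found for the provided offense_id")
    if status == 422:
        raise ValueError(f"a request parameter is not valid (unique code {code})")
    raise RuntimeError(f"unexpected HTTP {status}, unique code {code}")


def fetch_all_notes(send, offense_id, page_size=50):
    """Walk every Range page; a short page means the list is exhausted.

    send(request) -> (status, decoded_json) is the transport, injected so the
    logic can be exercised offline.
    """
    notes, start = [], 0
    while True:
        page = interpret(*send(notes_request(offense_id, start, page_size)))
        notes.extend(page)
        if len(page) < page_size:
            return notes
        start += page_size


# Constructed sample data and an offline stand-in for the console.
SAMPLE_NOTES = [
    {"id": 1, "create_time": 1500000000000, "username": "analyst", "note_text": "Triage started."},
    {"id": 2, "create_time": 1500000060000, "username": "analyst", "note_text": "Source host isolated."},
    {"id": 3, "create_time": 1500000120000, "username": "soar_service", "note_text": "Ticket opened."},
]


def fake_send(request):
    """Honours the Range header and answers 404/1002 for any offense other than 42."""
    if "/offenses/42/" not in request["url"]:
        return 404, {"code": 1002, "message": "No offense was found for the provided offense_id."}
    rng = request["headers"].get("Range", "items=0-49")
    first, last = (int(x) for x in rng[len("items="):].split("-"))
    return 200, SAMPLE_NOTES[first:last + 1]
```

Stopping on a short page keeps the loop independent of how the console reports totals; pin the Version header so a console upgrade cannot silently change the field set your parser expects.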

POST /siem/offenses/{offense_id}
Update an offense.
Table 2455. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 2456. POST /siem/offenses/{offense_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense to update.
protected | query | Optional | Boolean | text/plain | Optional - Set to true to protect the offense.
follow_up | query | Optional | Boolean | text/plain | Optional - Set to true to set the follow up flag on the offense.
status | query | Optional | String | text/plain | Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.
closing_reason_id | query | Optional | Number (Integer) | text/plain | Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense.
assigned_to | query | Optional | String | text/plain | Optional - A user to assign the offense to.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2457. POST /siem/offenses/{offense_id} response codes


HTTP Response Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an offense.
404 1002 No offense was found for the provided offense_id.
409 1008 Request cannot be completed due to the state of the offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:


v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the offense.
v category_count - Number - The number of event categories that are associated with the offense.
v policy_category_count - Number - The number of policy event categories that are associated with the
offense.
v security_category_count - Number - The number of security event categories that are associated with
the offense.
v close_time - Number - The number of milliseconds since epoch when the offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are associated with the
offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the offense.
v event_count - Number - The number of events that are associated with the offense.
v flow_count - Number - The number of flows that are associated with the offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when the offense was last
updated.
v local_destination_count - Number - The number of local destinations that are associated with the
offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the Offense Type Codes table
for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that are associated with the
offense.
v source_count - Number - The number of sources that are associated with the offense.
v start_time - Number - The number of milliseconds since epoch when the offense was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
v username_count - Number - The number of usernames that are associated with the offense.
v source_address_ids - Array of numbers -The source address IDs that are associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination address IDs that are
associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is associated with a single
domain.
Table 2458. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [

42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}
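The update endpoint above has one server-enforced rule that a client should check before sending (CLOSED requires a closing_reason_id) and two failure codes that deserve distinct handling (403/1009 for a user who cannot assign, 409/1008 for an offense whose state forbids the change). The offense_type field is a bare number, resolved through Table 2458. The following is an added example, not code from the IBM guide or from QRadar. CONSOLE and TOKEN are placeholders, the boolean query parameters are encoded as the literal strings true/false, and the assumption that the error body carries the unique code in a "code" field is an assumption.

```python
"""Client-side checks for POST /siem/offenses/{offense_id} plus the Table 2458 code mapping.

Added example, not IBM code. CONSOLE and TOKEN are placeholders; the "code"
field in error bodies is an assumption about the JSON error shape.
"""
from urllib.parse import urlencode

CONSOLE = "https://qradar.example.internal"        # assumption: placeholder console
TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"    # assumption: placeholder SEC token
API_VERSION = "7.0"

OFFENSE_STATUSES = ("OPEN", "HIDDEN", "CLOSED")

# Table 2458. Offense Type Codes, as printed above; 16 and 17 are not listed there.
OFFENSE_TYPE_CODES = {
    0: "Source IP", 1: "Destination IP", 2: "Event Name", 3: "Username",
    4: "Source MAC Address", 5: "Destination MAC Address", 6: "Log Source",
    7: "Hostname", 8: "Source Port", 9: "Destination Port", 10: "Source IPv6",
    11: "Destination IPv6", 12: "Source ASN", 13: "Destination ASN", 14: "Rule",
    15: "App Id", 18: "Scheduled Search",
}


def offense_type_name(code):
    """Resolve offense.offense_type to its label; unknown codes are reported, not guessed."""
    return OFFENSE_TYPE_CODES.get(int(code), f"unknown offense type {code}")


def update_offense_request(offense_id, status=None, closing_reason_id=None,
                           assigned_to=None, protected=None, follow_up=None):
    """Build the POST, enforcing the documented rule that CLOSED needs a closing_reason_id."""
    params = {}
    if status is not None:
        if status not in OFFENSE_STATUSES:
            raise ValueError(f"status must be one of {OFFENSE_STATUSES}")
        if status == "CLOSED" and closing_reason_id is None:
            raise ValueError("closing an offense requires a valid closing_reason_id")
        params["status"] = status
    if closing_reason_id is not None:
        params["closing_reason_id"] = int(closing_reason_id)
    if assigned_to is not None:
        params["assigned_to"] = assigned_to
    # Booleans travel as text/plain query parameters: the literal strings true/false.
    if protected is not None:
        params["protected"] = "true" if protected else "false"
    if follow_up is not None:
        params["follow_up"] = "true" if follow_up else "false"
    if not params:
        raise ValueError("nothing to update")
    url = f"{CONSOLE}/api/siem/offenses/{int(offense_id)}?" + urlencode(params)
    headers = {"SEC": TOKEN, "Version": API_VERSION, "Accept": "application/json"}
    return {"method": "POST", "url": url, "headers": headers}


def interpret_update(status, body):
    """Translate the Table 2457 outcomes; body is the decoded JSON."""
    if status == 200:
        return body
    code = body.get("code") if isinstance(body, dict) else None
    messages = {
        (403, 1009): "user does not have the capability to assign an offense",
        (404, 1002): "no offense was found for the provided offense_id",
        (409, 1008): "the state of the offense does not allow this change",
        (422, 1005): "a request parameter is not valid",
    }
    raise RuntimeError(messages.get((status, code),
                                    f"unexpected HTTP {status}, unique code {code}"))


def summarize(offense):
    """One triage line for an Offense object as returned by the update."""
    return (f"offense {offense['id']} [{offense['status']}] "
            f"type={offense_type_name(offense['offense_type'])} "
            f"source={offense.get('offense_source')} magnitude={offense.get('magnitude')}")
```

Rejecting a CLOSED update without a reason locally saves a round trip, but the server still decides whether the closing_reason_id is valid; treat 422/1005 as the signal that the reason ID itself is wrong.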

GET /siem/offense_types
Retrieve all offense types.

Table 2459. GET /siem/offense_types resource details
MIME Type
application/json

Table 2460. GET /siem/offense_types request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.

Table 2461. GET /siem/offense_types response codes


HTTP Response Code Unique Code Description
200 The requested offense types list has been retrieved.
422 1005 A request parameter is not valid.
422 1012 The selected field cannot be used for sorting or it does not exist.
500 1020 An error occurred while attempting to retrieve the offense type list.

Response Description

The Offense Types that exist at the moment. Offense types may include custom flow/event properties
only if they have been selected as part of a rule action or rule response limiter.
v id - Number - The ID of the offense type and what is presented in the offense's offense_type.
v property_name - String - The name of the event or flow property represented by this offense type for
flow or event properties or the unique identifier for custom flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are: EVENTS, FLOWS, or
COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event property.
The following field can be sorted on: id.

Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id}
Retrieve an offense type structure that describes the properties of an offense type.

Table 2462. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 2463. GET /siem/offense_types/{offense_type_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_type_id | path | Required | Number (Integer) | text/plain | Required - int - The offense type id.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2464. GET /siem/offense_types/{offense_type_id} response codes

HTTP Response Code Unique Code Description
200 The requested offense type has been retrieved.
404 1002 The requested offense type cannot be found.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the requested offense type.

Response Description

The Offense Type with the entered offense_type_id.


v id - Number - The ID of the offense type and what is presented in the offense's offense_type.
v property_name - String - The name of the event or flow property represented by this offense type for
flow or event properties, or the unique identifier for custom flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are: EVENTS, FLOWS, or
COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event property.

Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/source_addresses
Retrieve a list of offense source addresses currently in the system.
Table 2465. GET /siem/source_addresses resource details
MIME Type
application/json

Table 2466. GET /siem/source_addresses request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2467. GET /siem/source_addresses response codes


HTTP Response Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was being retrieved.

Response Description

An array of source address objects. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination address IDs associated
with the source address.
v event_flow_count - Number - The number of events and flows that are associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or
flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow
was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id}
Retrieve an offense source address.
Table 2468. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 2469. GET /siem/source_addresses/{source_address_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
source_address_id | path | Required | Number (Integer) | text/plain | Required - The ID of the source address to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2470. GET /siem/source_addresses/{source_address_id} response codes


HTTP Response Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was being retrieved.

Response Description

A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination address IDs associated
with the source address.
v event_flow_count - Number - The number of events and flows that are associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or
flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow
was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,

"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
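An Offense object carries source_address_ids, not IP addresses, so the usual triage step is to pivot through GET /siem/source_addresses with a filter on id and a fields list that keeps the response small, then order the result by magnitude. The following is an added example, not code from the IBM guide or from QRadar. CONSOLE and TOKEN are placeholders, the filter expression "id in (...)" assumes the list-membership operator of the filter syntax rather than anything this section states, and SAMPLE_SOURCES plus fake_send are constructed offline stand-ins for the console.

```python
"""Pivot from an offense to its source addresses using filter, fields and Range.

Added example, not IBM code. CONSOLE/TOKEN are placeholders, the "id in (...)"
filter operator is an assumption, and SAMPLE_SOURCES plus fake_send are
constructed offline data.
"""
from urllib.parse import urlencode, parse_qs, urlsplit

CONSOLE = "https://qradar.example.internal"        # assumption: placeholder console
TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"    # assumption: placeholder SEC token
API_VERSION = "7.0"
FIELDS = "id,source_ip,magnitude,network,domain_id"   # only what triage needs


def source_addresses_request(address_ids, page_size=100, start=0):
    """GET /siem/source_addresses restricted to the given IDs and to FIELDS."""
    ids = sorted({int(i) for i in address_ids})
    if not ids:
        raise ValueError("no source address IDs to look up")
    query = {"filter": "id in (" + ",".join(str(i) for i in ids) + ")", "fields": FIELDS}
    return {
        "method": "GET",
        "url": f"{CONSOLE}/api/siem/source_addresses?" + urlencode(query),
        "headers": {"SEC": TOKEN, "Version": API_VERSION,
                    "Range": f"items={start}-{start + page_size - 1}"},
    }


def offense_sources(send, offense, page_size=100):
    """Return the offense's sources ordered by magnitude, flagging cross-domain rows.

    send(request) -> (status, decoded_json) is the injected transport.
    """
    ids = offense.get("source_address_ids") or []
    if not ids:
        return []
    rows, start = [], 0
    while True:
        status, body = send(source_addresses_request(ids, page_size, start))
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body}")
        rows.extend(body)
        if len(body) < page_size:          # short page: list exhausted
            break
        start += page_size
    for row in rows:
        # A source whose domain differs from the offense's domain deserves a second look.
        row["domain_mismatch"] = (offense.get("domain_id") is not None
                                  and row.get("domain_id") != offense["domain_id"])
    return sorted(rows, key=lambda r: r["magnitude"], reverse=True)


# Constructed sample data and an offline transport that honours filter, fields and Range.
SAMPLE_SOURCES = [
    {"id": 11, "source_ip": "10.0.0.5", "magnitude": 6, "network": "Net-10-172-192.Net_10_0_0_0",
     "domain_id": 0, "offense_ids": [42]},
    {"id": 12, "source_ip": "192.0.2.77", "magnitude": 9, "network": "other",
     "domain_id": 0, "offense_ids": [42, 43]},
    {"id": 13, "source_ip": "198.51.100.9", "magnitude": 3, "network": "other",
     "domain_id": 2, "offense_ids": [42]},
    {"id": 14, "source_ip": "10.0.0.9", "magnitude": 1, "network": "other",
     "domain_id": 0, "offense_ids": [44]},
]


def fake_send(request):
    """Apply the id filter, project the requested fields and slice by Range."""
    q = parse_qs(urlsplit(request["url"]).query)
    wanted = {int(x) for x in q["filter"][0][len("id in ("):-1].split(",")}
    fields = q["fields"][0].split(",")
    rows = [{k: r[k] for k in fields} for r in SAMPLE_SOURCES if r["id"] in wanted]
    first, last = (int(x) for x in request["headers"]["Range"][len("items="):].split("-"))
    return 200, rows[first:last + 1]
```

Filtering server-side on id and trimming with fields matters on a busy console: the unfiltered source address list can be very large, and offense_ids alone can dominate the payload.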

Staged configuration endpoints


Use the references for REST API V7.0 staged configuration endpoints.

GET /staged_config/deploy_status
Retrieves the status of a deploy in progress.

Table 2471. GET /staged_config/deploy_status resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 2472. GET /staged_config/deploy_status response codes
HTTP Response Code Unique Code Description
200 The deploy status was retrieved.
500 1020 An error occurred during the attempt to retrieve the status of the running deploy.

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 - 100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,

IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

POST /staged_config/deploy_status
Executes a deploy.

Table 2473. POST /staged_config/deploy_status resource details
MIME Type
application/json

Table 2474. POST /staged_config/deploy_status request body details

Parameter | Data Type | MIME Type | Description | Sample
deploy_status | Object | application/json | null | { "hosts": [ { "host_status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>", "ip": "String", "status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>" } ], "initiated_by": "String", "initiated_from": "String", "percent_complete": 42, "status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>", "type": "String <one of: INCREMENTAL, FULL>" }

Table 2475. POST /staged_config/deploy_status response codes


HTTP Response Code Unique Code Description
200 The deploy was scheduled.
409 1002 There already exists a deploy in action, or there are no changes to deploy.
409 1003 null
409 1004 null
422 1005 null
500 1020 An error occurred during the attempt to run the deploy

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 - 100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}
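POST /staged_config/deploy_status only schedules the deploy; the caller has to poll GET /staged_config/deploy_status until it reaches a terminal state, and must not retry the POST while 409/1002 says a deploy is already in action. The page gives two vocabularies for status (UNKNOWN, START, DONE in the field description; INITIALIZING, IN_PROGRESS, COMPLETE in the sample), so the loop below accepts either terminal name and also stops on has_errors. The following is an added example, not code from the IBM guide or from QRadar. CONSOLE and TOKEN are placeholders, the POST body containing only "type" is an assumption, and ScriptedConsole is a constructed offline stand-in for the console.

```python
"""Schedule a deploy and poll GET /staged_config/deploy_status until it finishes.

Added example, not IBM code. CONSOLE/TOKEN are placeholders; sending a body of
{"type": ...} on the POST is an assumption; ScriptedConsole is a constructed
offline stand-in that models the 409/1002 "deploy already in action" case.
"""
CONSOLE = "https://qradar.example.internal"        # assumption: placeholder console
TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"    # assumption: placeholder SEC token
HEADERS = {"SEC": TOKEN, "Version": "7.0", "Accept": "application/json"}
PATH = "/api/staged_config/deploy_status"

TERMINAL = {"DONE", "COMPLETE"}          # both spellings that appear on the page
HOST_FAILED = {"TIMED_OUT", "ERROR"}     # per-host states from the response sample


def deploy_finished(status_obj):
    """True once the deploy is in a terminal state or has reported an error."""
    return status_obj.get("status") in TERMINAL or bool(status_obj.get("has_errors"))


def failed_hosts(status_obj):
    """IPs from the hosts array whose host_status is TIMED_OUT or ERROR."""
    return sorted(h.get("ip", "?") for h in status_obj.get("hosts", [])
                  if h.get("host_status") in HOST_FAILED)


def run_deploy(send, deploy_type="INCREMENTAL", max_polls=60):
    """POST the deploy, then poll. send(method, path, body) -> (status, decoded_json)."""
    if deploy_type not in ("INCREMENTAL", "FULL"):
        raise ValueError("deploy type must be INCREMENTAL or FULL")
    status, body = send("POST", PATH, {"type": deploy_type})
    if status == 409:
        # 1002: a deploy is already running, or nothing is staged. Do not retry blindly.
        raise RuntimeError(f"deploy not scheduled (unique code {body.get('code')}): "
                           f"{body.get('message')}")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} while scheduling the deploy")
    for polls in range(1, max_polls + 1):
        status, body = send("GET", PATH, None)
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} while polling deploy status")
        if deploy_finished(body):
            return {"polls": polls, "status": body.get("status"),
                    "percent_complete": body.get("percent_complete"),
                    "has_errors": bool(body.get("has_errors")),
                    "failed_hosts": failed_hosts(body),
                    "error_message": body.get("error_message")}
    raise TimeoutError(f"deploy still running after {max_polls} polls")


class ScriptedConsole:
    """Constructed stand-in: one deploy at a time, advancing one step per GET."""

    def __init__(self, steps):
        self.steps = list(steps)
        self.index = 0
        self.active = False
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if method == "POST":
            if self.active:
                return 409, {"code": 1002, "message": "There already exists a deploy in action, "
                                                      "or there are no changes to deploy."}
            self.active = True
            self.index = 0
            return 200, self.steps[0]
        self.index = min(self.index + 1, len(self.steps) - 1)
        current = self.steps[self.index]
        if deploy_finished(current):
            self.active = False
        return 200, current
```

In production put a sleep between polls and cap max_polls to the longest deploy you tolerate; a deploy that never reaches a terminal state is itself an incident, not something to retry in a loop.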

GET /staged_config/deployment/hosts
Retrieves a list of all staged hosts.

Table 2476. GET /staged_config/deployment/hosts resource details
MIME Type
application/json

Table 2477. GET /staged_config/deployment/hosts request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2478. GET /staged_config/deployment/hosts response codes


HTTP Response Code Unique Code Description
200 The host list was successfully retrieved.
500 1005 An error occurred during the attempt to retrieve the host list.

Response Description

A list of all the hosts. Each Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this
managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous month.
v peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this
managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this managed host.
v license_serial_number - The serial number that is associated with this managed host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,

ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]
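The Host objects above expose the fields a periodic deployment audit needs: encryption_enabled (whether console-to-managed-host traffic is encrypted), a status that can be one of several ADD_FAILED_* values, and the eps/fpm allocations against their hardware limits and observed peaks. The following is an added example, not code from the IBM guide or from QRadar; the thresholds are local policy, not anything QRadar enforces, and SAMPLE_HOSTS is constructed data shaped like the response sample.

```python
"""Audit the staged host list for weak or failed managed hosts.

Added example, not IBM code. It reads the Host fields documented above;
EPS_WARN is a local policy threshold and SAMPLE_HOSTS is constructed data.
"""

ADD_FAILED_PREFIX = "ADD_FAILED"
EPS_WARN = 0.9   # assumption: warn when an allocation exceeds 90% of its hardware limit


def audit_host(host):
    """Return the findings for one Host object; an empty list means the host is clean."""
    findings = []
    status = str(host.get("status", ""))
    if status.startswith(ADD_FAILED_PREFIX):
        findings.append(f"add failed: {status}")
    if not host.get("encryption_enabled", False):
        # Traffic between the console and this managed host crosses the network in the clear.
        findings.append("encryption disabled")
    for kind in ("eps", "fpm"):
        alloc = host.get(f"{kind}_allocation") or 0
        limit = host.get(f"{kind}_rate_hardware_limit") or 0
        if limit and alloc > limit:
            findings.append(f"{kind} allocation {alloc} exceeds hardware limit {limit}")
        elif limit and alloc > EPS_WARN * limit:
            findings.append(f"{kind} allocation {alloc} within 10% of hardware limit {limit}")
        peak = host.get(f"peak_{kind}") or 0
        if alloc and peak > alloc:
            findings.append(f"peak {kind} {peak} exceeded allocation {alloc}")
    return findings


def audit_hosts(hosts):
    """Map hostname -> findings for every host that has any, in id order."""
    report = {}
    for host in sorted(hosts, key=lambda h: h.get("id", 0)):
        findings = audit_host(host)
        if findings:
            report[host.get("hostname", f"id:{host.get('id')}")] = findings
    return report


# Constructed sample shaped like the GET /staged_config/deployment/hosts response.
SAMPLE_HOSTS = [
    {"id": 53, "hostname": "console01", "status": "Active", "encryption_enabled": True,
     "compression_enabled": True, "eps_allocation": 5000, "eps_rate_hardware_limit": 10000,
     "peak_eps": 4000, "fpm_allocation": 100000, "fpm_rate_hardware_limit": 200000,
     "peak_fpm": 50000, "components": ["magistrate", "hostcontext", "tomcat-rm"]},
    {"id": 54, "hostname": "ec01", "status": "Active", "encryption_enabled": False,
     "compression_enabled": False, "eps_allocation": 9500, "eps_rate_hardware_limit": 10000,
     "peak_eps": 8000, "fpm_allocation": 0, "fpm_rate_hardware_limit": 0, "peak_fpm": 0,
     "components": ["eventcollector", "hostcontext"]},
    {"id": 55, "hostname": "ep02", "status": "ADD_FAILED_VERSION_CHECK", "encryption_enabled": True,
     "compression_enabled": True, "eps_allocation": 0, "eps_rate_hardware_limit": 20000,
     "peak_eps": 0, "fpm_allocation": 0, "fpm_rate_hardware_limit": 0, "peak_fpm": 0,
     "components": ["eventprocessor", "hostcontext"]},
]
```

Run this against the staged list rather than the deployed one when reviewing a change set: it catches a collector added without encryption before the deploy that would make the setting live.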

GET /staged_config/deployment/hosts/{id}
Retrieves a staged host by ID.

Table 2479. GET /staged_config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 2480. GET /staged_config/deployment/hosts/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the staged host to be retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2481. GET /staged_config/deployment/hosts/{id} response codes


HTTP Response Code Unique Code Description
200 The host was successfully retrieved.
404 1006 No such staged host for the given ID
422 1007 The provided ID was a negative number or zero.
500 1008 An error occurred during the retrieval of the host.

Response Description

The associated staged host object. The Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this
managed host.
v eps_allocation - The allocated eps rate of this managed host.

v average_eps - The average eps rate of this managed host over the previous month.
v peak_eps - The peak eps rate that was experienced by this managed host over the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this
managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this managed host.
v license_serial_number - The serial number that is associated with this managed host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,

"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}

GET /staged_config/global_system_notifications
Retrieves a list of all staged global system notifications.

Table 2482. GET /staged_config/global_system_notifications resource details
MIME Type
application/json

Table 2483. GET /staged_config/global_system_notifications request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2484. GET /staged_config/global_system_notifications response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notifications list was successfully retrieved.
500 | 1020 | An internal server error occurred during retrieval of the list of staged global system notifications.

Response Description

A list of all staged global system notifications. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - Double - The notification criteria value (the threshold that is compared with the operator).
v message - String - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /staged_config/global_system_notifications/{notification_id}
Retrieves a staged global system notification by ID.

Retrieves a staged global system notification by ID.


Table 2485. GET /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 2486. GET /staged_config/global_system_notifications/{notification_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
notification_id | path | Required | Number (Integer) | text/plain | ID that is used for retrieving a staged global system notification.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2487. GET /staged_config/global_system_notifications/{notification_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notification was successfully retrieved.
404 | 1002 | No staged global system notification was found for the provided notification ID.
500 | 1020 | An error occurred during the retrieval of the notification.

Response Description

The associated staged global system notification object. A notification contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - Double - The notification criteria value (the threshold that is compared with the operator).
v message - String - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

POST /staged_config/global_system_notifications/{notification_id}
Updates an existing staged global system notification.

Updates an existing staged global system notification.


Table 2488. POST /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 2489. POST /staged_config/global_system_notifications/{notification_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
notification_id | path | Required | Number (Integer) | text/plain | ID that is used for updating a staged global system notification.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2490. POST /staged_config/global_system_notifications/{notification_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
notification | Object | application/json | The updated global system notification object. | { "id": 1, "name": "Systemloadover1minute", "operator": "GT", "value": 3.6, "message": "If your system continues to exhibit this behavior, please contact Customer Support.", "enabled": true, "isDefault": true }

Table 2491. POST /staged_config/global_system_notifications/{notification_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notification was successfully updated.
404 | 1002 | No staged global system notification was found for the provided notification ID.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred during the retrieval of the notification.

Response Description

The associated updated staged global system notification object. A notification contains the following
fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - Double - The notification criteria value (the threshold that is compared with the operator).
v message - String - The notification message.
v default - Boolean - Whether the notification message is modified by the user or not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
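
The read-modify-write cycle that the two endpoints above imply (GET the staged object, change the threshold, POST the whole object back) is shown below as an added example; it is not code from the IBM guide. The console address, API version, SEC token and the in-memory stand-in for the server are assumptions, and the sample notification record is constructed. The transport is injected so the same functions work against a real console with any HTTP client.

```python
"""Read and update a staged global system notification (added example, not IBM code)."""
import json
from typing import Callable, Dict, Optional, Tuple

API_BASE = "https://qradar.example.com/api"   # assumed console address
API_VERSION = "9.0"                           # assumed; pin the version you validated against
NOTIFICATIONS = "/staged_config/global_system_notifications/"

# A transport performs (method, url, headers, body) -> (status, response bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def api_headers(sec_token: str, fields: Optional[str] = None) -> Dict[str, str]:
    """Headers QRadar expects: the SEC token, an explicit Version, and a JSON Accept."""
    headers = {"SEC": sec_token, "Version": API_VERSION, "Accept": "application/json"}
    if fields:
        headers["fields"] = fields   # on the POST endpoint 'fields' is a header, not a query parameter
    return headers


def get_notification(transport: Transport, sec_token: str, notification_id: int) -> Dict:
    """GET one staged notification; HTTP 404 (unique code 1002) becomes LookupError."""
    url = f"{API_BASE}{NOTIFICATIONS}{int(notification_id)}"
    status, raw = transport("GET", url, api_headers(sec_token), None)
    if status == 404:
        raise LookupError(f"no staged notification with id {notification_id}")
    if status != 200:
        raise RuntimeError(f"GET {url} failed with HTTP {status}: {raw!r}")
    return json.loads(raw)


def set_threshold(transport: Transport, sec_token: str, notification_id: int,
                  value: float, enabled: Optional[bool] = None) -> Dict:
    """Fetch the current object, change value (a Double) and optionally enabled, POST it back.

    Only id, value and enabled are requested in the reply, via the 'fields' header.
    """
    current = get_notification(transport, sec_token, notification_id)
    updated = dict(current)
    updated["value"] = float(value)
    if enabled is not None:
        updated["enabled"] = bool(enabled)
    url = f"{API_BASE}{NOTIFICATIONS}{int(notification_id)}"
    headers = api_headers(sec_token, fields="id,value,enabled")
    headers["Content-Type"] = "application/json"
    status, raw = transport("POST", url, headers, json.dumps(updated).encode())
    if status == 404:
        raise LookupError(f"no staged notification with id {notification_id}")
    if status == 422:
        raise ValueError(f"rejected by the API (unique code 1005): {raw.decode()}")
    if status != 200:
        raise RuntimeError(f"POST {url} failed with HTTP {status}: {raw!r}")
    return json.loads(raw)


def fake_transport(store: Dict[int, Dict]) -> Transport:
    """In-memory stand-in for the console that answers with the codes from the tables above."""
    prefix = f"{API_BASE}{NOTIFICATIONS}"

    def transport(method, url, headers, body):
        nid = int(url[len(prefix):])
        if nid not in store:
            return 404, b'{"code": 1002, "message": "notification not found"}'
        if method == "POST":
            payload = json.loads(body or b"{}")
            if not isinstance(payload.get("value"), (int, float)):
                return 422, b'{"code": 1005, "message": "value must be numeric"}'
            store[nid].update(payload)
        obj = store[nid]
        wanted = headers.get("fields")
        if wanted:   # fields that are not named are excluded
            obj = {k: obj[k] for k in wanted.split(",") if k in obj}
        return 200, json.dumps(obj).encode()

    return transport


# Constructed sample record, shaped like the response schema documented above.
SAMPLE_STORE = {
    1: {"id": 1, "name": "System load over 1 minute", "operator": "GT", "value": 3.6,
        "message": "If your system continues to exhibit this behavior, please contact Customer Support.",
        "enabled": True, "default": True},
}
```

Because the update is a full-object POST rather than a partial patch, always start from the object the console returned; posting a hand-built object drops fields you did not think of. Remember that a staged change only takes effect once the staged configuration is deployed.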

GET /staged_config/remote_networks
Retrieves a list of staged remote networks.

Retrieves the list of staged remote networks.


Table 2492. GET /staged_config/remote_networks resource details
MIME Type
application/json

Table 2493. GET /staged_config/remote_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2494. GET /staged_config/remote_networks response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote networks list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of staged remote networks.

Response Description

A list of staged remote networks.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_networks
Adds a new staged remote network.

Creates a new staged remote network.

Table 2495. POST /staged_config/remote_networks resource details
MIME Type
application/json

Table 2496. POST /staged_config/remote_networks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2497. POST /staged_config/remote_networks request body details
Parameter | Data Type | MIME Type | Description | Sample
network | Object | application/json | The new remote network object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 2498. POST /staged_config/remote_networks response codes


HTTP Response Code Unique Code Description
201 The new staged remote network was successfully created.
409 1008 The remote network name already exists in the selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the creation of the remote network.

Response Description

The associated newly created staged remote network object.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /staged_config/remote_networks/{network_id}
Retrieves a staged remote network by ID.

Retrieves a staged remote network by ID.


Table 2499. GET /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 2500. GET /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to retrieve a staged remote network.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2501. GET /staged_config/remote_networks/{network_id} response codes


HTTP Response Code Unique Code Description
200 The staged remote network was successfully retrieved.
404 1002 No staged remote network was found with the provided ID.
500 1020 An error occurred during the retrieval of the remote network.

Response Description

The associated staged remote network object.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_networks/{network_id}
Updates an existing staged remote network.

Updates an existing staged remote network.

Table 2502. POST /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 2503. POST /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to update a staged remote network.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2504. POST /staged_config/remote_networks/{network_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
network | Object | application/json | The updated remote network object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 2505. POST /staged_config/remote_networks/{network_id} response codes


HTTP Response Code Unique Code Description
200 The staged remote network was successfully updated.
404 1002 No staged remote network was found for the provided network ID.
409 1008 The remote network name already exists in the selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the update of the remote network.

Response Description

The associated updated staged remote network object.


v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

DELETE /staged_config/remote_networks/{network_id}
Deletes an existing staged remote network.

Deletes an existing staged remote network.


Table 2506. DELETE /staged_config/remote_networks/{network_id} resource details
MIME Type
text/plain

Table 2507. DELETE /staged_config/remote_networks/{network_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
network_id | path | Required | Number (Integer) | text/plain | ID that is used to locate the staged remote network.

Table 2508. DELETE /staged_config/remote_networks/{network_id} response codes


HTTP Response Code Unique Code Description
204 The staged remote network was successfully deleted.
404 1002 No staged remote network was found for the provided network ID.
500 1020 An error occurred during the deletion of the remote network.

Response Description

Response Sample

GET /staged_config/remote_services
Retrieves a list of staged remote services.

Retrieves the list of staged remote services.


Table 2509. GET /staged_config/remote_services resource details
MIME Type
application/json

Table 2510. GET /staged_config/remote_services request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2511. GET /staged_config/remote_services response codes
HTTP Response Code | Unique Code | Description
200 | | The staged remote services list was successfully retrieved.
500 | 1020 | An internal server error occurred during the retrieval of the list of staged remote services.

Response Description

A list of staged remote services.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_services
Adds a staged remote service.

Creates a staged remote service.


Table 2512. POST /staged_config/remote_services resource details
MIME Type
application/json

Table 2513. POST /staged_config/remote_services request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2514. POST /staged_config/remote_services request body details
Parameter | Data Type | MIME Type | Description | Sample
service | Object | application/json | The new remote service object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 2515. POST /staged_config/remote_services response codes


HTTP Response Code Unique Code Description
201 The new staged remote service was successfully created.
409 1008 The remote service name already exists in the selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the creation of the remote service.

Response Description

The associated newly created staged remote service object.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /staged_config/remote_services/{service_id}
Retrieves a staged remote service by ID.

Retrieves a staged remote service by ID.

Table 2516. GET /staged_config/remote_services/{service_id} resource details
MIME Type
application/json

Table 2517. GET /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for the retrieval of a staged remote service.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2518. GET /staged_config/remote_services/{service_id} response codes


HTTP Response Code Unique Code Description
200 The staged remote service was successfully retrieved.
404 1002 No staged remote service was found with the provided ID.
500 1020 An error occurred during the retrieval of the remote service.

Response Description

The associated staged remote service object.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_services/{service_id}
Updates an existing staged remote service.

Updates an existing staged remote service.


Table 2519. POST /staged_config/remote_services/{service_id} resource details
MIME Type
application/json

Table 2520. POST /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for updating a staged remote service.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas.

Table 2521. POST /staged_config/remote_services/{service_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
service | Object | application/json | The updated remote service object. | { "cidrs": [ "String" ], "description": "String", "group": "String", "id": 42, "name": "String" }

Table 2522. POST /staged_config/remote_services/{service_id} response codes


HTTP Response Code Unique Code Description
200 The staged remote service was successfully updated.
404 1002 No staged remote service was found for the provided service ID.
409 1008 The remote service name already exists in the selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the update of the remote service.

Response Description

The associated updated staged remote service object.


v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
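
The staged remote network endpoints (GET/POST /staged_config/remote_networks) and the staged remote service endpoints above take the same {name, group, description, cidrs} object and answer with the same two rejections: 409 (unique code 1008) when the name already exists in the selected group, and 422 (1005) when a request parameter is invalid. The added example below, which is not IBM code, applies those two rules client-side before anything is staged, and assembles the POST for either collection. The strict CIDR parsing (host bits set is an error) and the merging of overlapping ranges are this example's own policy; the guide does not say whether the API does either. The existing entries and the new objects are constructed sample data.

```python
"""Client-side checks for staged remote network / remote service objects (added example, not IBM code)."""
import ipaddress
from typing import Dict, Iterable, List


class DuplicateEntry(ValueError):
    """Local equivalent of HTTP 409, unique code 1008: the name already exists in the group."""


def normalise_cidrs(cidrs: Iterable[str]) -> List[str]:
    """Parse each CIDR strictly (host bits set -> ValueError) and merge overlapping or adjacent ranges.

    Merging is this example's choice; the guide does not state whether the API does it.
    """
    networks = []
    for text in cidrs:
        try:
            networks.append(ipaddress.ip_network(str(text).strip(), strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {text!r}: {exc}") from exc
    merged = list(ipaddress.collapse_addresses([n for n in networks if n.version == 4]))
    merged += list(ipaddress.collapse_addresses([n for n in networks if n.version == 6]))
    return [str(n) for n in merged]


def prepare_entry(entry: Dict, existing: Iterable[Dict]) -> Dict:
    """Return a cleaned object ready to POST, or raise the way the API would (422 or 409)."""
    name = str(entry.get("name") or "").strip()
    group = str(entry.get("group") or "").strip()
    if not name or not group:
        raise ValueError("name and group are required")           # the API answers 422 (1005)
    cidrs = entry.get("cidrs") or []
    if not cidrs:
        raise ValueError("at least one CIDR is required")          # assumed to be 422 as well
    for other in existing:                                         # mirrors 409 (1008)
        if other.get("group") == group and other.get("name") == name:
            raise DuplicateEntry(
                f"{name!r} already exists in group {group!r} (id {other.get('id')})")
    return {
        "name": name,
        "group": group,
        "description": str(entry.get("description") or ""),
        "cidrs": normalise_cidrs(cidrs),
    }


def post_request(kind: str, entry: Dict, existing: Iterable[Dict], sec_token: str) -> Dict:
    """Assemble the POST for either collection; kind is remote_networks or remote_services.

    The Version value is an assumption; pin the API version you validated against.
    """
    if kind not in ("remote_networks", "remote_services"):
        raise ValueError(f"unknown staged collection: {kind}")
    return {
        "method": "POST",
        "path": f"/api/staged_config/{kind}",
        "headers": {"SEC": sec_token, "Version": "9.0", "Content-Type": "application/json"},
        "body": prepare_entry(entry, existing),
    }


# Constructed sample of what GET /staged_config/remote_networks might already hold.
EXISTING_NETWORKS = [
    {"id": 7, "name": "Branch-Office", "group": "Offices", "description": "", "cidrs": ["10.1.0.0/16"]},
]
```

Pass the current list from the GET endpoint as `existing` so the 409 is caught before the round trip; the name match is exact, because the guide only says the name "already exists in the selected group". Remember that the staged object does not take effect until the staged configuration is deployed.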

DELETE /staged_config/remote_services/{service_id}
Deletes an existing staged remote service.

Deletes an existing staged remote service.


Table 2523. DELETE /staged_config/remote_services/{service_id} resource details
MIME Type
text/plain

Table 2524. DELETE /staged_config/remote_services/{service_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
service_id | path | Required | Number (Integer) | text/plain | ID that is used for locating the staged remote service.

Table 2525. DELETE /staged_config/remote_services/{service_id} response codes


HTTP Response Code Unique Code Description
204 The staged remote service was successfully deleted.
404 1002 No staged remote service was found for the provided service ID.
500 1020 An error occurred during the deletion of the remote service.

Response Description

Response Sample

DELETE /staged_config/yara_rules
Deletes all Yara rules from the QRadar system.

Deletes all Yara rules from the QRadar system.


Table 2526. DELETE /staged_config/yara_rules resource details
MIME Type
text/plain

There are no parameters for this endpoint.


Table 2527. DELETE /staged_config/yara_rules response codes
HTTP Response Code Unique Code Description
204 Yara rules were successfully deleted from the system.
500 1020 An error occurred during the attempt to delete the Yara rules.

Response Description

In case of an error, the method returns an exception.

Response Sample

PUT /staged_config/yara_rules
Uploads the supplied Yara rule file to the QRadar system. If the provided Yara file is empty, all rules are
deleted from the system.

Uploads the supplied Yara rule file to the QRadar system.
Table 2528. PUT /staged_config/yara_rules resource details
MIME Type
text/plain

Table 2529. PUT /staged_config/yara_rules request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/zip | Required - The Yara rule file. Must be properly-formed Yara rule content, either a TEXT file, or a TEXT file within a ZIP or TAR.GZ archive. Must be provided with MIME type text/plain, application/zip, application/x-gzip or multipart/form-data. | File

Table 2530. PUT /staged_config/yara_rules response codes


HTTP Response Code Unique Code Description
200 The supplied Yara rule file was uploaded.
422 1101 Must be a correctly-formatted Yara rule file.
422 1103 The archive file must only contain a single Yara rule file.
422 1107 Invalid archive file was provided.
500 1104 Failed to extract the contents of the archive file.
500 1105 Yara validator script was terminated owing to timeout.
500 1106 Yara validator script encountered an unknown exception.

Response Description

In case of an error, the method returns an exception.

Response Sample
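
Two of the rejections above are easy to trip over from a script: an archive with more than one member (422, unique code 1103) and an unreadable archive (422, 1107), and an empty text file silently deletes every rule. The added example below, which is not IBM code, packages a rule file for the PUT, picks one of the MIME types listed in the request body table, and refuses locally what the endpoint would reject. The extension-to-MIME mapping is an assumption, and the rule text and archives are constructed for the demonstration; Yara syntax itself is not checked here (the console's validator does that).

```python
"""Package and pre-check a Yara rule upload for PUT /staged_config/yara_rules (added example, not IBM code)."""
import io
import tarfile
import zipfile
from typing import Dict, List, Tuple

# File extension -> one of the MIME types the request body table accepts (assumed mapping).
MIME_BY_EXTENSION = {
    "yar": "text/plain", "yara": "text/plain", "txt": "text/plain",
    "zip": "application/zip", "gz": "application/x-gzip", "tgz": "application/x-gzip",
}


def archive_members(data: bytes, mime: str) -> List[str]:
    """Names of the regular files in a ZIP or TAR.GZ archive; unreadable input -> ValueError (as 422/1107)."""
    buf = io.BytesIO(data)
    if mime == "application/zip":
        if not zipfile.is_zipfile(buf):
            raise ValueError("invalid archive file: not a ZIP")
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return [info.filename for info in zf.infolist() if not info.is_dir()]
    try:
        with tarfile.open(fileobj=buf, mode="r:gz") as tf:
            return [m.name for m in tf.getmembers() if m.isfile()]
    except (tarfile.TarError, OSError, EOFError) as exc:
        raise ValueError(f"invalid archive file: {exc}") from exc


def prepare_upload(filename: str, data: bytes, allow_empty: bool = False) -> Tuple[str, bytes]:
    """Return (Content-Type, body) for the PUT, refusing what the endpoint would reject with 422.

    An empty text file is refused unless allow_empty is set, because the endpoint deletes
    every Yara rule when it receives an empty file.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    mime = MIME_BY_EXTENSION.get(ext)
    if mime is None:
        raise ValueError(f"unsupported file type: {filename!r}")
    if mime == "text/plain":
        if not data.strip() and not allow_empty:
            raise ValueError("empty rule file would delete all Yara rules; pass allow_empty=True")
        return mime, data
    members = archive_members(data, mime)
    if len(members) != 1:                      # the endpoint answers 422, unique code 1103
        raise ValueError(f"archive must contain exactly one Yara rule file, found {len(members)}")
    return mime, data


def make_zip(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used here only to construct sample inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_targz(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory TAR.GZ (used here only to construct sample inputs)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed rule text for the demonstration.
SAMPLE_RULE = b'rule demo_marker { strings: $s = "QRadar" condition: $s }\n'
```

Send the returned body with the returned Content-Type (plus the SEC and Version headers) as the PUT payload. Treat the delete-on-empty behaviour as a change-control event: a script that uploads whatever file it is handed can wipe the rule set with a zero-byte input.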

System endpoints
Use the references for REST API V8.0 system endpoints.

GET /system/information/locales
Retrieves a list of locales from the system, with the option to include samples.

Retrieves a list of locales from the system, with the option to include samples.
Table 2531. GET /system/information/locales resource details
MIME Type
application/json

Table 2532. GET /system/information/locales request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
sample_type | query | Optional | String | text/plain | Optional - The type of samples for the locale. Currently the only supported option is NUMBER.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2533. GET /system/information/locales response codes


HTTP Response Code Unique Code Description
200 The requested list of locales was retrieved.
500 1020 An error occurred during the attempt to retrieve the list of locales.

Response Description

A list of locales. A locale contains the following fields:


v id - String - The tag of the locale.
v label - String - The name of the locale.
v sample - String - The optional sample for the locale.

Response Sample
[
{
"id": "sq",
"label": "Albanian",
"sample": "1 234 567,89"
},
{
"id": "sq-AL",
"label": "Albanian (Albania)",
"sample": "1 234 567,89"
},
{
"id": "ar",
"label": "Arabic",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
},
{
"id": "ar-DZ",
"label": "Arabic (Algeria)",
"sample": "1.234.567,89"
},
{
"id": "ar-BH",
"label": "Arabic (Bahrain)",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
}
]

GET /system/servers
Retrieve a list of all server hosts in the deployment.
Table 2534. GET /system/servers resource details
MIME Type
application/json

Table 2535. GET /system/servers request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2536. GET /system/servers response codes


HTTP Response Code Unique Code Description
200 The requested list of server records has been successfully retrieved.
500 1020 An error has occurred while trying to retrieve the requested servers.

Response Description

A list of the servers. A server record contains the following fields:

v hostname - String - The hostname of the server
v managed_host_id - Number - The ID of the managed host that the server host belongs to
v private_ip - String - The private IP address of this server
v server_id - Number - The ID of the server
v status - String - The status of this server

Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,

"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id}
Retrieve a server host based on the supplied server ID.
Table 2537. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 2538. GET /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2539. GET /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested server record has been retrieved.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given ID.

Response Description

A server record containing the following fields:

v email_server_address - String - The email server address
v hostname - String - The hostname of the server
v managed_host_id - Number - The ID of the managed host that the server host belongs to
v private_ip - String - The private IP address of this server
v server_id - Number - The ID of the server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,

"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id}
Updates an existing server.
Table 2540. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 2541. POST /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.

Table 2542. POST /system/servers/{server_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - A server details record containing the following field: email_server_address - String - email server address. Must be a valid server address that the server can connect to through port 25. | { "email_server_address": "String" }

Table 2543. POST /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The server record has been updated.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
422 | 1006 | Cannot connect to the mail server address on port 25.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given ID.

Response Description

The updated server record containing the following fields:

v email_server_address - String - The email server address
v hostname - String - The hostname of the server
v managed_host_id - Number - The ID of the managed host that the server host belongs to
v private_ip - String - The private IP address of this server
v server_id - Number - The ID of the server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",

"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules
Retrieve a list of access control firewall rules based on the supplied server ID.
Table 2544. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2545. GET /system/servers/{server_id}/firewall_rules request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2546. GET /system/servers/{server_id}/firewall_rules response codes

HTTP Response Code Unique Code Description
200 The rules records have been retrieved.
404 1002 The requested server with the given server_id cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the requested access control firewall rules on the server with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules
Set the access control firewall rules based on the supplied server ID.
Table 2547. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2548. PUT /system/servers/{server_id}/firewall_rules request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The id of the server.

Table 2549. PUT /system/servers/{server_id}/firewall_rules request body details

Parameter Data Type MIME Type Description Sample
rules Array<Object> application/json Required - A list of new rules in a JSON string. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address.
Sample: [ { "is_any_source_ip": true, "port_range": "String", "port_type": "String <one of: ANY, SINGLE, RANGE>", "protocol": "String <one of: ANY, TCP, UDP>", "single_port": "String", "source_ip": "String" } ]

Table 2550. PUT /system/servers/{server_id}/firewall_rules response codes

HTTP Response Code Unique Code Description
200 The rules have been updated.
404 1002 The requested server with the given server_id cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to set the access control firewall rules on the server with the given Id.

Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]
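A client-side counterpart to the GET and PUT firewall_rules endpoints above, added here as an example (it is not code from this guide or from IBM): it validates rule records against the documented field constraints, audits a retrieved rule list for entries that accept any source IP, and assembles the PUT request without sending it. The SEC and Version headers are the ones the QRadar REST API uses for the authorized service token and the API version; the base URL, the token value and the version value are placeholders, and SAMPLE_RULES is a constructed stand-in for a GET response.

```python
"""Client-side validation and audit of QRadar server firewall rules.

Added example for GET/PUT /system/servers/{server_id}/firewall_rules; it is
not code from the QRadar API guide.  Field names and enum values are the ones
documented for the endpoints.  The base URL, the SEC token and the Version
header value are placeholders (assumptions), and SAMPLE_RULES is constructed.
"""
import ipaddress
import json
import re

PORT_TYPES = {"ANY", "SINGLE", "RANGE"}
PROTOCOLS = {"ANY", "TCP", "UDP"}
_PORT_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")

# Constructed sample of what GET .../firewall_rules might return.
SAMPLE_RULES = [
    {"is_any_source_ip": False, "source_ip": "10.0.0.5", "port_type": "SINGLE",
     "single_port": "443", "port_range": None, "protocol": "TCP"},
    {"is_any_source_ip": True, "source_ip": None, "port_type": "RANGE",
     "single_port": None, "port_range": "514-515", "protocol": "UDP"},
]


def _valid_port(value):
    """True for a decimal port string in 1-65535."""
    return isinstance(value, str) and value.isdigit() and 0 < int(value) <= 65535


def validate_rule(rule):
    """Return the problems found in one rule record (an empty list means valid)."""
    problems = []
    port_type = rule.get("port_type")
    if port_type not in PORT_TYPES:
        problems.append("port_type must be one of ANY, SINGLE, RANGE")
    if rule.get("protocol") not in PROTOCOLS:
        problems.append("protocol must be one of ANY, TCP, UDP")
    if port_type == "SINGLE" and not _valid_port(rule.get("single_port")):
        problems.append("single_port must be a port number in 1-65535")
    if port_type == "RANGE":
        match = _PORT_RANGE_RE.match(rule.get("port_range") or "")
        if not match or not (0 < int(match.group(1)) <= int(match.group(2)) <= 65535):
            problems.append("port_range must be start-end with 1 <= start <= end <= 65535")
    any_source = rule.get("is_any_source_ip")
    if not isinstance(any_source, bool):
        problems.append("is_any_source_ip must be a boolean")
    elif not any_source:
        try:
            ipaddress.ip_address(rule.get("source_ip") or "")
        except ValueError:
            problems.append("source_ip must be a valid IP address when is_any_source_ip is false")
    return problems


def validate_rules(rules):
    """Map rule index -> problems, listing only the rules that have problems."""
    found = {}
    for index, rule in enumerate(rules):
        problems = validate_rule(rule)
        if problems:
            found[index] = problems
    return found


def audit_rules(rules):
    """Flag rules that expose a server to every source address.

    A rule with is_any_source_ip true and port_type ANY is as permissive as
    having no access control on the server at all; review these before
    re-applying a list with PUT, which replaces the whole rule set.
    """
    findings = []
    for index, rule in enumerate(rules):
        if rule.get("is_any_source_ip") is True:
            if rule.get("port_type") == "ANY":
                findings.append((index, "any source IP on any port"))
            elif rule.get("protocol") == "ANY":
                findings.append((index, "any source IP, any protocol"))
    return findings


def build_put_request(server_id, rules, base_url="https://qradar.example.com/api",
                      token="<SEC-TOKEN>", api_version="<API-VERSION>"):
    """Assemble the PUT request as a dict without sending it.

    Raises ValueError so that an invalid body never leaves the client.  The
    SEC header carries the authorized service token and the Version header
    selects the API version; all three defaults here are placeholders.  The
    body is the rules array itself, as the request body sample shows.
    """
    problems = validate_rules(rules)
    if problems:
        raise ValueError(f"invalid rules: {problems}")
    return {
        "method": "PUT",
        "url": f"{base_url}/system/servers/{int(server_id)}/firewall_rules",
        "headers": {"SEC": token, "Version": api_version,
                    "Content-Type": "application/json", "Accept": "application/json"},
        "body": json.dumps(rules),
    }


if __name__ == "__main__":
    print("problems:", validate_rules(SAMPLE_RULES))
    print("findings:", audit_rules(SAMPLE_RULES))
    print(build_put_request(7, SAMPLE_RULES)["url"])
```

Run the audit over the GET response before re-applying rules with PUT: the PUT replaces the whole list, so a rule with is_any_source_ip true and port_type ANY that slips through turns access control off for that server.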

GET /system/servers/{server_id}/network_interfaces/bonded
Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 2551. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 2552. GET /system/servers/{server_id}/network_interfaces/bonded request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The id of the server.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2553. GET /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response Code Unique Code Description
200 A list of the bonded network interfaces were retrieved.
404 1002 The requested server with the given server ID cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: YES, NO, UNKNOWN
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
v slaves - List - The slaves of the bonded network interface. Each slave record contains the following fields:
– device_name - String - The name of the slave interface.
– desc - String - The description of the slave interface.
– role - String - The role of the slave interface. One of: slave, slave_disabled
– is_cable_linked - String - Is the slave interface cable linked? One of: true, false, unknown

Response Sample
[
  {
    "bonding_opts": "String",
    "desc": "String",
    "device_name": "String",
    "hacrossover_params": {
      "String": "String"
    },
    "ip": "String",
    "ipversion": "String <one of: ipv4, ipv6>",
    "is_auto_ip": true,
    "is_cable_linked": "String <one of: true, false, unknown>",
    "is_moving_config_with_active_ha": true,
    "mask": "String",
    "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
    "slaves": [
      {
        "desc": "String",
        "device_name": "String",
        "is_cable_linked": "String <one of: true, false, unknown>",
        "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
      }
    ]
  }
]

POST /system/servers/{server_id}/network_interfaces/bonded
Creates a new bonded network interface.
Table 2554. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 2555. POST /system/servers/{server_id}/network_interfaces/bonded request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.

Table 2556. POST /system/servers/{server_id}/network_interfaces/bonded request body details

Parameter Data Type MIME Type Description Sample
details Object application/json Required - The details of the bonded network interface that contains the following fields:
v role - String - The role of the network interface. One of: regular, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the ip and the mask must not be the same subnet that is configured on the management interface.
v is_auto_ip - Boolean - Is the address auto-configured? Required.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
Sample: { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }

Table 2557. POST /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response Code Unique Code Description
201 The bonded network interface was created.
404 1002 The requested server with the given server_id cannot be found.
409 1004 The ip address has been used by another network interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to create the bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The created bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface or a slave interface of another bonded network interface. The array must contain at least one ethernet interface.

Response Sample
{
  "bonding_opts": "String",
  "desc": "String",
  "device_name": "String",
  "hacrossover_params": {
    "String": "String"
  },
  "ip": "String",
  "ipversion": "String <one of: ipv4, ipv6>",
  "is_auto_ip": true,
  "is_cable_linked": "String <one of: true, false, unknown>",
  "is_moving_config_with_active_ha": true,
  "mask": "String",
  "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
  "slaves": [
    {
      "desc": "String",
      "device_name": "String",
      "is_cable_linked": "String <one of: true, false, unknown>",
      "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
    }
  ]
}

POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
Updates an existing bonded network interface.
Table 2558. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
application/json

Table 2559. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
device_name path Required String text/plain Required - The name of an existing bonded network interface. The interface cannot be the management interface or HA crossover interface. The interface must be cable linked.

Table 2560. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request body details

Parameter Data Type MIME Type Description Sample
details Object application/json Required - The details of the bonded network interface that contains the following fields:
v role - String - The role of the network interface. One of: regular, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v is_auto_ip - Boolean - Is the IP address auto-configured? Required.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface, or a slave interface of another bonded network interface. If slaves is not null, the slaves in this array override the existing slaves of the bonded interface. When not null, the array must contain at least one ethernet interface. If null, the endpoint does not change the existing slave interfaces.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
Sample: { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }

Table 2561. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes

HTTP Response Code Unique Code Description
200 The bonded network interface was updated.
404 1002 The requested server with the given server ID cannot be found.
409 1004 The ip address has been used by another network interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the specified bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has two fields: device_name and role. The role is slave or slave_disabled.

Response Sample
{
  "bonding_opts": "String",
  "desc": "String",
  "device_name": "String",
  "hacrossover_params": {
    "String": "String"
  },
  "ip": "String",
  "ipversion": "String <one of: ipv4, ipv6>",
  "is_auto_ip": true,
  "is_cable_linked": "String <one of: true, false, unknown>",
  "is_moving_config_with_active_ha": true,
  "mask": "String",
  "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
  "slaves": [
    {
      "desc": "String",
      "device_name": "String",
      "is_cable_linked": "String <one of: true, false, unknown>",
      "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
    }
  ]
}

DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
Removes a bonded network interface.
Table 2562. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
text/plain

Table 2563. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
device_name path Required String text/plain Required - The device name of the bonded network interface.

Table 2564. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes

HTTP Response Code Unique Code Description
200 The bonded network interface was removed.
404 1002 The requested server with the given server ID or the bonded network interface cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to remove the bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

Response Sample

GET /system/servers/{server_id}/network_interfaces/ethernet
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 2565. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 2566. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The id of the server.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2567. GET /system/servers/{server_id}/network_interfaces/ethernet response codes

HTTP Response Code Unique Code Description
200 A list of the ethernet network interfaces were retrieved.
404 1002 The requested server with the given server ID cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: true, false, unknown.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.

Response Sample
[
  {
    "desc": "String",
    "device_name": "String",
    "hacrossover_params": {
      "String": "String"
    },
    "ip": "String",
    "ipversion": "String <one of: ipv4, ipv6>",
    "is_auto_ip": true,
    "is_cable_linked": "String <one of: true, false, unknown>",
    "is_moving_config_with_active_ha": true,
    "mask": "String",
    "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
  }
]

POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
Updates an ethernet network interface based on the supplied server_id and device_name.
Table 2568. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} resource details
MIME Type
application/json

Table 2569. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
device_name path Required String text/plain Required - The name of an existing ethernet network interface. The interface cannot be the management interface, HA crossover interface or a slave of a bonded interface. The interface must be cable linked.

Table 2570. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request body details

Parameter Data Type MIME Type Description Sample
details Object application/json Required - An ethernet network interface record containing the following fields:
v role - String - The role of the network interface. One of: regular, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface. Required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v is_auto_ip - Boolean - Is the IP auto-configured? Required.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
Sample: { "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>" }

Table 2571. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} response codes

HTTP Response Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server ID cannot be found.
409 1004 The ip address has been used by another network interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the specified ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The updated ethernet network interface containing the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.

Response Sample
{
  "desc": "String",
  "device_name": "String",
  "hacrossover_params": {
    "String": "String"
  },
  "ip": "String",
  "ipversion": "String <one of: ipv4, ipv6>",
  "is_auto_ip": true,
  "is_cable_linked": "String <one of: true, false, unknown>",
  "is_moving_config_with_active_ha": true,
  "mask": "String",
  "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
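The bonded-interface create and update bodies and the ethernet update body above share one set of rules: which of ip and mask are required for a given ipversion and is_auto_ip, the subnet computed from ip and mask must not be the management subnet, is_moving_config_with_active_ha may be true only on an active HA server host, and a bond's slaves must be existing ethernet interfaces that are not the management interface, the HA crossover interface or a slave of another bond. The following is an added example that checks a request body against those rules before it is sent; it is not code from this guide or from IBM. It assumes the ethernet inventory was fetched with GET .../network_interfaces/ethernet and reduced to a device_name -> role map; MGMT_IP, MGMT_MASK and ETHERNET_ROLES are constructed sample values.

```python
"""Client-side checks for the QRadar network-interface request bodies.

Added example for POST .../network_interfaces/bonded, POST
.../network_interfaces/bonded/{device_name} and POST
.../network_interfaces/ethernet/{device_name}; it is not code from the QRadar
API guide.  The checks encode the constraints those endpoint descriptions
state (which of ip and mask are required, the management-subnet restriction,
the active-HA restriction and the slave constraints).  MGMT_IP, MGMT_MASK and
ETHERNET_ROLES are a constructed inventory of the kind that
GET .../network_interfaces/ethernet would return.
"""
import ipaddress

SETTABLE_ROLES = {"regular", "monitor", "disabled"}
IP_VERSIONS = {"ipv4", "ipv6"}
# Roles that disqualify an ethernet interface from becoming a bond slave.
NOT_SLAVE_ROLES = {"management", "hacrossover", "hacrossover_disabled", "slave", "slave_disabled"}

# Constructed sample inventory: the management address and device_name -> role.
MGMT_IP, MGMT_MASK = "10.0.0.5", "255.255.255.0"
ETHERNET_ROLES = {"eth0": "management", "eth1": "regular", "eth2": "regular", "eth3": "slave"}


def subnet_of(ip, mask):
    """The network computed from an address and netmask, or None if unparsable."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError:
        return None


def validate_interface_details(details, mgmt_ip=MGMT_IP, mgmt_mask=MGMT_MASK, *, is_active_ha=False):
    """Problems in the fields shared by the ethernet and bonded request bodies."""
    problems = []
    if details.get("role") not in SETTABLE_ROLES:
        problems.append("role must be one of regular, monitor, disabled")
    ipversion = details.get("ipversion")
    if ipversion not in IP_VERSIONS:
        problems.append("ipversion must be ipv4 or ipv6")
    is_auto_ip = details.get("is_auto_ip")
    if not isinstance(is_auto_ip, bool):
        problems.append("is_auto_ip is required and must be a boolean")
    ip, mask = details.get("ip"), details.get("mask")
    # ip is required for ipv4, and for ipv6 unless the address is auto-configured.
    if (ipversion == "ipv4" or (ipversion == "ipv6" and is_auto_ip is False)) and not ip:
        problems.append("ip is required for this ipversion/is_auto_ip combination")
    if ipversion == "ipv4" and not mask:
        problems.append("mask is required when ipversion is ipv4")
    if ip and mask:
        new_net, mgmt_net = subnet_of(ip, mask), subnet_of(mgmt_ip, mgmt_mask)
        if new_net is None:
            problems.append("ip and mask do not form a valid network")
        elif new_net == mgmt_net:
            problems.append(f"subnet {new_net} is the management subnet")
    if details.get("is_moving_config_with_active_ha") is True and not is_active_ha:
        problems.append("is_moving_config_with_active_ha can be true only on an active HA server host")
    return problems


def validate_bonded_details(details, ethernet_roles=ETHERNET_ROLES, *, updating=False, **common):
    """Bonded-interface body: the shared checks plus the slaves constraints.

    ethernet_roles maps device_name -> role.  On update, slaves may be null,
    which leaves the existing slaves of the bond unchanged.
    """
    problems = validate_interface_details(details, **common)
    slaves = details.get("slaves")
    if slaves is None:
        if not updating:
            problems.append("slaves must list at least one ethernet interface when creating a bond")
        return problems
    if not slaves:
        problems.append("slaves must contain at least one ethernet interface")
    for slave in slaves:
        name = slave.get("device_name")
        role = ethernet_roles.get(name)
        if role is None:
            problems.append(f"{name} is not an existing ethernet interface")
        elif role in NOT_SLAVE_ROLES:
            problems.append(f"{name} has role {role} and cannot be a slave")
    return problems


if __name__ == "__main__":
    bond = {"role": "regular", "ipversion": "ipv4", "ip": "10.0.0.20", "mask": "255.255.255.0",
            "is_auto_ip": False, "is_moving_config_with_active_ha": False,
            "bonding_opts": "mode=1", "slaves": [{"device_name": "eth1"}, {"device_name": "eth0"}]}
    print(validate_bonded_details(bond))
```

The management-subnet check is the one worth running locally: the endpoint rejects the body with 422 in that case, but a rejected change on a remote appliance's network settings is easier to diagnose before the call than from the error code alone.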

GET /system/servers/{server_id}/system_time_settings
Retrieves the system time and time zone settings of a server host based on the supplied server ID.
Table 2572. GET /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 2573. GET /system/servers/{server_id}/system_time_settings request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2574. GET /system/servers/{server_id}/system_time_settings response codes

HTTP Response Code Unique Code Description
200 The requested system time settings record was retrieved.
404 1002 The requested system time settings record with the given server ID cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to retrieve the requested system time settings with the given server ID.
500 1022 Timeout while performing the task.

Response Description

Server system time settings that contain the following fields:
v timezone_id - String - The current time zone.
v current_time - Long - The current epoch time (number of milliseconds after Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to synchronize the system time with configured NTP time servers.
v ntp_server_addresses - Array - The array of the configured NTP server addresses. Null if is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}

POST /system/servers/{server_id}/system_time_settings
Sets the system time and time zone settings of a server host. Services are restarted after the call and service interruptions will occur.
Table 2575. POST /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 2576. POST /system/servers/{server_id}/system_time_settings request parameter details

Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

7 Previous REST API versions 1151


Table 2577. POST /system/servers/{server_id}/system_time_settings request body details

Parameter Data Type MIME Type Description Sample
settings Object application/json Server system time settings that contain the following fields:
v timezone_id - String - The current time zone.
v is_sync_with_ntp_server - boolean - Is the NTP service used to synchronize the system time with configured NTP time servers?
v current_time - Long - The current epoch time (number of milliseconds after Epoch). This parameter must be provided when is_sync_with_ntp_server is false. This parameter must be null if is_sync_with_ntp_server is true.
v ntp_server_addresses - Array - The array of the NTP server addresses to synchronize the time with. This parameter must be provided when is_sync_with_ntp_server is true. Only the syntax and DNS lookups are checked. The reachability of the NTP servers from the server host is not verified because most NTP servers are rate limited. Four or more NTP servers are recommended for high time accuracy. Must be null if is_sync_with_ntp_server is false.
Sample: { "current_time": 42, "ntp_server_addresses": [ "String" ], "sync_with_ntp_server": true, "timezone_id": "String" }

Table 2578. POST /system/servers/{server_id}/system_time_settings response codes

HTTP Response Code Unique Code Description
200 The system time settings have been applied.
404 1002 The requested server with the given server ID cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to apply the system time settings to the server.
500 1022 Timeout during performance of the task.

Response Description

Server system time settings that contain the following fields:
v timezone_id - String - The current time zone.
v current_time - Long - The current epoch time (number of milliseconds after Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to synchronize the system time with configured NTP time servers.
v ntp_server_addresses - Array - The array of the configured NTP server addresses. Null if is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}
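The POST system_time_settings body has conditional requirements that are easy to get wrong, and a wrong body costs a service restart on the appliance: current_time must be present when is_sync_with_ntp_server is false and null when it is true, ntp_server_addresses the other way round, and the endpoint checks only the syntax and DNS resolution of the NTP addresses. The following added example (not code from this guide or from IBM) checks a body against those rules offline before it is sent, and checks timezone_id against the ids that GET /system/servers/{server_id}/timezones returns. Because the field list names the flag is_sync_with_ntp_server while the samples show sync_with_ntp_server, it accepts either spelling. The sample time zone ids and NTP addresses are constructed, and the "looks like seconds" heuristic is this example's own, not a rule from the guide.

```python
"""Client-side checks for POST /system/servers/{server_id}/system_time_settings.

Added example, not code from the QRadar API guide.  It encodes the
conditional requirements the request body table states, checks NTP address
syntax offline (the endpoint itself also does DNS lookups), and compares
timezone_id with the ids that GET .../timezones returns.
SAMPLE_TIMEZONE_IDS and the addresses in SAMPLE_SETTINGS are constructed.
"""
import ipaddress
import re

# RFC 1123 host name: labels of letters, digits and hyphens, 1-63 chars each.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
RECOMMENDED_NTP_SERVERS = 4
# Epoch milliseconds for any recent date exceed 1e11; a smaller value is almost
# certainly epoch seconds.  Heuristic of this example, not from the API guide.
MIN_PLAUSIBLE_EPOCH_MS = 10**11

# Constructed sample of ids from GET .../timezones and of a request body.
SAMPLE_TIMEZONE_IDS = {"UTC", "America/Halifax", "Europe/Berlin"}
SAMPLE_SETTINGS = {
    "timezone_id": "UTC",
    "is_sync_with_ntp_server": True,
    "current_time": None,
    "ntp_server_addresses": ["ntp1.example.com", "ntp2.example.com",
                             "ntp3.example.com", "192.0.2.10"],
}


def is_server_address(value):
    """Syntactic check only: an IP literal or a well-formed host name."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None


def validate_time_settings(settings, known_timezone_ids):
    """Return (problems, warnings); any problem means the body should not be sent."""
    problems, warnings = [], []
    if settings.get("timezone_id") not in known_timezone_ids:
        problems.append("timezone_id is not one of the ids returned by GET .../timezones")
    # The field list names it is_sync_with_ntp_server; the samples show
    # sync_with_ntp_server, so either spelling is accepted here.
    sync = settings.get("is_sync_with_ntp_server", settings.get("sync_with_ntp_server"))
    if not isinstance(sync, bool):
        problems.append("is_sync_with_ntp_server is required and must be a boolean")
        return problems, warnings
    current_time = settings.get("current_time")
    servers = settings.get("ntp_server_addresses")
    if sync:
        if current_time is not None:
            problems.append("current_time must be null when is_sync_with_ntp_server is true")
        if not isinstance(servers, list) or not servers:
            problems.append("ntp_server_addresses must be a non-empty array when syncing with NTP")
        else:
            bad = [s for s in servers if not is_server_address(s)]
            if bad:
                problems.append(f"malformed NTP server addresses: {bad}")
            if len(servers) < RECOMMENDED_NTP_SERVERS:
                warnings.append(f"{len(servers)} NTP servers configured; "
                                f"{RECOMMENDED_NTP_SERVERS} or more are recommended")
    else:
        if servers is not None:
            problems.append("ntp_server_addresses must be null when is_sync_with_ntp_server is false")
        if not isinstance(current_time, int) or isinstance(current_time, bool):
            problems.append("current_time (epoch milliseconds) is required when not syncing with NTP")
        elif current_time < MIN_PLAUSIBLE_EPOCH_MS:
            warnings.append("current_time looks like epoch seconds, not milliseconds")
    return problems, warnings


if __name__ == "__main__":
    print(validate_time_settings(SAMPLE_SETTINGS, SAMPLE_TIMEZONE_IDS))
```

A warning, unlike a problem, does not block the call: fewer than four NTP servers is only a recommendation in the guide, and a current_time value in seconds would be accepted by the endpoint as a valid Long even though it sets the clock to 1970.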

GET /system/servers/{server_id}/timezones
Retrieves all the available time zones that can be set for a server.
Table 2579. GET /system/servers/{server_id}/timezones resource details
MIME Type
application/json

Table 2580. GET /system/servers/{server_id}/timezones request parameter details


Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2581. GET /system/servers/{server_id}/timezones response codes


HTTP Response Code Unique Code Description
200 The requested timezone records were retrieved.
404 1002 The requested timezone records with the given server ID cannot be
found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to retrieve the requested timezone records with the given server ID.
500 1022 Timeout during the performance of the task.

Response Description

A list of time zones that contains the following fields:


v id - String - The ID of the time zone.
v timezone - String - The formatted string representation of the timezone in the current locale.
v offset - Integer - Number of milliseconds offset to UTC time at the moment.

Response Sample
[
{
"id": "String",
"offset": 42,
"timezone": "String"
}
]



REST API V7.0 References
Each API reference provides information about the parameters, mime type, stability, and responses for
each endpoint.

Analytics endpoints
Use the references for REST API V7.0 analytics endpoints.

GET /analytics/ade_rules DEPRECATED


Retrieves a list of ADE rules.



Table 2582. GET /analytics/ade_rules resource details
MIME Type
application/json

Table 2583. GET /analytics/ade_rules request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.

Table 2584. GET /analytics/ade_rules response codes


HTTP Response Code Unique Code Description
200 The ADE rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the ADE rules.

Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.



v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}
]
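The following Python generator is an added example, not code from this guide or from QRadar: it walks a list endpoint such as GET /analytics/ade_rules page by page using the Range header described above (zero-indexed, inclusive), and passes filter and fields through as URL-encoded query parameters. It assumes a transport of the form http_get(url, headers) returning (status, response_headers, json_body), and it assumes the server reports the page it served in a Content-Range header of the form "items first-last/total"; the stub and the SAMPLE_RULES list are constructed for the example so it runs offline.

```python
"""Walk a paged QRadar list endpoint (here GET /analytics/ade_rules) with Range, filter and fields.

Assumed transport: http_get(url, headers) -> (status_code, response_headers, json_body).
Assumed response header (not shown in this part of the guide): Content-Range: items first-last/total.
"""
import re
import urllib.parse

_CONTENT_RANGE = re.compile(r"^items (\d+)-(\d+)/(\d+)$")

# Constructed sample data in the shape of the documented ADE Rule object.
SAMPLE_RULES = [
    {"id": i, "name": f"ADE rule {i}", "type": "ANOMALY" if i % 2 else "THRESHOLD",
     "enabled": i % 3 != 0, "owner": "admin"}
    for i in range(7)
]


def build_url(path, filter_expr=None, fields=None):
    """Append filter= and fields= as URL-encoded query parameters."""
    query = {}
    if filter_expr:
        query["filter"] = filter_expr
    if fields:
        query["fields"] = fields
    return path + ("?" + urllib.parse.urlencode(query) if query else "")


def iter_paged(http_get, path, page_size=50, filter_expr=None, fields=None):
    """Yield every element of the list, requesting page_size items per call.

    Range is zero-indexed and inclusive: items=0-49 asks for the first 50 elements.
    """
    url = build_url(path, filter_expr, fields)
    start = 0
    while True:
        headers = {"Range": f"items={start}-{start + page_size - 1}"}
        status, resp_headers, items = http_get(url, headers)
        if status != 200:
            raise RuntimeError(f"GET {url} [{headers['Range']}] -> HTTP {status}: {items}")
        yield from items
        match = _CONTENT_RANGE.match(resp_headers.get("Content-Range", ""))
        total = int(match.group(3)) if match else None
        start += len(items)
        # Stop on a short page, or once the reported total has been reached.
        if len(items) < page_size or (total is not None and start >= total):
            return


def make_list_stub(rules):
    """Serve slices of an in-memory rule list the way the endpoint would (constructed for this example)."""
    def http_get(url, headers):
        match = re.fullmatch(r"items=(\d+)-(\d+)", headers.get("Range", ""))
        if match:
            first, last = int(match.group(1)), int(match.group(2))
        else:
            first, last = 0, len(rules) - 1      # no Range: the whole list
        page = rules[first:last + 1]
        content_range = f"items {first}-{max(first, first + len(page) - 1)}/{len(rules)}"
        return 200, {"Content-Range": content_range}, page
    return http_get
```

With a real transport, http_get would add the SEC token or basic credentials and the Version header; keep page_size modest on large rule sets so a single slow page does not hold a session open for long.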

GET /analytics/ade_rules/{id} DEPRECATED


Retrieves an ADE rule.



Table 2585. GET /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 2586. GET /analytics/ade_rules/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the ADE rule.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2587. GET /analytics/ade_rules/{id} response codes


HTTP Response Code Unique Code Description
200 The ADE rule was retrieved.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to retrieve the ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.



Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

POST /analytics/ade_rules/{id} DEPRECATED


Updates the ADE rule owner or enabled/disabled only.



Table 2588. POST /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 2589. POST /analytics/ade_rules/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the ADE rule.
fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2590. POST /analytics/ade_rules/{id} request body details


Parameter Data Type MIME Type Description Sample
ade_rule Object application/json The ADE rule to update; only the owner and enabled fields are applied. { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 2591. POST /analytics/ade_rules/{id} response codes


HTTP Response Code Unique Code Description
200 The ADE rule was updated.
403 1009 You do not have the required capabilities to update the ADE rule.
404 1002 The ADE rule does not exist.
409 1004 The provided user does not have the required capabilities to own
the ADE rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the ADE rule.



Response Description

The ADE rule after it is updated. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

DELETE /analytics/ade_rules/{id} DEPRECATED


Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out. The check might take
some time. An asynchronous task is started to do this check.

Table 2592. DELETE /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 2593. DELETE /analytics/ade_rules/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the ADE rule.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2594. DELETE /analytics/ade_rules/{id} response codes


HTTP Response Code Unique Code Description
202 The ADE rule delete command was accepted and is in progress.
403 1009 You do not have the required capabilities to delete the ADE rule.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to delete the ADE rule.



Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/
ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/{id}/dependents DEPRECATED


Retrieves the objects that depend on the ADE rule.



Table 2595. GET /analytics/ade_rules/{id}/dependents resource details
MIME Type
application/json

Table 2596. GET /analytics/ade_rules/{id}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain Required - The ID of the ADE rule.

fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2597. GET /analytics/ade_rules/{id}/dependents response codes


HTTP Response Code Unique Code Description
202 The ADE rule dependents retrieval was accepted and is in progress.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to initiate the ADE rule
dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.



– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} DEPRECATED


Retrieves the status of an ADE rule delete task.


Table 2598. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2599. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2600. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Delete Task
Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/
ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.



Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} DEPRECATED


Retrieves the status of an ADE rule dependents task.


Table 2601. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2602. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2603. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The Dependent Task Status was retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Dependent Task Status.



Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following
fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} DEPRECATED


Cancels an ADE rule dependents task.


Table 2604. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2605. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.

fields header Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2606. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json The task status to set; post this to request cancellation of the task. { "status": "String <one of: CANCELLED, CANCELING,
CANCEL_REQUESTED,
COMPLETED, CONFLICT,
EXCEPTION, INITIALIZING,
INTERRUPTED, PAUSED,
PROCESSING, QUEUED,
RESUMING>" }

Table 2607. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The Dependent Task Status was updated.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the Dependent
Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/
ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following
fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.



v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results
DEPRECATED
Retrieves the ADE rule dependent task results.



Table 2608. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2609. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2610. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results response codes


HTTP Response Code Unique Code Description
200 The ADE rule dependents were retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the ADE rule dependents.



Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
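The Python helper below is an added example, not code from this guide or from QRadar: it chains the endpoints documented above for DELETE /analytics/ade_rules/{id} and GET /analytics/ade_rules/{id}/dependents into one safe-deletion routine. It starts the dependents task, follows the Location header to the task status URL, polls until the task reaches a terminal state, reads the Dependent objects from .../results, and only then issues the DELETE and polls the delete task the same way. It assumes a transport of the form http(method, path, body=None) returning (status, headers, json_body) and the Location header values exactly as documented. The response sample shows a blocking field that the field list does not describe, so the example refuses to delete when any dependent exists unless force=True is passed, rather than relying on that flag. The stub and the sample dependent are constructed for the example so it runs offline.

```python
"""Safe deletion of an ADE rule: run the dependency check, inspect the results, then delete.

Assumed transport: http(method, path, body=None) -> (status_code, headers, json_body).
"""
import time

# Task states after which the server will not move the task any further.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


class QRadarApiError(RuntimeError):
    """Raised when an endpoint returns something other than its documented success code."""


def poll_task(http, status_path, interval=0.0, max_polls=60):
    """GET the task status URL taken from the Location header until the task is terminal."""
    for _ in range(max_polls):
        code, _headers, task = http("GET", status_path)
        if code != 200:
            raise QRadarApiError(f"GET {status_path} -> HTTP {code}: {task}")
        if task["status"] in TERMINAL_STATES:
            return task
        time.sleep(interval)
    raise QRadarApiError(f"task {status_path} did not reach a terminal state after {max_polls} polls")


def find_dependents(http, rule_id):
    """Start the dependents task for a rule, wait for it, and return its Dependent objects."""
    code, headers, body = http("GET", f"/api/analytics/ade_rules/{rule_id}/dependents")
    if code != 202:
        raise QRadarApiError(f"dependents check for rule {rule_id} -> HTTP {code}: {body}")
    task_path = headers["Location"]
    task = poll_task(http, task_path)
    if task["status"] != "COMPLETED":
        raise QRadarApiError(f"dependents task ended in state {task['status']}: {task.get('message')}")
    code, _headers, dependents = http("GET", f"{task_path}/results")
    if code != 200:
        raise QRadarApiError(f"GET {task_path}/results -> HTTP {code}: {dependents}")
    return dependents


def delete_ade_rule(http, rule_id, force=False):
    """Delete rule_id only when nothing depends on it (or force=True); return an outcome dict."""
    dependents = find_dependents(http, rule_id)
    if dependents and not force:
        # Refuse rather than silently breaking saved searches, reports or other rules.
        return {"deleted": False, "status": None, "dependents": dependents}
    code, headers, body = http("DELETE", f"/api/analytics/ade_rules/{rule_id}")
    if code != 202:
        raise QRadarApiError(f"DELETE rule {rule_id} -> HTTP {code}: {body}")
    task = poll_task(http, headers["Location"])
    return {"deleted": task["status"] == "COMPLETED", "status": task["status"], "dependents": dependents}


def make_stub(dependents, polls_before_done=2):
    """In-memory stand-in for the endpoints used above (constructed for this example, not QRadar)."""
    state = {"next_id": 1, "tasks": {}}

    def start_task(kind):
        task_id = state["next_id"]
        state["next_id"] += 1
        path = f"/api/analytics/ade_rules/ade_rule_{kind}_tasks/{task_id}"
        state["tasks"][path] = polls_before_done
        return 202, {"Location": path}, {"id": task_id, "status": "QUEUED"}

    def http(method, path, body=None):
        if method == "GET" and path.endswith("/dependents"):
            return start_task("dependent")
        if method == "DELETE":
            return start_task("delete")
        if method == "GET" and path.endswith("/results"):
            return 200, {}, list(dependents)
        if method == "GET" and path in state["tasks"]:
            remaining = state["tasks"][path]
            state["tasks"][path] = remaining - 1
            return 200, {}, {"status": "PROCESSING" if remaining > 0 else "COMPLETED"}
        return 404, {}, {"code": 1002, "message": f"{method} {path} not found"}

    return http


if __name__ == "__main__":
    print(delete_ade_rule(make_stub([]), 7))
```

Against a live deployment, use a non-zero poll interval and log the dependents list before a forced delete: a rule that feeds offenses, reports or a store-and-forward policy is part of the detection surface, and removing it unreviewed is the kind of change an attacker with a stolen authorized-service token would also make.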

GET /analytics/building_blocks DEPRECATED


Retrieves a list of building block rules.



Table 2611. GET /analytics/building_blocks resource details
MIME Type
application/json

Table 2612. GET /analytics/building_blocks request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter
to restrict the number of
elements that are returned in
the list to a specified range.
The list is indexed starting at
zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2613. GET /analytics/building_blocks response codes


HTTP Response Code Unique Code Description
200 The building block rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the building block
rules.

Response Description

An array of Building Block Rule objects. A Building Block Rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.



v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]

GET /analytics/building_blocks/building_block_delete_tasks/{task_id}
DEPRECATED
Retrieves the status of a building block rule delete task.


Table 2614. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2615. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain Required - The ID of the task.
fields query Optional String text/plain Optional - Use this parameter
to specify which fields you
would like to get back in the
response. Fields that are not
named are excluded. Specify
subfields in brackets and
multiple fields in the same
object are separated by
commas.

Table 2616. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Delete Task
Status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}
DEPRECATED
Retrieves the dependent building block rule task status.

Retrieves the dependent building block rule task status.


Table 2617. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2618. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2619. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
DEPRECATED
Cancels the dependent building block rule task.

Cancels the dependent building block rule task.

Table 2620. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2621. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2622. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2623. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The Delete Task Status has been retrieved.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
DEPRECATED
Retrieves the building block rule dependent task results.

Retrieves the building block rule dependent task results.


Table 2624. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2625. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2626. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The building block rule dependents were retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the building block rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks/{id}
DEPRECATED
Retrieves a building block rule.

Retrieves a building block rule.


Table 2627. GET /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 2628. GET /analytics/building_blocks/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2629. GET /analytics/building_blocks/{id} response codes


HTTP Response Code Unique Code Description
200 The building block rule was retrieved.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to retrieve the building block rule.

Response Description

The building block rule after it is retrieved. A Building Block Rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/building_blocks/{id}
DEPRECATED
Updates the building block rule owner or enabled/disabled only.

Updates the building block rule owner or enabled/disabled only.


Table 2630. POST /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 2631. POST /analytics/building_blocks/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2632. POST /analytics/building_blocks/{id} request body details


Parameter Data Type MIME Type Description Sample
building_block Object application/json null { "id": "1", "name": "String", "type": "String", "owner": "String" }

Table 2633. POST /analytics/building_blocks/{id} response codes


HTTP Response Code Unique Code Description
200 The building block rule was updated.
403 1009 You do not have the required capabilities to update the building block rule.
404 1002 The building block rule does not exist.
409 1004 The provided user does not have the required capabilities to own the building block rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the building block rule.

Response Description

The building block rule after it has been updated. A Building Block Rule object contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/building_blocks/{id}
DEPRECATED
Deletes the building block rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Deletes the building block rule. To ensure safe deletion, we check whether anything depends on it, which may take some time. Therefore we start an asynchronous task to do this.

Table 2634. DELETE /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 2635. DELETE /analytics/building_blocks/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2636. DELETE /analytics/building_blocks/{id} response codes
HTTP Response Code Unique Code Description
202 The building block rule delete command was accepted and is in progress.
403 1009 You do not have the required capabilities to delete the building block rule.
404 1002 The building block rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the building block rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/{id}/dependents
DEPRECATED
Retrieves the objects that depend on the building block rule.

Retrieves the objects that depend on the building block rule.

Table 2637. GET /analytics/building_blocks/{id}/dependents resource details
MIME Type
application/json

Table 2638. GET /analytics/building_blocks/{id}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2639. GET /analytics/building_blocks/{id}/dependents response codes


HTTP Response Code Unique Code Description
202 The building block rule dependents retrieval was accepted and is in progress.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to initiate the building block rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
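The delete, task status, cancel and dependents endpoints above all follow one pattern: the request is accepted with HTTP 202, the Location header names a task status URL, and the caller polls that URL until the task's status leaves the in-flight part of the enum. The client below is an added example, not code from this guide or from QRadar. It drives those endpoints through a pluggable `request` callable so that it runs offline against a constructed fake server (`make_fake_server`; building block id 42 and task id 7 are made-up values), bounds the number of polls so a PAUSED task cannot hang the caller, and treats any status outside the documented enum as an error rather than as success.

```python
"""Drive a QRadar building-block delete and poll its task to completion.

Added example, not code from the QRadar guide. It uses the endpoints documented
above (DELETE /analytics/building_blocks/{id}, the task status GET and the
cancel POST) through a pluggable `request` callable, so it runs offline against
the constructed fake server below.
"""
import time
from typing import Any, Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], Any]      # (HTTP code, headers, JSON body)
Request = Callable[[str, str, Any], Response]   # (method, path, body) -> Response

# The status enum from this page, split by what a caller should do next.
TERMINAL_OK = {"COMPLETED"}
TERMINAL_FAILED = {"CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
IN_FLIGHT = {"CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "PAUSED",
             "PROCESSING", "QUEUED", "RESUMING"}


class TaskError(Exception):
    """Raised when the task cannot be started, is lost, or ends unsuccessfully."""


def start_building_block_delete(request: Request, bb_id: int) -> str:
    """DELETE the rule; HTTP 202 means the dependency-check task was started and
    the Location header holds its status URL."""
    code, headers, body = request("DELETE", f"/api/analytics/building_blocks/{bb_id}", None)
    if code != 202:
        raise TaskError(f"delete not accepted: HTTP {code} {body}")
    return headers["Location"]


def wait_for_task(request: Request, status_url: str,
                  interval: float = 2.0, max_polls: int = 60) -> dict:
    """GET the task status until it is terminal. The poll count is bounded so a
    task stuck in PAUSED cannot hang the caller; unknown states are refused."""
    status = "not polled"
    for attempt in range(max_polls):
        code, _, task = request("GET", status_url, None)
        if code == 404:
            raise TaskError("task status does not exist (404, unique code 1002)")
        if code != 200:
            raise TaskError(f"unexpected HTTP {code} while polling {status_url}")
        status = task["status"]
        if status in TERMINAL_OK:
            return task
        if status in TERMINAL_FAILED:
            raise TaskError(f"task {task['id']} ended in {status}: {task.get('message')}")
        if status not in IN_FLIGHT:
            raise TaskError(f"unrecognised task status {status!r}")
        if attempt + 1 < max_polls and interval:
            time.sleep(interval)
    raise TaskError(f"task still {status} after {max_polls} polls")


def cancel_task(request: Request, status_url: str) -> dict:
    """POST the cancel body shown on this page. 409 (unique code 1004) means
    the task already finished, which is reported rather than hidden."""
    code, _, task = request("POST", status_url, {"status": "CANCEL_REQUESTED"})
    if code == 409:
        raise TaskError("task is already in a completed state (409, unique code 1004)")
    if code != 200:
        raise TaskError(f"cancel failed: HTTP {code}")
    return task


def make_fake_server(states: List[str]) -> Request:
    """Constructed stand-in for a deployment: building block 42 exists and its
    delete task reports `states` in order on successive polls (the last one
    repeats). Not a real QRadar response."""
    task_url = "/api/analytics/building_blocks/building_block_delete_tasks/7"
    polls = {"n": 0}

    def task_body(status: str) -> dict:
        return {"id": 7, "name": "Delete building block 42", "status": status,
                "message": f"task is {status}", "created_by": "admin"}

    def request(method: str, path: str, body: Any) -> Response:
        if method == "DELETE" and path == "/api/analytics/building_blocks/42":
            return 202, {"Location": task_url}, task_body(states[0])
        current = states[min(polls["n"], len(states) - 1)]
        if path == task_url and method == "GET":
            polls["n"] += 1
            return 200, {}, task_body(current)
        if path == task_url and method == "POST":
            if current in TERMINAL_OK | TERMINAL_FAILED:
                return 409, {}, {"code": 1004, "message": "task completed"}
            return 200, {}, task_body("CANCEL_REQUESTED")
        return 404, {}, {"code": 1002, "message": "does not exist"}

    return request


if __name__ == "__main__":
    server = make_fake_server(["QUEUED", "PROCESSING", "COMPLETED"])
    url = start_building_block_delete(server, 42)
    print(wait_for_task(server, url, interval=0)["status"])
```

Against a real deployment, replace the fake with a function that performs the HTTPS call (sending the SEC header the guide's authentication section describes) and returns the status code, the response headers and the parsed JSON body; nothing else in the client changes. The same poller serves the dependents task, since its status object uses the same enum.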

GET /analytics/custom_actions/actions
DEPRECATED
Retrieves a list of available custom actions.

Retrieves a list of available custom actions.


Table 2640. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2641. GET /analytics/custom_actions/actions request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2642. GET /analytics/custom_actions/actions response codes


HTTP Response Code Unique Code Description
200 The requested list of custom actions has been successfully retrieved.
500 1020 An internal server error occurred while retrieving custom actions.

Response Description

Array of available custom actions, each of which contains the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions
DEPRECATED
Creates a new custom action with the supplied fields.

Creates a new custom action with the supplied fields. The custom action must contain the following fields:
v name - Required - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action. Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - Required - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Required - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - Required - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

Table 2643. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2644. POST /analytics/custom_actions/actions request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2645. POST /analytics/custom_actions/actions request body details


Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON object containing the supplied fields (see above for more details). { "description": "String", "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 2646. POST /analytics/custom_actions/actions response codes


HTTP Response Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters in the request are invalid.
500 1020 An internal server error occurred while posting the custom action.

Response Description

The newly created custom action with the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
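A body that breaks the rules above is rejected with 422 (unique code 1005), but a client can apply the same rules before sending, and can also catch a secret that is about to be stored with `encrypted` set to false. The validator below is an added example, not code from this guide or from QRadar: `EVENT_COLUMNS` is a constructed stand-in for the column list that GET /api/ariel/databases/{database_name} returns, the sample bodies `GOOD_ACTION` and `BAD_ACTION` are made up, and the sensitive-name check is a local policy added here rather than a rule of the API.

```python
"""Validate a custom action body before POST /analytics/custom_actions/actions.

Added example, not code from the QRadar guide. It enforces the required fields
and the fixed/dynamic parameter rule described above. EVENT_COLUMNS is a
constructed subset of what GET /api/ariel/databases/{database_name} would
list; fetch the real list in practice. The rule that sensitive-looking
parameter names must be stored encrypted is a local policy added here.
"""
import re
from typing import Any, Dict, List, Set

REQUIRED_TOP = {"name": str, "interpreter": int, "script": int, "parameters": list}
REQUIRED_PARAM = {"name": str, "parameter_type": str, "encrypted": bool, "value": str}
PARAMETER_TYPES = {"fixed", "dynamic"}
SENSITIVE_NAME = re.compile(r"pass|secret|token|key", re.IGNORECASE)

# Constructed sample of Ariel event column names (not a full list).
EVENT_COLUMNS: Set[str] = {"sourceip", "destinationip", "username", "qid", "starttime"}


def _has_type(value: Any, typ: type) -> bool:
    # bool is a subclass of int in Python; an interpreter id of `true` is still wrong.
    if typ is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, typ)


def validate_custom_action(action: Dict[str, Any], ariel_columns: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the body is ready to POST."""
    errors: List[str] = []
    for field, typ in REQUIRED_TOP.items():
        if field not in action:
            errors.append(f"missing required field '{field}'")
        elif not _has_type(action[field], typ):
            errors.append(f"field '{field}' must be {typ.__name__}")
    if "description" in action and not isinstance(action["description"], str):
        errors.append("field 'description' must be str")

    params = action.get("parameters")
    if not isinstance(params, list):
        return errors
    seen: Set[str] = set()
    for idx, p in enumerate(params):
        where = f"parameters[{idx}]"
        if not isinstance(p, dict):
            errors.append(f"{where} must be an object")
            continue
        missing = [f for f in REQUIRED_PARAM if f not in p]
        if missing:
            errors.append(f"{where} missing {', '.join(missing)}")
            continue
        for f, typ in REQUIRED_PARAM.items():
            if not _has_type(p[f], typ):
                errors.append(f"{where}.{f} must be {typ.__name__}")
        name, ptype, value = str(p["name"]), p["parameter_type"], p["value"]
        if name in seen:   # names must be unique within the parent action
            errors.append(f"{where}: duplicate parameter name '{name}'")
        seen.add(name)
        if ptype not in PARAMETER_TYPES:
            errors.append(f"{where}: parameter_type must be fixed or dynamic, got {ptype!r}")
        elif ptype == "dynamic" and not (isinstance(value, str) and value in ariel_columns):
            errors.append(f"{where}: dynamic value {value!r} is not an Ariel column name")
        if p["encrypted"] is False and SENSITIVE_NAME.search(name):
            errors.append(f"{where}: '{name}' looks sensitive but encrypted is false")
    return errors


# Constructed sample bodies in the shape shown in the request body table above.
GOOD_ACTION = {
    "name": "Open ticket for source IP",
    "description": "Raise a ticket carrying the offending source address",
    "interpreter": 1, "script": 3,
    "parameters": [
        {"name": "offending_ip", "parameter_type": "dynamic", "encrypted": False,
         "value": "sourceip"},
        {"name": "ticket_api_token", "parameter_type": "fixed", "encrypted": True,
         "value": "<placeholder, supplied at deploy time>"},
    ],
}
BAD_ACTION = {
    "name": "Broken action", "interpreter": 1,          # script is missing
    "parameters": [
        {"name": "api_token", "parameter_type": "static", "encrypted": False,
         "value": "hunter2"},                           # bad type, plaintext secret
        {"name": "ip", "parameter_type": "dynamic", "encrypted": False,
         "value": "src_ip"},                            # not an Ariel column
    ],
}

if __name__ == "__main__":
    for label, body in (("good", GOOD_ACTION), ("bad", BAD_ACTION)):
        print(label, validate_custom_action(body, EVENT_COLUMNS))
```

Run the validator on the body before the POST and refuse to send when the list is non-empty; the messages name the offending field or parameter index so they can go straight into a deployment pipeline's log.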

GET /analytics/custom_actions/actions/{action_id}
DEPRECATED
Retrieves a custom action based on the supplied action_id.

Retrieves a custom action based on the supplied action_id.


Table 2647. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2648. GET /analytics/custom_actions/actions/{action_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
action_id path Required Number (Integer) text/plain Long id of the custom action to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2649. GET /analytics/custom_actions/actions/{action_id} response codes


HTTP Response Code Unique Code Description
200 The requested custom action has been successfully retrieved.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while retrieving custom action with supplied action_id.

7 Previous REST API versions 1187


Response Description

A custom action containing the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id} DEPRECATED


Updates an existing custom action.

Updates an existing custom action. The custom action should contain the following fields:
v id - Required - Number - Unique ID of the custom action within the QRadar deployment.
v name - Optional - String - Unique name of the custom action within the QRadar deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the custom action.
v parameters - Required - Array - Array of custom action parameters contained within the custom action. Each custom action parameter must have the following fields:
– name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - Optional - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Optional - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - Optional - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

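
As an added illustration (not code from the IBM guide), the following Python checks a custom action body against the field rules listed above before it is sent to POST /api/analytics/custom_actions/actions/{action_id}. The Ariel column set, the sample action and the credential-name check are constructed stand-ins and local policy respectively; the /api prefix follows the endpoint paths quoted in this section.

```python
"""Check a custom action body against the rules given for
POST /analytics/custom_actions/actions/{action_id} before sending it.

Added example, not code from the IBM guide. ARIEL_EVENT_COLUMNS and
SAMPLE_ACTION are constructed stand-ins; in a real deployment the column
names would come from GET /api/ariel/databases/{database_name}.
"""
import json

PARAMETER_TYPES = {"fixed", "dynamic"}
# Names that usually carry credentials; flagged when stored unencrypted
# (a local policy check, not a rule the endpoint enforces).
SECRET_HINTS = ("password", "secret", "token", "key")

# Constructed stand-in for the column list of the "events" Ariel database.
ARIEL_EVENT_COLUMNS = {"sourceip", "destinationip", "username", "qid", "magnitude"}

SAMPLE_ACTION = {  # constructed; the 42s mirror the guide's response sample
    "id": 42,
    "name": "Notify SOC about source IP",
    "description": "Constructed example action",
    "interpreter": 42,
    "script": 42,
    "parameters": [
        {"name": "src", "parameter_type": "dynamic", "encrypted": False, "value": "sourceip"},
        {"name": "api_key", "parameter_type": "fixed", "encrypted": True, "value": "<placeholder>"},
    ],
}


def validate_custom_action(action, ariel_columns):
    """Return a list of problems; empty means the body satisfies the documented rules:
    id/interpreter/script/parameters required, parameter names unique within the
    action, parameter_type fixed or dynamic, and dynamic values naming Ariel columns."""
    problems = []
    for field in ("id", "interpreter", "script"):
        value = action.get(field)
        if not isinstance(value, int) or isinstance(value, bool):
            problems.append(f"{field}: required and must be a Number")
    params = action.get("parameters")
    if not isinstance(params, list):
        return problems + ["parameters: required and must be an Array"]
    seen = set()
    for i, p in enumerate(params):
        name = p.get("name")
        if not isinstance(name, str) or not name:
            problems.append(f"parameters[{i}].name: required String")
            continue
        if name in seen:
            problems.append(f"parameters[{i}].name: '{name}' is not unique within the action")
        seen.add(name)
        ptype = p.get("parameter_type")  # optional in the update body
        if ptype is not None and ptype not in PARAMETER_TYPES:
            problems.append(f"parameters[{i}].parameter_type: '{ptype}' is not fixed or dynamic")
        elif ptype == "dynamic" and p.get("value") not in ariel_columns:
            problems.append(f"parameters[{i}].value: '{p.get('value')}' is not an Ariel column name")
        encrypted = p.get("encrypted", False)
        if not isinstance(encrypted, bool):
            problems.append(f"parameters[{i}].encrypted: must be Boolean")
        elif ptype == "fixed" and not encrypted and any(h in name.lower() for h in SECRET_HINTS):
            problems.append(f"parameters[{i}]: '{name}' looks like a credential but is not encrypted")
    return problems


def build_update_request(action_id, action, fields=None):
    """Return (path, headers, body) for the update call. The fields selector is a
    header on this endpoint, as its request parameter table documents."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if fields:
        headers["fields"] = fields
    return f"/api/analytics/custom_actions/actions/{action_id}", headers, json.dumps(action)


if __name__ == "__main__":
    problems = validate_custom_action(SAMPLE_ACTION, ARIEL_EVENT_COLUMNS)
    print("problems:", problems or "none")
    path, headers, body = build_update_request(SAMPLE_ACTION["id"], SAMPLE_ACTION, "id,name")
    print("POST", path, "fields:", headers["fields"], len(body), "bytes")
```
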
Table 2650. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2651. POST /analytics/custom_actions/actions/{action_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
action_id path Required Number (Integer) text/plain Number id of the custom action to be updated.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2652. POST /analytics/custom_actions/actions/{action_id} request body details


Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON object which can contain the supplied fields (see above for more details). { "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

Table 2653. POST /analytics/custom_actions/actions/{action_id} response codes


HTTP Response Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating custom action with supplied action_id.

Response Description

The updated custom action with the following fields:


v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the custom action.
v script - Number - Unique ID of the custom action script used by the custom action.
v parameters - Array - Array of custom action parameters contained within the custom action. Each custom action parameter has the following fields:
– name - String - Name of the custom action parameter. Unique in the context of the parent custom action.
– parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.
– encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state. True if encrypted, false otherwise.
– value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id} DEPRECATED


Deletes an existing custom action.

Table 2654. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 2655. DELETE /analytics/custom_actions/actions/{action_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
action_id path Required Number (Integer) text/plain Number id of the custom action you wish to delete.

Table 2656. DELETE /analytics/custom_actions/actions/{action_id} response codes


HTTP Response Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters DEPRECATED


Retrieves a list of available custom action interpreters.

Table 2657. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Table 2658. GET /analytics/custom_actions/interpreters request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2659. GET /analytics/custom_actions/interpreters response codes


HTTP Response Code Unique Code Description
200 The requested list of custom action interpreters has been retrieved.
500 1020 An internal server error occurred while retrieving available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id} DEPRECATED
Retrieves a custom action interpreter based on supplied interpreter_id.

Table 2660. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 2661. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
interpreter_id path Required Number (Integer) text/plain Number id of custom action interpreter to be retrieved.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2662. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes


HTTP Response Code Unique Code Description
200 The requested custom action interpreter has been retrieved.
404 1002 The requested custom action interpreter could not be found.
500 1020 An internal server error occurred while retrieving custom action interpreter with supplied interpreter_id.

Response Description

A custom action interpreter with the following fields:


v id - Number - Unique ID of the custom action interpreter within the QRadar deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts DEPRECATED


Retrieves a list of meta-data for available custom action script files.

Table 2663. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2664. GET /analytics/custom_actions/scripts request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2665. GET /analytics/custom_actions/scripts response codes


HTTP Response Code Unique Code Description
200 The requested custom action script file has been retrieved.
500 1020 An internal server error occurred while retrieving available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following fields:
v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts DEPRECATED


Creates a new custom action script file. Newly created custom action script files require a deployment
before using.

Creates a new custom action script file. Newly created custom action script files require a deployment before using. Users can include an optional HTTP header file_name containing the custom action script file name. If not specified, this defaults to the script id of the uploaded file.

Table 2666. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2667. POST /analytics/custom_actions/scripts request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2668. POST /analytics/custom_actions/scripts request body details


Parameter Data Type MIME Type Description Sample
file File application/octet-stream Required. The custom action script file. Must be supplied with MIME type application/octet-stream. File

Table 2669. POST /analytics/custom_actions/scripts response codes


HTTP Response Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting custom action script file.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script within the QRadar deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id} DEPRECATED


Retrieves meta-data of a custom action script file based on supplied script_id.

Table 2670. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2671. GET /analytics/custom_actions/scripts/{script_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
script_id path Required Number (Integer) text/plain Number id of the custom action script file.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2672. GET /analytics/custom_actions/scripts/{script_id} response codes


HTTP Response Code Unique Code Description
200 The requested custom action script file has been retrieved.
404 1002 The requested custom action script file could not be found.
500 1020 An internal server error occurred while retrieving custom action script file meta-data with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id} DEPRECATED


Updates an existing custom action script file. Updated custom action script files require a deployment
before using.

Updates an existing custom action script file. Updated custom action script files require a deployment before using. Users can include an optional HTTP header file_name containing the custom action script file name. If not specified, this defaults to the script id of the uploaded file.

Table 2673. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2674. POST /analytics/custom_actions/scripts/{script_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
script_id path Required Number (Integer) text/plain Number id of the custom action script file to be updated.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2675. POST /analytics/custom_actions/scripts/{script_id} request body details


Parameter Data Type MIME Type Description Sample
file File application/octet-stream Required. The custom action script file. Must be supplied with MIME type application/octet-stream. File

Table 2676. POST /analytics/custom_actions/scripts/{script_id} response codes


HTTP Response Code Unique Code Description
200 The custom action script file has been updated.
404 1002 The requested custom action script file could not be found.
500 1020 An internal server error occurred while updating custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:


v id - Number - Unique ID of the custom action script file within the QRadar deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id} DEPRECATED


Deletes an existing custom action script file.

Table 2677. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 2678. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
script_id path Required Number (Integer) text/plain Number id of the custom action script file to be deleted.

Table 2679. DELETE /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be found.
422 1005 The requested custom action script file is tied to an existing custom action.
500 1020 An internal server error occurred while deleting custom action script file with supplied script_id.

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/rule_groups DEPRECATED


Retrieves a list of the rule groups.

Table 2680. GET /analytics/rule_groups resource details
MIME Type
application/json

Table 2681. GET /analytics/rule_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2682. GET /analytics/rule_groups response codes


HTTP Response Code Unique Code Description
200 The rule groups were returned.
500 1020 An error occurred during the attempt to retrieve the rule groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /analytics/rule_groups/{group_id} DEPRECATED


Retrieves a rule group.

Table 2683. GET /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 2684. GET /analytics/rule_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2685. GET /analytics/rule_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The rule group was retrieved.
404 1002 The rule group does not exist.
500 1020 An error occurred during the attempt to retrieve the rule group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /analytics/rule_groups/{group_id} DEPRECATED


Updates the owner of a rule group.

Table 2686. POST /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 2687. POST /analytics/rule_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2688. POST /analytics/rule_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2689. POST /analytics/rule_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The rule group was updated.
404 1002 The rule group does not exist.
409 1004 The provided user does not have the required capabilities to own the rule group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the rule group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /analytics/rule_groups/{group_id} DEPRECATED


Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some
time. An asynchronous task is started for this check.

Table 2690. DELETE /analytics/rule_groups/{group_id} resource details
MIME Type
text/plain

Table 2691. DELETE /analytics/rule_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 2692. DELETE /analytics/rule_groups/{group_id} response codes


HTTP Response Code Unique Code Description
202 The rule delete command was accepted and is in progress.
404 1002 The rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

GET /analytics/rules DEPRECATED


Retrieves a list of rules.

Table 2693. GET /analytics/rules resource details
MIME Type
application/json

Table 2694. GET /analytics/rules request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2695. GET /analytics/rules response codes


HTTP Response Code Unique Code Description
200 The rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the rules.

Response Description

An array of Rule objects. A Rule object contains the following fields:


v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]

GET /analytics/rules/rule_delete_tasks/{task_id} DEPRECATED


Retrieves the delete rule task status.


Table 2696. GET /analytics/rules/rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2697. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2698. GET /analytics/rules/rule_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/rules/rule_dependent_tasks/{task_id} DEPRECATED


Retrieves the dependent rule task status.


Table 2699. GET /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2700. GET /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2701. GET /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 |  | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
        FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES,
        FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS,
        FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS,
        FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES,
        FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS,
        FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

POST /analytics/rules/rule_dependent_tasks/{task_id} DEPRECATED


Cancels the dependent rule task.


Table 2702. POST /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2703. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2704. POST /analytics/rules/rule_dependent_tasks/{task_id} request body details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2705. POST /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 |  | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task
completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
        FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES,
        FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS,
        FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS,
        FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES,
        FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS,
        FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}

GET /analytics/rules/rule_dependent_tasks/{task_id}/results DEPRECATED


Retrieves the rule dependent task results.


Table 2706. GET /analytics/rules/rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2707. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2708. GET /analytics/rules/rule_dependent_tasks/{task_id}/results response codes

HTTP Response Code | Unique Code | Description
200 |  | The rule dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rules.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
  {
    "blocking": true,
    "dependent_database": "String <one of: EVENTS, FLOWS>",
    "dependent_group_ids": [
      42
    ],
    "dependent_id": "String",
    "dependent_name": "String",
    "dependent_owner": "String",
    "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH,
      VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP,
      EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP,
      OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP,
      VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE,
      BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY,
      FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA,
      REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES,
      REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET,
      ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>",
    "user_has_edit_permissions": true
  }
]

GET /analytics/rules/{id} DEPRECATED


Retrieves a rule.

Table 2709. GET /analytics/rules/{id} resource details
MIME Type
application/json

Table 2710. GET /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2711. GET /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 |  | The rule was retrieved.
404 | 1002 | The rule does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the rule.

Response Description

The rule after it has been retrieved. A Rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/rules/{id} DEPRECATED


Updates the rule owner or enabled/disabled only.


Table 2712. POST /analytics/rules/{id} resource details
MIME Type
application/json

Table 2713. POST /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2714. POST /analytics/rules/{id} request body details

Parameter | Data Type | MIME Type | Description | Sample
rule | Object | application/json | Required - Rule object. | { "enabled": true, "id": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

Table 2715. POST /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
200 |  | The rule was updated.
403 | 1009 | You do not have the required capabilities to update the rule.
404 | 1002 | The rule does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the rule.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the rule.

Response Description

The rule after it is updated. A Rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
  "enabled": true,
  "id": 42,
  "name": "String",
  "origin": "String <one of: SYSTEM, OVERRIDE, USER>",
  "owner": "String",
  "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/rules/{id} DEPRECATED


Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Table 2716. DELETE /analytics/rules/{id} resource details
MIME Type
application/json

Table 2717. DELETE /analytics/rules/{id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2718. DELETE /analytics/rules/{id} response codes

HTTP Response Code | Unique Code | Description
202 |  | The rule delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the rule.
404 | 1002 | The rule does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the rule.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /analytics/rules/{id}/dependents DEPRECATED


Retrieves the objects that depend on the rule.


Table 2719. GET /analytics/rules/{id}/dependents resource details
MIME Type
application/json

Table 2720. GET /analytics/rules/{id}/dependents request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2721. GET /analytics/rules/{id}/dependents response codes

HTTP Response Code | Unique Code | Description
202 |  | The rule dependents retrieval was accepted and is in progress.
403 | 1009 | null
404 | 1002 | The rule does not exist.
500 | 1020 | An error occurred during the attempt to initiate the rule dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of Task Component objects. A Task Component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
        FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES,
        FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS,
        FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS,
        FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES,
        FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS,
        FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}
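The DELETE /analytics/rules/{id} and GET /analytics/rules/{id}/dependents endpoints above both answer 202 with a Location header and leave the real work to an asynchronous task, so a client has to poll the task status URL until the status is terminal, and a careful operator reads the dependents results before deleting. The following is an added example, not IBM's code: it injects a transport callable so the flow runs offline against a constructed fake console; the SEC and Version request headers, the placeholder token and the rule IDs 42 and 7 are assumptions, as is the Location header being the rule_dependent_tasks/{task_id} URL that /results is appended to.

```python
import json
import time

# Terminal values of the task "status" enum listed in the response samples above.
TERMINAL_STATES = {"COMPLETED", "CONFLICT", "EXCEPTION", "CANCELLED", "INTERRUPTED"}


class TaskError(Exception):
    """A task could not be started, was not found, or ended in a non-COMPLETED state."""


class RuleClient:
    """Dependents-then-delete flow for the deprecated /analytics/rules endpoints.

    transport(method, path, headers) -> (http_status, response_headers, body_text) is injected
    (assumption), so the same code runs against the constructed fake below or a real HTTPS call.
    """

    def __init__(self, transport, sec_token, api_version="7.0"):
        self.transport = transport
        # SEC (authorized-service token) and Version are assumed QRadar request headers;
        # this section of the guide does not describe them.
        self.headers = {"SEC": sec_token, "Version": api_version, "Accept": "application/json"}

    def _call(self, method, path, fields=None):
        if fields:  # the 'fields' query parameter limits the keys in the response
            path = f"{path}?fields={fields}"
        status, resp_headers, body = self.transport(method, path, dict(self.headers))
        return status, resp_headers, (json.loads(body) if body else None)

    def wait_for_task(self, task_url, poll_interval=0.0, max_polls=60):
        """Poll the task status URL from a Location header until the status is terminal."""
        for _ in range(max_polls):
            status, _, task = self._call("GET", task_url, fields="id,status,message")
            if status != 200:  # e.g. 404 / unique code 1002: the task status does not exist
                raise TaskError(f"GET {task_url} returned HTTP {status}")
            if task["status"] in TERMINAL_STATES:
                return task
            time.sleep(poll_interval)
        raise TaskError(f"task {task_url} still running after {max_polls} polls")

    def rule_dependents(self, rule_id):
        """GET /analytics/rules/{id}/dependents: 202 + Location; wait, then read {task_url}/results."""
        status, headers, _ = self._call("GET", f"/api/analytics/rules/{rule_id}/dependents")
        if status != 202:
            raise TaskError(f"dependency check for rule {rule_id} not accepted: HTTP {status}")
        task_url = headers["Location"]
        task = self.wait_for_task(task_url)
        if task["status"] != "COMPLETED":
            raise TaskError(f"dependency check ended {task['status']}: {task['message']}")
        _, _, dependents = self._call("GET", f"{task_url}/results")
        return dependents

    def delete_rule(self, rule_id):
        """Delete a rule only if no dependent is flagged blocking; returns a summary dict."""
        dependents = self.rule_dependents(rule_id)
        blocking = [d for d in dependents if d.get("blocking")]
        if blocking:
            return {"deleted": False, "rule_id": rule_id, "blocking": blocking}
        status, headers, _ = self._call("DELETE", f"/api/analytics/rules/{rule_id}")
        if status != 202:  # 403 (1009): missing capability; 404 (1002): no such rule
            raise TaskError(f"delete of rule {rule_id} not accepted: HTTP {status}")
        task = self.wait_for_task(headers["Location"])
        return {"deleted": task["status"] == "COMPLETED", "rule_id": rule_id,
                "task_status": task["status"], "dependents_checked": len(dependents)}


def make_fake_qradar():
    """Constructed stand-in for a console (sample data, not real output): rule 42 has one
    non-blocking dependent, rule 7 a blocking one; each task reports PROCESSING once, then COMPLETED."""
    polls = {}
    task_for = {"42": "501", "7": "502"}
    results = {
        "501": [{"dependent_id": "9001", "dependent_name": "Weekly auth report",
                 "dependent_type": "REPORT", "blocking": False, "user_has_edit_permissions": True}],
        "502": [{"dependent_id": "9002", "dependent_name": "Brute force follow-up",
                 "dependent_type": "CRE_RULE", "blocking": True, "user_has_edit_permissions": False}],
    }

    def transport(method, path, headers):
        assert headers.get("SEC"), "SEC header missing"
        parts = path.split("?", 1)[0].strip("/").split("/")
        queued = json.dumps({"id": 0, "status": "QUEUED", "message": ""})
        if method == "GET" and parts[-1] == "dependents":
            url = f"/api/analytics/rules/rule_dependent_tasks/{task_for[parts[-2]]}"
            return 202, {"Location": url}, queued
        if method == "GET" and parts[-1] == "results":
            return 200, {}, json.dumps(results[parts[-2]])
        if method == "GET" and parts[-2] in ("rule_dependent_tasks", "rule_delete_tasks"):
            polls[path] = polls.get(path, 0) + 1
            state = "PROCESSING" if polls[path] == 1 else "COMPLETED"
            return 200, {}, json.dumps({"id": int(parts[-1]), "status": state, "message": state})
        if method == "DELETE" and parts[-2] == "rules":
            url = f"/api/analytics/rules/rule_delete_tasks/6{parts[-1]}"
            return 202, {"Location": url}, queued
        return 404, {}, json.dumps({"code": 1002, "message": "does not exist"})

    return transport


if __name__ == "__main__":
    client = RuleClient(make_fake_qradar(), "constructed-token")
    print(client.delete_rule(42))  # deleted after its one non-blocking dependent is listed
    print(client.delete_rule(7))   # refused: a CRE_RULE dependent is flagged blocking
```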

Ariel endpoints
Use the references for REST API V7.0 Ariel endpoints.

GET /ariel/databases DEPRECATED


Retrieves a list of the available Ariel database names.


Table 2722. GET /ariel/databases resource details
MIME Type
application/json

Table 2723. GET /ariel/databases request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2724. GET /ariel/databases response codes

HTTP Response Code | Unique Code | Description
200 |  | The database list was retrieved.

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name} DEPRECATED


Retrieves the columns that are defined for the specified Ariel database. This is the set of columns that can be explicitly named in the column list of a SELECT query.

Table 2725. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 2726. GET /ariel/databases/{database_name} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
database_name | path | Required | String | text/plain | Required. The name of the Ariel database that contains the columns that you want to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2727. GET /ariel/databases/{database_name} response codes

HTTP Response Code | Unique Code | Description
200 |  | The database columns were retrieved.
404 | 1002 | The database does not exist.

Response Description

A list of columns that are defined for the specified database. Multiple properties of each column are
returned. For example, the column name or an indication that the column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/event_saved_search_groups DEPRECATED


Retrieves a list of the event Ariel saved search groups.


Table 2728. GET /ariel/event_saved_search_groups resource details
MIME Type
application/json

Table 2729. GET /ariel/event_saved_search_groups request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2730. GET /ariel/event_saved_search_groups response codes

HTTP Response Code | Unique Code | Description
200 |  | The event Ariel saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the event Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
[
  {
    "child_groups": [
      42
    ],
    "child_items": [
      "String"
    ],
    "description": "String",
    "id": 42,
    "level": 42,
    "modified_time": 42,
    "name": "String",
    "owner": "String",
    "parent_id": 42,
    "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP,
      FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP,
      QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP,
      ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
  }
]

GET /ariel/event_saved_search_groups/{group_id} DEPRECATED


Retrieves an event Ariel saved search group.


Table 2731. GET /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2732. GET /ariel/event_saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2733. GET /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response Code | Unique Code | Description
200 |  | The event Ariel saved search group was retrieved.
404 | 1002 | The event Ariel saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the event Ariel saved search groups.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [
    42
  ],
  "child_items": [
    "String"
  ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP,
    FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP,
    QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP,
    ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/event_saved_search_groups/{group_id} DEPRECATED


Updates the owner of an event Ariel saved search group.


Table 2734. POST /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2735. POST /ariel/event_saved_search_groups/{group_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

1222 QRadar API Reference Guide


Table 2736. POST /ariel/event_saved_search_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user.
{
"child_groups": [ 42 ],
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 2737. POST /ariel/event_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The event Ariel saved search group was updated.
404 1002 The event Ariel saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the event Ariel saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the event Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/event_saved_search_groups/{group_id} DEPRECATED


Deletes an event Ariel saved search group.


Table 2738. DELETE /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2739. DELETE /ariel/event_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 2740. DELETE /ariel/event_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The event Ariel saved search group was deleted.
404 1002 The event Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the event Ariel saved search group.

Response Description

Response Sample

GET /ariel/flow_saved_search_groups DEPRECATED


Retrieves a list of flow Ariel saved search groups.


Table 2741. GET /ariel/flow_saved_search_groups resource details
MIME Type
application/json

Table 2742. GET /ariel/flow_saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2743. GET /ariel/flow_saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The flow Ariel saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the flow Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /ariel/flow_saved_search_groups/{group_id} DEPRECATED


Retrieves a flow Ariel saved search group.


Table 2744. GET /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2745. GET /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2746. GET /ariel/flow_saved_search_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The flow Ariel saved search group was retrieved.
404 1002 The flow Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the flow Ariel saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/flow_saved_search_groups/{group_id} DEPRECATED


Updates the owner of a flow Ariel saved search group.

Table 2747. POST /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2748. POST /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2749. POST /ariel/flow_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user.
{
"child_groups": [ 42 ],
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 2750. POST /ariel/flow_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The flow Ariel saved search group was updated.
404 1002 The flow Ariel saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the flow Ariel saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the flow Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/flow_saved_search_groups/{group_id} DEPRECATED


Deletes a flow Ariel saved search group.

Table 2751. DELETE /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2752. DELETE /ariel/flow_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 2753. DELETE /ariel/flow_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The flow Ariel saved search group was deleted.
404 1002 The flow Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the flow Ariel saved search group.

Response Description

Response Sample

GET /ariel/saved_search_delete_tasks/{task_id} DEPRECATED


Retrieves the delete Ariel saved search task status.


Table 2754. GET /ariel/saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2755. GET /ariel/saved_search_delete_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2756. GET /ariel/saved_search_delete_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_search_dependent_tasks/{task_id} DEPRECATED


Retrieves the dependent Ariel saved search task status.


Table 2757. GET /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2758. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2759. GET /ariel/saved_search_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /ariel/saved_search_dependent_tasks/{task_id} DEPRECATED


Cancels the dependent Ariel saved search task.


Table 2760. POST /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2761. POST /ariel/saved_search_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2762. POST /ariel/saved_search_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json null
{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2763. POST /ariel/saved_search_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
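The delete task and dependent task endpoints above share one status enum, and a client has to decide which of those values mean "still running" before it can wait on GET /ariel/saved_search_delete_tasks/{task_id} or know whether a POST to /ariel/saved_search_dependent_tasks/{task_id} with status CANCEL_REQUESTED can still succeed. The following is an added example and not code from the IBM QRadar API Guide: it polls either task endpoint until the status is terminal, requests cancellation of a dependent task, and maps the documented 404 and 409 responses to distinct errors. The transport signature, the ScriptedTransport stub and its canned bodies are assumptions made for this example; a deployment would wrap an HTTP library carrying the console's credentials.

```python
"""Poll an Ariel saved-search task to a terminal state; cancel a dependent task.

Added example, not code from the IBM QRadar API Guide. It assumes a transport
callable transport(method, path, params, body) -> (http_status, json_body);
ScriptedTransport is a constructed stand-in that replays canned responses.
"""
import time

# Status values from the enum on this page. Only IN_PROGRESS keeps the poller
# waiting; TERMINAL ends it; anything else is reported instead of spun on.
IN_PROGRESS = {"QUEUED", "INITIALIZING", "PROCESSING", "RESUMING", "PAUSED",
               "CANCEL_REQUESTED", "CANCELING"}
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
DELETE_TASKS = "saved_search_delete_tasks"
DEPENDENT_TASKS = "saved_search_dependent_tasks"


class TaskError(Exception):
    """A documented error response (404, 409, 500) or an unrecognised state."""


def poll_task(transport, task_kind, task_id, timeout_s=30.0, interval_s=1.0,
              clock=time.monotonic, sleep=time.sleep):
    """Return the task object once its status is terminal.

    task_kind is DELETE_TASKS or DEPENDENT_TASKS; both GET endpoints return the
    same status enum. 'fields' trims each poll to what the loop needs.
    """
    path = f"/api/ariel/{task_kind}/{task_id}"
    deadline = clock() + timeout_s
    while True:
        code, body = transport("GET", path, {"fields": "id,status,message"}, None)
        if code == 404:
            raise TaskError(f"task {task_id} does not exist (unique code 1002)")
        if code != 200:
            raise TaskError(f"unexpected HTTP {code} polling {path}: {body}")
        status = body.get("status")
        if status in TERMINAL:
            return body
        if status not in IN_PROGRESS:
            raise TaskError(f"unrecognised task status {status!r}")
        if clock() >= deadline:
            raise TaskError(f"task {task_id} still {status} after {timeout_s}s")
        sleep(interval_s)


def cancel_dependent_task(transport, task_id):
    """POST {"status": "CANCEL_REQUESTED"}; 409 means the task already finished."""
    path = f"/api/ariel/{DEPENDENT_TASKS}/{task_id}"
    code, body = transport("POST", path, None, {"status": "CANCEL_REQUESTED"})
    if code == 200:
        return body
    if code == 404:
        raise TaskError(f"task {task_id} does not exist (unique code 1002)")
    if code == 409:
        raise TaskError(f"task {task_id} already completed, cannot cancel (unique code 1004)")
    raise TaskError(f"unexpected HTTP {code} cancelling {path}: {body}")


class ScriptedTransport:
    """Constructed stand-in for an HTTP client: replays responses in order."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = []

    def __call__(self, method, path, params, body):
        self.calls.append((method, path, params, body))
        if not self._responses:
            raise AssertionError("scripted transport ran out of responses")
        return self._responses.pop(0)


def demo():
    """Walk a dependent task from QUEUED to COMPLETED, then hit the 409 path."""
    transport = ScriptedTransport([  # constructed bodies, trimmed by 'fields'
        (200, {"id": 7, "status": "QUEUED", "message": "Queued"}),
        (200, {"id": 7, "status": "PROCESSING", "message": "Checking dependents"}),
        (200, {"id": 7, "status": "COMPLETED", "message": "Done"}),
        (409, {"message": "The task is in a completed state."}),
    ])
    final = poll_task(transport, DEPENDENT_TASKS, 7, sleep=lambda _s: None)
    try:
        cancel_dependent_task(transport, 7)
        outcome = "cancelled"
    except TaskError as exc:
        outcome = str(exc)
    return final["status"], len(transport.calls), outcome


if __name__ == "__main__":
    print(demo())
```

PAUSED and CANCEL_REQUESTED are deliberately kept in the in-progress set: a paused task can still resume, and a cancellation is only final once the status reads CANCELLED. An unknown status raises rather than looping, so a new enum value in a later release surfaces as an error instead of a hung client.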

GET /ariel/saved_search_dependent_tasks/{task_id}/results DEPRECATED


Retrieves the Ariel saved search dependent task results.


Table 2764. GET /ariel/saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2765. GET /ariel/saved_search_dependent_tasks/{task_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2766. GET /ariel/saved_search_dependent_tasks/{task_id}/results response codes


HTTP Response Code Unique Code Description
200 The Ariel saved search dependents were retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the Ariel saved searches.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
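Once a dependent task completes, the results endpoint above returns one Dependent object per resource that references the saved search. What an operator needs from that list is a quick answer to "can this search be deleted, and who has to act first?". The following is an added example, not code from the IBM QRadar API Guide. The sample Dependent objects are constructed from the field list above; the page shows the blocking field only in the response sample, so reading it as "this dependent prevents deletion" is an assumption of the example.

```python
"""Triage the Dependent objects returned by
GET /api/ariel/saved_search_dependent_tasks/{task_id}/results before deleting
a saved search.

Added example, not code from the IBM QRadar API Guide. SAMPLE_DEPENDENTS is
constructed; treating "blocking" as "prevents deletion" is an assumption.
"""
from collections import defaultdict

# Constructed sample: a completed dependency check for a saved search that a
# rule, a report and a dashboard all reference.
SAMPLE_DEPENDENTS = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [4],
     "dependent_id": "rule-12", "dependent_name": "Failed logins followed by success",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE",
     "user_has_edit_permissions": True},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [9],
     "dependent_id": "report-3", "dependent_name": "Weekly auth summary",
     "dependent_owner": "bob", "dependent_type": "REPORT",
     "user_has_edit_permissions": False},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "dash-5", "dependent_name": "SOC overview",
     "dependent_owner": "alice", "dependent_type": "DASHBOARD",
     "user_has_edit_permissions": True},
]


def triage_dependents(dependents):
    """Summarise a dependency-check result set.

    Returns a dict with:
      by_type          dependent_type -> list of dependent_id
      blocking         ids that must be re-pointed or removed before deletion
      needs_other_user (id, owner) pairs the task creator cannot edit, so the
                       listed owner or an administrator has to act on them
      safe_to_delete   True only when nothing is blocking (assumption above)
    Missing booleans are read as False so a trimmed 'fields' response still
    errs on the side of reporting a dependent as needing attention.
    """
    by_type = defaultdict(list)
    blocking, needs_other_user = [], []
    for dep in dependents:
        dep_id = dep["dependent_id"]
        by_type[dep["dependent_type"]].append(dep_id)
        if dep.get("blocking", False):
            blocking.append(dep_id)
        if not dep.get("user_has_edit_permissions", False):
            needs_other_user.append((dep_id, dep.get("dependent_owner")))
    return {
        "by_type": dict(by_type),
        "blocking": blocking,
        "needs_other_user": needs_other_user,
        "safe_to_delete": not blocking,
    }


def format_report(summary):
    """Render the summary as lines an operator can paste into a change ticket."""
    lines = [f"{t}: {', '.join(ids)}" for t, ids in sorted(summary["by_type"].items())]
    lines.append("blocking: " + (", ".join(summary["blocking"]) or "none"))
    for dep_id, owner in summary["needs_other_user"]:
        lines.append(f"{dep_id}: no edit permission; contact owner {owner}")
    lines.append("safe to delete: " + ("yes" if summary["safe_to_delete"] else "no"))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(triage_dependents(SAMPLE_DEPENDENTS))))
```

The user_has_edit_permissions flag is the part worth acting on: a dependent the task creator cannot edit will not be fixed by that user's clean-up, so the report names the owner who has to re-point or remove it before DELETE /ariel/saved_searches/{id} is attempted.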

GET /ariel/saved_searches DEPRECATED


Retrieves a list of Ariel saved searches.


Table 2767. GET /ariel/saved_searches resource details
MIME Type
application/json

Table 2768. GET /ariel/saved_searches request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2769. GET /ariel/saved_searches response codes


HTTP Response Code Unique Code Description
200 The Ariel saved searches were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the Ariel Saved Searches.

Response Description

An array of Ariel Saved Search objects. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
[
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}
]

GET /ariel/saved_searches/{id} DEPRECATED


Retrieves an Ariel saved search.


Table 2770. GET /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 2771. GET /ariel/saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2772. GET /ariel/saved_searches/{id} response codes


HTTP Response Code Unique Code Description
200 The Ariel saved search was retrieved.
404 1002 The Ariel saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the Ariel Saved Search.

Response Description

The Ariel saved search after it is retrieved. An Ariel Saved Search object contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

POST /ariel/saved_searches/{id} DEPRECATED


Updates the Ariel saved search owner only.


Table 2773. POST /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 2774. POST /ariel/saved_searches/{id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2775. POST /ariel/saved_searches/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "id": "1", "name": "String", "database": "String", "is_shared": true, "owner": "String" }

Table 2776. POST /ariel/saved_searches/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Ariel saved search was updated.
403 | 1009 | You do not have the required capabilities to update the Ariel saved search.
404 | 1002 | The Ariel saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the Ariel saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the Ariel saved search.

Response Description

The Ariel saved search after it has been updated. An Ariel Saved Search object contains the following fields (names as they appear in the JSON sample below):
v id - Long - The ID of the Ariel saved search.
v uid - String - The UUID of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search: EVENTS or FLOWS.
v is_shared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
  "database": "String <one of: EVENTS, FLOWS>",
  "id": 42,
  "is_shared": true,
  "name": "String",
  "owner": "String",
  "uid": "String"
}

DELETE /ariel/saved_searches/{id} DEPRECATED


Deletes an Ariel saved search. To ensure safe deletion, a dependency check is carried out. The check
might take some time. An asynchronous task is started to do this check.

Table 2777. DELETE /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 2778. DELETE /ariel/saved_searches/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2779. DELETE /ariel/saved_searches/{id} response codes
HTTP Response Code | Unique Code | Description
202 | | The Ariel saved search delete command was accepted and is in progress.
403 | 1009 | You do not have the required capabilities to delete the Ariel saved search.
404 | 1002 | The Ariel saved search does not exist.
500 | 1020 | An error occurred during the attempt to delete the Ariel saved search.

Response Description

A Delete Task Status object and the Location header set to the task status URL "/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was last modified.
v completed - Long - The time in milliseconds since epoch at which the task completed.

Response Sample
{
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}

GET /ariel/saved_searches/{id}/dependents DEPRECATED


Retrieves the objects that depend on the Ariel saved search.

Table 2780. GET /ariel/saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 2781. GET /ariel/saved_searches/{id}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2782. GET /ariel/saved_searches/{id}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The Ariel saved search dependents retrieval was accepted and is in progress.
404 | 1002 | The Ariel saved search does not exist.
500 | 1020 | An error occurred during the attempt to initiate the Ariel saved search dependents retrieval task.

Response Description

A Dependents Task Status object and the Location header set to the task status URL "/api/ariel/saved_search_dependents_tasks/{task_id}". A Dependents Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was last modified.
v completed - Long - The time in milliseconds since epoch at which the task completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– task_sub_type - String - The type of the sub-task (named task_sub_type in the response sample below).
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was last modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task completed.

Response Sample
{
  "cancelled_by": "String",
  "completed": 42,
  "created": 42,
  "created_by": "String",
  "id": 42,
  "maximum": 42,
  "message": "String",
  "modified": 42,
  "name": "String",
  "number_of_dependents": 42,
  "progress": 42,
  "started": 42,
  "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
  "task_components": [
    {
      "completed": 42,
      "created": 42,
      "maximum": 42,
      "message": "String",
      "modified": 42,
      "number_of_dependents": 42,
      "progress": 42,
      "started": 42,
      "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>",
      "task_sub_type": "String <one of:
        FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
        FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
        FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
        FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
        FIND_DEPENDENT_ADE_RULES,
        FIND_DEPENDENT_RULES,
        FIND_DEPENDENT_CALCULATED_PROPERTIES,
        FIND_DEPENDENT_LOG_SOURCE_GROUPS,
        FIND_DEPENDENT_CUSTOM_PROPERTIES,
        FIND_DEPENDENT_REPORTS,
        FIND_DEPENDENT_DASHBOARDS,
        FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
        FIND_DEPENDENT_AUTHORIZED_SERVICES,
        FIND_DEPENDENT_OFFENSE_TYPES,
        FIND_DEPENDENT_ASSIGNED_OFFENSES,
        FIND_DEPENDENT_VULNERABILITIES,
        FIND_DEPENDENT_GROUPS,
        FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
    }
  ]
}
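The two-step pattern that DELETE /ariel/saved_searches/{id} and GET /ariel/saved_searches/{id}/dependents share (a 202 whose Location header names a task, then polling that task until it reaches a terminal status) is easy to get wrong: a client that reads number_of_dependents before the task is COMPLETED sees null, and one that never checks dependents at all removes a search that rules, reports or dashboards still reference. The Python below is an added example written for this page, not IBM's own client code. It assumes a transport function send(method, path) that returns (status, headers, body); the FakeConsole class, its saved search IDs and dependent counts are constructed so the example runs offline, and the set of terminal task states is taken from the status enumeration documented above.

```python
"""Added example (not IBM's code): delete an Ariel saved search only after the
dependency-check task reports zero dependents, following 202 + Location tasks.

Assumed transport: send(method, path) -> (status, headers, body). A real
transport would wrap requests.Session with the SEC token header and TLS
verification; FakeConsole is a constructed stand-in so this runs offline.
"""
import time

# Documented task states after which polling is pointless.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def follow_task(send, location, timeout_s=30.0, poll_s=0.0):
    """Poll the task status URL taken from a 202 Location header until it settles."""
    deadline = time.monotonic() + timeout_s
    while True:
        status, _, task = send("GET", location)
        if status != 200:
            raise RuntimeError(f"task poll {location} failed: HTTP {status} {task}")
        if task["status"] in TERMINAL_STATES:
            return task
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {location} still {task['status']}")
        time.sleep(poll_s)


def count_dependents(send, search_id):
    """Start the dependency check and return number_of_dependents once COMPLETED."""
    status, headers, body = send("GET", f"/api/ariel/saved_searches/{search_id}/dependents")
    if status == 404:
        raise KeyError(f"saved search {search_id}: {body.get('message')}")
    if status != 202:
        raise RuntimeError(f"dependents check failed: HTTP {status} {body}")
    task = follow_task(send, headers["Location"])
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependency check ended in {task['status']}: {task['message']}")
    return task["number_of_dependents"]  # null (None) until the task completes


def safe_delete(send, search_id):
    """Delete only when nothing depends on the search; report what happened."""
    dependents = count_dependents(send, search_id)
    if dependents:
        return {"deleted": False, "dependents": dependents, "task_status": None}
    status, headers, body = send("DELETE", f"/api/ariel/saved_searches/{search_id}")
    if status == 403:
        raise PermissionError(body.get("message"))
    if status != 202:
        raise RuntimeError(f"delete not accepted: HTTP {status} {body}")
    task = follow_task(send, headers["Location"])
    return {"deleted": task["status"] == "COMPLETED", "dependents": 0, "task_status": task["status"]}


class FakeConsole:
    """Constructed console: `deps` maps saved search id -> dependent count.
    Every task answers PROCESSING on its first poll and COMPLETED on the next."""

    def __init__(self, deps):
        self.deps, self.deleted, self.tasks = dict(deps), set(), {}

    def _start_task(self, kind, final_fields):
        task_id = len(self.tasks) + 1
        location = f"/api/ariel/saved_search_{kind}_tasks/{task_id}"
        final = {"id": task_id, "status": "COMPLETED", "message": "done", **final_fields}
        self.tasks[location] = [0, final]  # [poll count, final task object]
        return 202, {"Location": location}, {"id": task_id, "status": "QUEUED", "message": "queued"}

    def send(self, method, path):
        if path in self.tasks:
            state = self.tasks[path]
            state[0] += 1
            if state[0] == 1:
                return 200, {}, {"id": state[1]["id"], "status": "PROCESSING",
                                 "message": "checking", "number_of_dependents": None}
            return 200, {}, state[1]
        parts = path.split("/")  # ['', 'api', 'ariel', 'saved_searches', '<id>', ...]
        search_id = int(parts[4])
        if search_id not in self.deps or search_id in self.deleted:
            return 404, {}, {"code": 1002, "message": "The Ariel saved search does not exist."}
        if method == "GET" and parts[-1] == "dependents":
            return self._start_task("dependents", {"number_of_dependents": self.deps[search_id]})
        if method == "DELETE":
            self.deleted.add(search_id)
            return self._start_task("delete", {})
        return 500, {}, {"code": 1020, "message": "unexpected request"}


if __name__ == "__main__":
    console = FakeConsole({7: 2, 8: 0})
    print(safe_delete(console.send, 8))  # no dependents: deleted
    print(safe_delete(console.send, 7))  # two dependents: left in place
```

The dependents task only tells you how many objects reference the search, so a production script would usually stop and print the count rather than proceed; the point of the example is that the DELETE is never issued until the check has actually finished.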

GET /ariel/searches DEPRECATED


Retrieves the list of Ariel searches. Search IDs for completed and active searches are returned.

Table 2783. GET /ariel/searches resource details
MIME Type
application/json

Table 2784. GET /ariel/searches request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
db_name | query | Optional | String | text/plain | Optional - The name of the Ariel database from which to retrieve the list of Ariel searches.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2785. GET /ariel/searches response codes
HTTP Response Code | Unique Code | Description
200 | | The search list was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of searches.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches DEPRECATED


Creates a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches
are executed asynchronously. A reference to the search ID is returned and should be used in subsequent
API calls to determine the status of the search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this time interval is the last 60 seconds. An alternative time interval can be specified as part of the query expression (for example with a LAST or START/STOP clause). For further information, see the AQL reference guide.
Table 2786. POST /ariel/searches resource details
MIME Type
application/json

Table 2787. POST /ariel/searches request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
query_expression | query | Required | String | text/plain | Required - The AQL query to execute.

Table 2788. POST /ariel/searches response codes
HTTP Response Code | Unique Code | Description
201 | | A new Ariel search was successfully created.
409 | 1004 | The search cannot be created. The requested search ID that was provided in the query expression is already in use. Please use a unique search ID (or allow one to be generated).
422 | 2000 | The query_expression contains invalid AQL syntax.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to create a new search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID to access or manipulate
the search with the other API endpoints. If the exact search being created was already recently created,
the response message will return a reference to the original search ID rather than creating a new search.

Response Sample
{
  "cursor_id": "s16",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 5470,
  "data_total_size": 67183115,
  "index_file_count": 0,
  "index_total_size": 0,
  "processed_record_count": 1256462,
  "error_messages": [
    {
      "code": "String",
      "contexts": [
        "String"
      ],
      "message": "String",
      "severity": "String <one of: INFO, WARN, ERROR>"
    }
  ],
  "desired_retention_time_msec": 86400000,
  "progress": 46,
  "progress_details": [0, 0, 0, 0, 66957, 652657, 76594, 89809, 86032, 107729],
  "query_execution_time": 1480,
  "query_string": "SELECT sourceip, starttime from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
  "record_count": 1240923,
  "save_results": false,
  "status": "EXECUTE",
  "snapshot": {
    "events": [
      {
        "sourceip": "10.100.65.20",
        "starttime": "1467049610018"
      },
      {
        "sourceip": "10.100.100.121",
        "starttime": "1467049610019"
      }
    ]
  },
  "subsearch_ids": [
    "sub_id_1"
  ],
  "search_id": "s16"
}

GET /ariel/searches/{search_id} DEPRECATED


Retrieves information about an Ariel search.

Retrieve status information for a search, based on the search ID parameter. The same informational fields
are returned regardless of whether the search is in progress or is complete.
Table 2789. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2790. GET /ariel/searches/{search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required. The identifier for an Ariel search.

Table 2791. GET /ariel/searches/{search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The search information was retrieved.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the search information.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search, including the search status.

Response Sample
The same search object as the POST /ariel/searches response sample above.

POST /ariel/searches/{search_id} DEPRECATED


Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops the search and keeps any search results that were collected before the search was canceled.
v The results for a completed search can be saved by setting the save_results parameter to true. This ensures that the search is not automatically removed when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space. Searches might be deleted automatically, according to the settings of the retention policy. Searches with saved results are not automatically reclaimed by the server and are therefore retained. A search can be explicitly deleted by using the DELETE /ariel/searches/{search_id} endpoint, which removes it regardless of whether its results were saved.

Note: Saving too many search results might result in insufficient disk space to process new searches.
Table 2792. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2793. POST /ariel/searches/{search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required. The ID of the search to update.
status | query | Optional | String | text/plain | Optional. The only accepted value is CANCELED. If this value is provided, the search is canceled.
save_results | query | Optional | String | text/plain | Optional. The only accepted value is true. If this value is provided, the search results are not deleted by the search expiration removal process. If the status parameter was provided, this parameter is not checked and is silently ignored.

Table 2794. POST /ariel/searches/{search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The search was updated.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the specified search that was updated.

Response Sample
The same search object as the POST /ariel/searches response sample above.

DELETE /ariel/searches/{search_id} DEPRECATED


Deletes an Ariel search.

Deletes an Ariel search. This discards any results that were collected and stops the search if it is in
progress. This search is deleted regardless of whether the results were saved.
Table 2795. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2796. DELETE /ariel/searches/{search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | Required - The search ID of the search to delete.

Table 2797. DELETE /ariel/searches/{search_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The delete request has been accepted.
404 | 1002 | The search does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to delete the search.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

Information about the deleted search.

Response Sample
The same search object as the POST /ariel/searches response sample above.

GET /ariel/searches/{search_id}/results DEPRECATED


Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search ID. The Accept request header indicates the format of the result. The formats are RFC compliant and can be JSON, CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a contiguous subset of the
records, you can supply a Range header to specify the inclusive range of records to be returned.

This end-point works with query results that are generated by AQL query expressions. This endpoint
might not work as expected for results that are generated by other means. Search results might not be
retrievable for searches that are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP from events.
Table 2798. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 2799. GET /ariel/searches/{search_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
search_id | path | Required | String | text/plain | The ID of the search criteria for the returned results.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 2800. GET /ariel/searches/{search_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The search results were retrieved.
404 | 1002 | The search does not exist.
404 | 1003 | Search results not found. The search is still in progress.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the search results.
503 | 1010 | The Ariel server might be temporarily unavailable or offline. Please try again later.

Response Description

The search results for the specified search ID. The format that is used to encapsulate the data depends on
the format specified in the Accept header for this request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}
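The /ariel/searches endpoints above form one asynchronous workflow: POST the AQL, poll GET /ariel/searches/{search_id} until the status is terminal, optionally pin the results with save_results=true so the retention policy does not reclaim them, and then read /results in slices with the inclusive, zero-indexed Range header. Two of the documented error paths deserve explicit handling: a 503 with unique code 1010 is transient and should be retried, while a 404 with unique code 1003 on /results means the client asked too early. The Python below is an added example written for this page, not IBM's own client code. It assumes a transport function send(method, path, params, headers) that returns (status, body); FakeAriel and its sample rows are constructed so the example runs offline, and the set of terminal search statuses is an assumption (the page itself shows only EXECUTE and CANCELED).

```python
"""Added example (not IBM's code): run an AQL search end to end through the
deprecated /ariel/searches endpoints and page its results.

Assumed transport: send(method, path, params, headers) -> (status, body).
FakeAriel is a constructed stand-in that replays the documented status codes.
"""
import time

# Assumed terminal statuses; the page documents only EXECUTE and CANCELED.
TERMINAL_STATES = {"COMPLETED", "CANCELED", "ERROR"}


class ArielError(Exception):
    pass


def create_search(send, aql):
    """POST /ariel/searches; a 422 with unique code 2000 means the AQL did not parse."""
    status, body = send("POST", "/api/ariel/searches", {"query_expression": aql}, {})
    if status == 422:
        raise ArielError(f"rejected ({body.get('code')}): {body.get('message')}")
    if status != 201:
        raise ArielError(f"create failed: HTTP {status} {body}")
    return body["search_id"]


def wait_for_search(send, search_id, timeout_s=120.0, poll_s=0.0):
    """Poll the status; a 503 (unique code 1010) is transient and is retried."""
    deadline = time.monotonic() + timeout_s
    while True:
        status, body = send("GET", f"/api/ariel/searches/{search_id}", {}, {})
        if status == 200 and body["status"] in TERMINAL_STATES:
            return body
        if status not in (200, 503):
            raise ArielError(f"status poll failed: HTTP {status} {body}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"search {search_id} not finished")
        time.sleep(poll_s)


def save_results(send, search_id):
    """POST save_results=true so the retention policy keeps the results."""
    status, body = send("POST", f"/api/ariel/searches/{search_id}", {"save_results": "true"}, {})
    if status != 200:
        raise ArielError(f"save_results failed: HTTP {status} {body}")
    return body


def fetch_results(send, search_id, page_size=2):
    """Page /results with Range: items=start-end (inclusive, zero-indexed)."""
    rows, start = [], 0
    while True:
        headers = {"Accept": "application/json", "Range": f"items={start}-{start + page_size - 1}"}
        status, body = send("GET", f"/api/ariel/searches/{search_id}/results", {}, headers)
        if status == 404 and body.get("code") == 1003:
            raise ArielError("results requested before the search completed")
        if status != 200:
            raise ArielError(f"results failed: HTTP {status} {body}")
        page = next(iter(body.values()))  # keyed "events" or "flows" by database
        rows.extend(page)
        if len(page) < page_size:  # short page: no more records
            return rows
        start += page_size


def run_search(send, aql, keep=False, page_size=2):
    """Create, wait, optionally pin, then collect all rows of one AQL search."""
    search_id = create_search(send, aql)
    info = wait_for_search(send, search_id)
    if info["status"] != "COMPLETED":
        raise ArielError(f"search {search_id} ended {info['status']}: {info.get('error_messages')}")
    if keep:
        save_results(send, search_id)
    return info, fetch_results(send, search_id, page_size)


class FakeAriel:
    """Constructed Ariel server: the first status poll answers 503, the search
    completes on the third poll, and /results honours the Range header."""

    def __init__(self, events):
        self.events, self.polls, self.saved = list(events), 0, False

    def send(self, method, path, params, headers):
        if (method, path) == ("POST", "/api/ariel/searches"):
            if not params["query_expression"].lstrip().upper().startswith("SELECT"):
                return 422, {"code": 2000, "message": "The query_expression contains invalid AQL syntax."}
            return 201, {"search_id": "s16", "status": "WAIT", "progress": 0}
        if path == "/api/ariel/searches/s16" and method == "GET":
            self.polls += 1
            if self.polls == 1:
                return 503, {"code": 1010, "message": "The Ariel server might be temporarily unavailable."}
            state = "EXECUTE" if self.polls < 3 else "COMPLETED"
            return 200, {"search_id": "s16", "status": state, "record_count": len(self.events)}
        if path == "/api/ariel/searches/s16" and method == "POST":
            self.saved = params.get("save_results") == "true"
            return 200, {"search_id": "s16", "save_results": self.saved}
        if path == "/api/ariel/searches/s16/results":
            if self.polls < 3:
                return 404, {"code": 1003, "message": "Search results not found. The search is still in progress."}
            first, last = (int(x) for x in headers["Range"][len("items="):].split("-"))
            return 200, {"events": self.events[first:last + 1]}
        return 404, {"code": 1002, "message": "The search does not exist."}


# Constructed rows for "SELECT sourceip, destinationip FROM events".
SAMPLE_EVENTS = [{"sourceip": f"10.0.0.{i}", "destinationip": "10.0.1.1"} for i in range(5)]

if __name__ == "__main__":
    ariel = FakeAriel(SAMPLE_EVENTS)
    info, rows = run_search(ariel.send, "SELECT sourceip, destinationip FROM events LAST 5 MINUTES", keep=True)
    print(info["status"], len(rows), "rows; saved =", ariel.saved)
```

Against a real console, replace FakeAriel.send with a thin wrapper around requests that adds the SEC and Version headers and verifies the console certificate, and give poll_s a sensible value; the control flow stays the same.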

Asset model endpoints


Use the references for REST API V7.0 Asset Model endpoints.

GET /asset_model/assets DEPRECATED


List all assets found in the model.
Table 2801. GET /asset_model/assets resource details
MIME Type
application/json

Table 2802. GET /asset_model/assets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2803. GET /asset_model/assets response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve assets completed successfully.
500 | 1020 | The server encountered an error while trying to retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
  {
    "id": 42,
    "domain_id": 42,
    "interfaces": [
      {
        "first_seen_scanner": 42,
        "id": 42,
        "first_seen_profiler": 42,
        "created": 42,
        "last_seen_profiler": 42,
        "last_seen_scanner": 42,
        "mac_address": "String",
        "ip_addresses": [
          {
            "first_seen_scanner": 42,
            "id": 42,
            "first_seen_profiler": 42,
            "created": 42,
            "network_id": 42,
            "value": "String",
            "last_seen_profiler": 42,
            "last_seen_scanner": 42,
            "type": "String"
          }
        ]
      }
    ],
    "properties": [
      {
        "id": 42,
        "name": "String",
        "value": "String",
        "last_reported": 42,
        "type_id": 42,
        "last_reported_by": "String"
      }
    ]
  }
]

POST /asset_model/assets/{asset_id} DEPRECATED


Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field is available through the
/asset_model/assets or /asset_model/saved_searches/{saved_search_id}/results query. To update
properties, the property type ID which is available through the /asset_model/properties query must be
provided along with the new value. See the sample provided demonstrating an example asset update.
Table 2804. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

Table 2805. POST /asset_model/assets/{asset_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
asset_id | path | Required | String | text/plain | Unique identifier of the asset to update.

Table 2806. POST /asset_model/assets/{asset_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
asset | JSON | application/json | JSON representation of an asset. | { "properties": [ { "type_id": 1001, "value": "given name value" }, { "type_id": 1002, "value": "unified name value" } ] }

Table 2807. POST /asset_model/assets/{asset_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The request to update the asset was successful. The update will take place when the asset profile application receives the request.
422 | 1005 | One or more of the requested property updates were invalid.
500 | 1020 | The server encountered an error registering the update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties DEPRECATED


Get a list of the available asset property types that can be applied through the /asset_model/assets endpoint.
Table 2808. GET /asset_model/properties resource details
MIME Type
application/json

Table 2809. GET /asset_model/properties request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2810. GET /asset_model/properties response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of asset property types completed successfully.
500 | 1020 | An error occurred while trying to retrieve the list of asset property types.

Response Description

List of asset property types. Each entry carries the id and name that identify the property type, together with the custom, data_type, display, and state attributes shown in the sample.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]
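Putting POST /asset_model/assets/{asset_id} and GET /asset_model/properties together: the update body carries property type IDs, not names, so a client first resolves the names it cares about through the properties listing (trimmed with fields=id,name), validates them locally, and only then sends the {"properties": [{"type_id", "value"}]} body, treating the 202 as an acknowledgement that the asset profiler will apply the change later rather than as confirmation that it has. The Python below is an added example written for this page, not IBM's own client code. It assumes a transport function send(method, path, params, json_body) that returns (status, body); FakeAssetModel, its three property types and their IDs (1001, 1002, 1003 borrowed from the request body sample above) are constructed so the example runs offline.

```python
"""Added example (not IBM's code): update asset properties by name by resolving
property type IDs through GET /asset_model/properties, then POSTing the
documented {"properties": [{"type_id", "value"}]} body to
/asset_model/assets/{asset_id}.

Assumed transport: send(method, path, params, json_body) -> (status, body).
FakeAssetModel and its property names/IDs are constructed for offline use.
"""


class AssetModelError(Exception):
    pass


def property_type_ids(send):
    """Return {property name: type_id} from GET /asset_model/properties."""
    status, body = send("GET", "/api/asset_model/properties", {"fields": "id,name"}, None)
    if status != 200:
        raise AssetModelError(f"property listing failed: HTTP {status} {body}")
    return {p["name"]: p["id"] for p in body}


def build_update(type_ids, values):
    """Translate {name: value} into the request body. Unknown names fail here,
    before anything is sent, instead of coming back as a 422 from the console."""
    unknown = sorted(set(values) - set(type_ids))
    if unknown:
        raise KeyError(f"unknown asset property type(s): {unknown}")
    return {"properties": [{"type_id": type_ids[name], "value": str(value)}
                           for name, value in values.items()]}


def update_asset(send, asset_id, values, type_ids=None):
    """Resolve names, POST the update, and return the console's acknowledgement."""
    type_ids = type_ids if type_ids is not None else property_type_ids(send)
    payload = build_update(type_ids, values)
    status, body = send("POST", f"/api/asset_model/assets/{asset_id}", {}, payload)
    if status == 422:
        raise AssetModelError(f"update rejected ({body.get('code')}): {body.get('message')}")
    if status != 202:
        raise AssetModelError(f"update failed: HTTP {status} {body}")
    return body  # 202: queued for the asset profiler, not yet applied


class FakeAssetModel:
    """Constructed console with three property types; records accepted updates
    per asset id so the caller can see what the profiler would apply."""

    PROPERTIES = [
        {"id": 1001, "name": "Given Name", "custom": False, "data_type": "String", "display": True, "state": 0},
        {"id": 1002, "name": "Unified Name", "custom": False, "data_type": "String", "display": True, "state": 0},
        {"id": 1003, "name": "Description", "custom": False, "data_type": "String", "display": True, "state": 0},
    ]

    def __init__(self):
        self.updates, self.calls = {}, 0

    def send(self, method, path, params, json_body):
        self.calls += 1
        if (method, path) == ("GET", "/api/asset_model/properties"):
            wanted = params.get("fields", "").split(",") if params.get("fields") else None
            return 200, [{k: v for k, v in p.items() if not wanted or k in wanted}
                         for p in self.PROPERTIES]
        if method == "POST" and path.startswith("/api/asset_model/assets/"):
            known = {p["id"] for p in self.PROPERTIES}
            bad = [p for p in json_body["properties"] if p["type_id"] not in known]
            if bad:
                return 422, {"code": 1005, "message": f"One or more of the requested property updates were invalid: {bad}"}
            asset_id = path.rsplit("/", 1)[1]
            self.updates.setdefault(asset_id, []).extend(json_body["properties"])
            return 202, "The request to update the asset was successful."
        return 404, {"code": 1002, "message": "unexpected request"}


if __name__ == "__main__":
    console = FakeAssetModel()
    ack = update_asset(console.send, "1001", {"Given Name": "web01", "Unified Name": "web01.example.com"})
    print(ack, console.updates)
```

Because the console answers 202 before the profiler has applied anything, a script that needs to confirm the change re-reads the asset (GET /asset_model/assets with a filter on the id) after a delay rather than trusting the acknowledgement.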

GET /asset_model/saved_search_groups DEPRECATED


Retrieves a list of the asset saved search groups.

Table 2811. GET /asset_model/saved_search_groups resource details
MIME Type
application/json

Table 2812. GET /asset_model/saved_search_groups request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2813. GET /asset_model/saved_search_groups response codes
HTTP Response Code | Unique Code | Description
200 | | The asset saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields (names as they appear in the JSON sample below):
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group.
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch at which the group was last modified.
v child_groups - Array of Longs - List of the child group IDs.
v child_items - Array of Strings - List of the child items of the group.

Response Sample
[
  {
    "child_groups": [
      42
    ],
    "child_items": [
      "String"
    ],
    "description": "String",
    "id": 42,
    "level": 42,
    "modified_time": 42,
    "name": "String",
    "owner": "String",
    "parent_id": 42,
    "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
  }
]

GET /asset_model/saved_search_groups/{group_id} DEPRECATED


Retrieves an asset saved search group.

Table 2814. GET /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2815. GET /asset_model/saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2816. GET /asset_model/saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The asset saved search group was retrieved.
404 | 1002 | The asset saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.

7 Previous REST API versions 1259


v parent_id - Long - The id of the parent group. ( Default resources can have localized names )
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group. ( Default groups can have localized names )
v description - String - The description of the group. ( Default groups can have localized names )
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /asset_model/saved_search_groups/{group_id} DEPRECATED

Updates the owner of an asset saved search group.

Table 2817. POST /asset_model/saved_search_groups/{group_id} resource details
MIME Type: application/json

Table 2818. POST /asset_model/saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2819. POST /asset_model/saved_search_groups/{group_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 2820. POST /asset_model/saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The asset saved search group has been updated.
404 | 1002 | The asset saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the asset saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the asset saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time, in milliseconds since epoch, at which the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
  "child_groups": [ 42 ],
  "child_items": [ "String" ],
  "description": "String",
  "id": 42,
  "level": 42,
  "modified_time": 42,
  "name": "String",
  "owner": "String",
  "parent_id": 42,
  "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /asset_model/saved_search_groups/{group_id} DEPRECATED

Deletes an asset saved search group.

Table 2821. DELETE /asset_model/saved_search_groups/{group_id} resource details
MIME Type: text/plain

Table 2822. DELETE /asset_model/saved_search_groups/{group_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | null

Table 2823. DELETE /asset_model/saved_search_groups/{group_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The asset saved search group was deleted.
404 | 1002 | The asset saved search group does not exist.
409 | 1004 | null
500 | 1020 | An error occurred during the attempt to delete the asset saved search group.

Response Description

Response Sample

GET /asset_model/saved_searches DEPRECATED

Get a list of saved searches that can be used.

Get a list of saved searches that can be used or applied against the /asset_model/saved_searches/{saved_search_id}/results query.

Table 2824. GET /asset_model/saved_searches resource details
MIME Type: application/json

Table 2825. GET /asset_model/saved_searches request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2826. GET /asset_model/saved_searches response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of saved searches completed successfully.
500 | 1020 | The server encountered an error while trying to retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name, and the list of filters that make up the saved search.

Response Sample
[
  {
    "columns": [
      {
        "name": "String",
        "type": "String"
      }
    ],
    "description": "String",
    "filters": [
      {
        "operator": "String",
        "parameter": "String",
        "value": "String"
      }
    ],
    "id": 42,
    "name": "String"
  }
]

GET /asset_model/saved_searches/{saved_search_id} DEPRECATED

Retrieves an asset saved search.

Table 2827. GET /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: application/json

Table 2828. GET /asset_model/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2829. GET /asset_model/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The asset saved search was retrieved.
404 | 1002 | The asset saved search does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the asset saved search.

Response Description

The asset saved search after it is retrieved. An Asset Saved Search object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
  "columns": [
    {
      "name": "String",
      "type": "String"
    }
  ],
  "description": "String",
  "filters": [
    {
      "operator": "String",
      "parameter": "String",
      "value": "String"
    }
  ],
  "id": 42,
  "is_shared": true,
  "name": "String",
  "owner": "String"
}

POST /asset_model/saved_searches/{saved_search_id} DEPRECATED

Updates the asset saved search owner only.

Table 2830. POST /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: application/json

Table 2831. POST /asset_model/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2832. POST /asset_model/saved_searches/{saved_search_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "columns": [ { "name": "String", "type": "String" } ], "description": "String", "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "is_shared": true, "name": "String", "owner": "String" }

Table 2833. POST /asset_model/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The asset saved search was updated.
403 | 1009 | You do not have the required capabilities to update the asset saved search.
404 | 1002 | The asset saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the asset saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the asset saved search.

Response Description

The asset saved search after it is updated. An Asset Saved Search object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
  "columns": [
    {
      "name": "String",
      "type": "String"
    }
  ],
  "description": "String",
  "filters": [
    {
      "operator": "String",
      "parameter": "String",
      "value": "String"
    }
  ],
  "id": 42,
  "is_shared": true,
  "name": "String",
  "owner": "String"
}

DELETE /asset_model/saved_searches/{saved_search_id} DEPRECATED

Deletes an asset saved search.

Table 2834. DELETE /asset_model/saved_searches/{saved_search_id} resource details
MIME Type: text/plain

Table 2835. DELETE /asset_model/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null

Table 2836. DELETE /asset_model/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The asset saved search was deleted.
403 | 1009 | You do not have the required capabilities to delete the asset saved search.
404 | 1002 | The asset saved search does not exist.
500 | 1020 | An error occurred during the attempt to delete the asset saved search.

Response Description

Response Sample

GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED

Retrieves a list of assets based on the results of an asset saved search.

Table 2837. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type: application/json

Table 2838. GET /asset_model/saved_searches/{saved_search_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | String | text/plain | Unique identifier of the saved search used to retrieve assets.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2839. GET /asset_model/saved_searches/{saved_search_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve assets completed successfully.
422 | 1005 | The unique identifier of the saved search provided was invalid.
500 | 1003 | The server encountered an error executing the saved search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
  {
    "domain_id": 42,
    "id": 42,
    "interfaces": [
      {
        "created": 42,
        "first_seen_profiler": 42,
        "first_seen_scanner": 42,
        "id": 42,
        "ip_addresses": [
          {
            "created": 42,
            "first_seen_profiler": 42,
            "first_seen_scanner": 42,
            "id": 42,
            "last_seen_profiler": 42,
            "last_seen_scanner": 42,
            "network_id": 42,
            "type": "String",
            "value": "String"
          }
        ],
        "last_seen_profiler": 42,
        "last_seen_scanner": 42,
        "mac_address": "String"
      }
    ],
    "properties": [
      {
        "id": 42,
        "last_reported": 42,
        "last_reported_by": "String",
        "name": "String",
        "type_id": 42,
        "value": "String"
      }
    ]
  }
]

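How a client pages through this endpoint and consumes the nested asset records above, as an added Python example (not code from the QRadar guide or from IBM). It assumes the QRadar conventions of an API token in the SEC header, the API version in the Version header, the endpoint path under /api, and a Range header of the form items=start-end; the base URL, token and sample records are constructed placeholders, and build_results_request, flatten_assets and asset_property are this example's own names.

```python
"""Added example (not from the QRadar guide): request one page of
GET /asset_model/saved_searches/{saved_search_id}/results and flatten the
nested asset -> interfaces -> ip_addresses records into inventory rows."""
from urllib.parse import quote


def build_results_request(base_url, saved_search_id, token, start, end,
                          fields=None, version="7.0"):
    """Return (url, headers, params) for one page of results.

    Assumptions (QRadar conventions, not stated on this page): the API token
    travels in the SEC header, the API version in the Version header, the
    endpoint lives under /api, and the Range header is "items=<start>-<end>"
    with zero-based inclusive bounds, as the guide's Range description says."""
    if start < 0 or end < start:
        raise ValueError("Range must be zero-based with end >= start")
    path = f"/api/asset_model/saved_searches/{quote(str(saved_search_id), safe='')}/results"
    headers = {
        "SEC": token,
        "Version": version,
        "Accept": "application/json",
        "Range": f"items={start}-{end}",
    }
    params = {"fields": fields} if fields else {}
    return base_url.rstrip("/") + path, headers, params


def flatten_assets(assets):
    """One row per IP address. Assets without interfaces, and interfaces
    without addresses, still yield a row so they are not silently dropped
    from an inventory review."""
    rows = []
    for asset in assets:
        for iface in asset.get("interfaces") or [{}]:
            for addr in iface.get("ip_addresses") or [{}]:
                # last_seen_* fields are milliseconds since epoch; 0/None means never seen
                last_seen = max(addr.get("last_seen_profiler") or 0,
                                addr.get("last_seen_scanner") or 0)
                rows.append({
                    "asset_id": asset.get("id"),
                    "domain_id": asset.get("domain_id"),
                    "mac_address": iface.get("mac_address"),
                    "ip_type": addr.get("type"),
                    "ip_value": addr.get("value"),
                    "last_seen": last_seen or None,
                })
    return rows


def asset_property(asset, name):
    """Value of the named entry in the asset's properties list, or None."""
    for prop in asset.get("properties") or []:
        if prop.get("name") == name:
            return prop.get("value")
    return None


# Constructed sample shaped like the guide's response sample (not real data).
SAMPLE_RESULTS = [
    {"domain_id": 0, "id": 1001,
     "interfaces": [
         {"id": 1, "mac_address": "00:11:22:33:44:55",
          "ip_addresses": [
              {"id": 10, "type": "IPV4", "value": "10.0.0.5", "network_id": 3,
               "last_seen_profiler": 1500000000000, "last_seen_scanner": 1500000500000},
              {"id": 11, "type": "IPV4", "value": "10.0.0.6", "network_id": 3,
               "last_seen_profiler": 1500000100000, "last_seen_scanner": 0},
          ]},
     ],
     "properties": [{"id": 5, "name": "Operating System", "type_id": 1, "value": "Linux",
                     "last_reported": 1500000000000, "last_reported_by": "scanner"}]},
    {"domain_id": 0, "id": 1002, "interfaces": [], "properties": []},
]
```

Sending the request with any HTTP client then just means passing url, headers and params through; the next page is start=50, end=99 with the same fields selection, and a 422 with unique code 1005 means the saved search identifier was rejected, not that the page was empty.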
Authentication endpoints
Use the references for REST API V7.0 authentication endpoints.

POST /auth/logout DEPRECATED

Invoke this method as an authorized user and your session will be invalidated.

Table 2840. POST /auth/logout resource details
MIME Type: text/plain

There are no parameters for this endpoint.

Table 2841. POST /auth/logout response codes
HTTP Response Code | Unique Code | Description
200 | | The session was invalidated.

Response Description

Returns true. Throws an exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V7.0 configuration endpoints.

GET /config/access/tenant_management/tenants DEPRECATED

Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.

Table 2842. GET /config/access/tenant_management/tenants resource details
MIME Type: application/json

Table 2843. GET /config/access/tenant_management/tenants request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2844. GET /config/access/tenant_management/tenants response codes
HTTP Response Code | Unique Code | Description
200 | | The tenant list was successfully retrieved.
500 | 1020 | An error occurred while the tenant list was being retrieved.

Response Description

A list of all the tenants.

Response Sample
[
  {
    "deleted": true,
    "description": "String",
    "event_rate_limit": 42,
    "flow_rate_limit": 42,
    "id": 42,
    "name": "String"
  }
]

POST /config/access/tenant_management/tenants DEPRECATED

Create a new tenant.

Table 2845. POST /config/access/tenant_management/tenants resource details
MIME Type: application/json

Table 2846. POST /config/access/tenant_management/tenants request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2847. POST /config/access/tenant_management/tenants request body details
Parameter | Data Type | MIME Type | Description | Sample
tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 2848. POST /config/access/tenant_management/tenants response codes
HTTP Response Code | Unique Code | Description
201 | | A new tenant was created successfully and the new tenant object was returned.
409 | 1004 | A tenant with the given name already exists.
422 | 1005 | A request parameter is invalid.
500 | 1020 | Failed to create the tenant.

Response Description

The created tenant object.

Response Sample
{
  "deleted": true,
  "description": "String",
  "event_rate_limit": 42,
  "flow_rate_limit": 42,
  "id": 42,
  "name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id} DEPRECATED

Retrieve a tenant by tenant ID.

Table 2849. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type: application/json

Table 2850. GET /config/access/tenant_management/tenants/{tenant_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
tenant_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2851. GET /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The tenant was successfully retrieved.
404 | 1002 | No tenant was found for the provided tenant ID.
500 | 1020 | An error occurred while the tenant was being retrieved.

Response Description

The associated tenant object.

Response Sample
{
  "deleted": true,
  "description": "String",
  "event_rate_limit": 42,
  "flow_rate_limit": 42,
  "id": 42,
  "name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id} DEPRECATED

Update a tenant.

Table 2852. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type: application/json

Table 2853. POST /config/access/tenant_management/tenants/{tenant_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
tenant_id | path | Required | Number (Integer) | text/plain | Required - Integer - the ID of the tenant to modify
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2854. POST /config/access/tenant_management/tenants/{tenant_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" }

Table 2855. POST /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The tenant profile was updated successfully and the updated tenant object was returned.
404 | 1002 | The tenant profile does not exist.
409 | 1004 | A tenant with the given name already exists.
422 | 1005 | A request parameter is invalid.
500 | 1020 | Failed to retrieve/update the given tenant profile.

Response Description

The updated tenant object.

Response Sample
{
  "deleted": true,
  "description": "String",
  "event_rate_limit": 42,
  "flow_rate_limit": 42,
  "id": 42,
  "name": "String"
}

DELETE /config/access/tenant_management/tenants/{tenant_id} DEPRECATED

Delete a tenant.

Deletes a tenant by tenant ID.

Table 2856. DELETE /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type: application/json

Table 2857. DELETE /config/access/tenant_management/tenants/{tenant_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
tenant_id | path | Required | Number (Integer) | text/plain | Required - String - the ID associated with a tenant

Table 2858. DELETE /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The tenant was deleted successfully (soft delete).
404 | 1002 | The tenant does not exist.
500 | 1020 | An error occurred while deleting the tenant.

Response Description

The deleted tenant object with its deleted parameter set to true.

Response Sample
{
  "deleted": true,
  "description": "String",
  "event_rate_limit": 42,
  "flow_rate_limit": 42,
  "id": 42,
  "name": "String"
}

GET /config/domain_management/domains DEPRECATED

Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the default domain is returned.

Table 2859. GET /config/domain_management/domains resource details
MIME Type: application/json

Table 2860. GET /config/domain_management/domains request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2861. GET /config/domain_management/domains response codes
HTTP Response Code | Unique Code | Description
200 | | The domain list has been successfully retrieved.
500 | 1020 | An error occurred while the domain list was being retrieved.

Response Description

The list of domain objects.

Response Sample
[
  {
    "asset_scanner_ids": [ 42 ],
    "custom_properties": [
      {
        "capture_result": "String",
        "id": 42
      }
    ],
    "deleted": true,
    "description": "String",
    "event_collector_ids": [ 42 ],
    "flow_collector_ids": [ 42 ],
    "flow_source_ids": [ 42 ],
    "id": 42,
    "log_source_group_ids": [ 42 ],
    "log_source_ids": [ 42 ],
    "name": "String",
    "qvm_scanner_ids": [ 42 ],
    "tenant_id": 42
  }
]

POST /config/domain_management/domains DEPRECATED

Creates a new domain.

Table 2862. POST /config/domain_management/domains resource details
MIME Type: application/json

Table 2863. POST /config/domain_management/domains request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2864. POST /config/domain_management/domains request body details
Parameter | Data Type | MIME Type | Description | Sample
domain | Object | application/json | A domain JSON object (its id parameter is ignored). | { "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 2865. POST /config/domain_management/domains response codes
HTTP Response Code | Unique Code | Description
201 | | The domain has been successfully created.
409 | 1004 | A domain object parameter already exists.
422 | 1005 | A domain object parameter is invalid.
500 | 1020 | An error occurred while the domain was being created.

Response Description

A created domain object.

Response Sample
{
  "asset_scanner_ids": [ 42 ],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [ 42 ],
  "flow_collector_ids": [ 42 ],
  "flow_source_ids": [ 42 ],
  "id": 42,
  "log_source_group_ids": [ 42 ],
  "log_source_ids": [ 42 ],
  "name": "String",
  "qvm_scanner_ids": [ 42 ],
  "tenant_id": 42
}

GET /config/domain_management/domains/{domain_id} DEPRECATED

Retrieves a domain by domain ID.

Table 2866. GET /config/domain_management/domains/{domain_id} resource details
MIME Type: application/json

Table 2867. GET /config/domain_management/domains/{domain_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
domain_id | path | Required | Number (Integer) | text/plain | The ID of the domain object to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2868. GET /config/domain_management/domains/{domain_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The domain has been successfully retrieved.
404 | 1002 | No domain was found for the provided domain ID.
500 | 1020 | An error occurred while the domain was being retrieved.

Response Description

A domain object.

Response Sample
{
  "asset_scanner_ids": [ 42 ],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [ 42 ],
  "flow_collector_ids": [ 42 ],
  "flow_source_ids": [ 42 ],
  "id": 42,
  "log_source_group_ids": [ 42 ],
  "log_source_ids": [ 42 ],
  "name": "String",
  "qvm_scanner_ids": [ 42 ],
  "tenant_id": 42
}

POST /config/domain_management/domains/{domain_id} DEPRECATED

Updates an existing domain.

Table 2869. POST /config/domain_management/domains/{domain_id} resource details
MIME Type: application/json

Table 2870. POST /config/domain_management/domains/{domain_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
domain_id | path | Required | Number (Integer) | text/plain | The ID of the domain object to update.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2871. POST /config/domain_management/domains/{domain_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
domain | Object | application/json | A domain JSON object. | { "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 2872. POST /config/domain_management/domains/{domain_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The domain has been successfully updated.
404 | 1002 | No domain was found for the provided domain ID.
409 | 1004 | A domain object parameter already exists.
422 | 1005 | A domain object parameter is invalid.
500 | 1020 | An error occurred while the domain was being updated.

Response Description

The updated domain object.

Response Sample
{
  "asset_scanner_ids": [ 42 ],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [ 42 ],
  "flow_collector_ids": [ 42 ],
  "flow_source_ids": [ 42 ],
  "id": 42,
  "log_source_group_ids": [ 42 ],
  "log_source_ids": [ 42 ],
  "name": "String",
  "qvm_scanner_ids": [ 42 ],
  "tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id} DEPRECATED

Deletes a domain by domain ID.

All domain mappings are also deleted.

Table 2873. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type: application/json

Table 2874. DELETE /config/domain_management/domains/{domain_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
domain_id | path | Required | Number (Integer) | text/plain | The ID of the domain object to delete.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2875. DELETE /config/domain_management/domains/{domain_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The domain has been successfully deleted.
404 | 1002 | No domain was found for the provided domain ID.
422 | 1005 | The default domain cannot be deleted.
500 | 1020 | An error occurred while the domain was being deleted.

Response Description

The deleted domain object with its deleted parameter set to true.

Response Sample
{
  "asset_scanner_ids": [ 42 ],
  "custom_properties": [
    {
      "capture_result": "String",
      "id": 42
    }
  ],
  "deleted": true,
  "description": "String",
  "event_collector_ids": [ 42 ],
  "flow_collector_ids": [ 42 ],
  "flow_source_ids": [ 42 ],
  "id": 42,
  "log_source_group_ids": [ 42 ],
  "log_source_ids": [ 42 ],
  "name": "String",
  "qvm_scanner_ids": [ 42 ],
  "tenant_id": 42
}

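The tenant and domain endpoints above share one request-body shape each, both soft-delete (the deleted object keeps appearing in the list responses with deleted set to true), and both report failures with the same HTTP status plus unique code pairs. The following added Python example (not code from the QRadar guide or from IBM) builds and validates those bodies, separates live objects from soft-deleted ones, and maps the documented codes to an exception. Field names come from the request body tables; the validation rules, the function names, the sample tenants and domain, and the assumption that an error body carries the unique code under "code" and its text under "message" are this example's own.

```python
"""Added example (not from the QRadar guide): request bodies for the tenant
and domain endpoints, soft-delete handling for their list responses, and a
mapping of the documented error codes to an exception."""

# Per-domain ID lists named in Tables 2864 and 2871.
DOMAIN_ID_LISTS = ("asset_scanner_ids", "event_collector_ids", "flow_collector_ids",
                   "flow_source_ids", "log_source_group_ids", "log_source_ids",
                   "qvm_scanner_ids")


class QRadarApiError(Exception):
    """One documented error response: HTTP status plus QRadar's unique code."""

    def __init__(self, http_code, unique_code, message):
        super().__init__(f"HTTP {http_code} (code {unique_code}): {message}")
        self.http_code = http_code
        self.unique_code = unique_code


def _non_negative_int(label, value):
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{label} must be a non-negative integer")
    return value


def tenant_payload(name, event_rate_limit, flow_rate_limit, description=""):
    """Body for POST .../tenants and POST .../tenants/{tenant_id}: name,
    event_rate_limit (eps), flow_rate_limit (fpm) and description, as the
    guide lists them. The server-owned id and deleted fields are never sent."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("tenant name is required")
    return {
        "name": name.strip(),
        "event_rate_limit": _non_negative_int("event_rate_limit", event_rate_limit),
        "flow_rate_limit": _non_negative_int("flow_rate_limit", flow_rate_limit),
        "description": description,
    }


def domain_payload(domain):
    """Body for POST /config/domain_management/domains built from a domain
    object, for example one fetched with GET. The guide says the id is
    ignored on create, so it and the deleted flag are dropped here; every
    *_ids list must hold non-negative integers and a tenant_id is required
    (validation rules are this example's, not the guide's)."""
    if not isinstance(domain.get("name"), str) or not domain["name"].strip():
        raise ValueError("domain name is required")
    body = {
        "name": domain["name"].strip(),
        "description": domain.get("description", ""),
        "tenant_id": _non_negative_int("tenant_id", domain.get("tenant_id")),
        "custom_properties": list(domain.get("custom_properties", [])),
    }
    for key in DOMAIN_ID_LISTS:
        body[key] = [_non_negative_int(key, v) for v in domain.get(key, [])]
    return body


def live_objects(objects):
    """Tenants and domains are soft-deleted: DELETE returns the object with
    deleted=true and the list endpoints keep returning it. Keep only live ones."""
    return [o for o in objects if not o.get("deleted", False)]


def raise_for_status(http_code, body):
    """Return body on 200/201; otherwise raise with the unique code.
    Assumption: an error body carries the unique code under "code" and the
    text under "message"."""
    if http_code in (200, 201):
        return body
    unique = body.get("code") if isinstance(body, dict) else None
    message = (body.get("message") if isinstance(body, dict) else None) or "unexpected response"
    raise QRadarApiError(http_code, unique, message)


# Constructed samples shaped like the guide's response samples (not real data).
SAMPLE_TENANTS = [
    {"id": 1, "name": "Finance", "deleted": False, "event_rate_limit": 5000,
     "flow_rate_limit": 200000, "description": "Finance business unit"},
    {"id": 2, "name": "Legacy", "deleted": True, "event_rate_limit": 100,
     "flow_rate_limit": 1000, "description": ""},
]
SAMPLE_DOMAIN = {
    "id": 7, "deleted": False, "name": "Finance domain", "description": "",
    "tenant_id": 1, "log_source_ids": [101, 102], "log_source_group_ids": [],
    "event_collector_ids": [3], "flow_collector_ids": [], "flow_source_ids": [],
    "asset_scanner_ids": [], "qvm_scanner_ids": [],
    "custom_properties": [{"capture_result": "finance", "id": 55}],
}
```

Validating the rate limits client-side matters because a tenant's event and flow limits are the quota that stops one tenant from starving the others; a zero or negative value sent by mistake would otherwise surface only as a 422 with unique code 1005. Filtering with live_objects is what a consumer of GET .../tenants needs before counting or reporting on tenants, since a soft-deleted tenant still appears there.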
GET /config/event_retention_buckets DEPRECATED


Retrieves a list of event retention buckets.

Retrieves a list of event retention buckets.


Table 2876. GET /config/event_retention_buckets resource details
MIME Type
application/json

Table 2877. GET /config/event_retention_buckets request parameter details

Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2878. GET /config/event_retention_buckets response codes

HTTP Response Code Unique Code Description
200 The event retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the event retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v deletion - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]
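The following Python client, added here as a worked example and not part of the QRadar guide or its sample code, pages through this endpoint with the Range header, passes the filter and fields query parameters, and turns a non-200 answer into an exception that carries the unique code from the table above. It assumes the QRadar conventions of a SEC header for the authorized-service token, a Version header for the API version (the "8.0" default is a placeholder; set it to the version the endpoint belongs to), and an error body with code and message fields. The transport is a fake standing in for an HTTPS client so the example runs offline, and the buckets it serves are constructed.

```python
"""Page through a QRadar list endpoint with the Range header (added example)."""
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# A transport takes (method, path, headers, query params) and returns
# (status, response headers, body bytes). A real client wraps an HTTPS library
# here with certificate verification left on; the fake below runs offline.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]],
                     Tuple[int, Dict[str, str], bytes]]


class QRadarApiError(Exception):
    """Any non-200 answer: carries the HTTP status and the QRadar unique code."""

    def __init__(self, status: int, code: Optional[int], message: str) -> None:
        super().__init__(f"HTTP {status}, code {code}: {message}")
        self.status, self.code, self.message = status, code, message


def auth_headers(sec_token: str, api_version: str) -> Dict[str, str]:
    # Assumed QRadar conventions: the authorized-service token travels in the SEC
    # header and the API version in the Version header. Never put the token in a URL.
    return {"SEC": sec_token, "Version": api_version, "Accept": "application/json"}


def parse_error(status: int, body: bytes) -> QRadarApiError:
    # Assumed error body shape: {"http_response": {...}, "code": 1010, "message": "..."}.
    try:
        doc = json.loads(body)
        return QRadarApiError(status, doc.get("code"), doc.get("message", ""))
    except (ValueError, AttributeError):
        return QRadarApiError(status, None, body.decode(errors="replace"))


def iter_items(transport: Transport, path: str, sec_token: str, page_size: int = 50,
               filter_expr: Optional[str] = None, fields: Optional[str] = None,
               api_version: str = "8.0") -> Iterator[dict]:
    """Yield every element of a list endpoint, one Range-limited request at a time."""
    if page_size < 1:
        raise ValueError("page_size must be positive")
    params: Dict[str, str] = {}
    if filter_expr:
        params["filter"] = filter_expr
    if fields:
        params["fields"] = fields
    start = 0
    while True:
        headers = auth_headers(sec_token, api_version)
        # Range is zero-indexed and inclusive: items=0-49 asks for the first 50.
        headers["Range"] = f"items={start}-{start + page_size - 1}"
        status, _, body = transport("GET", path, headers, params)
        if status != 200:
            raise parse_error(status, body)
        page = json.loads(body)
        yield from page
        if len(page) < page_size:  # a short page means nothing is left
            return
        start += page_size


def list_retention_buckets(transport: Transport, sec_token: str, **kwargs) -> List[dict]:
    return list(iter_items(transport, "/api/config/event_retention_buckets", sec_token, **kwargs))


def sample_buckets(count: int) -> List[dict]:
    """Constructed sample data shaped like the response sample above."""
    return [{"id": i, "bucket_id": i, "name": f"bucket-{i}", "database": "EVENTS",
             "period": 24 * (i + 1), "deletion": "IMMEDIATELY", "enabled": i % 2 == 0,
             "priority": i} for i in range(count)]


def make_fake_transport(buckets: List[dict]):
    """Fake QRadar: honours Range, answers an unbalanced filter with 422 / 1010."""
    calls: List[tuple] = []

    def transport(method, path, headers, params):
        calls.append((method, path, dict(headers), dict(params)))
        flt = params.get("filter", "")
        if flt.count("(") != flt.count(")"):
            err = {"http_response": {"code": 422, "message": "Unprocessable Entity"},
                   "code": 1010, "message": "A request parameter is not valid."}
            return 422, {}, json.dumps(err).encode()
        first, last = (int(x) for x in headers["Range"].split("=")[1].split("-"))
        page = buckets[first:last + 1]
        content_range = {"Content-Range": f"items {first}-{last}/{len(buckets)}"}
        return 200, content_range, json.dumps(page).encode()

    return transport, calls


if __name__ == "__main__":
    fake, calls = make_fake_transport(sample_buckets(7))
    got = list_retention_buckets(fake, "example-token", page_size=3, fields="id,name,enabled")
    print(f"{len(got)} buckets in {len(calls)} requests")
```

In production the transport wraps an HTTPS library with certificate verification enabled; keeping the token in the SEC header rather than the query string keeps it out of proxy and access logs. The generator stops at the first short page, so a filter that matches nothing costs a single request, and a malformed filter surfaces as the 422 / 1010 pair from the table rather than as an empty list.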

GET /config/event_retention_buckets/{id} DEPRECATED

Retrieves an event retention bucket.



Table 2879. GET /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 2880. GET /config/event_retention_buckets/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the event retention bucket to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2881. GET /config/event_retention_buckets/{id} response codes

HTTP Response Code Unique Code Description
200 The event retention bucket was retrieved.
404 1002 The event retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the event retention bucket.

Response Description

The retrieved Retention Bucket object. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v deletion - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/event_retention_buckets/{id} DEPRECATED

Updates the event retention bucket owner or enabled/disabled only.


Table 2882. POST /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 2883. POST /config/event_retention_buckets/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the event retention bucket to update.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2884. POST /config/event_retention_buckets/{id} request body details

Parameter Data Type MIME Type Description
retention_bucket Object application/json A JSON representation of the retention bucket object. Only the owner and the enabled flag are updated by this endpoint.

Sample
{ "id": 1, "name": "String", "description": "String", "priority": 1, "period": 1, "deletion": "String", "created": 123123, "modified": 123123, "saved_search_id": "String", "enabled": true }

Table 2885. POST /config/event_retention_buckets/{id} response codes

HTTP Response Code Unique Code Description
200 The event retention bucket has been updated.
404 1002 The event retention bucket does not exist.
409 1004 The provided user does not have the required capabilities to own the event retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the event retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v deletion - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/event_retention_buckets/{id} DEPRECATED

Deletes an event retention bucket.



Table 2886. DELETE /config/event_retention_buckets/{id} resource details
MIME Type
text/plain

Table 2887. DELETE /config/event_retention_buckets/{id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain The ID of the event retention bucket to delete.

Table 2888. DELETE /config/event_retention_buckets/{id} response codes

HTTP Response Code Unique Code Description
204 The Event Retention Bucket was deleted.
403 1009 You do not have the proper capabilities to delete the event retention bucket.
404 1002 The Event Retention Bucket does not exist.
500 1020 An error occurred during the attempt to delete the event retention bucket.

Response Description

There is no response body; a successful delete returns HTTP 204.

GET /config/event_sources/custom_properties/property_expressions DEPRECATED

Retrieves a list of event regex property expressions.


Table 2889. GET /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 2890. GET /config/event_sources/custom_properties/property_expressions request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2891. GET /config/event_sources/custom_properties/property_expressions response codes

HTTP Response Code Unique Code Description
200 The requested list of event regex property expressions was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of event regex property expressions.

Response Description

A list of event regex property expressions. Each regex property expression contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/event_sources/custom_properties/property_expressions DEPRECATED

Creates a new event regex property expression.


Table 2892. POST /config/event_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 2893. POST /config/event_sources/custom_properties/property_expressions request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2894. POST /config/event_sources/custom_properties/property_expressions request body details

Parameter Data Type MIME Type Description
data Object application/json Required - A JSON representation of the regex property expression object.
v regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
v regex - Required - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.

Sample
{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 2895. POST /config/event_sources/custom_properties/property_expressions response codes

HTTP Response Code Unique Code Description
201 A new event regex property expression was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property expression.

Response Description

The newly created event regex property expression that contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED

Retrieves an event regex property expression based on the supplied expression ID.

Table 2896. GET /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 2897. GET /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property expression.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2898. GET /config/event_sources/custom_properties/property_expressions/{expression_id} response codes

HTTP Response Code Unique Code Description
200 The requested event regex property expression was successfully retrieved.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property expression.

Response Description

An event regex property expression that contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED

Updates an existing event regex property expression.


Table 2899. POST /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 2900. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property expression.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2901. POST /config/event_sources/custom_properties/property_expressions/{expression_id} request body details

Parameter Data Type MIME Type Description
data Object application/json Required - A JSON representation of the event regex property expression object.
v regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v regex - Optional - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture.
v payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.
v log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Optional - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.
v username - Optional - String - The owner of the event regex property expression. If the input username is an authorized service, the prefix "API_token: " is required.

Sample
{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 2902. POST /config/event_sources/custom_properties/property_expressions/{expression_id} response codes

HTTP Response Code Unique Code Description
200 The event regex property expression was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or an admin user.
404 1002 The requested event regex property expression cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an event regex property expression.

Response Description

The updated event regex property expression object contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The ID of the event regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this log source type.
v log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID record.
v low_level_category_id - Integer - The expression is only applied to events with this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} DEPRECATED

Deletes an event regex property expression based on the supplied expression ID.

Table 2903. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 2904. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property expression.

Table 2905. DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} response codes

HTTP Response Code Unique Code Description
204 The requested event regex property expression was successfully deleted.
403 1009 The user cannot delete the resource because it can only be deleted by the owner or an admin user.
404 1002 The requested event regex property expression cannot be found.
500 1020 An error occurred during the attempt to delete the requested event regex property expression.

Response Description

There is no response body; a successful delete returns HTTP 204.

GET /config/event_sources/custom_properties/regex_properties DEPRECATED

Retrieves a list of event regex properties.

Table 2906. GET /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 2907. GET /config/event_sources/custom_properties/regex_properties request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2908. GET /config/event_sources/custom_properties/regex_properties response codes

HTTP Response Code Unique Code Description
200 The requested list of event regex properties was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of event regex properties.

Response Description

A list of event regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/event_sources/custom_properties/regex_properties DEPRECATED

Creates a new event regex property.



Table 2909. POST /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 2910. POST /config/event_sources/custom_properties/regex_properties request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2911. POST /config/event_sources/custom_properties/regex_properties request body details

Parameter Data Type MIME Type Description
data Object application/json Required - A JSON representation of the event regex property object.
v name - Required - String - The name of the event regex property.
v description - Optional - String - The description of the event regex property.
v property_type - Required - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received. It is false if no value is supplied.
v datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is time.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is time.

Sample
{ "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 2912. POST /config/event_sources/custom_properties/regex_properties response codes

HTTP Response Code Unique Code Description
201 A new event regex property was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new event regex property.

Response Description

The newly created event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the
event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
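The following Python helpers, an added example rather than code from the QRadar guide, build the request bodies for POST /config/event_sources/custom_properties/regex_properties (above) and POST /config/event_sources/custom_properties/property_expressions (earlier in this section) and catch, before the request is sent, the conditions those tables answer with 422: a time property without datetime_format and locale, a property_type outside string/numeric/ip/port/time, a regex that does not compile, a capture_group the regex does not define, and a regex that extracts nothing from the supplied test payload. The "API_token: " owner prefix from the update endpoint is covered as well. Python's re module stands in for QRadar's Java regex engine (an assumption: syntax that differs between the two engines is not caught), and the property identifier, log source type ID and syslog payload are constructed placeholders.

```python
"""Pre-flight checks for regex property and expression request bodies (added example)."""
import re
from typing import Any, Dict, Optional

PROPERTY_TYPES = ("string", "numeric", "ip", "port", "time")


def build_regex_property(name: str, property_type: str, description: Optional[str] = None,
                         use_for_rule_engine: bool = False, datetime_format: Optional[str] = None,
                         locale: Optional[str] = None) -> Dict[str, Any]:
    """Body for POST /config/event_sources/custom_properties/regex_properties."""
    if not name or not name.strip():
        raise ValueError("name is required")
    ptype = property_type.lower()
    if ptype not in PROPERTY_TYPES:
        raise ValueError(f"property_type must be one of {PROPERTY_TYPES}, got {property_type!r}")
    body: Dict[str, Any] = {"name": name, "property_type": ptype,
                            "use_for_rule_engine": bool(use_for_rule_engine)}
    if description is not None:
        body["description"] = description
    # The table marks both fields as required when the property type is time.
    if ptype == "time" and not (datetime_format and locale):
        raise ValueError("datetime_format and locale are required for a time property")
    if datetime_format is not None:
        body["datetime_format"] = datetime_format
    if locale is not None:
        body["locale"] = locale
    return body


def extract(regex: str, capture_group: int, payload: str) -> Optional[str]:
    """What the expression would pull out of one event payload, or None if nothing."""
    match = re.compile(regex).search(payload)
    return None if match is None else match.group(capture_group)


def build_property_expression(regex_property_identifier: str, regex: str, log_source_type_id: int,
                              capture_group: int = 1, enabled: bool = True,
                              payload: Optional[str] = None, log_source_id: Optional[int] = None,
                              qid: Optional[int] = None,
                              low_level_category_id: Optional[int] = None) -> Dict[str, Any]:
    """Body for POST /config/event_sources/custom_properties/property_expressions.

    Python's re stands in for QRadar's Java regex engine (an assumption: syntax
    that differs between the two engines is not caught here).
    """
    if not regex_property_identifier:
        raise ValueError("regex_property_identifier is required")
    try:
        compiled = re.compile(regex)
    except re.error as exc:
        raise ValueError(f"regex does not compile: {exc}") from exc
    if not 1 <= capture_group <= compiled.groups:
        raise ValueError(f"capture_group {capture_group} is out of range; "
                         f"the regex defines {compiled.groups} group(s)")
    if payload is not None and extract(regex, capture_group, payload) is None:
        raise ValueError("regex does not extract a value from the test payload")
    body: Dict[str, Any] = {
        "regex_property_identifier": regex_property_identifier,
        "regex": regex,
        "capture_group": capture_group,  # the server default is 1 when omitted
        "enabled": bool(enabled),        # the server default is true when omitted
        "log_source_type_id": int(log_source_type_id),
    }
    for key, value in (("payload", payload), ("log_source_id", log_source_id),
                       ("qid", qid), ("low_level_category_id", low_level_category_id)):
        if value is not None:
            body[key] = value
    return body


def owner_username(name: str, authorized_service: bool = False) -> str:
    """username for the update body; an authorized service needs the API_token: prefix."""
    return f"API_token: {name}" if authorized_service else name


# Constructed sample payload and regex; the identifier and type ID below are placeholders.
SAMPLE_PAYLOAD = ("<13>Mar  1 10:00:00 bastion sshd[1234]: Accepted publickey for alice "
                  "from 10.0.0.5 port 50000 ssh2")
SAMPLE_REGEX = r"Accepted \w+ for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"

if __name__ == "__main__":
    prop = build_regex_property("SSH Login User", "string", use_for_rule_engine=True)
    expr = build_property_expression("example-property-identifier", SAMPLE_REGEX, 1,
                                     payload=SAMPLE_PAYLOAD)
    print(prop, expr, extract(SAMPLE_REGEX, 2, SAMPLE_PAYLOAD), sep="\n")
```

Running the regex against a representative payload before the POST is what the UI does with the payload field; doing it client-side as well means a mistyped capture group or an expression that never matches is rejected locally instead of being created, enabled by default, and silently producing empty property values in rules that depend on it.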

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED

Retrieves an event regex property based on the supplied regex property ID.

Table 2913. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 2914. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2915. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The requested event regex property was successfully retrieved.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested event regex property.

Response Description

An event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED
Updates an existing event regex property.

Table 2916. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 2917. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the event regex property.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2918. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the event regex property object.
v description - Optional - String - The description of the event regex property.
v property_type - Optional - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when the property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.
v username - Optional - String - The owner of the event regex property. If the input username is an authorized service, the prefix "API_token: " is required.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 2919. POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The event regex property was updated.
403 1009 The user cannot update the resource because it can only be updated by the owner or admin user.
404 1002 The requested event regex property cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to update an event regex property.

Response Description

The updated event regex property object contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED
Deletes an event regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.
Table 2920. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 2921. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2922. DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
202 The event regex property delete request was accepted and is in progress.
403 1009 The user cannot delete the regex_property because it can only be deleted by the owner or admin user.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred while attempting to delete the event regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents DEPRECATED
Retrieves the objects that depend on the event regex property.

Table 2923. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource details
MIME Type
application/json

Table 2924. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2925. GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code Unique Code Description
202 The event regex property dependents retrieval was accepted and is in progress.
404 1002 The event regex property does not exist.
500 1020 An error occurred while attempting to initiate the event regex property dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} DEPRECATED
Retrieves the event regex property delete task status.

Table 2926. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2927. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2928. GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The requested delete task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED
Retrieves the event regex property dependent task status.

Table 2929. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2930. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2931. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested dependent task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED
Cancels the regex property dependent task.

Table 2932. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2933. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2934. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 2935. POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time, in milliseconds since epoch, at which the task was created.
v started - Long - The time, in milliseconds since epoch, at which the task was started.
v modified - Long - The time, in milliseconds since epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results DEPRECATED
Retrieves the regex property dependent task results.

Table 2936. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 2937. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2938. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The regex property dependents were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
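The dependency-check-then-delete flow spread over the DELETE, /dependents, task-status and /results sections above, as an added example that is not part of the IBM guide: it follows the Location header returned with each 202, polls the task until its status is terminal, and refuses to issue the DELETE while any dependent is blocking or not editable by the caller. The request transport, the FakeQRadar stand-in, the task IDs 11 and 12, and the sample rule dependent are constructed assumptions, not values from the guide.

```python
"""Added example (not IBM code): check dependents before deleting an event regex property.

Uses the deprecated endpoints documented above: GET .../regex_properties/{id}/dependents and
DELETE .../regex_properties/{id} both answer 202 with a Location header pointing at a task status
URL, which is polled until the task is terminal; /results then lists the Dependent objects.
"""
import time
from typing import Callable, Dict, List, Tuple

BASE = "/api/config/event_sources/custom_properties"
# Terminal values of the task status enum shown in the Response Samples above.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
# Transport abstraction (assumed): request(method, path) -> (http_status, response_headers, json_body).
Request = Callable[[str, str], Tuple[int, Dict[str, str], object]]


class QRadarError(Exception):
    """An endpoint answered outside the expected codes (403/404/422/500 in the tables above)."""


def call_api(request: Request, method: str, path: str, expect: set):
    status, headers, body = request(method, path)
    if status not in expect:
        # Error bodies carry the "Unique Code" from the response-code tables (1002 = not found).
        code = body.get("code") if isinstance(body, dict) else None
        raise QRadarError(f"{method} {path}: HTTP {status}, unique code {code}")
    return status, headers, body


def wait_for_task(request: Request, location: str, poll_seconds: float = 0.0, max_polls: int = 50) -> dict:
    """Poll the task status URL from the Location header until the task reaches a terminal state."""
    for _ in range(max_polls):
        _, _, task = call_api(request, "GET", location, {200})
        if task["status"] in TERMINAL:
            return task
        time.sleep(poll_seconds)
    raise QRadarError(f"task {location} still running after {max_polls} polls")


def find_dependents(request: Request, regex_property_id: int) -> List[dict]:
    """Start the asynchronous dependents task, wait for it, and return the Dependent objects."""
    _, headers, _ = call_api(request, "GET", f"{BASE}/regex_properties/{regex_property_id}/dependents", {202})
    location = headers["Location"]
    task = wait_for_task(request, location)
    if task["status"] != "COMPLETED":
        raise QRadarError(f"dependents task ended in {task['status']}: {task.get('message')}")
    _, _, dependents = call_api(request, "GET", f"{location}/results", {200})
    return dependents


def safe_delete(request: Request, regex_property_id: int) -> dict:
    """Delete only when no dependent blocks it and the caller may edit every dependent."""
    dependents = find_dependents(request, regex_property_id)
    blocking = [d["dependent_name"] for d in dependents if d.get("blocking")]
    not_editable = [d["dependent_name"] for d in dependents if not d.get("user_has_edit_permissions")]
    if blocking or not_editable:
        return {"deleted": False, "blocking": blocking, "not_editable": not_editable}
    _, headers, _ = call_api(request, "DELETE", f"{BASE}/regex_properties/{regex_property_id}", {202})
    task = wait_for_task(request, headers["Location"])
    return {"deleted": task["status"] == "COMPLETED", "blocking": [], "not_editable": [],
            "task_status": task["status"]}


class FakeQRadar:
    """Constructed stand-in for the API: one property (id 7) whose dependents are given at construction."""
    def __init__(self, dependents: List[dict]):
        self.dependents = dependents
        self.polls = 0  # the first status poll reports PROCESSING, later ones COMPLETED

    def request(self, method: str, path: str):
        dep_task = f"{BASE}/regex_property_dependent_tasks/11"
        del_task = f"{BASE}/regex_property_delete_tasks/12"
        if (method, path) == ("GET", f"{BASE}/regex_properties/7/dependents"):
            return 202, {"Location": dep_task}, {"id": 11, "status": "QUEUED"}
        if (method, path) == ("GET", dep_task):
            self.polls += 1
            return 200, {}, {"id": 11, "status": "PROCESSING" if self.polls == 1 else "COMPLETED"}
        if (method, path) == ("GET", f"{dep_task}/results"):
            return 200, {}, self.dependents
        if (method, path) == ("DELETE", f"{BASE}/regex_properties/7"):
            return 202, {"Location": del_task}, {"id": 12, "status": "QUEUED"}
        if (method, path) == ("GET", del_task):
            return 200, {}, {"id": 12, "status": "COMPLETED"}
        return 404, {}, {"code": 1002, "message": "The requested event regex property cannot be found."}


# Constructed Dependent object shaped like the /results Response Sample: a rule that uses the property.
RULE_DEPENDENT = {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [42],
                  "dependent_id": "100001", "dependent_name": "Suspicious Login Rule",
                  "dependent_owner": "admin", "dependent_type": "CRE_RULE", "user_has_edit_permissions": True}


def demo_blocked() -> dict:
    """Property 7 is used by a rule: the delete is refused and the dependent is reported."""
    return safe_delete(FakeQRadar([RULE_DEPENDENT]).request, 7)


def demo_clean() -> dict:
    """Property 7 has no dependents: DELETE is issued and the delete task awaited."""
    return safe_delete(FakeQRadar([]).request, 7)
```

Against a live deployment, `request` would wrap an HTTPS client that sends the SEC token header and a `Version: 9.0` header and returns the parsed JSON body alongside the response headers.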

GET /config/extension_management/extensions DEPRECATED
Retrieve a list of extensions.
Table 2939. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 2940. GET /config/extension_management/extensions request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2941. GET /config/extension_management/extensions response codes
HTTP Response Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be sorted on.
500 22602 An error has occurred while trying to retrieve the list of extensions.

Response Description

A list of extensions. Each extension contains the following fields:
v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (the person who generated the extension).
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as the number of milliseconds since the Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as the number of milliseconds since the Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",
"content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

POST /config/extension_management/extensions DEPRECATED


Uploads the supplied extension file to the IBM Security QRadar system.
Table 2942. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 2943. POST /config/extension_management/extensions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2944. POST /config/extension_management/extensions request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/x-gzip | Required - The Extension file. Must be a properly-formed QRadar extension/content export, either an XML file or an XML within a ZIP or TAR.GZ archive. Must be provided with MIME type application/xml, application/zip, application/x-gzip or multipart/form-data | File

Table 2945. POST /config/extension_management/extensions response codes
HTTP Response Code | Unique Code | Description
201 | | The supplied extension file has been uploaded.
409 | 22613 | The supplied extension file can not be uploaded because it shares the same hub_id and version as one of the extensions in the system.
422 | 22607 | The supplied extension could not be validated successfully
422 | 22616 | The supplied manifest for the extension is invalid.
500 | 22602 | An error has occurred while trying to upload the extension file.

Response Description

An extension containing the following fields:


v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id} DEPRECATED


Retrieves an extension based on the supplied extension ID.
Table 2946. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 2947. GET /config/extension_management/extensions/{extension_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2948. GET /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested extension has been retrieved.
404 | 22603 | The requested extension cannot be found.
422 | 22606 | A supplied numeric parameter was not positive.
500 | 22602 | An error has occurred while trying to retrieve the requested extension.

Response Description

An extension containing the following fields:


v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this extension.
v exported_qradar_version - String - The version of the QRadar deployment this extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to QRadar.
v installed_by - String - The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.
v status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension. Each object has the following fields:
– content_type_id - Number - The ID of the content type.
– content_type_name - String - The name of the content type.
– identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id} DEPRECATED


Install an extension based on the supplied extension ID. This is an asynchronous action.

Installs the Extension corresponding to the supplied extension ID. Alternatively, it can be used to preview an extension, showing what values are applied if the extension is installed.
Table 2949. POST /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 2950. POST /config/extension_management/extensions/{extension_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension.
action_type | query | Required | String | text/plain | Required - The desired action to take on the Extension (INSTALL or PREVIEW)
overwrite | query | Optional | Boolean | text/plain | Optional - If true, any existing items on the importing system will be overwritten if the extension contains the same items. If false, existing items will be preserved, and the corresponding items in the extension will be skipped.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2951. POST /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The requested install or preview task has been started.
404 | 22603 | The requested extension cannot be found.
404 | 22604 | The task status for status_id cannot be found.
409 | 22612 | The supplied extension cannot be installed/previewed because it is already installed
409 | 22611 | The supplied extension cannot be installed/previewed because it is already in the process of being installed/previewed.
409 | 22618 | The requested task can not be initiated because another preview/install task is already in progress.
422 | 22605 | The supplied action type is invalid
422 | 22606 | A supplied numeric parameter was not positive.
500 | 22602 | An error has occurred while trying to install or preview the requested extension.

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:


v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

DELETE /config/extension_management/extensions/{extension_id} DEPRECATED


Uninstall an extension based on the supplied extension ID. This is an asynchronous action.
Table 2952. DELETE /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 2953. DELETE /config/extension_management/extensions/{extension_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension to be uninstalled.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2954. DELETE /config/extension_management/extensions/{extension_id} response codes
HTTP Response Code | Unique Code | Description
202 | | The requested uninstall task has been started.
404 | 22603 | The requested extension cannot be found.
404 | 22604 | The task status for status_id cannot be found.
409 | 22611 | The supplied extension cannot be uninstalled because it is already in the process of being uninstalled.
409 | 22617 | The extension can not be uninstalled because it is already in the process of being previewed/installed.
422 | 22606 | A supplied numeric parameter was not positive.
500 | 22602 | An error has occurred while trying to uninstall an extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:


v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/{status_id} DEPRECATED


Retrieves the task status based on the status ID.
Table 2955. GET /config/extension_management/extensions_task_status/{status_id} resource details
MIME Type
application/json

Table 2956. GET /config/extension_management/extensions_task_status/{status_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
status_id | path | Required | Number (Integer) | text/plain | Required - the id of the task status.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2957. GET /config/extension_management/extensions_task_status/{status_id} response codes


HTTP Response Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the task status.

Response Description

A task status containing the following fields:


v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.
v progress - Number - The current progress of the task.
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as number of milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as number of milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified, represented as number of milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed, represented as number of milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task IDs that are executed asynchronously from this task.
v task_components - Array - Array of task components that are executed sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

GET /config/extension_management/extensions_task_status/{status_id}/results DEPRECATED


Retrieves the task status results based on the status ID.
Table 2958. GET /config/extension_management/extensions_task_status/{status_id}/results resource details
MIME Type
application/json

Table 2959. GET /config/extension_management/extensions_task_status/{status_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
status_id | path | Required | Number (Integer) | text/plain | Required - The id of the task status.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2960. GET /config/extension_management/extensions_task_status/{status_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The requested results of the task status have been retrieved.
404 | 22604 | The task status for status_id cannot be found.
404 | 22614 | The task results are not available.
422 | 22606 | A supplied numeric parameter was not positive.
500 | 22602 | An error has occurred while trying to retrieve the results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall task. It contains the following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the extension and what action is associated with each content item for the task that was executed. Each content item contains the following fields:
– name - String - The name of the content item.
– content_type_id - Number - The ID of the type of the content item.
– content_type_name - String - The name of the type of the content item.
– action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",
"action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}
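The asynchronous preview/install flow spread over POST /config/extension_management/extensions/{extension_id}, GET .../extensions_task_status/{status_id} and GET .../extensions_task_status/{status_id}/results, as an added example that is not part of the guide and not IBM code: it starts a PREVIEW task, polls the task status until COMPLETED, reads the per-item actions from the results, and only then starts INSTALL, gated on the extension's signed state and on the caller's list of acceptable preview actions. The transport interface, the FakeTransport (constructed responses modelled on the guide's samples), the FAIL/CANCEL terminal-state heuristic and the error-body shape are assumptions.

```python
"""Preview-then-install workflow for the extension management endpoints.
Added example, not code from the guide. It assumes a caller-supplied transport
with one method, request(method, path, params) -> (http_code, body), so the
flow can run offline; a real transport would wrap an HTTPS client that sends
the SEC token header."""
import re
import time

EXT = "/config/extension_management/extensions"
TASK = "/config/extension_management/extensions_task_status"
# COMPLETED comes from the guide's task status sample; treating states that
# contain FAIL or CANCEL as terminal failures is an assumption, since the guide
# does not enumerate task states.
_FAILED = re.compile(r"FAIL|CANCEL")


class ExtensionClient:
    def __init__(self, transport, poll_interval=0.0, max_polls=50):
        self._transport = transport
        self._poll_interval = poll_interval
        self._max_polls = max_polls

    def _call(self, method, path, params=None):
        code, body = self._transport.request(method, path, params or {})
        if code >= 400:  # body carries the endpoint's unique code, e.g. 22612
            raise RuntimeError(f"{method} {path} -> HTTP {code}: {body}")
        return body

    def get_extension(self, extension_id):
        return self._call("GET", f"{EXT}/{extension_id}")

    def start_task(self, extension_id, action_type, overwrite=False):
        """POST .../extensions/{id}?action_type=INSTALL|PREVIEW; returns status_id."""
        body = self._call("POST", f"{EXT}/{extension_id}",
                          {"action_type": action_type,
                           "overwrite": "true" if overwrite else "false"})
        # status_location ends in .../extensions_task_status/{status_id}
        match = re.search(r"/extensions_task_status/(\d+)$", body["status_location"])
        if not match:
            raise ValueError(f"unexpected status_location: {body['status_location']}")
        return int(match.group(1))

    def wait_for_task(self, status_id):
        """Poll GET .../extensions_task_status/{status_id} until COMPLETED."""
        for _ in range(self._max_polls):
            status = self._call("GET", f"{TASK}/{status_id}")
            if status["status"] == "COMPLETED":
                return status
            if _FAILED.search(status["status"]):
                raise RuntimeError(status.get("message", status["status"]))
            time.sleep(self._poll_interval)
        raise TimeoutError(f"task {status_id} still running after {self._max_polls} polls")

    def preview(self, extension_id, overwrite=False):
        """Run a PREVIEW task and return {content item name: action} for review."""
        status_id = self.start_task(extension_id, "PREVIEW", overwrite)
        self.wait_for_task(status_id)
        results = self._call("GET", f"{TASK}/{status_id}/results")
        return {item["name"]: item["action"] for item in results["content"]}

    def install_if_clean(self, extension_id, allowed_signature_states,
                         acceptable_actions, overwrite=False):
        """Start INSTALL only when the extension's signed state is allowed and
        the preview reports no action outside acceptable_actions (both policy
        sets are the caller's). Returns the install task's status_id, or None
        when a check blocks the installation."""
        if self.get_extension(extension_id)["signed"] not in allowed_signature_states:
            return None
        plan = self.preview(extension_id, overwrite)
        if any(action not in acceptable_actions for action in plan.values()):
            return None
        return self.start_task(extension_id, "INSTALL", overwrite)


class FakeTransport:
    """Constructed offline stand-in; responses are modelled on the guide's
    samples (extension id 2, task status id 101) but are not real output."""

    def __init__(self):
        self.polls = 0

    def request(self, method, path, params):
        if (method, path) == ("GET", f"{EXT}/2"):
            return 200, {"id": 2, "name": "qidmaps.xml", "signed": "NOT_SIGNED",
                         "status": "UPLOADED"}
        if (method, path) == ("POST", f"{EXT}/2"):
            task_id = 101 if params["action_type"] == "PREVIEW" else 102
            return 202, {"message": f"{params['action_type']} requested",
                         "status_location": f"https://1.1.1.1/console/restapi/api{TASK}/{task_id}",
                         "current_status": {"id": task_id, "status": "QUEUED"}}
        if (method, path) == ("GET", f"{TASK}/101"):
            self.polls += 1  # first poll is still QUEUED, later polls COMPLETED
            return 200, {"id": 101, "status": "QUEUED" if self.polls < 2 else "COMPLETED"}
        if (method, path) == ("GET", f"{TASK}/101/results"):
            return 200, {"id": 2, "task_type": "PREVIEW", "content": [
                {"content_type_id": 27, "content_type_name": "qidmap",
                 "name": "qidmap", "action": "SKIP"}]}
        return 404, {"code": 22603, "message": "The requested extension cannot be found."}
```

With overwrite left false, a preview reporting only SKIP actions means nothing already present on the system would be replaced; any other action is surfaced for review before INSTALL is started.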

GET /config/flow_retention_buckets DEPRECATED


Retrieves a list of flow retention buckets.

Table 2961. GET /config/flow_retention_buckets resource details
MIME Type
application/json

Table 2962. GET /config/flow_retention_buckets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2963. GET /config/flow_retention_buckets response codes
HTTP Response Code | Unique Code | Description
200 | | The flow retention buckets were retrieved.
422 | 1010 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to retrieve the flow retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/flow_retention_buckets/{id} DEPRECATED


Retrieves a flow retention bucket.

Table 2964. GET /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 2965. GET /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2966. GET /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The flow retention bucket was retrieved.
404 | 1002 | The flow retention bucket does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the flow retention bucket.

Response Description

The retention bucket after it is retrieved. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/flow_retention_buckets/{id} DEPRECATED


Updates the flow retention bucket owner, or enabled/disabled only.


Table 2967. POST /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 2968. POST /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2969. POST /config/flow_retention_buckets/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
retention_bucket | Object | application/json | null | { "bucket_id": 42, "database": "String", "description": "String", "enabled": true, "id": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

Table 2970. POST /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The flow retention bucket was updated.
404 | 1002 | The Flow Retention Bucket does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the flow retention bucket.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 ).
v priority - Integer - The priority of the retention bucket ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.
v created - Long - The time, in milliseconds since epoch, at which the retention bucket was created.
v modified - Long - The time, in milliseconds since epoch, at which the retention bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/flow_retention_buckets/{id} DEPRECATED


Deletes a flow retention bucket.


Table 2971. DELETE /config/flow_retention_buckets/{id} resource details
MIME Type
text/plain

Table 2972. DELETE /config/flow_retention_buckets/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null

Table 2973. DELETE /config/flow_retention_buckets/{id} response codes
HTTP Response Code | Unique Code | Description
204 | | The flow retention bucket was deleted.
403 | 1009 | You do not have the proper capabilities to delete the flow retention bucket.
404 | 1002 | The flow retention bucket does not exist.
500 | 1020 | An error occurred during the attempt to delete the flow retention bucket.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/property_expressions DEPRECATED


Retrieves a list of flow regex property expressions.


Table 2974. GET /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 2975. GET /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2976. GET /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of flow regex property expressions was retrieved.
422 | 1010 | An error occurred while building the filter.
500 | 1020 | An error occurred during the attempt to retrieve the list of flow regex property expressions.

Response Description

A list of flow regex property expressions. Each regex property expression contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/flow_sources/custom_properties/property_expressions DEPRECATED
Creates a new flow regex property expression.


Table 2977. POST /config/flow_sources/custom_properties/property_expressions resource details
MIME Type
application/json

Table 2978. POST /config/flow_sources/custom_properties/property_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2979. POST /config/flow_sources/custom_properties/property_expressions request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the regex property expression object.
v regex_property_identifier - Required - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
v regex - Required - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.
v payload - Optional - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Optional - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
v payload_origin - Required - String - The payload type (source_payload, destination_payload) to apply the expression to.
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "low_level_category_id": 42, "modification_date": 42, "payload": "String", "payload_origin": "String <one of: event_payload, source_payload, destination_payload>", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 2980. POST /config/flow_sources/custom_properties/property_expressions response codes
HTTP Response Code Unique Code Description
201 A new flow regex property expression was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new flow regex property expression.

Response Description

The newly created flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED
Retrieves a flow regex property expression based on the supplied expression ID.

Table 2981. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 2982. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the flow_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.


Table 2983. GET /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The requested flow regex property expression was successfully retrieved.
404 1002 The requested flow regex property expression cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested flow regex property expression.

Response Description

A flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED
Updates an existing flow regex property expression.


Table 2984. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
application/json

Table 2985. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the flow regex property expression.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2986. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the flow regex property expression object.
v regex_property_identifier - Optional - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.
v regex - Optional - String - The regex to extract the property from the payload.
v capture_group - Optional - Integer - The capture group to capture.
v payload - Optional - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Optional - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Optional - Integer - The expression is applied to all flows with this low level category.
v payload_origin - Optional - String - The payload type (source_payload, destination_payload) to apply the expression to.
v username - Optional - String - The owner of the flow regex property expression. If the input username is authorized service, the prefix "API_token: " is required.
Sample: { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "low_level_category_id": 42, "modification_date": 42, "payload": "String", "payload_origin": "String <one of: event_payload, source_payload, destination_payload>", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }


Table 2987. POST /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
200 The flow regex property expression was updated.
403 1009 The user cannot update the resource because it only can be updated by the owner or admin user.
404 1002 The requested flow regex property expression cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update a flow regex property expression.

Response Description

The updated flow regex property expression object contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this low level category.
v payload_origin - BaseProperty - The payload type (source_payload, destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of: event_payload, source_payload, destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} DEPRECATED
Deletes a flow regex property expression based on the supplied expression ID.


Table 2988. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} resource details
MIME Type
text/plain

Table 2989. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number (Integer) text/plain Required - The sequence ID of the flow_regex_property_expression.

Table 2990. DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} response codes
HTTP Response Code Unique Code Description
204 The requested flow regex property expression was successfully deleted.
403 1009 The user cannot delete the resource because it only can be deleted by the owner or admin user.
404 1002 The requested flow regex property expression cannot be found.
500 1020 An error occurred during the attempt to delete the requested flow regex property expression.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/regex_properties DEPRECATED
Retrieves a list of flow regex properties.


Table 2991. GET /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 2992. GET /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 2993. GET /config/flow_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
200 The requested list of flow regex properties was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the list of flow regex properties.

Response Description

A list of flow regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/flow_sources/custom_properties/regex_properties DEPRECATED
Creates a new flow regex property.


Table 2994. POST /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 2995. POST /config/flow_sources/custom_properties/regex_properties request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 2996. POST /config/flow_sources/custom_properties/regex_properties request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the flow regex property object.
v name - Required - String - The name of the flow regex property.
v description - Optional - String - The description of the flow regex property.
v property_type - Required - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow was captured.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when property type is TIME.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 2997. POST /config/flow_sources/custom_properties/regex_properties response codes
HTTP Response Code Unique Code Description
201 A new flow regex property was created.
422 1005 One or more request parameters are invalid in the request.
500 1020 An error occurred during the attempt to create a new flow regex property.

Response Description

The newly created flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED
Retrieves a flow regex property based on the supplied regex property ID.

Table 2998. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 2999. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the flow_regex_property.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3000. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The requested flow regex property was successfully retrieved.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the requested flow regex property.


Response Description

A flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED
Updates an existing flow regex property.


Table 3001. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 3002. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the flow regex property.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.


Table 3003. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/json Required - A JSON representation of the flow regex property object.
v description - Optional - String - The description of the flow regex property.
v property_type - Optional - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Optional - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured. It is false if no value is supplied.
v datetime_format - Optional - String - The date/time pattern that the flow regex property matches. It is required when property type is TIME.
v locale - Optional - String - The language tag of the locale that the property matches. The locale is required when property type is TIME.
v username - Optional - String - The owner of the event regex property. If the input username is authorized service, the prefix "API_token: " is required.
Sample: { "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 3004. POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
200 The flow regex property was updated.
403 1009 The user cannot update the resource because it only can be updated by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update a flow regex property.

Response Description

The updated flow regex property object contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} DEPRECATED
Deletes a flow regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 3005. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} resource details
MIME Type
application/json

Table 3006. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain Required - The sequence ID of the flow regex property to delete.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3007. DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} response codes
HTTP Response Code Unique Code Description
202 The flow regex property delete request was accepted and is in progress.
403 1009 The user cannot delete the regex_property because it only can be deleted by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to delete the flow regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>"
}
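The request-body rules for POST .../regex_properties and POST .../property_expressions, and the asynchronous response of DELETE .../regex_properties/{regex_property_id}, as an added Python example (not IBM's code and not part of the guide). It assumes the API is served under /api on the console (the prefix the task status URLs above use) and that an authorized service token travels in the SEC header as the guide's overview chapter describes; host names, identifiers, tokens and the sample DELETE response are constructed placeholders.

```python
import json
import re
import urllib.request

# Path prefix used by the task status URLs quoted in the reference.
BASE = "/api/config/flow_sources/custom_properties"
PROPERTY_TYPES = {"string", "numeric", "ip", "port", "time"}
PAYLOAD_ORIGINS = {"event_payload", "source_payload", "destination_payload"}
# Delete Task Status values after which polling the task URL is pointless.
TERMINAL_STATES = {"CANCELLED", "COMPLETED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def regex_property_body(name, property_type, description=None, use_for_rule_engine=None,
                        datetime_format=None, locale=None):
    """Data object for POST .../regex_properties, enforcing the documented rules:
    name and property_type are required, and a time property also needs
    datetime_format and locale."""
    if not name:
        raise ValueError("name is required")
    if property_type not in PROPERTY_TYPES:
        raise ValueError("property_type must be one of %s" % sorted(PROPERTY_TYPES))
    if property_type == "time" and not (datetime_format and locale):
        raise ValueError("datetime_format and locale are required when property_type is time")
    body = {"name": name, "property_type": property_type}
    optional = {"description": description, "use_for_rule_engine": use_for_rule_engine,
                "datetime_format": datetime_format, "locale": locale}
    body.update({k: v for k, v in optional.items() if v is not None})
    return body


def expression_body(regex_property_identifier, regex, payload_origin, capture_group=1,
                    enabled=True, payload=None, qid=None, low_level_category_id=None):
    """Data object for POST .../property_expressions. Checks the regex locally the way
    the UI uses the test payload: it must compile, the capture group must exist and
    it must extract a value. The server does not run Python's re engine, so a pass
    here is a sanity check, not a guarantee that QRadar will match the same way."""
    if not regex_property_identifier:
        raise ValueError("regex_property_identifier is required")
    if payload_origin not in PAYLOAD_ORIGINS:
        raise ValueError("payload_origin must be one of %s" % sorted(PAYLOAD_ORIGINS))
    try:
        compiled = re.compile(regex)
    except re.error as exc:
        raise ValueError("regex does not compile: %s" % exc) from exc
    if not 1 <= capture_group <= compiled.groups:
        raise ValueError("capture_group %d out of range; regex has %d group(s)"
                         % (capture_group, compiled.groups))
    if payload is not None:
        match = compiled.search(payload)
        if match is None or match.group(capture_group) is None:
            raise ValueError("regex does not extract a value from the test payload")
    body = {"regex_property_identifier": regex_property_identifier, "regex": regex,
            "payload_origin": payload_origin, "capture_group": capture_group, "enabled": enabled}
    optional = {"payload": payload, "qid": qid, "low_level_category_id": low_level_category_id}
    body.update({k: v for k, v in optional.items() if v is not None})
    return body


def build_post(host, path, body, token):
    """urllib Request for a JSON POST. SEC carries the authorized service token
    (assumed from the guide's overview chapter, not stated in this section)."""
    req = urllib.request.Request("https://%s%s" % (host, path),
                                 data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("SEC", token)
    return req


def delete_task_from_response(status_code, headers, body_text):
    """Interpret the response of DELETE .../regex_properties/{regex_property_id}:
    on 202 the Location header names the task status URL and the body is a Delete
    Task Status object. Returns (task_id, status, finished)."""
    if status_code != 202:
        raise RuntimeError("expected 202 Accepted, got %d" % status_code)
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    m = re.search(r"/regex_property_delete_tasks/(\d+)$", location)
    if not m:
        raise ValueError("Location header does not point at a delete task: %r" % location)
    status = json.loads(body_text)["status"]
    return int(m.group(1)), status, status in TERMINAL_STATES


# Constructed sample of what the DELETE endpoint returns while the dependency check runs.
SAMPLE_DELETE_HEADERS = {"Location": BASE + "/regex_property_delete_tasks/17"}
SAMPLE_DELETE_BODY = json.dumps({
    "id": 17, "name": "Delete regex property", "status": "PROCESSING",
    "message": "Checking dependents", "created_by": "admin",
    "created": 1500000000000, "started": 1500000000100,
    "modified": 1500000000100, "completed": None})

if __name__ == "__main__":
    prop = regex_property_body("FlowUser", "string", description="user seen in flow payload")
    expr = expression_body("PLACEHOLDER-identifier", r"user=(\w+)", "source_payload",
                           payload="user=alice proto=tcp")
    req = build_post("qradar.example.invalid", BASE + "/regex_properties", prop, "PLACEHOLDER-token")
    print(req.get_method(), req.full_url, json.dumps(expr))
    print(delete_task_from_response(202, SAMPLE_DELETE_HEADERS, SAMPLE_DELETE_BODY))
```

A 202 with status still PROCESSING means the caller should poll the Location URL until a terminal state is reported; a CONFLICT status is the dependency check refusing the delete.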

GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents DEPRECATED
Retrieves the objects that depend on the flow regex property.


Table 3008. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents resource details
MIME Type
application/json

Table 3009. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3010. GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents response codes
HTTP Response Code Unique Code Description
202 The flow regex property dependents retrieval was accepted and is in progress.
404 1002 The flow regex property does not exist.
500 1020 An error occurred during the attempt to initiate the flow regex property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,

1342 QRadar API Reference Guide


FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED

Retrieves the flow regex property dependent task status.

Table 3011. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3012. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3013. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested task status cannot be found.
422 1005 The task id is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,

1344 QRadar API Reference Guide


"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} DEPRECATED

Cancels the flow regex property dependent task.

Table 3014. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3015. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3016. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} request body details
Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 3017. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} response codes
HTTP Response Code Unique Code Description
200 The delete task status was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was modified.
v completed - Long - The time in milliseconds since epoch since the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch since the sub-task was created.
– started - Long - The time in milliseconds since epoch since the sub-task was started.
– modified - Long - The time in milliseconds since epoch since the sub-task was modified.
– completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results DEPRECATED

Retrieves the regex property dependent task results.

Table 3018. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 3019. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results request parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3020. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response Code Unique Code Description
200 The requested task results were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the task status.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
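The dependent-task lifecycle documented above (start the retrieval, poll the task status until it settles, optionally cancel, then read the results list), as an added Python example that is not code from the IBM guide. The HTTP layer is an injected callable that replays constructed responses in the shapes the guide shows, so it runs offline; which task states are terminal, the use of CANCEL_REQUESTED as the cancel body, and the /api path prefix are assumptions of this example.

```python
from typing import Callable, Dict, List, Tuple

# Deprecated V9.0 paths from the guide; the /api prefix is the one the
# guide's location header uses (assumption that clients address it that way).
TASK_PATH = "/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}"
RESULTS_PATH = TASK_PATH + "/results"

# Assumption of this example: in these states the task makes no further progress.
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT", "INTERRUPTED"}

# A transport takes (method, path, json_body) and returns (http_status, decoded body).
Transport = Callable[[str, str, dict], Tuple[int, object]]


def poll_dependent_task(transport: Transport, task_id: int, max_polls: int = 50) -> dict:
    """GET the task status until it reaches a terminal state.

    Raises RuntimeError on 404/422/500 (unique codes 1002/1005/1020 in the
    guide) or when the task has not settled after max_polls requests.
    """
    path = TASK_PATH.format(task_id=task_id)
    for _ in range(max_polls):
        status, body = transport("GET", path, {})
        if status != 200:
            raise RuntimeError(f"task status request failed: HTTP {status} {body}")
        if body["status"] in TERMINAL_STATES:
            return body
    raise RuntimeError(f"task {task_id} did not finish after {max_polls} polls")


def request_cancel(transport: Transport, task_id: int) -> dict:
    """POST a status change asking QRadar to cancel a running task.

    The guide answers 409 (unique code 1004) when the task is already in a
    completed state; that is reported as 'nothing to cancel', not an error.
    """
    path = TASK_PATH.format(task_id=task_id)
    # Assumption: CANCEL_REQUESTED is the status value that asks for a cancel.
    status, body = transport("POST", path, {"status": "CANCEL_REQUESTED"})
    if status == 409:
        return {"cancelled": False, "reason": "task already completed"}
    if status != 200:
        raise RuntimeError(f"cancel request failed: HTTP {status} {body}")
    return {"cancelled": True, "status": body["status"]}


def fetch_dependents(transport: Transport, task_id: int) -> List[dict]:
    """GET the list of Dependent objects once the task has completed."""
    status, body = transport("GET", RESULTS_PATH.format(task_id=task_id), {})
    if status != 200:
        raise RuntimeError(f"results request failed: HTTP {status} {body}")
    return body


def summarise_dependents(dependents: List[dict]) -> Dict[str, object]:
    """Count dependents per type and list those the task creator cannot edit.

    A dependent with user_has_edit_permissions false is one the requesting
    user cannot repair after the property is removed, so it is surfaced.
    """
    by_type: Dict[str, int] = {}
    not_editable: List[str] = []
    for dep in dependents:
        kind = dep["dependent_type"]
        by_type[kind] = by_type.get(kind, 0) + 1
        if not dep.get("user_has_edit_permissions", False):
            not_editable.append(f"{kind}:{dep['dependent_id']}")
    return {"total": len(dependents), "by_type": by_type, "not_editable": not_editable}


def make_fake_transport(polls_before_complete: int = 2) -> Transport:
    """Constructed offline stand-in for the API (not a real QRadar server).

    Status reads report PROCESSING polls_before_complete times, then COMPLETED;
    a cancel sent after completion gets the guide's 409 / 1004 answer.
    """
    state = {"polls": 0}

    def transport(method: str, path: str, body: dict) -> Tuple[int, object]:
        if method == "GET" and path.endswith("/results"):
            return 200, [  # constructed Dependent objects in the guide's shape
                {"dependent_id": "17", "dependent_name": "Flow saved search",
                 "dependent_owner": "admin", "dependent_type": "ARIEL_SAVED_SEARCH",
                 "dependent_database": "FLOWS", "dependent_group_ids": [42],
                 "user_has_edit_permissions": True},
                {"dependent_id": "9", "dependent_name": "Exfil rule",
                 "dependent_owner": "soc", "dependent_type": "CRE_RULE",
                 "dependent_database": "FLOWS", "dependent_group_ids": [],
                 "user_has_edit_permissions": False},
            ]
        if method == "GET":
            state["polls"] += 1
        done = state["polls"] > polls_before_complete
        if method == "GET":
            return 200, {"id": 7, "name": "find dependents",
                         "status": "COMPLETED" if done else "PROCESSING",
                         "progress": 100 if done else 40, "maximum": 100,
                         "number_of_dependents": 2 if done else None,
                         "task_components": []}
        if method == "POST":
            if done:
                return 409, {"code": 1004, "message": "The task is in a completed state."}
            return 200, {"id": 7, "status": "CANCEL_REQUESTED"}
        return 404, {"code": 1002}

    return transport
```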

GET /config/global_system_notifications DEPRECATED

Retrieves a list of all deployed global system notifications.


Table 3021. GET /config/global_system_notifications resource details
MIME Type
application/json

Table 3022. GET /config/global_system_notifications request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3023. GET /config/global_system_notifications response codes
HTTP Response Code Unique Code Description
200 The deployed global system notifications list was successfully retrieved.
500 1020 An internal server error occurred while retrieving the list of deployed global system notifications.

Response Description

A list of all deployed global system notifications.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /config/global_system_notifications/{notification_id} DEPRECATED

Retrieves a deployed global system notification by ID.


Table 3024. GET /config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 3025. GET /config/global_system_notifications/{notification_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number (Integer) text/plain ID that is used for retrieving a deployed global system notification.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3026. GET /config/global_system_notifications/{notification_id} response codes
HTTP Response Code Unique Code Description
200 The deployed global system notification was successfully retrieved.
404 1002 No deployed global system notification was found for the provided notification ID.
500 1020 An error occurred while the notification was being retrieved.

Response Description

The associated deployed global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /config/network_hierarchy/networks DEPRECATED

Retrieves the deployed network hierarchy.


Table 3027. GET /config/network_hierarchy/networks resource details
MIME Type
application/json

Table 3028. GET /config/network_hierarchy/networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3029. GET /config/network_hierarchy/networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retrieve the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",

1352 QRadar API Reference Guide


"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/network_hierarchy/staged_networks DEPRECATED

Retrieves the staged network hierarchy.


Table 3030. GET /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 3031. GET /config/network_hierarchy/staged_networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3032. GET /config/network_hierarchy/staged_networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retrieve the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",

7 Previous REST API versions 1353


"id": 42,
"name": "String"
}
]

PUT /config/network_hierarchy/staged_networks DEPRECATED

Replaces the current network hierarchy with the input that is provided.

Table 3033. PUT /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 3034. PUT /config/network_hierarchy/staged_networks request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3035. PUT /config/network_hierarchy/staged_networks request body details
Parameter Data Type MIME Type Description Sample
network_hierarchy Array<Object> application/json Required - A JSON String that contains network hierarchy objects with the following fields:
v id - Optional - Integer - The ID of the network object.
v group - Required - String - The group of the network object.
v name - Required - String - The name of the network object.
v cidr - Required - String - The CIDR range of the network object.
v description - Optional - String - The description of the network object.
v domain_id - Optional - Integer - The domain ID of the network object (required if domain aware).
Sample: [ { "id": 4, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.1/32", "domain_id": 0 }, { "id": 5, "group": "DMZ", "name": "External", "description": "network description", "cidr": "0.0.0.2/32", "domain_id": 0 } ]

Table 3036. PUT /config/network_hierarchy/staged_networks response codes
HTTP Response Code Unique Code Description
200 The network hierarchy was successfully replaced.
409 1004 A duplicate parameter was passed to the API call.
422 1005 An invalid parameter was passed to the API call.
500 1020 An unexpected error occurred during the creation of the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects, each with the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]
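A client-side check of the request body for the PUT above, as an added Python example that is not code from the IBM guide. It applies the field rules from the request body table (group, name and cidr required; id, description and domain_id optional; domain_id required when the deployment is domain aware) and rejects duplicate ids, which the API answers with 409 / 1004, so a malformed hierarchy is caught before it replaces the staged one. The domain_aware flag and the refusal of an empty body are this example's own assumptions.

```python
import ipaddress
from typing import List

REQUIRED = ("group", "name", "cidr")   # Required - String, per the body table
OPTIONAL_STR = ("description",)        # Optional - String
OPTIONAL_INT = ("id", "domain_id")     # Optional - Integer


def validate_network_hierarchy(networks: List[dict], domain_aware: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the body can be sent.

    domain_aware is an assumption of this example: the guide says domain_id is
    required 'if domain aware' but this endpoint gives no way to read that flag.
    """
    if not networks:
        # PUT replaces the whole staged hierarchy, so an empty list would wipe it.
        return ["body is empty: PUT replaces the whole staged hierarchy"]
    problems: List[str] = []
    seen_ids = set()
    for idx, net in enumerate(networks):
        where = f"entry {idx}"
        for field in REQUIRED:
            if not isinstance(net.get(field), str) or not net[field]:
                problems.append(f"{where}: '{field}' is required and must be a non-empty string")
        for field in OPTIONAL_STR:
            if field in net and not isinstance(net[field], str):
                problems.append(f"{where}: '{field}' must be a string")
        for field in OPTIONAL_INT:
            # bool is a subclass of int in Python, so exclude it explicitly
            if field in net and (isinstance(net[field], bool) or not isinstance(net[field], int)):
                problems.append(f"{where}: '{field}' must be an integer")
        cidr = net.get("cidr")
        if isinstance(cidr, str) and cidr:
            try:
                # strict=True rejects host bits set outside the mask, e.g. 10.0.0.1/24
                ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{where}: cidr {cidr!r} is not a valid network ({exc})")
        net_id = net.get("id")
        if isinstance(net_id, int) and not isinstance(net_id, bool):
            if net_id in seen_ids:
                problems.append(f"{where}: duplicate id {net_id}")  # API: 409 / 1004
            seen_ids.add(net_id)
        if domain_aware and "domain_id" not in net:
            problems.append(f"{where}: 'domain_id' is required on a domain-aware deployment")
    return problems
```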

GET /config/resource_restrictions DEPRECATED

Retrieves a list of all resource restrictions.


Table 3037. GET /config/resource_restrictions resource details
MIME Type
application/json

Table 3038. GET /config/resource_restrictions request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3039. GET /config/resource_restrictions response codes
HTTP Response Code Unique Code Description
200 The resource restriction list was successfully retrieved.
500 1001 An error occurred during the attempt to retrieve the restriction list.

Response Description

A list of all the restrictions.

Response Sample
[
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
]

POST /config/resource_restrictions DEPRECATED

Creates a new resource restriction.


Table 3040. POST /config/resource_restrictions resource details
MIME Type
application/json

Table 3041. POST /config/resource_restrictions request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3042. POST /config/resource_restrictions request body details
Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/json Required - The resource restriction to be added. Only one of the ID fields (user_id, tenant_id, role_id) can be provided. { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 3043. POST /config/resource_restrictions response codes
HTTP Response Code Unique Code Description
200 The new resource restriction was successfully created.
404 1009 The consumer (user, tenant, or role) provided was not found.
422 1008 One of: user_id, role_id, or tenant_id
500 1010 An error occurred during the attempt to create a resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/resource_restrictions/{resource_restriction_id} DEPRECATED

Retrieves a resource restriction consumer by ID.


Table 3044. GET /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 3045. GET /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be retrieved. Must be of the format [1-3]-\d+
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3046. GET /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
200 The resource restriction consumer was successfully retrieved.
404 1003 No such resource restriction consumer (user, tenant, or role) exists for the given ID.
422 1002 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1004 An error occurred during the retrieval of the resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

DELETE /config/resource_restrictions/{resource_restriction_id} DEPRECATED

Deletes a resource restriction consumer by ID.


Table 3047. DELETE /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
text/plain

Table 3048. DELETE /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be deleted. Must be of the format [1-3]-\d+

Table 3049. DELETE /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
204 The resource restriction consumer was successfully deleted.
404 1003 null
422 1002 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1004 An error occurred during the retrieval of the resource restrictions.

Response Description

The deleted restriction object.

Response Sample

PUT /config/resource_restrictions/{resource_restriction_id} DEPRECATED

Updates a resource restriction consumer by ID.


Table 3050. PUT /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 3051. PUT /config/resource_restrictions/{resource_restriction_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
resource_restriction_id path Required String text/plain Required - The resource restriction ID of the resource restriction to be updated. Must be of the format [1-3]-\d+
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3052. PUT /config/resource_restrictions/{resource_restriction_id} request body details
Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/json Required - The resource restrictions to be updated. { "data_window": 42, "execution_time": 42, "id": "String", "record_limit": 42, "role_id": 42, "tenant_id": 42, "user_id": 42 }

Table 3053. PUT /config/resource_restrictions/{resource_restriction_id} response codes
HTTP Response Code Unique Code Description
200 The resource restriction consumer was successfully updated.
404 1006 The resource restriction consumer (user, tenant, or role) wasn't found.
422 1005 Provided ID is not a valid format. Must be of the format [1-3]-\d+
500 1007 An error occurred during the retrieval of the resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
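Two constraints stated in the resource restriction tables above, enforced client side before a request is sent, as an added Python example that is not code from the IBM guide: a resourceRestriction body may name only one consumer (user_id, tenant_id or role_id), otherwise the API answers 422 / 1008, and a resource_restriction_id path value must match [1-3]-\d+, otherwise 422 / 1002 (GET, DELETE) or 422 / 1005 (PUT). The guide's own request sample sets all three consumer ids, which its description says is not allowed, and the validator flags exactly that. The /api prefix and treating the limit fields as non-negative integers are assumptions of this example.

```python
import re
from typing import List

# Path-parameter format the guide gives for resource_restriction_id.
RESTRICTION_ID = re.compile(r"[1-3]-\d+")
CONSUMER_FIELDS = ("user_id", "tenant_id", "role_id")
LIMIT_FIELDS = ("data_window", "execution_time", "record_limit")
BASE = "/api/config/resource_restrictions"  # /api prefix is an assumption


def is_valid_restriction_id(value: object) -> bool:
    """True when value has the documented [1-3]-\\d+ shape as a whole string."""
    return isinstance(value, str) and RESTRICTION_ID.fullmatch(value) is not None


def restriction_path(resource_restriction_id: str) -> str:
    """Build the GET/PUT/DELETE path, refusing ids the API would reject with 422."""
    if not is_valid_restriction_id(resource_restriction_id):
        raise ValueError(f"{resource_restriction_id!r} does not match [1-3]-\\d+")
    return f"{BASE}/{resource_restriction_id}"


def validate_restriction_body(body: dict) -> List[str]:
    """Return problems with a resourceRestriction body; empty means it can be sent."""
    problems: List[str] = []
    # Only one of the consumer ID fields may be provided (422 / 1008 otherwise).
    consumers = [f for f in CONSUMER_FIELDS if body.get(f) is not None]
    if len(consumers) != 1:
        problems.append(f"exactly one of {CONSUMER_FIELDS} may be set, got {consumers}")
    for f in LIMIT_FIELDS:
        v = body.get(f)
        # Assumption: limits are non-negative integers, as in the guide's samples.
        if v is not None and (isinstance(v, bool) or not isinstance(v, int) or v < 0):
            problems.append(f"'{f}' must be a non-negative integer, got {v!r}")
    return problems
```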

GET /config/store_and_forward/policies DEPRECATED

Retrieves a list of store and forward policies.

Table 3054. GET /config/store_and_forward/policies resource details
MIME Type
application/json

Table 3055. GET /config/store_and_forward/policies request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3056. GET /config/store_and_forward/policies response codes


HTTP Response Code Unique Code Description
200 The store and forward policies were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the store and
forward policies.

Response Description

An array of Store and Forward Policy objects. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, at which the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, at which the store and forward policy was last modified.

Response Sample
[
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}
]

GET /config/store_and_forward/policies/{id} DEPRECATED


Retrieves a store and forward policy.


Table 3057. GET /config/store_and_forward/policies/{id} resource details
MIME Type | application/json

Table 3058. GET /config/store_and_forward/policies/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3059. GET /config/store_and_forward/policies/{id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The store and forward policy was retrieved.
404 | 1002 | The store and forward policy does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the store and forward policy.

Response Description

The store and forward policy after it has been retrieved. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, at which the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, at which the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

POST /config/store_and_forward/policies/{id} DEPRECATED


Updates the store and forward policy owner only.


Table 3060. POST /config/store_and_forward/policies/{id} resource details
MIME Type | application/json

Table 3061. POST /config/store_and_forward/policies/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3062. POST /config/store_and_forward/policies/{id} request body details
Parameter | Data Type | MIME Type | Description | Sample
policy | Object | application/json | null | { "description": "String", "id": 42, "name": "String", "owner": "String", "saf_schedule_id": 42, "timezone": "String" }

Table 3063. POST /config/store_and_forward/policies/{id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The store and forward policy has been updated.
403 | 1009 | You do not have the required capabilities to update the store and forward policy.
404 | 1002 | The store and forward policy does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the store and forward policy.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the store and forward policy.

Response Description

The store and forward policy after it was updated. A Store and Forward Policy object contains the following fields:
• id - Long - The ID of the store and forward policy.
• name - String - The name of the store and forward policy.
• description - String - The description of the store and forward policy.
• timezone - String - The timezone of the store and forward policy.
• owner - String - The owner of the store and forward policy.
• store_and_forward_schedule_id - Long - The schedule ID of the store and forward policy.
• created - Long - The time, in milliseconds since epoch, at which the store and forward policy was created.
• modified - Long - The time, in milliseconds since epoch, at which the store and forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

DELETE /config/store_and_forward/policies/{id} DEPRECATED


Deletes a store and forward policy.


Table 3064. DELETE /config/store_and_forward/policies/{id} resource details
MIME Type | text/plain

Table 3065. DELETE /config/store_and_forward/policies/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | null

Table 3066. DELETE /config/store_and_forward/policies/{id} response codes
HTTP Response Code | Unique Code | Description
204 |  | The Store and Forward Policy has been deleted.
403 | 1009 | You do not have the required capabilities to delete the store and forward policy.
404 | 1002 | The Store and Forward Policy does not exist.
500 | 1020 | An error occurred during the attempt to delete the store and forward policy.

Response Description

Response Sample

Data classification endpoints


Use the references for REST API V7.0 data classification endpoints.

GET /data_classification/dsm_event_mappings DEPRECATED


Retrieves a list of DSM event mappings.


Table 3067. GET /data_classification/dsm_event_mappings resource details
MIME Type | application/json

Table 3068. GET /data_classification/dsm_event_mappings request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3069. GET /data_classification/dsm_event_mappings response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested list of DSM event mappings was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of DSM event mappings.

Response Description

A list of DSM event mappings. A DSM event mapping contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
[
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
]

POST /data_classification/dsm_event_mappings DEPRECATED


Creates a new custom DSM event mapping.


Table 3070. POST /data_classification/dsm_event_mappings resource details
MIME Type | application/json

Table 3071. POST /data_classification/dsm_event_mappings request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3072. POST /data_classification/dsm_event_mappings request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A DSM event mapping that contains the following fields: | { "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }
• log_source_type_id - Required - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - Required - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - Required - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• qid_record_id - Required - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Table 3073. POST /data_classification/dsm_event_mappings response codes
HTTP Response Code | Unique Code | Description
201 |  | The new custom DSM event mapping was created.
409 | 1008 | There is an existing custom DSM event mapping with the same log_source_type_id, log_source_event_id and log_source_event_category combination. Cannot create duplicate DSM event mapping.
422 | 1005 | Invalid parameter value provided for the new DSM event mapping.
500 | 1020 | An error occurred during the attempt to create a new custom DSM event mapping.

Response Description

The newly created DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
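An added example, not code from this guide or from IBM, showing the client-side checks implied by the tables above for creating and updating custom DSM event mappings: the four required fields and their types (422/1005), the uniqueness rule behind 409/1008, and the single updatable field on the per-ID endpoint. The existing mappings are constructed sample data standing in for a GET /data_classification/dsm_event_mappings response, and the request is built rather than sent.

```python
"""Client-side checks for POST /data_classification/dsm_event_mappings.

Added example, not code from the IBM QRadar API Guide. It relies only on the
field names, types and response codes documented for these endpoints; the
existing mappings below are constructed sample data, not a real response.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# All four body fields are Required per the request body table.
REQUIRED_FIELDS = ("log_source_type_id", "log_source_event_id",
                   "log_source_event_category", "qid_record_id")
INTEGER_FIELDS = ("log_source_type_id", "qid_record_id")
STRING_FIELDS = ("log_source_event_id", "log_source_event_category")
JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}

# Constructed sample data in the shape of a GET /data_classification/dsm_event_mappings
# response; ids and values are made up for this example.
EXISTING_MAPPINGS: List[Dict[str, Any]] = [
    {"id": 1, "log_source_type_id": 42, "log_source_event_id": "4624",
     "log_source_event_category": "Logon", "custom_event": False, "qid_record_id": 100},
    {"id": 2, "log_source_type_id": 42, "log_source_event_id": "4625",
     "log_source_event_category": "Logon", "custom_event": True, "qid_record_id": 101},
]


def mapping_key(mapping: Dict[str, Any]) -> Tuple[Any, Any, Any]:
    """The combination that must be unique among mappings (409 / unique code 1008)."""
    return (mapping["log_source_type_id"], mapping["log_source_event_id"],
            mapping["log_source_event_category"])


def validate_new_mapping(data: Dict[str, Any]) -> List[str]:
    """List the problems that would earn a 422 / unique code 1005, as far as the
    guide describes them: every required field present and of the documented type."""
    problems = [f"missing required field {name}" for name in REQUIRED_FIELDS if name not in data]
    for name in INTEGER_FIELDS:
        # bool is a subclass of int in Python, so True/False must be rejected explicitly.
        if name in data and (isinstance(data[name], bool) or not isinstance(data[name], int)):
            problems.append(f"{name} must be a Number")
    for name in STRING_FIELDS:
        if name in data and (not isinstance(data[name], str) or not data[name]):
            problems.append(f"{name} must be a non-empty String")
    return problems


def find_duplicate(data: Dict[str, Any], existing: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Return the existing mapping with the same (type, event id, category)
    combination, which the server would refuse with 409 / 1008, or None."""
    key = mapping_key(data)
    for mapping in existing:
        if mapping_key(mapping) == key:
            return mapping
    return None


def build_create_request(data, existing, fields=None):
    """Return (method, path, headers, body) for the create call, or raise
    ValueError when the request would fail one of the documented checks."""
    problems = validate_new_mapping(data)
    if problems:
        raise ValueError("; ".join(problems))
    duplicate = find_duplicate(data, existing)
    if duplicate is not None:
        raise ValueError(f"duplicate of existing DSM event mapping id {duplicate['id']}")
    headers = dict(JSON_HEADERS)
    if fields:
        headers["fields"] = fields  # on the POST endpoints 'fields' is a header, not a query parameter
    body = {name: data[name] for name in REQUIRED_FIELDS}  # send only the documented fields
    return "POST", "/data_classification/dsm_event_mappings", headers, body


def build_update_request(mapping_id: int, qid_record_id: int):
    """POST /data_classification/dsm_event_mappings/{id} accepts qid_record_id only."""
    if isinstance(qid_record_id, bool) or not isinstance(qid_record_id, int) or qid_record_id <= 0:
        raise ValueError("qid_record_id must be a positive Number")
    return ("POST", f"/data_classification/dsm_event_mappings/{mapping_id}",
            dict(JSON_HEADERS), {"qid_record_id": qid_record_id})


if __name__ == "__main__":
    new_mapping = {"log_source_type_id": 42, "log_source_event_id": "4634",
                   "log_source_event_category": "Logoff", "qid_record_id": 102}
    method, path, headers, body = build_create_request(new_mapping, EXISTING_MAPPINGS, "id,custom_event")
    print(method, path, headers, json.dumps(body))
    try:
        build_create_request(EXISTING_MAPPINGS[0], EXISTING_MAPPINGS)
    except ValueError as err:
        print("rejected:", err)
```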

GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} DEPRECATED


Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Table 3074. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type | application/json

Table 3075. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3076. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested DSM event mapping was retrieved.
404 | 1002 | The requested DSM event mapping was not found.
500 | 1020 | An error occurred during the attempt to retrieve the DSM event mapping.

Response Description

A DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} DEPRECATED


Updates an existing custom DSM event mapping.


Table 3077. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} resource details
MIME Type | application/json

Table 3078. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3079. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - The DSM event mapping to be updated that might contain the following field: | { "qid_record_id": 42 }
• qid_record_id - Number - Required - The ID of the QID record to which this DSM event mapping provides a mapping.

Table 3080. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The DSM event mapping was updated.
404 | 1002 | The requested DSM event mapping was not found.
422 | 1005 | Invalid parameter provided while updating the DSM event mapping.
500 | 1020 | An error occurred during the attempt to update a DSM event mapping.

Response Description

The updated DSM event mapping that contains the following fields:
• id - Number - The ID of the DSM event mapping.
• log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
• log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
• log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
• custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
• qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/high_level_categories DEPRECATED


Retrieves a list of high level categories.


Table 3081. GET /data_classification/high_level_categories resource details
MIME Type | application/json

Table 3082. GET /data_classification/high_level_categories request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3083. GET /data_classification/high_level_categories response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested list of high level categories was retrieved.
422 | 23003 | Sorting is only supported for fields "id" or "name".
422 | 23004 | The sort field that was provided does not exist.
422 | 23005 | Sorting on multiple fields is not supported.
500 | 1020 | An error occurred during the attempt to retrieve the list of high level categories.

Response Description

A list of high level categories. A high level category contains the following fields:
• id - Number - The ID of the high level category.
• name - String - The name of the high level category.
• description - String - The description of the high level category.

Response Sample
[
{
"id": 19000,
"name": "Audit",
"description": "Audit"
},
{
"id": 20000,
"name": "Risk",
"description": "Risk"
}
]

GET /data_classification/high_level_categories/{high_level_category_id} DEPRECATED


Retrieves a high level category based on the supplied high level category ID.

Table 3084. GET /data_classification/high_level_categories/{high_level_category_id} resource details
MIME Type | application/json

Table 3085. GET /data_classification/high_level_categories/{high_level_category_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
high_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the high level category.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3086. GET /data_classification/high_level_categories/{high_level_category_id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested high level category was retrieved.
404 | 1002 | The requested high level category was not found.
422 | 1005 | High level category ID must be a positive integer.
500 | 1020 | An error occurred during the attempt to retrieve the high level category.

Response Description

A high level category that contains the following fields:
• id - Number - The ID of the high level category.
• name - String - The name of the high level category.
• description - String - The description of the high level category.

Response Sample
{
"id": 19000,
"name": "Audit",
"description": "Audit"
}

GET /data_classification/low_level_categories DEPRECATED


Retrieves a list of low level categories.


Table 3087. GET /data_classification/low_level_categories resource details
MIME Type | application/json

Table 3088. GET /data_classification/low_level_categories request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3089. GET /data_classification/low_level_categories response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested list of low level categories was retrieved.
422 | 23053 | Sorting is only supported for fields "id" or "name".
422 | 23054 | The sort field that was provided does not exist.
422 | 23055 | Sorting on multiple fields is not supported.
500 | 1020 | An error occurred during the attempt to retrieve the list of low level categories.

Response Description

A list of low level category objects. A low level category contains the following fields:
• id - Number - The ID of the low level category.
• name - String - The name of the low level category.
• description - String - The description of the low level category.
• severity - Number - The severity of the low level category.
• high_level_category_id - Number - The ID of the parent high level category.

Response Sample
[
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
},
{
"id": 19002,
"name": "Built-in Execution",
"description": "Built-in Execution",
"high_level_category_id": 19000,
"severity": 0
}
]

GET /data_classification/low_level_categories/{low_level_category_id} DEPRECATED


Retrieves a low level category based on the supplied low level category ID.

Table 3090. GET /data_classification/low_level_categories/{low_level_category_id} resource details
MIME Type | application/json

Table 3091. GET /data_classification/low_level_categories/{low_level_category_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
low_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the low level category.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3092. GET /data_classification/low_level_categories/{low_level_category_id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested low level category was retrieved.
404 | 1002 | The requested low level category was not found.
422 | 1005 | Low level category ID must be a positive integer.
500 | 1020 | An error occurred during the attempt to retrieve the low level category.

Response Description

A low level category that contains the following fields:
• id - Number - The ID of the low level category.
• name - String - The name of the low level category.
• description - String - The description of the low level category.
• severity - Number - The severity of the low level category.
• high_level_category_id - Number - The ID of the parent high level category.

Response Sample
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity": 0
}

GET /data_classification/qid_records DEPRECATED


Retrieves a list of QID records.


Table 3093. GET /data_classification/qid_records resource details
MIME Type | application/json

Table 3094. GET /data_classification/qid_records request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3095. GET /data_classification/qid_records response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested list of QID records was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of QID records.

Response Description

A list of QID records. A QID record contains the following fields:
• id - Number - The ID of the QID record.
• qid - Number - The QID of the QID record.
• name - String - The name of the QID record.
• description - String - The description of the QID record.
• severity - Number - The severity of the QID record.
• low_level_category_id - Number - The low level category ID of the QID record.
• log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
[
{
"id": 64280,
"qid": 2500283,
"name": "DELETED WEB-MISC O’Reilly args.bat access",
"description": "DELETED WEB-MISC O’Reilly args.bat access",
"severity": 2,
"low_level_category_id": 1011,
"log_source_type_id": null
},
{
"id": 64297,
"qid": 2500300,
"name": "DELETED WEB-MISC Cisco Web DOS attempt",
"description": "DELETED WEB-MISC Cisco Web DOS attempt",
"severity": 8,
"low_level_category_id": 2009,
"log_source_type_id": null
}
]

POST /data_classification/qid_records DEPRECATED


Creates a new QID record.


Table 3096. POST /data_classification/qid_records resource details
MIME Type | application/json

Table 3097. POST /data_classification/qid_records request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3098. POST /data_classification/qid_records request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Object | application/json | Required - A QID record containing the following fields: | { "log_source_type_id": 199, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id":1008 }
• log_source_type_id - Required - Number - The ID of the log source type which the QID record is created for.
• name - Required - String - The name of the QID record.
• description - Optional - String - The description of the QID record.
• severity - Optional - Number - The severity of the QID record. If not provided, the severity of the corresponding low level category is used as the default value.
• low_level_category_id - Required - Number - The low level category ID of the QID record.

Table 3099. POST /data_classification/qid_records response codes
HTTP Response Code | Unique Code | Description
201 |  | The new QID record was created.
422 | 1005 | Invalid parameter value provided for the new QID record.
500 | 1020 | An error occurred during the attempt to create a new QID record.

Response Description

The newly created QID record containing the following fields:
• id - Number - The ID of the QID record.
• qid - Number - The QID of the QID record.
• name - String - The name of the QID record.
• description - String - The description of the QID record.
• severity - Number - The severity of the QID record.
• low_level_category_id - Number - The low level category ID of the QID record.
• log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}
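An added example, not code from this guide or from IBM, that builds the request body for this endpoint and applies the documented default: when severity is omitted, the severity of the low level category is used. The low level categories are constructed sample data standing in for GET /data_classification/low_level_categories, and the second function checks a 201 response against what was sent, skipping log_source_type_id because it comes back as a null placeholder.

```python
"""Request body for POST /data_classification/qid_records.

Added example, not code from the IBM QRadar API Guide. It relies on the field
names and the severity default documented for this endpoint; the low level
category table below is constructed sample data, not a real response, and
nothing is sent over the network.
"""
from typing import Any, Dict, List

# Constructed sample in the shape of GET /data_classification/low_level_categories,
# keyed by id. Category 19001 mirrors the guide's own response sample; the values
# for 1008 are made up for this example.
LOW_LEVEL_CATEGORIES: Dict[int, Dict[str, Any]] = {
    19001: {"id": 19001, "name": "General Audit Event", "description": "General Audit Event",
            "high_level_category_id": 19000, "severity": 0},
    1008: {"id": 1008, "name": "Recon (constructed)", "description": "Recon (constructed)",
           "high_level_category_id": 1000, "severity": 3},
}
REQUIRED = ("log_source_type_id", "name", "low_level_category_id")
OPTIONAL = ("description", "severity")


def _is_number(value: Any) -> bool:
    """True for an int that is not a bool (bool subclasses int in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


def build_qid_record_body(data: Dict[str, Any], categories: Dict[int, Dict[str, Any]]) -> Dict[str, Any]:
    """Return the JSON body to post. Raises ValueError for input the server would
    reject with 422 / unique code 1005; fills in the documented severity default."""
    missing = [name for name in REQUIRED if name not in data]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    unknown = sorted(set(data) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        raise ValueError("undocumented field(s): " + ", ".join(unknown))
    if not _is_number(data["log_source_type_id"]) or not _is_number(data["low_level_category_id"]):
        raise ValueError("log_source_type_id and low_level_category_id must be Numbers")
    if not isinstance(data["name"], str) or not data["name"].strip():
        raise ValueError("name must be a non-empty String")
    category = categories.get(data["low_level_category_id"])
    if category is None:
        raise ValueError(f"unknown low level category {data['low_level_category_id']}")

    body = {"log_source_type_id": data["log_source_type_id"], "name": data["name"],
            "low_level_category_id": data["low_level_category_id"]}
    if "description" in data:
        body["description"] = data["description"]
    if "severity" in data:
        # 0 to 10 is QRadar's severity scale; the range itself is not stated on this page.
        if not _is_number(data["severity"]) or not 0 <= data["severity"] <= 10:
            raise ValueError("severity must be a Number from 0 to 10")
        body["severity"] = data["severity"]
    else:
        body["severity"] = category["severity"]  # documented default: the category's severity
    return body


def check_created_record(sent: Dict[str, Any], record: Dict[str, Any]) -> List[str]:
    """Compare a 201 response body with what was sent. log_source_type_id is
    returned as a null placeholder by design, so it is not compared."""
    mismatches = []
    for name in ("name", "description", "severity", "low_level_category_id"):
        if name in sent and record.get(name) != sent[name]:
            mismatches.append(f"{name}: sent {sent[name]!r}, got {record.get(name)!r}")
    for name in ("id", "qid"):
        if not _is_number(record.get(name)) or record[name] <= 0:
            mismatches.append(f"{name} missing or not a positive Number")
    return mismatches


if __name__ == "__main__":
    request = {"log_source_type_id": 199, "name": "spp_portscan: Portscan Detected",
               "description": "spp_portscan: Portscan Detected", "low_level_category_id": 1008}
    print(build_qid_record_body(request, LOW_LEVEL_CATEGORIES))  # severity defaults to 3
```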

GET /data_classification/qid_records/{qid_record_id} DEPRECATED


Retrieves a QID record that is based on the supplied qid_record_id.


Table 3100. GET /data_classification/qid_records/{qid_record_id} resource details
MIME Type | application/json

Table 3101. GET /data_classification/qid_records/{qid_record_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3102. GET /data_classification/qid_records/{qid_record_id} response codes
HTTP Response Code | Unique Code | Description
200 |  | The requested QID record was retrieved.
404 | 1002 | The requested QID record was not found.
422 | 1005 | qid_record_id must be a positive integer.
500 | 1020 | An error occurred during the attempt to retrieve the QID record.

Response Description

A QID record containing the following fields:
• id - Number - The ID of the QID record.
• qid - Number - The QID of the QID record.
• name - String - The name of the QID record.
• description - String - The description of the QID record.
• severity - Number - The severity of the QID record.
• low_level_category_id - Number - The low level category ID of the QID record.
• log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

POST /data_classification/qid_records/{qid_record_id} DEPRECATED


Updates an existing QID record.


Table 3103. POST /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 3104. POST /data_classification/qid_records/{qid_record_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

7 Previous REST API versions 1377

Table 3105. POST /data_classification/qid_records/{qid_record_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
qid_record | Object | application/json | Required - The QID record to be updated, which may contain the fields listed below. | { "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }
Fields of qid_record:
• name - Optional - String - The name of the QID record.
• description - Optional - String - The description of the QID record.
• severity - Optional - Number - The severity of the QID record.
• low_level_category_id - Optional - Number - The low level category ID of the QID record.

Table 3106. POST /data_classification/qid_records/{qid_record_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The QID record was updated.
404 | 1002 | The requested QID record was not found.
409 | 1008 | The QID record that was provided cannot be updated because it is a system-provided QID.
422 | 1005 | Invalid parameter was provided during the update to the QID record.
500 | 1020 | An error occurred during the attempt to update a QID record.

Response Description

The updated QID record containing the following fields:


• id - Number - The ID of the QID record.
• qid - Number - The QID of the QID record.
• name - String - The name of the QID record.
• description - String - The description of the QID record.
• severity - Number - The severity of the QID record.
• low_level_category_id - Number - The low level category ID of the QID record.
• log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

Forensics endpoints
Use the references for REST API V7.0 forensics endpoints.

GET /forensics/capture/recoveries DEPRECATED


Retrieves a list of capture recoveries.


Table 3107. GET /forensics/capture/recoveries resource details
MIME Type
application/json

Table 3108. GET /forensics/capture/recoveries request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3109. GET /forensics/capture/recoveries response codes
HTTP Response Code | Unique Code | Description
200 | | The Workflow Recovery Jobs were retrieved.
500 | 1020 | An error occurred while the recovery job list was being retrieved.

Response Description

A list of recoveries. A recovery contains the following fields:


• assigned_to - String - The username of the user the recovery is assigned to.
• bpf - String - The Berkeley Packet Filter to pass to the capture device.
• case_id - String - ID of the case where the collection(s) are created.
• collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in.
• id - Long - ID for the recovery.
• recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
• recovery_window_end_time - Long - End of time range for data recovery.
• recovery_window_start_time - Long - Start of time range for data recovery.
• tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later.

Response Sample
[
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
]

POST /forensics/capture/recoveries DEPRECATED


Creates a new capture recovery.


Table 3110. POST /forensics/capture/recoveries resource details
MIME Type
application/json

Table 3111. POST /forensics/capture/recoveries request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3112. POST /forensics/capture/recoveries request body details
Parameter | Data Type | MIME Type | Description | Sample
recovery | Object | application/json | null | { "assigned_to": "String", "bpf": "String", "case_id": 42, "collection_name_suffix": "String", "recovery_window_end_time": 42, "recovery_window_start_time": 42, "session_ids": [ "String" ], "tags": [ "String" ] }

Table 3113. POST /forensics/capture/recoveries response codes
HTTP Response Code | Unique Code | Description
201 | | The workflow recovery job was created.
403 | 1009 | The user or targeted user does not have the capability to perform this request.
409 | 1000 | null
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the creation of the recovery job.

Response Description

The newly created recovery that contains the following fields:


• assigned_to - String - The username of the user the recovery is assigned to. If not supplied, the recovery is assigned to the user making the request. Requires a valid user with the Forensics role, not an authorized service.
• bpf - String - The Berkeley Packet Filter to pass to the capture device. A simplified Berkeley Packet Filter expression to pass to the capture device to apply when recovering network data. Maximum length is 250 characters.
• case_id - String - ID of the case where the collection(s) are created.
• collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in. Collection name(s) for recovery tasks are derived from this value and the capture devices where the network data originates, as a recovery task is created for each device (e.g. a collection name suffix of "mycollection" and data recovered from capture device IP "10.0.0.2" results in a collection that is named "10.0.0.2_mycollection"). NOTE: If the collection name already exists in the case, the existing collection is deleted. Maximum length is 100 characters. Only alphanumeric and period characters are permitted.
• id - Long - ID for the recovery.
• recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
• recovery_window_end_time - Long - End of time range for data recovery.
• recovery_window_start_time - Long - Start of time range for data recovery.
• tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later. Maximum length 255 alphanumeric characters (all values are converted to a space separated string).

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
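The field limits listed above (bpf length, collection_name_suffix characters and length, tags length) and the "existing collection is deleted" note are worth checking on the client before a recovery is submitted. The following is an added example, not IBM's code: it validates a recovery body against those documented limits and derives the per-device collection names so an overwrite can be spotted up front. The end-after-start window check and the list of existing collection names are assumptions (this page documents neither).

```python
"""Pre-flight checks for a POST /forensics/capture/recoveries request body.

Added example, not IBM's code. Checks the limits the reference states for
this endpoint and derives the "<device IP>_<suffix>" collection names it
documents. Sample inputs are constructed; the list of existing collection
names is assumed to come from elsewhere (not documented on this page).
"""
import re
from typing import Dict, List

# Documented: alphanumeric and period characters only, at most 100 long.
_SUFFIX_RE = re.compile(r"[A-Za-z0-9.]{1,100}")


def validate_recovery(body: Dict) -> List[str]:
    """Return the documented constraints the body violates (empty list = OK)."""
    problems: List[str] = []

    # Documented: bpf is a string of at most 250 characters.
    bpf = body.get("bpf", "")
    if not isinstance(bpf, str) or len(bpf) > 250:
        problems.append("bpf must be a string of at most 250 characters")

    # Documented: suffix limited to alphanumeric/period, max 100 characters.
    suffix = body.get("collection_name_suffix")
    if not isinstance(suffix, str) or not _SUFFIX_RE.fullmatch(suffix):
        problems.append("collection_name_suffix must be 1-100 alphanumeric or period characters")

    # Documented: tags are joined with spaces and the result is capped at 255.
    tags = body.get("tags", [])
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        problems.append("tags must be a list of strings")
    elif len(" ".join(tags)) > 255:
        problems.append("tags exceed 255 characters when space-joined")

    # Assumption (not stated on the page): the window must be ordered, since
    # data is recovered from after the start time and before the end time.
    start = body.get("recovery_window_start_time")
    end = body.get("recovery_window_end_time")
    if not isinstance(start, int) or not isinstance(end, int) or end <= start:
        problems.append("recovery window must be integer timestamps with end after start")

    return problems


def collection_names(suffix: str, device_ips: List[str]) -> List[str]:
    """Derive '<device IP>_<suffix>', one per capture device, as documented."""
    return [f"{ip}_{suffix}" for ip in device_ips]


def would_overwrite(suffix: str, device_ips: List[str], existing: List[str]) -> List[str]:
    """Names already present in the case; the endpoint deletes those collections."""
    present = set(existing)
    return [name for name in collection_names(suffix, device_ips) if name in present]


if __name__ == "__main__":
    # Constructed sample body for illustration.
    body = {
        "bpf": "tcp port 443",
        "case_id": 42,
        "collection_name_suffix": "mycollection",
        "recovery_window_start_time": 1500000000000,
        "recovery_window_end_time": 1500003600000,
        "tags": ["incident42", "web"],
    }
    print(validate_recovery(body))  # []
    # 10.0.0.2 is the page's own example device; 10.0.0.3 is constructed.
    print(would_overwrite("mycollection", ["10.0.0.2", "10.0.0.3"],
                          ["10.0.0.2_mycollection"]))  # ['10.0.0.2_mycollection']
```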

GET /forensics/capture/recoveries/{id} DEPRECATED


Retrieves a recovery based on the supplied ID.


Table 3114. GET /forensics/capture/recoveries/{id} resource details
MIME Type
application/json

Table 3115. GET /forensics/capture/recoveries/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the workflow job to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3116. GET /forensics/capture/recoveries/{id} response codes
HTTP Response Code | Unique Code | Description
404 | 1002 | No recovery job was found for the provided ID.
500 | 1020 | An error occurred during the retrieval of the recovery job.

Response Description

A recovery that contains the following fields:


• assigned_to - String - The username of the user the recovery is assigned to.
• bpf - String - The Berkeley Packet Filter to pass to the capture device.
• case_id - String - ID of the case where the collection(s) are created.
• collection_name_suffix - String - Suffix that is used to name the collection(s) to store the recovered data in.
• id - Long - ID for the recovery.
• recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
• recovery_window_end_time - Long - End of time range for data recovery.
• recovery_window_start_time - Long - Start of time range for data recovery.
• tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user supplied string identifiers that are used to mark the data so the user can easily look up the data later.

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recovery_tasks DEPRECATED


Retrieves a list of recovery tasks.


Table 3117. GET /forensics/capture/recovery_tasks resource details
MIME Type
application/json

Table 3118. GET /forensics/capture/recovery_tasks request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3119. GET /forensics/capture/recovery_tasks response codes
HTTP Response Code | Unique Code | Description
200 | | The workflow recovery job tasks were retrieved.
500 | 1020 | An error occurred while the recovery job task list was being retrieved.

Response Description

A list of recovery tasks. A recovery task contains the following fields:


• assigned_to - String - The username of the user the recovery task is assigned to.
• bpf - String - Berkeley Packet Filter sent to capture device when recovering.
• capture_device_id - String - Capture device where this task collected its data. The IP address of the capture device at time of recovery.
• case_id - String - ID of case where the collection is created.
• collection_name - String - Name of collection where recovered data is stored. Derived from device recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify and index the data at time of recovery and is not updated if the capture device IP address is changed.
• id - Long - ID for the recovery task.
• managed_host_hostname - String - The managed host the recovery task is running on.
• recovery_id - Long - ID of the recovery this task belongs to.
• recovery_window_end_time - Long - End of time range for data recovery window sent to capture device. Data recovered is from before this time.
• recovery_window_start_time - Long - Start of time range for data recovery window sent to capture device. Data recovered is from after this time.
• status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
• tags - String Array - Identifiers that are applied to recovered data to assist with grouping when searching. These are user-supplied string identifiers that are used to mark the data so the user can easily look up the data later.
• task_end_time - Long - Timestamp the recovery task completed.
• task_start_time - Long - Timestamp the recovery task started.

Response Sample
[
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED, CANCELING, FAILED, IN_PROGRESS, NEW, PENDING, SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}
]

GET /forensics/capture/recovery_tasks/{id} DEPRECATED


Retrieves a recovery task based on the supplied ID.


Table 3120. GET /forensics/capture/recovery_tasks/{id} resource details
MIME Type
application/json

Table 3121. GET /forensics/capture/recovery_tasks/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the workflow job to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3122. GET /forensics/capture/recovery_tasks/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Workflow Recovery Job was retrieved.
404 | 1002 | No recovery job was found for the provided ID.
500 | 1020 | An error occurred while the recovery job was being retrieved.

Response Description

A recovery task containing the following fields:


• assigned_to - String - The username of the user the recovery task is assigned to.
• bpf - String - Berkeley Packet Filter sent to capture device when recovering.
• capture_device_id - String - Capture device where this task collected its data. The IP address of the capture device at time of recovery.
• case_id - String - ID of case where the collection is created.
• collection_name - String - Name of collection where recovered data is stored. Derived from device recovery collection name suffix. NOTE: This is used as part of the collection_name to uniquely identify and index the data at time of recovery and is not updated if the capture device IP address is changed.
• id - Long - ID for the recovery task.
• managed_host_hostname - String - The managed host where the recovery task runs.
• recovery_id - Long - ID of the recovery this task belongs to.
• recovery_window_end_time - Long - End of time range for data recovery window sent to capture device. Data recovered is from before this time.
• recovery_window_start_time - Long - Start of time range for data recovery window sent to capture device. Data recovered is from after this time.
• status - String - Current status of this task. Possible values are:
– CANCELED - Recovery from capture device canceled. Any documents recovered before cancellation remain in the system.
– CANCELLING - Recovery from capture device in process of cancellation.
– FAILED - Something went wrong with the recovery.
– IN_PROGRESS - The capture device is processing the recovery.
– NEW - The recovery task was created and is waiting to be picked up by the system.
– PENDING - The recovery task was picked up by the system and is waiting for the capture device to start processing the recovery.
– SUCCESS - Recovery from capture device successfully completed.
• tags - String Array - Identifiers that are applied to recovered data to assist with grouping when searching. These are user-supplied string identifiers that are used to mark the data so the user can easily look up the data later.
• task_end_time - Long - Timestamp the recovery task completed.
• task_start_time - Long - Timestamp the recovery task started.

Response Sample
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED, CANCELING, FAILED, IN_PROGRESS, NEW, PENDING, SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}

GET /forensics/case_management/case_create_tasks/{id} DEPRECATED


Retrieves a case create task based on the supplied ID.


Table 3123. GET /forensics/case_management/case_create_tasks/{id} resource details
MIME Type
application/json

Table 3124. GET /forensics/case_management/case_create_tasks/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the case create task to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3125. GET /forensics/case_management/case_create_tasks/{id} response codes
HTTP Response Code | Unique Code | Description
200 | | The case create task was retrieved.
404 | 1002 | No case create task was found for the provided ID.
500 | 1020 | An error occurred during the retrieval of the case create task.

Response Description

A case create task containing the following fields:


• assigned_to - String Array - Usernames of users to give access to the case once it is created. Users must have the FORENSICS role. Authorized services are not allowed.
• case_id - Long - ID for the created case.
• case_name - String - Name to give the created case.
• id - Long - ID for the case create task.
• status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case was created on at least one managed host, but not all of them. The case is considered to be usable, but functionality might be limited. This usually means one or more managed hosts are down and the case is not created yet. The task completes after all offending managed hosts either complete the task, or are removed from the deployment.
– PROCESSING - The task has been picked up by QRadar and is actively being processed. Cases are being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE, PARTIALLY_COMPLETE, PROCESSING, WAITING>"
}

GET /forensics/case_management/cases DEPRECATED

Retrieves a list of cases.


Table 3126. GET /forensics/case_management/cases resource details
MIME Type
application/json

Table 3127. GET /forensics/case_management/cases request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3128. GET /forensics/case_management/cases response codes
HTTP Response Code | Unique Code | Description
200 | | The cases were retrieved.
500 | 1020 | An error occurred during the retrieval of the case list.

Response Description

A list of cases. A case contains the following fields:


• assigned_to - String Array - Usernames of the users who have access to the case. Users must have the FORENSICS role. Authorized services are not allowed.
• id - Long - ID for the case.
• name - String - The name of the case.

Response Sample
[
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}
]

POST /forensics/case_management/cases DEPRECATED


Creates a new case.


Table 3129. POST /forensics/case_management/cases resource details
MIME Type
application/json

Table 3130. POST /forensics/case_management/cases request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3131. POST /forensics/case_management/cases request body details
Parameter | Data Type | MIME Type | Description | Sample
case | Object | application/json | null | { "assigned_to": [ "String" ], "name": "String" }

Table 3132. POST /forensics/case_management/cases response codes
HTTP Response Code | Unique Code | Description
201 | | The case was created.
403 | 1009 | The user or targeted user does not have the capability to perform this request.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the creation of the case.

Response Description

The case create status contains the following fields:


• assigned_to - String Array - Usernames of users to give access to the case once it is created. Users must have the FORENSICS role. Authorized services are not allowed. If the case is not assigned to anyone, it is assigned to the creator if they are a user (not an authorized service). Otherwise, it is only accessible by an administrator. NOTE: During creation the assigned_to list can contain at most one username.
• case_id - Long - ID for the created case.
• case_name - String - Name to give the created case. The case name must include alphanumeric characters only, and be 1-15 characters long with no spaces. Case names are unique.
• id - Long - ID for the case create task.
• status - String - Possible values are:
– COMPLETE - The case has been created across all managed hosts.
– PARTIALLY_COMPLETE - The case has been created on at least one managed host, but not all of them. The case is considered to be usable, but functionality might be limited. This usually means one or more managed hosts are down and the case is not created yet. The task completes after all offending managed hosts either complete the task or are removed from the deployment.
– PROCESSING - The task was picked up by QRadar and is actively being processed. Cases are being created on the managed hosts.
– WAITING - The task is waiting for its time to be processed. Nothing is being done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE, PARTIALLY_COMPLETE, PROCESSING, WAITING>"
}

GET /forensics/case_management/cases/{id} DEPRECATED


Retrieves a case based on the supplied ID.


Table 3133. GET /forensics/case_management/cases/{id} resource details
MIME Type
application/json

Table 3134. GET /forensics/case_management/cases/{id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | Required - The ID of the workflow job to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3135. GET /forensics/case_management/cases/{id} response codes
HTTP Response Code | Unique Code | Description
404 | 1002 | No case was found for the provided ID.
500 | 1020 | An error occurred during the retrieval of the case.

Response Description

A case that contains the following fields:


• assigned_to - String Array - Usernames of the users who have access to the case. Users must have the FORENSICS role. Authorized services are not allowed.
• id - Long - ID for the case.
• name - String - The name of the case.

Response Sample
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}

GUI application framework endpoints


Use the references for REST API V7.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task DEPRECATED


Retrieve a list of status details of all asynchronous requests to create applications.


Table 3136. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 3137. GET /gui_app_framework/application_creation_task response codes
HTTP Response Code | Unique Code | Description
200 | | Application Creation Request list was retrieved.
500 | 1020 | An error occurred while attempting to retrieve the list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING, UPGRADING, COMPLETED, CANCELLED, ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE, ERROR_FRAMEWORK_UNAVAILABLE, ERROR_CREATING_IMAGE, ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task DEPRECATED


Create a new application within the Application framework, and register it with QRadar. The application is created asynchronously. A reference to the application_id is returned and should be used in subsequent API calls to determine the status of the application installation.

Table 3138. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 3139. POST /gui_app_framework/application_creation_task request body details
Parameter | Data Type | MIME Type | Description | Sample
package | zip | application/zip | A zip file that contains custom code and an application manifest JSON file descriptor. | null

Table 3140. POST /gui_app_framework/application_creation_task response codes
HTTP Response Code | Unique Code | Description
201 | | The application was installed and registered successfully.
409 | 1008 | An application with that UUID is already installed. Only an upgrade or delete can be performed in this state.
422 | 1005 | The provided application is invalid. See messages for further details.
500 | 1020 | The application could not be created.

Response Description

The application ID and status.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING, UPGRADING, COMPLETED, CANCELLED, ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE, ERROR_FRAMEWORK_UNAVAILABLE, ERROR_CREATING_IMAGE, ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/application_creation_task/{application_id} DEPRECATED


Retrieve a list of status details of an asynchronous request to create an application.

Table 3141. GET /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 3142. GET /gui_app_framework/application_creation_task/{application_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
application_id | path | Required | Number (Integer) | text/plain | Required - Get the status details of this application defined by application_id returned by the initial POST on application_creation_task.

Table 3143. GET /gui_app_framework/application_creation_task/{application_id} response codes
HTTP Response Code | Unique Code | Description
200 | | Application Creation Request list was retrieved.
404 | 1002 | The application_id is invalid or could not be found.
500 | 1020 | An error occurred while attempting to retrieve the list of status details.

Response Description

The details of the request to create the application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING, UPGRADING, COMPLETED, CANCELLED, ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE, ERROR_FRAMEWORK_UNAVAILABLE, ERROR_CREATING_IMAGE, ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task/{application_id} DEPRECATED


Use this endpoint to cancel a new application install within the Application framework. The application_id and a status are required.

Table 3144. POST /gui_app_framework/application_creation_task/{application_id} resource details
MIME Type
application/json

Table 3145. POST /gui_app_framework/application_creation_task/{application_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The application_id to cancel installing.
status query Required String text/plain Required - The status to update the application install to. Currently only CANCELLED is supported.

Table 3146. POST /gui_app_framework/application_creation_task/{application_id} response codes


HTTP Response Code Unique Code Description
200 The application installation was canceled and unregistered successfully.
404 1002 The application_id is invalid or could not be found.
422 1005 The status is not valid.
500 1020 An error occurred when attempting to update the Application request state.

Response Description

Application ID and status.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]
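The polling loop that the GET status endpoint and the POST cancel endpoint above imply, as an added example that is not part of the QRadar API Guide. The HTTP layer sits behind a fetch callable so the logic runs offline against constructed responses; make_urllib_fetch is an assumed transport whose console host, SEC token and Version header value are placeholders.

```python
"""Poll a QRadar application_creation_task until it settles, then act on the result.

Added example, not code from the QRadar API Guide. It drives the deprecated
GET and POST /gui_app_framework/application_creation_task/{application_id}
endpoints. make_urllib_fetch is an assumed transport; its arguments are placeholders.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

PENDING = {"CREATING", "UPGRADING"}
TERMINAL = {"COMPLETED", "CANCELLED", "ERROR"}
Fetch = Callable[[int], Tuple[int, str]]  # application_id -> (http_status, body)


class CreationTaskError(RuntimeError):
    """The task ended in ERROR; `errors` holds the (code, message) pairs."""

    def __init__(self, app_id: int, errors: List[Tuple[str, str]]):
        self.app_id, self.errors = app_id, errors
        codes = ", ".join(code for code, _ in errors) or "no error code reported"
        super().__init__(f"application {app_id} failed to create: {codes}")


def parse_task(body: str) -> Dict:
    """Normalise a creation-task response. The response sample wraps the task
    object in a one-element list; a bare object is accepted too. A status
    outside the documented set is an error, not 'still pending'."""
    data = json.loads(body)
    if isinstance(data, list):
        if len(data) != 1:
            raise ValueError(f"expected one task object, got {len(data)}")
        data = data[0]
    status = data.get("status")
    if status not in PENDING | TERMINAL:
        raise ValueError(f"unexpected task status {status!r}")
    errors = [(e.get("code", ""), e.get("message", ""))
              for e in data.get("error_messages") or []]
    return {"application_id": int(data["application_id"]), "status": status, "errors": errors}


def wait_for_task(fetch: Fetch, app_id: int, max_polls: int = 30,
                  interval: float = 5.0, sleep=time.sleep) -> Dict:
    """Poll until COMPLETED or CANCELLED (returned) or ERROR (raised).
    HTTP 404 (unique code 1002, unknown application_id) aborts at once; a task
    still CREATING/UPGRADING after max_polls raises TimeoutError so the caller
    can decide whether to cancel it."""
    for attempt in range(1, max_polls + 1):
        http_status, body = fetch(app_id)
        if http_status == 404:
            raise LookupError(f"application_id {app_id} is invalid or could not be found")
        if http_status != 200:
            raise RuntimeError(f"GET application_creation_task returned HTTP {http_status}")
        task = parse_task(body)
        if task["status"] == "ERROR":
            raise CreationTaskError(app_id, task["errors"])
        if task["status"] in TERMINAL:
            return task
        if attempt < max_polls:
            sleep(interval)
    raise TimeoutError(f"application {app_id} still pending after {max_polls} polls")


def cancel_request(app_id: int) -> Tuple[str, str, Dict[str, str]]:
    """The cancel call as (method, path, query): status=CANCELLED is the only
    value the POST endpoint accepts (anything else is a 422/1005)."""
    return ("POST", f"/api/gui_app_framework/application_creation_task/{app_id}",
            {"status": "CANCELLED"})


def make_urllib_fetch(console: str, sec_token: str, version: str = "7.0") -> Fetch:
    """Assumed transport: SEC header for the token, Version header to pin the
    (deprecated) API version this chapter documents."""
    def fetch(app_id: int) -> Tuple[int, str]:
        url = f"https://{console}/api/gui_app_framework/application_creation_task/{app_id}"
        req = urllib.request.Request(url, headers={"SEC": sec_token, "Version": version,
                                                   "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return fetch


def scripted_fetch(responses: List[Tuple[int, str]]) -> Fetch:
    """Replay constructed (http_status, body) pairs in order, repeating the last."""
    state = {"calls": 0}

    def fetch(app_id: int) -> Tuple[int, str]:
        reply = responses[min(state["calls"], len(responses) - 1)]
        state["calls"] += 1
        return reply
    return fetch


def _task_body(app_id: str, status: str, errors=()) -> str:
    return json.dumps([{"application_id": app_id, "status": status,
                        "error_messages": list(errors)}])


# Constructed response sequences (not captured from a real console).
SAMPLE_RUN = [(200, _task_body("101", "CREATING")), (200, _task_body("101", "CREATING")),
              (200, _task_body("101", "COMPLETED"))]
SAMPLE_FAILURE = [(200, _task_body("102", "ERROR",
                   [{"code": "ERROR_STARTING_CONTAINER", "message": "container exited"}]))]
```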

GET /gui_app_framework/applications DEPRECATED


Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest json structures and
current status.

Table 3147. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 3148. GET /gui_app_framework/applications response codes
HTTP Response Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",

"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,

"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]
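A least-privilege review of the manifest structure returned by GET /gui_app_framework/applications, as an added example that is not code from the QRadar API Guide. It checks the required_capabilities lists, URL schemes, rest_method references and inline javascript of each manifest component; SAMPLE_MANIFEST is a constructed, cut-down copy of the sample above with a placeholder app host.

```python
"""Audit an application manifest from GET /gui_app_framework/applications.

Added example, not code from the QRadar API Guide. Every component in the
manifest sample (areas, dashboard_items, rest_methods, configuration_pages,
gui_actions) carries required_capabilities, and dashboard items, GUI actions
and metadata providers refer to rest_methods by name; the audit flags
deviations from that shape. SAMPLE_MANIFEST is constructed.
"""
from typing import Dict, List

CAPABILITY_SECTIONS = ("areas", "dashboard_items", "rest_methods",
                       "configuration_pages", "gui_actions")
REFERENCING_SECTIONS = ("dashboard_items", "gui_actions", "metadata_providers")


def _label(section: str, item: Dict) -> str:
    name = (item.get("id") or item.get("name") or item.get("text")
            or item.get("metadata_type") or "?")
    return f"{section}/{name}"


def audit_manifest(manifest: Dict) -> List[str]:
    """Return sorted, human-readable findings; an empty list means clean."""
    findings: List[str] = []
    declared = {m.get("name") for m in manifest.get("rest_methods", [])}

    for section in CAPABILITY_SECTIONS:
        for item in manifest.get(section, []):
            label = _label(section, item)
            # No capability listed: nothing restricts who may use the component.
            if not item.get("required_capabilities"):
                findings.append(f"{label}: required_capabilities missing or empty")
            url = item.get("url") or ""
            if url.lower().startswith("http://"):
                findings.append(f"{label}: plaintext http URL {url}")
            # gui_actions javascript executes in the console user's browser session.
            if section == "gui_actions" and item.get("javascript"):
                findings.append(f"{label}: inline javascript {item['javascript']!r} "
                                "runs in the console browser session")

    # Every rest_method reference must resolve to a declared rest_methods entry.
    for section in REFERENCING_SECTIONS:
        for item in manifest.get(section, []):
            ref = item.get("rest_method")
            if ref and ref not in declared:
                findings.append(f"{_label(section, item)}: references undeclared rest_method {ref!r}")
    return sorted(findings)


def audit_applications(listing: List[Dict]) -> Dict[str, List[str]]:
    """Audit a whole GET /gui_app_framework/applications response, keyed by application_id."""
    return {str(app["application_state"]["application_id"]): audit_manifest(app.get("manifest", {}))
            for app in listing}


# Constructed manifest mirroring the page's sample; APP_HOST is a placeholder.
SAMPLE_MANIFEST = {
    "name": "Sample Application", "version": "0.0.1",
    "areas": [{"id": "Qapp1_HelloWorld", "url": "http://APP_HOST:5000",
               "text": "QApp1", "required_capabilities": ["ADMIN"]}],
    "dashboard_items": [{"text": "Sample Item", "rest_method": "sampleDashboardItem",
                         "required_capabilities": ["ADMIN"]}],
    "rest_methods": [
        {"name": "sampleDashboardItem", "url": "/static/sampleDashboardItemResponse.json",
         "method": "GET", "argument_names": [], "required_capabilities": ["ADMIN"]},
        {"name": "addToReferenceSet", "url": "/addToReferenceSet",
         "method": "GET", "argument_names": ["data"]},  # no required_capabilities, as in the sample
    ],
    "configuration_pages": [{"text": "Open IBM.com", "url": "https://www.ibm.com/us/en/",
                             "required_capabilities": ["ADMIN"]}],
    "gui_actions": [{"id": "addToReferenceSet", "rest_method": "addToReferenceSet",
                     "javascript": "alert(result)", "groups": ["ipPopup"],
                     "required_capabilities": ["ADMIN"]}],
    # Constructed dangling reference: sampleIPInformation is not declared above.
    "metadata_providers": [{"rest_method": "sampleIPInformation", "metadata_type": "ip"}],
}
```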

GET /gui_app_framework/applications/{application_id} DEPRECATED


Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure and current status.
Table 3149. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 3150. GET /gui_app_framework/applications/{application_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - Get specific installed application defined by application_id returned by the initial POST on application_creation_task.

Table 3151. GET /gui_app_framework/applications/{application_id} response codes


HTTP Response Code Unique Code Description
200 The application was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},

{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",

"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id} DEPRECATED


Update an Application

Start or stop an application by setting status to RUNNING or STOPPED respectively.


Table 3152. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 3153. POST /gui_app_framework/applications/{application_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The applicationId of the application to update.
status query Required String text/plain Required - The status of the application to set to RUNNING or STOPPED.

Table 3154. POST /gui_app_framework/applications/{application_id} response codes


HTTP Response Code Unique Code Description
200 The application has been successfully updated
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
422 1005 The application status is not valid.
500 1020 An error occurred while attempting to update the application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",

"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{

"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method, passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id} DEPRECATED
Upgrade an application.

Table 3155. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 3156. PUT /gui_app_framework/applications/{application_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain null

Table 3157. PUT /gui_app_framework/applications/{application_id} request body details


Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file that contains custom code and an application manifest JSON file descriptor. null

Table 3158. PUT /gui_app_framework/applications/{application_id} response codes


HTTP Response Code Unique Code Description
202 The request for an application upgrade was accepted.
404 1002 The application_id is invalid or could not be found.
409 1008 The application is locked by another process.
422 1005 The provided application is invalid. See messages for further details.
500 1020 The application could not be created.

Response Description

Application ID and status.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id} DEPRECATED
Delete an Application.
Table 3159. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

Table 3160. DELETE /gui_app_framework/applications/{application_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number (Integer) text/plain Required - The applicationId of the application to delete.

Table 3161. DELETE /gui_app_framework/applications/{application_id} response codes


HTTP Response Code Unique Code Description
204 The application has been successfully unregistered.
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
500 1020 An error occurred while attempting to delete the application.

Response Description

Successful response code 204 No content.

Response Sample

Help endpoints
Use the references for REST API V7.0 Help endpoints.

GET /help/endpoints DEPRECATED


Retrieves a list of endpoint documentation objects that are currently in the system.

Table 3162. GET /help/endpoints resource details
MIME Type
application/json

Table 3163. GET /help/endpoints request parameter details


Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3164. GET /help/endpoints response codes


HTTP Response Code Unique Code Description
200 The endpoint documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object contains the following
fields:
• id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any time services are restarted.
• summary - String - A brief summary of the endpoint.
• deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
• http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH.
• error_responses - Array of Objects - A list of potential error responses of this endpoint.
• error_responses(response_code) - Number - The HTTP code for this error response.
• error_responses(description) - String - The description for this error response.
• error_responses(unique_code) - Number - The unique code for this error response.
• error_responses(response_code_description) - String - The description of the response.
• response_description - String - The description of the response.
• version - String - The version of this endpoint.
• success_responses - Array of Objects - A list of potential success responses for this endpoint.
• success_responses(response_code) - Number - The HTTP code for this response.
• success_responses(description) - String - The description of this response.
• success_responses(response_code_description) - String - The name for the response code from RFC 2616.
• description - String - A description of this endpoint.
• path - String - The path of this endpoint.
• response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
• response_mime_types(mime_type) - String - The MIME type.
• response_mime_types(sample) - String - The sample of this response MIME type.
• parameters - Array of Objects - A list of user parameters for this endpoint.
• parameters(description) - String - A description of this parameter.
• parameters(default_value) - String - The default value of this parameter. Null if there is no default value for this parameter. This is always a String, regardless of the underlying data type of the parameter.
• parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
• parameters(parameter_name) - String - The name of this parameter.
• parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
• parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
• parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
• parameters(mime_types(sample)) - String - The sample for this parameter.
• resource_id - Number - The ID of the associated resource.
• last_modified_version - String - The API version in which this endpoint was last modified. It is less than or equal to the version in the version field.
• caller_has_access - Boolean - True if the user has the required capabilities to call this endpoint, false otherwise.

Response Sample
[
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"

}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]

GET /help/endpoints/{endpoint_id} DEPRECATED


Retrieves a single endpoint documentation object.



Table 3165. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 3166. GET /help/endpoints/{endpoint_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
endpoint_id path Required Number (Integer) text/plain The endpoint id.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3167. GET /help/endpoints/{endpoint_id} response codes


HTTP Response Code Unique Code Description
200 The endpoint documentation object was retrieved.
404 1002 No endpoint documentation object was found for the provided endpoint id.
500 1020 An unexpected error has occurred.

Response Description

An endpoint documentation object. An endpoint documentation object contains the following fields:
• id - Number - The ID of the endpoint documentation. This ID is not permanent. It might change any time services are restarted.
• summary - String - A brief summary of the endpoint.
• deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false otherwise.
• http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PATCH.
• error_responses - Array of Objects - A list of potential error responses of this endpoint.
• error_responses(response_code) - Number - The HTTP code for this error response.
• error_responses(description) - String - The description for this error response.
• error_responses(unique_code) - Number - The unique code for this error response.
• error_responses(response_code_description) - String - The description of the response.
• response_description - String - The description of the response.
• version - String - The version of this endpoint.
• success_responses - Array of Objects - A list of potential success responses for this endpoint.
• success_responses(response_code) - Number - The HTTP code for this response.
• success_responses(description) - String - The description of this response.
• success_responses(response_code_description) - String - The name for the response code from RFC 2616.
• description - String - A description of this endpoint.
• path - String - The path of this endpoint.
• response_mime_types - Array of Objects - A list of possible response MIME types for this endpoint.
• response_mime_types(mime_type) - String - The MIME type.
• response_mime_types(sample) - String - The sample of this response MIME type.
• parameters - Array of Objects - A list of user parameters for this endpoint.
• parameters(description) - String - A description of this parameter.
• parameters(default_value) - String - The default value of this parameter. Null if there is no default value for this parameter. This is always a String, regardless of the underlying data type of the parameter.
• parameters(type) - String - The type of parameter, one of QUERY, HEADER, PATH, BODY.
• parameters(parameter_name) - String - The name of this parameter.
• parameters(mime_types) - Array of Objects - A list of possible mime_types for this parameter.
• parameters(mime_types(data_type)) - String - A description of the data type of this parameter.
• parameters(mime_types(mime_type)) - String - The MIME type of the parameter.
• parameters(mime_types(sample)) - String - The sample for this parameter.
• resource_id - Number - The ID of the associated resource.
• last_modified_version - String - The API version in which this endpoint was last modified. It will be less than or equal to the version in the version field.
• caller_has_access - Boolean - Returns true if the user has the required capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,

"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources DEPRECATED


Retrieves a list of resource documentation objects currently in the system.



Table 3168. GET /help/resources resource details
MIME Type
application/json

Table 3169. GET /help/resources request parameter details
Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3170. GET /help/resources response codes


HTTP Response Code Unique Code Description
200 The resource documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of resource documentation objects. A resource documentation object contains the following
fields:
• id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
• child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
• endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
• resource - String - The current resource.
• path - String - The full path of the current resource.
• parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
• version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,

"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id} DEPRECATED


Retrieves a single resource documentation object.



Table 3171. GET /help/resources/{resource_id} resource details
MIME Type
application/json

Table 3172. GET /help/resources/{resource_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
resource_id path Required Number (Integer) text/plain The resource id.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3173. GET /help/resources/{resource_id} response codes


HTTP Response Code Unique Code Description
200 The resource documentation object was retrieved.
404 1002 No resource documentation object was found for the provided resource ID.
500 1020 An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the following fields:
• id - Number - The ID of the resource documentation object. This ID is not permanent. It might change any time services are restarted.
• child_resource_ids - Array of Numbers - A list of resource documentation IDs that are the children of this resource.
• endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for endpoints on this resource.
• resource - String - The current resource.
• path - String - The full path of the current resource.
• parent_resource_id - Number - The resource documentation ID of the parent of this resource. Null if this is a root resource.
• version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions DEPRECATED


Retrieves a list of version documentation objects currently in the system.



Table 3174. GET /help/versions resource details
MIME Type
application/json

Table 3175. GET /help/versions request parameter details


Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3176. GET /help/versions response codes


HTTP Response Code Unique Code Description
200 The version documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object contains the following fields:
• id - Number - The ID of the version documentation object. This ID is not permanent. It might change any time services are restarted.
• deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
• removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot be called from an API version that is removed.
• root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
• version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id} DEPRECATED


Retrieves a single version documentation object.



Table 3177. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 3178. GET /help/versions/{version_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
version_id path Required Number (Integer) text/plain The ID of the version documentation to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3179. GET /help/versions/{version_id} response codes


HTTP Response Code Unique Code Description
200 The version documentation object was retrieved.
404 1002 No version documentation object was found for the provided version id.
500 1020 An unexpected error has occurred.

7 Previous REST API versions 1413


Response Description

A version documentation object. A version documentation object contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not permanent. It might change
any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false otherwise. Endpoints cannot
be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
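Both version-documentation endpoints above return the same object, and two of its field notes matter for anything scripted against the API: the id is not permanent, and a removed version cannot be called at all. As an added example (not IBM's code and not the QRadar API client), the Python helper below builds the paged list request and applies those two rules to a constructed response. The items=<start>-<end> form of the Range value and the Version header are assumptions taken from the guide's paging and overview chapters, not from this page.

```python
"""Added example (not IBM code): work with the two version-documentation
endpoints, GET /help/versions and GET /help/versions/{version_id}.
Nothing here contacts a console; SAMPLE_VERSIONS is a constructed stand-in
for a GET /help/versions body.

Assumed, not stated on this page: the Range value has the form
"items=<start>-<end>" and the API version is chosen with a "Version" header,
as the guide's paging and overview chapters describe.
"""
import json
import warnings
from typing import Dict, Optional

# Constructed sample with the field shape given in the Response Description.
SAMPLE_VERSIONS = json.dumps([
    {"deprecated": False, "id": 17, "removed": True, "root_resource_ids": [3], "version": "5.0"},
    {"deprecated": True, "id": 18, "removed": False, "root_resource_ids": [3, 4], "version": "7.0"},
    {"deprecated": False, "id": 19, "removed": False, "root_resource_ids": [3, 4, 5], "version": "9.0"},
])


def build_list_request(start: int, end: int, fields: Optional[str] = None,
                       filter_expr: Optional[str] = None,
                       api_version: str = "9.0") -> Dict[str, Dict[str, str]]:
    """Headers and query parameters for a paged GET /help/versions call.
    Range travels as a header (the list is indexed from zero); fields and
    filter are query parameters, exactly as the parameter table says."""
    if start < 0 or end < start:
        raise ValueError("range is zero-indexed and end must not precede start")
    headers = {"Range": f"items={start}-{end}",   # assumed format, see docstring
               "Version": api_version,
               "Accept": "application/json"}
    params: Dict[str, str] = {}
    if fields:
        params["fields"] = fields
    if filter_expr:
        params["filter"] = filter_expr
    return {"headers": headers, "params": params}


def classify_versions(payload: str) -> Dict[str, str]:
    """Map each documented version to 'removed', 'deprecated' or 'current'.
    Removed wins over deprecated: the page says a removed version cannot be
    called, whereas a deprecated one still answers."""
    states: Dict[str, str] = {}
    for doc in json.loads(payload):
        if doc["removed"]:
            states[doc["version"]] = "removed"
        elif doc["deprecated"]:
            states[doc["version"]] = "deprecated"
        else:
            states[doc["version"]] = "current"
    return states


def resolve_version_id(payload: str, version: str) -> int:
    """Look the id up on every run before calling /help/versions/{version_id}:
    the page warns that the id may change whenever services restart, so a
    script must never cache or hard-code it."""
    for doc in json.loads(payload):
        if doc["version"] == version:
            return doc["id"]
    raise KeyError(f"API version {version} is not documented on this console")


def newest_current_version(payload: str) -> str:
    """Highest version that is neither deprecated nor removed (migration target)."""
    current = [v for v, s in classify_versions(payload).items() if s == "current"]
    if not current:
        raise LookupError("no current API version is documented")
    return max(current, key=lambda v: tuple(int(p) for p in v.split(".")))


def choose_version(payload: str, requested: str) -> str:
    """Return the Version header value to send. Refuse a removed version
    outright and warn on a deprecated one so the operator can plan a move."""
    states = classify_versions(payload)
    if requested not in states:
        raise KeyError(f"API version {requested} is not documented on this console")
    if states[requested] == "removed":
        raise ValueError(f"API version {requested} is removed; endpoints cannot be called with it")
    if states[requested] == "deprecated":
        warnings.warn(f"API version {requested} is deprecated; "
                      f"plan a move to {newest_current_version(payload)}")
    return requested
```

A client that pins a Version header should run choose_version against a fresh /help/versions listing at start-up rather than trusting a value baked into the script; the removed-version check is what turns a silent failure after an upgrade into a clear error.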

IBM Security QRadar Risk Manager endpoints


Use the references for REST API V7.0 QRadar Risk Manager endpoints.

GET /qrm/model_groups DEPRECATED


Retrieves a list of model groups.



Table 3180. GET /qrm/model_groups resource details
MIME Type
application/json

Table 3181. GET /qrm/model_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3182. GET /qrm/model_groups response codes


HTTP Response Code Unique Code Description
200 The model groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the model groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/model_groups/{group_id} DEPRECATED


Retrieves a model group.



Table 3183. GET /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 3184. GET /qrm/model_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3185. GET /qrm/model_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The model group was retrieved.
404 1002 The model group does not exist.
500 1020 An error occurred during the attempt to retrieve the model group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/model_groups/{group_id} DEPRECATED


Updates the owner of a model group.



Table 3186. POST /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 3187. POST /qrm/model_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3188. POST /qrm/model_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3189. POST /qrm/model_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The model group was updated.
404 1002 The model group does not exist.
409 1004 The provided user does not have the required capabilities to own the model group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the model group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/model_groups/{group_id} DEPRECATED


Deletes a model group.



Table 3190. DELETE /qrm/model_groups/{group_id} resource details
MIME Type
text/plain

Table 3191. DELETE /qrm/model_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3192. DELETE /qrm/model_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The model group was deleted.
404 1002 The model group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the model group.

Response Description

Response Sample
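
The four group resources in this section (model_groups above, then qrm_saved_search_groups, question_groups and simulation_groups) expose the same GET, POST (owner change) and DELETE pattern with the same unique codes. As an added example that is not IBM's code and not the QRadar API client, this Python client drives that pattern and maps every response code the tables list to an outcome. It runs offline against a constructed fake console; the /api prefix, the error-body fields code and message, and the Content-Type header are assumptions drawn from the rest of the guide rather than facts on this page.

```python
"""Added example (not IBM code): client for the deprecated
/qrm/<kind>/{group_id} endpoints. Reads a Group, changes its owner with POST,
deletes it, and maps every response code the page lists to an outcome.

The transport is injected so the example runs offline against the
constructed fake console at the bottom. Assumed, not stated on this page:
the console lives under /api, error bodies carry a unique "code" and a
"message" (the guide's error-message chapter), and POST sends the selector
as a "fields" header exactly as the parameter table says.
"""
import json
from typing import Callable, Dict, Iterable, Optional, Tuple

Response = Tuple[int, str]                                # (HTTP status, body)
Transport = Callable[[str, str, Dict[str, str], str], Response]

GROUP_KINDS = ("model_groups", "qrm_saved_search_groups",
               "question_groups", "simulation_groups")

# Unique codes taken from the response-code tables on the page.
ERROR_TEXT = {
    (404, 1002): "the group does not exist",
    (409, 1004): "the provided user lacks the capabilities to own the group",
    (422, 1005): "a request parameter is not valid",
    (500, 1020): "the console reported an unexpected error",
}


class GroupApiError(Exception):
    """Raised for any non-success response; keeps HTTP status and unique code."""

    def __init__(self, status: int, code: Optional[int], message: str):
        super().__init__(f"{status}/{code}: {message}")
        self.status, self.code = status, code


def _raise_for(status: int, body: str) -> None:
    try:
        err = json.loads(body) if body else {}
    except ValueError:
        err = {}
    code = err.get("code")
    message = err.get("message") or ERROR_TEXT.get((status, code), "unexpected response")
    raise GroupApiError(status, code, message)


def _path(kind: str, group_id: int) -> str:
    if kind not in GROUP_KINDS:
        raise ValueError(f"unknown group kind {kind!r}")
    if not isinstance(group_id, int) or group_id < 0:     # path parameter is an integer
        raise ValueError("group_id must be a non-negative integer")
    return f"/api/qrm/{kind}/{group_id}"                  # /api prefix is assumed


def update_group_owner(transport: Transport, kind: str, group_id: int,
                       new_owner: str, fields: Optional[str] = None) -> dict:
    """GET the Group, change only its owner, POST it back; returns the updated Group."""
    path = _path(kind, group_id)
    headers = {"Accept": "application/json"}
    if fields:
        headers["fields"] = fields          # POST takes fields as a header per the table
    status, body = transport("GET", path, headers, "")
    if status != 200:
        _raise_for(status, body)
    group = json.loads(body)
    group["owner"] = new_owner
    headers["Content-Type"] = "application/json"
    status, body = transport("POST", path, headers, json.dumps(group))
    if status != 200:
        _raise_for(status, body)
    return json.loads(body)


def delete_group(transport: Transport, kind: str, group_id: int) -> bool:
    """DELETE the Group; the page documents 204 on success with a text/plain body."""
    status, body = transport("DELETE", _path(kind, group_id), {"Accept": "text/plain"}, "")
    if status == 204:
        return True
    _raise_for(status, body)
    return False


# Constructed sample Group with the field shape from the Response Description.
SAMPLE_GROUPS = {42: {"id": 42, "parent_id": 1, "type": "MODEL_SAVED_SEARCH_GROUP",
                      "level": 1, "name": "Models", "description": "sample",
                      "owner": "admin", "modified_time": 1500000000000,
                      "child_group_ids": []}}


def make_fake_console(groups: Dict[int, dict], capable_users: Iterable[str]) -> Transport:
    """Constructed stand-in for a console that answers with the page's codes."""
    store = {gid: dict(g) for gid, g in groups.items()}
    capable = set(capable_users)

    def transport(method: str, path: str, headers: Dict[str, str], body: str) -> Response:
        gid = int(path.rsplit("/", 1)[1])
        if gid not in store:
            return 404, json.dumps({"code": 1002, "message": "The group does not exist."})
        if method == "GET":
            return 200, json.dumps(store[gid])
        if method == "DELETE":
            del store[gid]
            return 204, ""
        try:
            owner = json.loads(body)["owner"]
        except (ValueError, KeyError, TypeError):
            return 422, json.dumps({"code": 1005, "message": "A request parameter is not valid."})
        if owner not in capable:
            return 409, json.dumps({"code": 1004, "message": "The provided user does not have "
                                    "the required capabilities to own the group."})
        store[gid]["owner"] = owner
        store[gid]["modified_time"] += 1
        return 200, json.dumps(store[gid])

    return transport
```

The GET-then-POST sequence is deliberate: the body table requires the whole Group object with only the owner changed, so the client never hand-builds one. The 409/1004 response is the console refusing a user who lacks the capabilities to own the group; an automation script should surface that refusal rather than swallow it, because it is the one code in the table that signals a privilege problem instead of a malformed request.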

GET /qrm/qrm_saved_search_groups DEPRECATED


Retrieves a list of QRM saved search groups.



Table 3193. GET /qrm/qrm_saved_search_groups resource details
MIME Type
application/json

Table 3194. GET /qrm/qrm_saved_search_groups request parameter details
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3195. GET /qrm/qrm_saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The QRM saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the QRM saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/qrm_saved_search_groups/{group_id} DEPRECATED


Retrieves a QRM saved search group.



Table 3196. GET /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3197. GET /qrm/qrm_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3198. GET /qrm/qrm_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The QRM saved search group was retrieved.
404 1002 The QRM saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the QRM saved search group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/qrm_saved_search_groups/{group_id} DEPRECATED


Updates the owner of a QRM saved search group.



Table 3199. POST /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3200. POST /qrm/qrm_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3201. POST /qrm/qrm_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3202. POST /qrm/qrm_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The QRM saved search group was updated.
404 1002 The QRM saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the QRM saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the QRM saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/qrm_saved_search_groups/{group_id} DEPRECATED


Deletes a QRM saved search group.



Table 3203. DELETE /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 3204. DELETE /qrm/qrm_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3205. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The QRM saved search group was deleted.
404 1002 The QRM saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the QRM saved search group.

Response Description

Response Sample

GET /qrm/question_groups DEPRECATED


Retrieves a list of question groups.



Table 3206. GET /qrm/question_groups resource details
MIME Type
application/json

Table 3207. GET /qrm/question_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3208. GET /qrm/question_groups response codes


HTTP Response Code Unique Code Description
200 The question groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the question groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/question_groups/{group_id} DEPRECATED


Retrieves a question group.



Table 3209. GET /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 3210. GET /qrm/question_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3211. GET /qrm/question_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The question group was retrieved.
404 1002 The question group does not exist.
500 1020 An error occurred during the attempt to retrieve the question group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/question_groups/{group_id} DEPRECATED


Updates the owner of a question group.

Table 3212. POST /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 3213. POST /qrm/question_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3214. POST /qrm/question_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3215. POST /qrm/question_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The question group was updated.
404 1002 The question group does not exist.
409 1004 The provided user does not have the required capabilities to own the question group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the question group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/question_groups/{group_id} DEPRECATED


Deletes a question group.



Table 3216. DELETE /qrm/question_groups/{group_id} resource details
MIME Type
text/plain

Table 3217. DELETE /qrm/question_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3218. DELETE /qrm/question_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The question group was deleted.
404 1002 The question group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the question group.

Response Description

Response Sample

GET /qrm/simulation_groups DEPRECATED


Retrieves a list of the simulation groups.


Table 3219. GET /qrm/simulation_groups resource details
MIME Type
application/json

Table 3220. GET /qrm/simulation_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3221. GET /qrm/simulation_groups response codes


HTTP Response Code Unique Code Description
200 The simulation groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the simulation groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/simulation_groups/{group_id} DEPRECATED


Retrieves a simulation group.



Table 3222. GET /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 3223. GET /qrm/simulation_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3224. GET /qrm/simulation_groups/{group_id} response codes
HTTP Response Code Unique Code Description
200 The simulation group was retrieved.
404 1002 The simulation group does not exist.
500 1020 An error occurred during the attempt to retrieve the simulation group.

Response Description

A single Group object. A Group object contains the following fields:


v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized names).
v description - String - The description of the group (default groups can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/simulation_groups/{group_id} DEPRECATED


Updates the owner of a simulation group.

1432 QRadar API Reference Guide


Table 3225. POST /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 3226. POST /qrm/simulation_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3227. POST /qrm/simulation_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3228. POST /qrm/simulation_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The simulation group was updated.
404 1002 The simulation group does not exist.
409 1004 The provided user does not have the required capabilities to own the simulation group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the simulation group.

Response Description

The updated Group object. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
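The owner-update round trip above, as an added example that is not code from the guide: it builds the POST body from a Group returned by the matching GET, keeps only the fields shown in the request body sample (modified_time is server-owned and is not sent back), checks the type against the enumerated values before anything is sent, and maps the documented response codes to outcomes. The same Group object and response codes apply to the topology and vulnerability saved search group endpoints later in this chapter. Assumed: the console's /api base path, and that error responses carry the unique code in a top-level "code" field as described in the API error messages chapter; the function names are this example's own.

```python
import json

# Allowed values of the Group "type" field, as enumerated in the request body sample.
GROUP_TYPES = frozenset({
    "LOG_SOURCE_GROUP", "REPORT_GROUP", "RULE_GROUP",
    "EVENT_SAVED_SEARCH_GROUP", "FLOW_SAVED_SEARCH_GROUP",
    "OFFENSE_SAVED_SEARCH_GROUP", "QRM_SAVED_SEARCH_GROUP",
    "MODEL_SAVED_SEARCH_GROUP", "QUESTION_SAVED_SEARCH_GROUP",
    "SIMULATION_SAVED_SEARCH_GROUP", "TOPOLOGY_SAVED_SEARCH_GROUP",
    "ASSET_SAVED_SEARCH_GROUP", "VULNERABILITY_SAVED_SEARCH_GROUP",
})

# Fields present in the documented request body sample. modified_time appears only in the
# response sample, so the client does not send it: the server owns that value.
REQUEST_BODY_FIELDS = ("child_groups", "child_items", "description", "id", "level",
                       "name", "owner", "parent_id", "type")

# Documented (HTTP status, unique code) pairs from the response-code table and what each
# means to the client. The 200 row carries no unique code.
RESPONSE_CODES = {
    (200, None): "updated",
    (404, 1002): "group does not exist",
    (409, 1004): "user lacks the capabilities required to own this group",
    (422, 1005): "request parameter not valid",
    (500, 1020): "server error while updating the group",
}


def build_owner_update(group, new_owner, expected_type):
    """Return the JSON body for POST /qrm/simulation_groups/{group_id}.

    `group` is the object returned by the matching GET; `expected_type` is the group type
    this endpoint manages (SIMULATION_SAVED_SEARCH_GROUP here), so a Group fetched from a
    different group endpoint is rejected locally instead of by the server.
    """
    if not new_owner or not new_owner.strip():
        raise ValueError("owner must be a non-empty user name")
    if group.get("type") not in GROUP_TYPES:
        raise ValueError(f"unknown group type: {group.get('type')!r}")
    if group["type"] != expected_type:
        raise ValueError(f"group {group.get('id')} is a {group['type']}, not {expected_type}")
    body = {k: group[k] for k in REQUEST_BODY_FIELDS if k in group}
    body["owner"] = new_owner
    return body


def request_for(group_id, body, fields=None):
    """Assemble the POST request: path, headers and serialized body.

    For this endpoint the `fields` selector is a header, not a query parameter (see the
    request parameter table). Authentication (SEC token or session) is left to the caller.
    The /api base path is assumed.
    """
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if fields:
        headers["fields"] = fields
    return {"method": "POST",
            "path": f"/api/qrm/simulation_groups/{int(group_id)}",
            "headers": headers,
            "body": json.dumps(body)}


def classify_response(status, body):
    """Map a response to the outcome documented for this endpoint.

    Error responses are assumed to carry the unique code in a top-level "code" field;
    a 200 carries the updated Group instead, so its body is not inspected here.
    """
    if status == 200:
        return RESPONSE_CODES[(200, None)]
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    return RESPONSE_CODES.get((status, code), f"undocumented response {status}/{code}")
```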

DELETE /qrm/simulation_groups/{group_id} DEPRECATED


Deletes a simulation group.


Table 3229. DELETE /qrm/simulation_groups/{group_id} resource details
MIME Type
text/plain

Table 3230. DELETE /qrm/simulation_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3231. DELETE /qrm/simulation_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The simulation group has been deleted.
404 1002 The simulation group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the simulation group.

Response Description

Response Sample

GET /qrm/topology_saved_search_groups DEPRECATED


Retrieves a list of topology saved search groups.


Table 3232. GET /qrm/topology_saved_search_groups resource details
MIME Type
application/json

Table 3233. GET /qrm/topology_saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3234. GET /qrm/topology_saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The topology saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the topology saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/topology_saved_search_groups/{group_id} DEPRECATED


Retrieves a topology saved search group.


Table 3235. GET /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3236. GET /qrm/topology_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3237. GET /qrm/topology_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The topology saved search group was retrieved.
404 1002 The topology saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the topology saved search group.

Response Description

A single Group object. A Group object contains the following fields:


• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/topology_saved_search_groups/{group_id} DEPRECATED


Updates the owner of a topology saved search group.


Table 3238. POST /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3239. POST /qrm/topology_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3240. POST /qrm/topology_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3241. POST /qrm/topology_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The topology saved search group was updated.
404 1002 The topology saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the topology saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the topology saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/topology_saved_search_groups/{group_id} DEPRECATED


Deletes a topology saved search group.


Table 3242. DELETE /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 3243. DELETE /qrm/topology_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3244. DELETE /qrm/topology_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The topology saved search group was deleted.
404 1002 The topology saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the topology saved search group.

Response Description

Response Sample

QRadar Vulnerability Manager endpoints


Use the references for REST API V7.0 QRadar Vulnerability Manager endpoints.

GET /qvm/assets DEPRECATED


List the assets with discovered vulnerabilities present in the asset model. The response contains all
available RESTful resources.
Table 3245. GET /qvm/assets resource details
MIME Type
application/json

Table 3246. GET /qvm/assets request parameter details


Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 3247. GET /qvm/assets response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by asset completed successfully
420 9101 Invalid search parameters, search cannot be performed



Response Description

A list of asset data.

Response Sample

GET /qvm/filters DEPRECATED


Get a list of the allowable filters that can be used or applied against /qvm endpoints.
• /qvm/assets
• /qvm/vulns
• /qvm/vulninstances
• /qvm/openservices
• /qvm/networks
• queries
Table 3248. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 3249. GET /qvm/filters response codes
HTTP Response Code Unique Code Description
200 The search executed successfully
420 9102 An error occurred while executing the search

Response Description

A list of Filters.

Response Sample

GET /qvm/network DEPRECATED


List the networks present in the asset model that have vulnerabilities. The response contains all available RESTful resources.
Table 3250. GET /qvm/network resource details
MIME Type
application/json

Table 3251. GET /qvm/network request parameter details


Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]



Table 3252. GET /qvm/network response codes
HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by network completed successfully
420 9101 Invalid search parameters, search cannot be performed
420 9101 Invalid search parameters, search cannot be performed

Response Description

A list of network-related data.

Response Sample

GET /qvm/openservices DEPRECATED


List the open services present in the asset model that have vulnerabilities. The response contains all available RESTful resources.
Table 3253. GET /qvm/openservices resource details
MIME Type
application/json

Table 3254. GET /qvm/openservices request parameter details


Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 3255. GET /qvm/openservices response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by open service completed successfully
420 9101 Invalid search parameters, search cannot be performed

Response Description

A list of data related to open services.

Response Sample

GET /qvm/saved_search_groups DEPRECATED


Retrieves a list of vulnerability saved search groups.


Table 3256. GET /qvm/saved_search_groups resource details
MIME Type
application/json



Table 3257. GET /qvm/saved_search_groups request parameter details
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3258. GET /qvm/saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The vulnerability saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the vulnerability saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,

7 Previous REST API versions 1443


"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qvm/saved_search_groups/{group_id} DEPRECATED


Retrieves a vulnerability saved search group.


Table 3259. GET /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3260. GET /qvm/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3261. GET /qvm/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The vulnerability saved search group was retrieved.
404 1002 The vulnerability saved search group does not exist.
422 1005 null
500 1020 An error occurred during the attempt to retrieve the vulnerability saved search group.



Response Description

A single Group object. A Group object contains the following fields:


• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qvm/saved_search_groups/{group_id} DEPRECATED


Updates the owner of a vulnerability saved search group.


Table 3262. POST /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3263. POST /qvm/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3264. POST /qvm/saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3265. POST /qvm/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The vulnerability saved search group was updated.
404 1002 The vulnerability saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the vulnerability saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the vulnerability saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
• id - Long - The ID of the group.
• parent_id - Long - The ID of the parent group (default resources can have localized names).
• type - String - The type of the group.
• level - Long - The depth of the group in the group hierarchy.
• name - String - The name of the group (default groups can have localized names).
• description - String - The description of the group (default groups can have localized names).
• owner - String - The owner of the group.
• modified_time - Long - The time, in milliseconds since the epoch, at which the group was last modified.
• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qvm/saved_search_groups/{group_id} DEPRECATED


Deletes a vulnerability saved search group.


Table 3266. DELETE /qvm/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 3267. DELETE /qvm/saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3268. DELETE /qvm/saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The vulnerability saved search group was deleted.
404 1002 The vulnerability saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the vulnerability saved search group.



Response Description

Response Sample

GET /qvm/saved_searches DEPRECATED


Retrieves a list of vulnerability instance saved searches.


Table 3269. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 3270. GET /qvm/saved_searches request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3271. GET /qvm/saved_searches response codes


HTTP Response Code Unique Code Description
200 The request to retrieve the list of vulnerability instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of saved searches.

Response Description

A list of vulnerability instance saved searches that can be used or applied against:
• /qvm/saved_searches/{saved_search_id}/vuln_instances
• /qvm/assets
• /qvm/vulns
• /qvm/openservices
• /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that make up this saved
search.



Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]
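The filters format and the saved-search shape described above, as an added example that is not code from the guide: it validates a filter list against the documented [{"parameter", "operator", "value"}] shape, carries it in the query string of /qvm/assets, /qvm/network or /qvm/openservices, applies a saved search returned by GET /qvm/saved_searches by savedSearchId or savedSearchName instead of re-sending its filters, and decodes the filters back out of a logged query string for review. Assumed: the console's /api base path and, since the page shows no /qvm/filters response sample, that the caller supplies the set of allowable parameter names; the function names are this example's own.

```python
import json
from urllib.parse import parse_qs, urlencode

# The /qvm list endpoints on this page that take savedSearchId, savedSearchName and filters
# (Tables 3246, 3251 and 3254).
QVM_LIST_ENDPOINTS = ("/qvm/assets", "/qvm/network", "/qvm/openservices")
# Keys of one filter object, per the documented format
# [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}].
FILTER_KEYS = ("parameter", "operator", "value")


def validate_filters(filters, allowed_parameters=None):
    """Check that `filters` has the documented shape: a non-empty list of objects whose keys
    are exactly parameter, operator and value, each a string.

    `allowed_parameters`, if given, is the set of filter parameter names the deployment
    accepts. The page gives no sample of the GET /qvm/filters response, so deriving that set
    is left to the caller (assumption).
    """
    if not isinstance(filters, list) or not filters:
        raise ValueError("filters must be a non-empty JSON array")
    for i, f in enumerate(filters):
        if not isinstance(f, dict) or set(f) != set(FILTER_KEYS):
            raise ValueError(f"filter {i} must have exactly the keys {FILTER_KEYS}")
        if not all(isinstance(f[k], str) for k in FILTER_KEYS):
            raise ValueError(f"filter {i}: parameter, operator and value must be strings")
        if allowed_parameters is not None and f["parameter"] not in allowed_parameters:
            raise ValueError(f"filter {i}: {f['parameter']!r} is not an allowable filter")
    return filters


def build_qvm_query(endpoint, filters=None, saved_search=None, by_name=False,
                    allowed_parameters=None):
    """Return the request path plus query string for one of the /qvm list endpoints.

    Exactly one of `filters` (an explicit list) or `saved_search` (an object as returned by
    GET /qvm/saved_searches: id, name and filters) selects the dataset. A saved search is
    referenced by savedSearchId, or by savedSearchName when by_name is set, rather than by
    re-sending its filters, so the server applies the stored definition.
    """
    if endpoint not in QVM_LIST_ENDPOINTS:
        raise ValueError(f"{endpoint} is not one of {QVM_LIST_ENDPOINTS}")
    if (filters is None) == (saved_search is None):
        raise ValueError("give exactly one of filters or saved_search")
    if saved_search is not None:
        # Sanity-check the stored definition too; a malformed filter list would otherwise
        # only surface later as a 420/9101 from the server.
        validate_filters(saved_search["filters"], allowed_parameters)
        params = ({"savedSearchName": saved_search["name"]} if by_name
                  else {"savedSearchId": str(saved_search["id"])})
    else:
        validate_filters(filters, allowed_parameters)
        # filters is a JSON document carried in the query string: serialize it compactly and
        # let urlencode percent-escape the quotes, braces and spaces.
        params = {"filters": json.dumps(filters, separators=(",", ":"))}
    # The console's /api base path is assumed.
    return f"/api{endpoint}?{urlencode(params)}"


def filters_from_query(query_string):
    """Recover the filter list from a request's query string (for example from a proxy or
    audit log entry) so the criteria a client applied can be reviewed. Returns None when the
    request carried no filters parameter."""
    values = parse_qs(query_string).get("filters")
    if not values:
        return None
    return validate_filters(json.loads(values[0]))
```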

GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets DEPRECATED


Lists the Vulnerability Instances assets that are returned from the vulnerability instance saved search.

Table 3272. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource details
MIME Type
application/json

Table 3273. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3274. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response codes


HTTP Response Code Unique Code Description
200 The request to retrieve vulnerabilities by instance completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.



Response Description

A list of assets associated with the vulnerability instance data.

Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances DEPRECATED


Lists the Vulnerability Instances returned from a vulnerability instance saved search.


Table 3275. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances resource details
MIME Type
application/json

Table 3276. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3277. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities by instance completed successfully.
404 | 1002 | Resource not found.
500 | 1020 | An error occurred while retrieving results.

Response Description

A list of vulnerability instance data.

Response Sample
[{"id": 42,
"cvss_environmental_score_string": "String",
"last_seen_date": 42,
"asset_id": 42,
"domain_id": 42,
"relevant_patches": [{"security_notice": "String",
"description": "String",
"patch_type": "String <one of: OS, NONOS>"
}],
"cvss_environmental_score": 42.5,
"seen_by_scan_profile": "String",
"risk_score": 42.5,
"vulnerability_id": 42,
"first_seen_date": 42
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities DEPRECATED

Lists the vulnerabilities of the Vulnerability Instances returned from the saved search.
Table 3278. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities resource details
MIME Type
application/json

Table 3279. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3280. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities by instance completed successfully.
404 | 1002 | Resource not found.
500 | 1020 | Error while retrieving results.

Response Description

A list of vulnerability instance data.

Response Sample
[{"cvss_base_score_string": "String",
"virtual_patches": [{"device": "String",
"qid": "String",
"signature": "String"
}],
"osvdb_title": "String",
"cvss_temporal_score": 42.5,
"cvss_base_score": 42.5,
"concern": "String",
"cve_ids": ["String"],
"critical_details": "String",
"risk_factor": {"name": "String <one of: High,
Medium,
Low,
Warning>",
"code": 42
},
"cvss_temporal_score_string": "String",
"severity": {"name": "String <one of: Patch,
Urgent,
Critical,
High,
Medium,
Low>",
"code": 42
},
"remediation": "String",
"id": 42, "patches": [{"security_notice": "String",
"description": "String"
}],
"description": "String"
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/status DEPRECATED


Retrieves the current status of a vulnerability instance search that was initiated.

Table 3281. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 3282. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3283. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the current status of the vulnerability instance search completed successfully.
404 | 1002 | Resource not found.
500 | 1020 | An error occurred while retrieving status.

Response Description

Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/saved_searches/vuln_instances/{task_id}/status DEPRECATED


Updates the status of a vulnerability instance saved search.



Table 3284. POST /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 3285. POST /qvm/saved_searches/vuln_instances/{task_id}/status request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required. The ID of the task to update.
status | query | Optional | String | text/plain | Optional. The only accepted value is CANCELLED. If this value is provided, the search is cancelled.
retention_period_in_days | query | Optional | Number (Integer) | text/plain | Optional. Set the data retention period in days for the results. Accepted values 0 - 14. Use 0 to delete a result at the next clean up cycle. Default data retention period is 2 days.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3286. POST /qvm/saved_searches/vuln_instances/{task_id}/status response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of vulnerability instance saved searches completed successfully.
403 | 1009 | You do not have the proper capabilities to retrieve the Vulnerability Instance Saved Search.
404 | 1002 | Resource not found.
409 | 1004 | The current status of the search prevented the task from being cancelled.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while retrieving status.

Response Description

Returns the status of the selected Vulnerability Instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id} DEPRECATED


Retrieves a vulnerability instance saved search.



Table 3287. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 3288. GET /qvm/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3289. GET /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve the list of vulnerability instance saved searches completed successfully.
404 | 1002 | The Saved Search does not exist.
500 | 1020 | An error occurred while trying to retrieve the vulnerability instance saved search.

Response Description

A vulnerability instance saved search that can be used or applied against:


v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved search.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

POST /qvm/saved_searches/{saved_search_id} DEPRECATED


Updates the vulnerability saved search owner only.



Table 3290. POST /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 3291. POST /qvm/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3292. POST /qvm/saved_searches/{saved_search_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
saved_search | Object | application/json | null | { "filters": [ { "operator": "String", "parameter": "String", "value": "String" } ], "id": 42, "name": "String", "owner": "String" }

Table 3293. POST /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The vulnerability saved search was updated.
403 | 1009 | You do not have the required capabilities to update the vulnerability saved search.
404 | 1002 | The vulnerability saved search does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the vulnerability saved search.
422 | 1005 | A request parameter is not valid.
500 | 1020 | null

Response Description

The vulnerability saved search after it was updated. A Vulnerability Saved Search object contains the
following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /qvm/saved_searches/{saved_search_id} DEPRECATED


Deletes a vulnerability saved search.



Table 3294. DELETE /qvm/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 3295. DELETE /qvm/saved_searches/{saved_search_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | null

Table 3296. DELETE /qvm/saved_searches/{saved_search_id} response codes
HTTP Response Code | Unique Code | Description
204 | | The vulnerability saved search was deleted.
403 | 1009 | You do not have the required capabilities to delete the vulnerability saved search.
404 | 1002 | The vulnerability saved search does not exist.
500 | 1020 | null

Response Description

Response Sample

GET /qvm/saved_searches/{saved_search_id}/vuln_instances DEPRECATED


Creates the Vulnerability Instances search. This search will return a maximum of 100,000 results.

Table 3297. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 3298. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
saved_search_id | path | Required | Number (Integer) | text/plain | ID of saved search
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3299. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes
HTTP Response Code | Unique Code | Description
201 | | The vulnerability instance search is queued.
404 | 1002 | null
500 | 1020 | null

Response Description

The response returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
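The search lifecycle spread across the endpoints above (queue the search with GET /qvm/saved_searches/{saved_search_id}/vuln_instances, poll GET .../vuln_instances/{task_id}/status until a terminal state, page the results with the Range header, cancel with POST .../status?status=CANCELLED), as an added example that is not IBM's sample code. The caller supplies a transport callable (authentication is that transport's job and is not shown); the Range header is assumed to take the items=start-end form that the guide's paging syntax section describes; FakeQRadar is a constructed in-memory stand-in for the server so the flow runs offline, and the sample rows are made up. Error bodies carry the unique codes listed in the response-code tables (1002, 1004), and a completed task is refused cancellation with 409 exactly as Table 3286 documents.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Transport: (method, path, query, headers) -> (http_status, parsed JSON body). A real one wraps
# an HTTP library and adds the deployment's own authentication header (left out here).
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, object]]
TERMINAL = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED"}  # no point polling further
STATUS = "/qvm/saved_searches/vuln_instances/{tid}/status"
RESULTS = "/qvm/saved_searches/vuln_instances/{tid}/results/{kind}"


class QRadarError(Exception):
    def __init__(self, http_status: int, body: object):
        super().__init__(f"HTTP {http_status}: {body}")
        self.http_status = http_status  # keep both the HTTP status and the documented unique code
        self.code = body.get("code") if isinstance(body, dict) else None


class VulnInstanceSearch:
    def __init__(self, send: Transport, page_size: int = 50):
        self.send, self.page_size = send, page_size

    def _call(self, method, path, query=None, headers=None):
        hdrs = {"Accept": "application/json", **(headers or {})}
        status, body = self.send(method, path, query or {}, hdrs)
        if status >= 300:
            raise QRadarError(status, body)
        return body

    def start(self, saved_search_id: int) -> int:
        # GET /qvm/saved_searches/{id}/vuln_instances queues the search (201) and returns a task
        return self._call("GET", f"/qvm/saved_searches/{saved_search_id}/vuln_instances")["id"]

    def status(self, task_id: int) -> str:
        return self._call("GET", STATUS.format(tid=task_id))["status"]

    def wait(self, task_id: int, max_polls: int = 100) -> str:
        # Bounded polling loop: a task stuck in PROCESSING cannot hang the caller forever
        for _ in range(max_polls):
            state = self.status(task_id)
            if state in TERMINAL:
                return state
        raise TimeoutError(f"task {task_id} not finished after {max_polls} polls")

    def cancel(self, task_id: int) -> str:
        # POST .../status?status=CANCELLED; CANCELLED is the only accepted status value
        return self._call("POST", STATUS.format(tid=task_id), {"status": "CANCELLED"})["status"]

    def results(self, task_id: int, kind: str = "vuln_instances") -> List[dict]:
        # Page through the result set with the Range header (items=start-end, zero-indexed)
        rows, start = [], 0
        while True:
            rng = {"Range": f"items={start}-{start + self.page_size - 1}"}
            page = self._call("GET", RESULTS.format(tid=task_id, kind=kind), None, rng)
            rows.extend(page)
            if len(page) < self.page_size:  # a short or empty page ends the set
                return rows
            start += self.page_size


class FakeQRadar:
    # Constructed stand-in for the server (not the product): a task moves QUEUED -> PROCESSING
    # -> COMPLETED one step per status poll; error bodies carry the documented unique codes.
    def __init__(self, rows: List[dict]):
        self.rows, self.tasks, self.next_id = rows, {}, 1

    def __call__(self, method, path, query, headers):
        if re.fullmatch(r"/qvm/saved_searches/\d+/vuln_instances", path):
            tid, self.next_id = self.next_id, self.next_id + 1
            self.tasks[tid] = {"id": tid, "retention_period_in_days": 2, "status": "QUEUED"}
            return 201, dict(self.tasks[tid])
        m = re.fullmatch(r"/qvm/saved_searches/vuln_instances/(\d+)/(status|results/\w+)", path)
        task = self.tasks.get(int(m.group(1))) if m else None
        if task is None:
            return 404, {"code": 1002, "message": "Resource not found"}
        if m.group(2) != "status":  # results endpoint: honour the Range header
            lo, hi = re.fullmatch(r"items=(\d+)-(\d+)", headers.get("Range", "items=0-49")).groups()
            return 200, self.rows[int(lo):int(hi) + 1]
        if method == "GET":
            task["status"] = {"QUEUED": "PROCESSING", "PROCESSING": "COMPLETED"}.get(task["status"], task["status"])
        elif query.get("status") == "CANCELLED":
            if task["status"] in TERMINAL:
                return 409, {"code": 1004, "message": "The current status prevented cancellation"}
            task["status"] = "CANCELLED"
        return 200, dict(task)


def expect_error(fn, *args) -> Optional[Tuple[int, Optional[int]]]:
    try:  # run fn; report (http_status, unique_code) if it raised QRadarError, else None
        fn(*args)
    except QRadarError as err:
        return err.http_status, err.code
    return None


def run_demo() -> dict:
    rows = [{"id": i, "asset_id": 100 + i, "risk_score": 4.2} for i in range(7)]  # constructed rows
    client = VulnInstanceSearch(FakeQRadar(rows), page_size=3)
    tid = client.start(5)
    return {"task_id": tid, "final": client.wait(tid),
            "ids": [r["id"] for r in client.results(tid)],
            "cancel_completed": expect_error(client.cancel, tid),  # completed task: 409 / 1004
            "cancel_queued": client.cancel(client.start(5)),  # a fresh task cancels cleanly
            "unknown_task": expect_error(client.status, 99)}  # 404 / 1002
```

The client never trusts a single page: it keeps requesting the next Range window until a short page arrives, and it stops polling after a fixed number of attempts so an unresponsive task surfaces as an error rather than an endless loop. Swapping FakeQRadar for a real transport changes nothing in VulnInstanceSearch.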

POST /qvm/tickets/assign DEPRECATED


Updates the remediation ticket for the assigned vulnerability.
Table 3300. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 3301. POST /qvm/tickets/assign request body details
Parameter | Data Type | MIME Type | Description | Sample
ticket | JSON | application/json | 'ticketId': required. 'priority': required, one of Critical, Major, Minor, Warning, Informational. 'status': required, one of Opened, Fixed, Re-Opened, Closed. 'dueDate': optional, format yyyy-MM-dd HH:mm:ss. 'assignedUser': required, a valid QRadar user account name or a valid email. 'comment': optional, text. 'commentUser': optional, a valid QRadar user account name; if not included, it defaults to the current API user. | [ { "ticketId":"1000", "status":"Opened", "priority":"Critical", "dueDate":"2015-01-04 12:00:00", "assignedUser":"admin", "comment":"testComment", "commentUser":"admin" } ]

Table 3302. POST /qvm/tickets/assign response codes
HTTP Response Code | Unique Code | Description
200 | | The request to assign a ticket completed successfully.
420 | 9104 | An error occurred while trying to assign a ticket due to invalid arguments.

Response Description

A success message if the update succeeds.

Response Sample

GET /qvm/vulns DEPRECATED


Lists the vulnerabilities present in the asset model. The response contains all available RESTful resources.
Table 3303. GET /qvm/vulns resource details
MIME Type
application/json

Table 3304. GET /qvm/vulns request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
savedSearchId | query | Optional | String | text/plain | Id of saved search
savedSearchName | query | Optional | String | text/plain | Saved search name
filters | query | Optional | Array<Object> | application/json | List of JSON objects for application of bespoke query search dataset filter. Format [{"parameter":"<value>", "operator":"<value>", "value":"<value>"}] e.g. [{"parameter":"IPv4 Address", "operator":"Equals", "value":"10.100.85.111"}]

Table 3305. GET /qvm/vulns response codes
HTTP Response Code | Unique Code | Description
200 | | The request to retrieve vulnerabilities completed successfully.
420 | 9101 | Invalid search parameters, search cannot be performed.

Response Description

A list of vulnerability data.

Response Sample

Reference data endpoints


Use the references for REST API V7.0 reference data endpoints.

GET /reference_data/map_delete_tasks/{task_id} DEPRECATED


Retrieves the delete reference data map task status.



Table 3306. GET /reference_data/map_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 3307. GET /reference_data/map_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3308. GET /reference_data/map_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/reference_data/maps/map_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_dependent_tasks/{task_id} DEPRECATED


Retrieves the dependent reference data map task status.



Table 3309. GET /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3310. GET /reference_data/map_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3311. GET /reference_data/map_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_dependent_tasks/{task_id} DEPRECATED


Cancels the dependent reference data map task.



Table 3312. POST /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3313. POST /reference_data/map_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3314. POST /reference_data/map_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 3315. POST /reference_data/map_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The Delete task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_dependent_tasks/{task_id}/results DEPRECATED


Retrieves the reference data map dependent task results.



Table 3316. GET /reference_data/map_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 3317. GET /reference_data/map_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3318. GET /reference_data/map_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The reference data map dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the reference data maps.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. (Default resources can have localized names.)
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
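A consumer for the Dependent Task Status and Dependent objects described above, as an added example that is not IBM's code. It refuses to act on a task that is not yet COMPLETED (number_of_dependents is null until then, so it also serves as a check that the results list is complete), groups the dependents by type, and flags those the requesting user cannot edit, which is what decides whether a map can be cleaned up without involving another owner. The "blocking" field comes from the response sample rather than the field list; the sample task and dependents are constructed, and the safe-to-delete rule is this example's own policy, not the product's.

```python
from typing import Dict, List, Optional


def not_final_reason(task: dict, dependents: List[dict]) -> Optional[str]:
    """Why the result list must not be acted on yet, or None when it is final.
    number_of_dependents is null until the task completes, so it doubles as a sanity check
    that the results fetched afterwards are the complete set."""
    if task.get("status") != "COMPLETED":
        return f"task {task.get('id')} is {task.get('status')}, not COMPLETED"
    if task.get("number_of_dependents") != len(dependents):
        return f"expected {task.get('number_of_dependents')} dependents, got {len(dependents)}"
    return None


def deletion_report(task: dict, dependents: List[dict]) -> dict:
    """Group the Dependent objects and list what stands in the way of removing the map.
    The safe-to-delete rule is this example's own policy, not the product's: nothing is
    marked blocking and the requesting user can edit every dependent."""
    reason = not_final_reason(task, dependents)
    if reason:
        raise ValueError(reason)

    def label(dep: dict) -> str:
        return f'{dep["dependent_type"]}:{dep["dependent_id"]}'

    by_type: Dict[str, int] = {}
    for dep in dependents:
        by_type[dep["dependent_type"]] = by_type.get(dep["dependent_type"], 0) + 1
    blocking = [label(d) for d in dependents if d.get("blocking")]  # field seen in the sample
    needs_other_owner = [f'{label(d)} (owner {d["dependent_owner"]})' for d in dependents
                         if not d.get("user_has_edit_permissions", False)]
    return {"by_type": by_type, "blocking": blocking, "needs_other_owner": needs_other_owner,
            "safe_to_delete": not blocking and not needs_other_owner}


# Constructed sample answers shaped like the Response Samples above; every value is made up.
SAMPLE_TASK = {"id": 7, "name": "map dependents", "status": "COMPLETED", "created_by": "admin",
               "number_of_dependents": 3, "maximum": 3, "progress": 3, "message": "done"}
SAMPLE_DEPENDENTS = [
    {"blocking": True, "dependent_database": "EVENTS", "dependent_group_ids": [1],
     "dependent_id": "rule-100", "dependent_name": "Excessive failed logins",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE", "user_has_edit_permissions": True},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [],
     "dependent_id": "ss-42", "dependent_name": "Watchlist hits", "dependent_owner": "analyst2",
     "dependent_type": "ARIEL_SAVED_SEARCH", "user_has_edit_permissions": False},
    {"blocking": False, "dependent_database": "EVENTS", "dependent_group_ids": [3],
     "dependent_id": "dash-9", "dependent_name": "SOC overview", "dependent_owner": "admin",
     "dependent_type": "DASHBOARD", "user_has_edit_permissions": True},
]


def run_demo() -> dict:
    return deletion_report(SAMPLE_TASK, SAMPLE_DEPENDENTS)
```

Feed deletion_report the status object from GET /reference_data/map_dependent_tasks/{task_id} and the list from GET .../results; a task still PROCESSING raises instead of producing a report that would understate the dependents.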

GET /reference_data/map_of_sets DEPRECATED


Retrieves a list of all reference maps of sets.
Table 3319. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 3320. GET /reference_data/map_of_sets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3321. GET /reference_data/map_of_sets response codes


HTTP Response Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference
map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/map_of_sets DEPRECATED


Create a new reference map of sets.
Table 3322. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 3323. POST /reference_data/map_of_sets request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | query | Required | String | text/plain | Required - The name of the reference map of sets to create
element_type | query | Required | String | text/plain | Required - The element type for the values allowed in the reference map of sets. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
key_label | query | Optional | String | text/plain | Optional - The label to describe the keys
value_label | query | Optional | String | text/plain | Optional - The label to describe the data values
timeout_type | query | Optional | String | text/plain | Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live | query | Optional | String | text/plain | Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3324. POST /reference_data/map_of_sets response codes
HTTP Response Code | Unique Code | Description
201 | | A new reference map of sets was successfully created
409 | 1004 | The reference map of sets could not be created, the name provided is already in use. Please change the name and try again.
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to create the reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/bulk_load/{name} DEPRECATED


Adds or updates data in a reference map of sets.

Table 3325. POST /reference_data/map_of_sets/bulk_load/{name} resource details
MIME Type
application/json

Table 3326. POST /reference_data/map_of_sets/bulk_load/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the map of sets to add or update data in.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3327. POST /reference_data/map_of_sets/bulk_load/{name} request body details
Parameter | Data Type | MIME Type | Description | Sample
data | Array | application/json | Required - The JSON-formatted data to add or update in the reference map of sets. | {"key1":["Data11","Data12"], "key2":["Data21","Data22"], "key3":["Data31","Data32"], "key4":["Data41","Data42"], "key5":["Data51","Data52"], "key6":["Data61","Data62"]}

Table 3328. POST /reference_data/map_of_sets/bulk_load/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | Data was successfully added or updated in the reference map of sets.
400 | 1001 | An error occurred parsing the JSON-formatted message body.
404 | 1002 | The reference map of sets does not exist.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to add or update data in the reference map of sets.

Response Description

Information about the reference map of sets where data was added or updated. This returns information
about the reference map of sets but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/map_of_sets/{name} DEPRECATED

Return the reference map of sets identified by name. If provided, limit specifies the number of records to return starting at the record that is specified by offset. If the number is not specified, then the first 20 records are returned.
Table 3329. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 3330. GET /reference_data/map_of_sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to retrieve
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3331. GET /reference_data/map_of_sets/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has been retrieved
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to retrieve the reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The portion of the reference
map of sets' data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name} DEPRECATED


Add or update an element in a reference map of sets.
Table 3332. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 3333. POST /reference_data/map_of_sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to add or update an element in
key | query | Required | String | text/plain | Required - The key of the set to add or update
value | query | Required | String | text/plain | Required - The value to add or update in the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source | query | Optional | String | text/plain | Optional - This indicates where the data originated. The default value is 'reference data api'
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3334. POST /reference_data/map_of_sets/{name} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has had an element added or updated
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to add or update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or updated. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
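The three write endpoints above (POST /reference_data/map_of_sets in Table 3323, POST /reference_data/map_of_sets/bulk_load/{name} in Table 3327 and POST /reference_data/map_of_sets/{name} in Table 3333) all take values typed by the map's element_type and expect DATE values as milliseconds since the Unix epoch. The following Python is an added example, not code from IBM or from this guide: it validates each value against the element_type before building the request, so a malformed IP, an out-of-range port or a date given in seconds is rejected on the client instead of producing a 422 or a silently wrong 1970 timestamp. Nothing here talks to the network; each builder returns (method, url, headers, body) for the caller's own HTTP client. BASE_URL, the SEC token header and the watchlist sample data are assumptions made for the example.

```python
import ipaddress
import json
from urllib.parse import quote, urlencode

# Assumptions for this example: the console's API base URL and the token
# header. Replace the placeholder with a real authorized service token.
BASE_URL = "https://qradar.example.invalid/api"
HEADERS = {"Accept": "application/json", "SEC": "<authorized-service-token>"}

ELEMENT_TYPES = ("ALN", "ALNIC", "IP", "PORT", "NUM", "DATE")
TIMEOUT_TYPES = ("UNKNOWN", "FIRST_SEEN", "LAST_SEEN")


def validate_element(element_type, value):
    """Return `value` as the string the API expects, or raise ValueError.

    Rules follow the element_type list in Table 3323: ALN/ALNIC are
    non-empty strings, IP must parse as an IPv4/IPv6 address, PORT is
    0-65535, NUM is numeric, DATE is milliseconds since the Unix epoch.
    """
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element_type {element_type!r}")
    text = str(value).strip()
    if element_type in ("ALN", "ALNIC"):
        if not text:
            raise ValueError("empty value")
        return text
    if element_type == "IP":
        return str(ipaddress.ip_address(text))  # ValueError on malformed input
    if element_type == "PORT":
        port = int(text)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return str(port)
    if element_type == "NUM":
        float(text)  # ValueError if not numeric
        return text
    # DATE: epoch *milliseconds*. Epoch seconds (about 1.7e9 today) would be
    # stored as a 1970 timestamp, so reject anything below 10**11 ms.
    millis = int(text)
    if millis < 10**11:
        raise ValueError("DATE must be milliseconds since the Unix epoch")
    return str(millis)


def create_request(name, element_type, timeout_type="UNKNOWN", time_to_live=None,
                   key_label=None, value_label=None):
    """POST /reference_data/map_of_sets: every argument is a query parameter."""
    if element_type not in ELEMENT_TYPES or timeout_type not in TIMEOUT_TYPES:
        raise ValueError("bad element_type or timeout_type")
    params = {"name": name, "element_type": element_type, "timeout_type": timeout_type}
    for key, val in (("time_to_live", time_to_live), ("key_label", key_label),
                     ("value_label", value_label)):
        if val is not None:
            params[key] = val
    return "POST", f"{BASE_URL}/reference_data/map_of_sets?{urlencode(params)}", HEADERS, None


def bulk_load_request(name, element_type, mapping):
    """POST /reference_data/map_of_sets/bulk_load/{name}: the body is a JSON
    object of key -> list of values (Table 3327). Every value is validated
    before serialising, so a bad record is caught locally, before any
    request is sent."""
    if not mapping:
        raise ValueError("nothing to load")
    body = {str(key): [validate_element(element_type, v) for v in vals]
            for key, vals in mapping.items()}
    url = f"{BASE_URL}/reference_data/map_of_sets/bulk_load/{quote(name, safe='')}"
    return "POST", url, {**HEADERS, "Content-Type": "application/json"}, json.dumps(body)


def add_element_request(name, element_type, key, value, source=None):
    """POST /reference_data/map_of_sets/{name}: key, value and the optional
    source travel in the query string; the map name is a path segment and is
    percent-encoded because names may contain spaces."""
    params = {"key": key, "value": validate_element(element_type, value)}
    if source:
        params["source"] = source
    url = f"{BASE_URL}/reference_data/map_of_sets/{quote(name, safe='')}?{urlencode(params)}"
    return "POST", url, HEADERS, None


if __name__ == "__main__":
    # Constructed sample data: a map of sets of IP addresses keyed by campaign.
    print(create_request("Watchlist IPs", "IP", "LAST_SEEN", "30 days"))
    print(bulk_load_request("Watchlist IPs", "IP",
                            {"campaign-a": ["192.0.2.10", "192.0.2.11"],
                             "campaign-b": ["198.51.100.7"]}))
    print(add_element_request("Watchlist IPs", "IP", "campaign-a", "203.0.113.5", "ti-feed"))
```

The DATE check is deliberately strict: a client that forgets to multiply by 1000 would otherwise create an entry whose first_seen/last_seen and time_to_live handling are computed from a 1970 timestamp, which is far harder to notice than a rejected request.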

DELETE /reference_data/map_of_sets/{name} DEPRECATED


Remove a map of sets or purge its contents.
Table 3335. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 3336. DELETE /reference_data/map_of_sets/{name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to remove or purge
purge_only | query | Optional | String | text/plain | Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map of sets should have its contents purged (true), keeping the reference map of sets structure. If the value is "false" or not specified the reference map of sets will be removed completely.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3337. DELETE /reference_data/map_of_sets/{name} response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Map of Sets deletion or purge request has been accepted and is in progress
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove or purge values from the reference map of sets

Response Description

A status_id that can be used to retrieve the Reference Data Map of Sets deletion or purge status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents DEPRECATED


Retrieves the dependents of the Map of Sets.

Initiates the retrieval of dependents of the Map of Sets.


Table 3338. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 3339. GET /reference_data/map_of_sets/{name}/dependents request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to retrieve dependents for
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3340. GET /reference_data/map_of_sets/{name}/dependents response codes
HTTP Response Code | Unique Code | Description
202 | | The Reference Data Map of Sets dependent retrieval request has been accepted and is in progress
404 | 1002 | The reference map of sets does not exist
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to get the dependents for the reference map of sets

Response Description

A status_id that can be used to retrieve the Reference Data Map of Sets dependent retrieval status at /api/system/task_management/task/{status_id}. You can also find the URL in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/map_of_sets/{name}/{key} DEPRECATED


Remove a value from a reference map of sets.

Table 3341. DELETE /reference_data/map_of_sets/{name}/{key} resource details
MIME Type
application/json

Table 3342. DELETE /reference_data/map_of_sets/{name}/{key} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference map of sets to remove a value from
key | path | Required | String | text/plain | Required - The key of the value to remove
value | query | Required | String | text/plain | Required - The value to remove from the reference map of sets. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3343. DELETE /reference_data/map_of_sets/{name}/{key} response codes
HTTP Response Code | Unique Code | Description
200 | | The reference map of sets has had a value removed
404 | 1002 | The reference map of sets does not exist
404 | 1003 | The record does not exist in the reference map of sets
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove the reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns information about the
reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets_delete_tasks/{task_id} DEPRECATED


Retrieves the delete reference data map of sets task status.

Table 3344. GET /reference_data/map_of_sets_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 3345. GET /reference_data/map_of_sets_delete_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3346. GET /reference_data/map_of_sets_delete_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,

CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id} DEPRECATED


Retrieves the dependent reference data map of sets task status.

Table 3347. GET /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3348. GET /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3349. GET /reference_data/map_of_sets_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time in milliseconds since epoch since the sub-task was created.
  – started - Long - The time in milliseconds since epoch since the sub-task was started.
  – modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  – completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,

"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_of_sets_dependent_tasks/{task_id} DEPRECATED


Cancels the dependent reference data map of sets task.

Table 3350. POST /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3351. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3352. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 3353. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
• id - Long - The ID of the task.
• message - String - The localized task message.
• status - String - The current state of the task.
• name - String - The name of the task.
• created_by - String - The name of the user who started the task.
• cancelled_by - String - The name of the user who requested to cancel the task.
• created - Long - The time in milliseconds since epoch since the task was created.
• started - Long - The time in milliseconds since epoch since the task was started.
• modified - Long - The time in milliseconds since epoch since the task was modified.
• completed - Long - The time in milliseconds since epoch since the task was completed.
• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
• maximum - Long - The maximum number of objects to check for dependency.
• progress - Long - The number of objects that were checked for dependency.
• task_components - Array - An array of task component objects. A task component object contains the following fields:
  – message - String - The localized sub-task status message.
  – status - String - The current state of the sub-task.
  – sub_task_type - String - The type of the sub-task.
  – maximum - Long - The maximum number of objects to check for dependency.
  – progress - Long - The number of objects that were checked for dependency.
  – created - Long - The time in milliseconds since epoch since the sub-task was created.
  – started - Long - The time in milliseconds since epoch since the sub-task was started.
  – modified - Long - The time in milliseconds since epoch since the sub-task was modified.
  – completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results DEPRECATED


Retrieves the reference data map of sets dependent task results.

Table 3354. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 3355. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | null
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3356. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results response codes
HTTP Response Code | Unique Code | Description
200 | | The reference data map of sets dependents have been retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the reference data map of sets.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
• dependent_id - String - The ID of the dependent resource.
• dependent_name - String - The name of the dependent resource (default resources can have localized names).
• dependent_owner - String - The owner of the dependent resource.
• dependent_type - String - The type of the dependent resource.
• dependent_database - String - The database of the dependent resource.
• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
• user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]
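The dependents workflow spread over the preceding sections is a three-step asynchronous exchange: GET /reference_data/map_of_sets/{name}/dependents answers 202 with a task, GET /reference_data/map_of_sets_dependent_tasks/{task_id} is polled until the task reaches a terminal status, and GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results returns the Dependent objects. It is the check an administrator runs before DELETE /reference_data/map_of_sets/{name} (which follows the same 202-then-poll pattern), because rules and saved searches that reference the map of sets stop matching once its data is gone. The following Python is an added example, not IBM's code or anything from this guide: it runs the exchange through an injected `http` callable so it works offline against a constructed fake console; BASE_URL, the task id and the sample dependents are assumptions made for the example.

```python
import re
from urllib.parse import quote

BASE_URL = "https://qradar.example.invalid/api"  # assumption for this example

# Task statuses after which polling must stop (from the status enums above).
TERMINAL = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}


def task_id_from_location(location):
    """Pull the numeric task id off a Location header such as
    /api/system/task_management/task/{status_id}."""
    match = re.search(r"/(\d+)/?$", location)
    if not match:
        raise ValueError(f"no task id in Location header: {location!r}")
    return int(match.group(1))


def poll_task(http, task_url, max_polls=30):
    """GET task_url until the status is terminal; a real client sleeps between polls."""
    for _ in range(max_polls):
        code, _headers, task = http("GET", task_url)
        if code != 200:
            raise RuntimeError(f"task status lookup failed: HTTP {code}")
        if task["status"] in TERMINAL:
            return task
    raise TimeoutError(f"task at {task_url} not finished after {max_polls} polls")


def find_dependents(http, name):
    """Run the 202 / poll / results exchange for one map of sets."""
    url = f"{BASE_URL}/reference_data/map_of_sets/{quote(name, safe='')}/dependents"
    code, headers, _body = http("GET", url)
    if code == 404:
        raise LookupError(f"map of sets {name!r} does not exist (unique code 1002)")
    if code != 202:
        raise RuntimeError(f"unexpected HTTP {code} when starting dependents task")
    task_id = task_id_from_location(headers["Location"])
    task_url = f"{BASE_URL}/reference_data/map_of_sets_dependent_tasks/{task_id}"
    task = poll_task(http, task_url)
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependents task ended {task['status']}: {task.get('message')}")
    code, _headers, results = http("GET", task_url + "/results")
    if code != 200:
        raise RuntimeError(f"results fetch failed: HTTP {code}")
    return results


def summarize(dependents):
    """Group dependents by type and list those the caller cannot edit; the
    second list is what must go to other owners before a DELETE is issued."""
    by_type, not_editable = {}, []
    for dep in dependents:
        by_type.setdefault(dep["dependent_type"], []).append(dep["dependent_name"])
        if not dep.get("user_has_edit_permissions", False):
            not_editable.append(dep["dependent_name"])
    return by_type, not_editable


# ---- constructed stand-in for a QRadar console, so the flow runs offline ----
SAMPLE_DEPENDENTS = [  # constructed records in the Dependent object shape
    {"dependent_id": "100001", "dependent_name": "Constructed: watchlist IP contacted",
     "dependent_owner": "admin", "dependent_type": "CRE_RULE",
     "user_has_edit_permissions": True},
    {"dependent_id": "2048", "dependent_name": "Constructed: weekly watchlist hits",
     "dependent_owner": "soc-analyst", "dependent_type": "ARIEL_SAVED_SEARCH",
     "user_has_edit_permissions": False},
]


def make_fake_http(statuses, dependents, task_id=7):
    """Scripted server: each poll of the task returns the next entry of `statuses`."""
    polls = [0]

    def http(method, url):
        location = f"/api/system/task_management/task/{task_id}"
        if url.endswith("/dependents"):
            body = {"current_status": {"id": task_id, "status": statuses[0]},
                    "message": "accepted", "status_location": location}
            return 202, {"Location": location}, body
        if url.endswith("/results"):
            return 200, {}, dependents
        if "/map_of_sets_dependent_tasks/" in url:
            status = statuses[min(polls[0], len(statuses) - 1)]
            polls[0] += 1
            return 200, {}, {"id": task_id, "status": status, "message": status.lower()}
        return 404, {}, None

    return http


if __name__ == "__main__":
    fake = make_fake_http(["QUEUED", "PROCESSING", "COMPLETED"], SAMPLE_DEPENDENTS)
    by_type, not_editable = summarize(find_dependents(fake, "Watchlist IPs"))
    print(by_type)
    print("needs another owner:", not_editable)
```

The terminal-status set matters: a poller that only waits for COMPLETED spins forever on a task that ended in EXCEPTION or CONFLICT, so the loop stops on any terminal status and the caller decides whether the outcome is usable.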

GET /reference_data/maps DEPRECATED
Retrieve a list of all reference maps.
Table 3357. GET /reference_data/maps resource details
MIME Type
application/json

Table 3358. GET /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3359. GET /reference_data/maps response codes

HTTP Response Code Unique Code Description
200 The reference map list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps DEPRECATED
Create a new reference map.
Table 3360. POST /reference_data/maps resource details
MIME Type
application/json

Table 3361. POST /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference map to create
key_label query Optional String text/plain Optional - The label to describe the keys
value_label query Optional String text/plain Optional - The label to describe the data values
element_type query Required String text/plain Required - The element type for the values allowed in the reference map. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3362. POST /reference_data/maps response codes

HTTP Response Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created: the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/bulk_load/{name} DEPRECATED

Adds or updates data in a reference map.
Table 3363. POST /reference_data/maps/bulk_load/{name} resource details
MIME Type
application/json

Table 3364. POST /reference_data/maps/bulk_load/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the map to add or update data in.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3365. POST /reference_data/maps/bulk_load/{name} request body details

Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON-formatted data to add or update in the reference map. {"key1":"Data1", "key2":"Data2", "key3":"Data3", "key4":"Data4", "key5":"Data5", "key6":"Data6"}

Table 3366. POST /reference_data/maps/bulk_load/{name} response codes

HTTP Response Code Unique Code Description
200 Data was successfully added or updated in the reference map.
400 1001 An error occurred parsing the JSON-formatted message body.
404 1002 The reference map does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or update data in the reference map.

Response Description

Information about the reference map where data was added or updated. This returns information about
the reference map but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
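An added example (not IBM's code and not part of this guide) that drives the two endpoints above, POST /reference_data/maps and POST /reference_data/maps/bulk_load/{name}, with the value checks a loader should run before anything is sent. The console URL, the SEC header, the "code" field in error bodies, the transport callable and FakeConsole are assumptions, not taken from the page.

```python
"""Added example, not IBM's code: a client for the deprecated POST
/reference_data/maps and POST /reference_data/maps/bulk_load/{name} endpoints
above that checks every value against the map's element_type before sending.

Assumptions (not from the page): BASE_URL is a placeholder console, auth is a
SEC header holding an authorized-service token, error bodies carry the unique
code in a "code" field, and transport(method, url, params, headers, body)
returns (http_status, json_body); FakeConsole is a constructed stand-in.
"""
import ipaddress
import json
from typing import Callable, Dict, Optional, Tuple

Transport = Callable[[str, str, dict, dict, Optional[str]], Tuple[int, object]]
BASE_URL = "https://qradar.example.invalid/api"   # placeholder host
ELEMENT_TYPES = {"ALN", "ALNIC", "IP", "PORT", "NUM", "DATE"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}


def value_problem(element_type: str, value: str) -> Optional[str]:
    """Return why the server would refuse the value (422, unique code 1005),
    or None if it is acceptable. DATE values must be milliseconds since the
    Unix epoch, as the parameter table states; ALN/ALNIC accept any string."""
    try:
        if element_type == "IP":
            ipaddress.ip_address(value)
        elif element_type == "PORT" and not 0 <= int(value) <= 65535:
            return f"port out of range: {value}"
        elif element_type == "NUM":
            float(value)
        elif element_type == "DATE" and int(value) < 0:
            return f"DATE must be non-negative ms since the epoch: {value}"
        elif element_type not in ELEMENT_TYPES:
            return f"unknown element_type {element_type!r}"
    except ValueError as exc:            # int()/float()/ip_address() parse failures
        return str(exc)
    return None


def create_map(transport: Transport, token: str, name: str, element_type: str,
               timeout_type: str = "UNKNOWN", **optional: str) -> dict:
    """POST /reference_data/maps; every input is a query parameter (Table 3361).
    409 / unique code 1004 means the name is taken: the existing map is fetched
    with GET /reference_data/maps/{name} and reused only if its element_type
    matches, so data never lands in a map of the wrong type."""
    if element_type not in ELEMENT_TYPES or timeout_type not in TIMEOUT_TYPES:
        raise ValueError("bad element_type or timeout_type")
    params = dict(optional, name=name, element_type=element_type, timeout_type=timeout_type)
    headers = {"SEC": token, "Accept": "application/json"}
    status, body = transport("POST", f"{BASE_URL}/reference_data/maps", params, headers, None)
    if status == 201:
        return body
    if status == 409 and body.get("code") == 1004:
        status, body = transport("GET", f"{BASE_URL}/reference_data/maps/{name}", {}, headers, None)
        if status == 200 and body.get("element_type") == element_type:
            return body
        raise RuntimeError(f"{name!r} exists but is not a {element_type} map: {body}")
    raise RuntimeError(f"create_map failed: HTTP {status} {body}")


def bulk_load(transport: Transport, token: str, name: str, element_type: str,
              data: Dict[str, str]) -> dict:
    """POST /reference_data/maps/bulk_load/{name} with a JSON object body
    (Table 3365). One bad value rejects the whole batch before it is sent."""
    problems = {k: p for k, v in data.items() if (p := value_problem(element_type, v))}
    if problems or not data:
        raise ValueError(f"refusing bulk load: {problems or 'empty batch'}")
    headers = {"SEC": token, "Accept": "application/json",
               "Content-Type": "application/json"}
    status, resp = transport("POST", f"{BASE_URL}/reference_data/maps/bulk_load/{name}",
                             {}, headers, json.dumps(data))
    if status != 200:
        raise RuntimeError(f"bulk_load failed: HTTP {status} {resp}")
    return resp


class FakeConsole:
    """Constructed stand-in for the console: one IP map already exists, so the
    create call takes the 409 path; the bulk load counts what it receives."""
    def __init__(self):
        self.maps = {"blocked_hosts": {"name": "blocked_hosts", "element_type": "IP",
                                       "number_of_elements": 0, "timeout_type": "UNKNOWN"}}

    def __call__(self, method, url, params, headers, body):
        path = url[len(BASE_URL):]
        if method == "POST" and path == "/reference_data/maps":
            if params["name"] in self.maps:
                return 409, {"code": 1004, "message": "name already in use"}
            self.maps[params["name"]] = dict(params, number_of_elements=0)
            return 201, self.maps[params["name"]]
        target = self.maps.get(path.rsplit("/", 1)[-1])
        if target is None:
            return 404, {"code": 1002, "message": "The reference map does not exist"}
        if method == "POST" and path.startswith("/reference_data/maps/bulk_load/"):
            target["number_of_elements"] += len(json.loads(body))
        return 200, target


def demo() -> dict:
    """Create-or-reuse the map, then load two constructed hostname -> address rows."""
    console = FakeConsole()
    create_map(console, "TOKEN", "blocked_hosts", "IP", key_label="hostname")
    return bulk_load(console, "TOKEN", "blocked_hosts", "IP",
                     {"mail-gw-01": "10.0.0.5", "vpn-edge-02": "10.0.0.9"})
```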

GET /reference_data/maps/{name} DEPRECATED


Retrieve the reference map identified by name. If it is provided, limit specifies the number of records to return starting at the record that is specified by offset. If the number is not specified, then the first 20 records are returned.
Table 3367. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 3368. GET /reference_data/maps/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3369. GET /reference_data/maps/{name} response codes

HTTP Response Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference map

Response Description

The reference map identified by the name specified in the request. The portion of the reference map's
data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name} DEPRECATED


Add or update an element in a reference map.
Table 3370. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 3371. POST /reference_data/maps/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to add or update an element in
key query Required String text/plain Required - The key whose value we want to add or update
value query Required String text/plain Required - The value to add or update in the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3372. POST /reference_data/maps/{name} response codes

HTTP Response Code Unique Code Description
200 The reference map has had an element added or updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This returns information about the reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name} DEPRECATED


Remove a reference map or purge its contents.
Table 3373. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 3374. DELETE /reference_data/maps/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference map should have its contents purged (true), keeping the reference map structure. If the value is "false" or not specified the reference map will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3375. DELETE /reference_data/maps/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Maps deletion or purge request has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference map

Response Description

A status_id with which to retrieve the Reference Data Maps deletion or purge status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents DEPRECATED


Retrieves the dependents of the map.
Table 3376. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 3377. GET /reference_data/maps/{name}/dependents request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3378. GET /reference_data/maps/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Maps dependent retrieval request has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference map

Response Description

A status_id with which to retrieve the Reference Data Maps dependent retrieval status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}
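An added example (not IBM's code) for the 202 flow shared by DELETE /reference_data/maps/{name} and GET /reference_data/maps/{name}/dependents above: it polls status_location until the task reaches a terminal state, fetches result_url, and vetoes a removal when a rule still depends on the map. The get() callable, the shape of the object served at status_location, and the FakeConsole payloads are assumptions, not from the page.

```python
"""Added example, not IBM's code: follow the 202 responses documented above for
DELETE /reference_data/maps/{name} and GET /reference_data/maps/{name}/dependents,
then use the dependents result to decide whether a map can be removed without
silently breaking the rules that read it.

Assumptions (not from the page): get(url) is any callable doing an authenticated
GET that returns (http_status, json_body); the object served at status_location
has the shape of the current_status object in the 202 sample (status, progress,
result_url); FakeConsole and its task and dependent payloads are constructed.
"""
from typing import Callable, List, Tuple

GetFn = Callable[[str], Tuple[int, object]]
TERMINAL = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED"}
# Dependents that keep evaluating against the map: losing it means rules stop
# matching with no error raised anywhere an analyst would see.
RULE_LIKE = {"CRE_RULE", "CRE_ADE_RULE", "BUILDING_BLOCK"}


def wait_for_task(get: GetFn, accepted: dict, max_polls: int = 100) -> dict:
    """Poll the status_location from a 202 body (Tables 3375 and 3378) until the
    task reaches a terminal state; anything other than COMPLETED is an error."""
    url = accepted["status_location"]
    state = accepted["current_status"]["status"]
    for _ in range(max_polls):
        status, task = get(url)
        if status != 200:
            raise RuntimeError(f"task status fetch failed: HTTP {status} {task}")
        state = task["status"]
        if state == "COMPLETED":
            return task
        if state in TERMINAL:
            raise RuntimeError(f"task {task.get('id')} ended {state}: {task.get('message')}")
    raise TimeoutError(f"task at {url} still {state} after {max_polls} polls")


def blocking_dependents(dependents: List[dict]) -> List[dict]:
    """Dependents that should veto deletion: those the server marks blocking,
    plus rule-type dependents (see RULE_LIKE)."""
    return [d for d in dependents
            if d.get("blocking") or d.get("dependent_type") in RULE_LIKE]


def can_remove_map(get: GetFn, dependents_accepted: dict) -> Tuple[bool, List[str]]:
    """Resolve a dependents task to its results; return (safe, reasons_not_to)."""
    task = wait_for_task(get, dependents_accepted)
    status, deps = get(task["result_url"])
    if status != 200:
        raise RuntimeError(f"dependents result fetch failed: HTTP {status}")
    reasons = [f"{d['dependent_type']} {d['dependent_name']!r} owned by {d['dependent_owner']}"
               for d in blocking_dependents(deps)]
    return (not reasons, reasons)


class FakeConsole:
    """Constructed console: the dependents task reports PROCESSING for two polls,
    then COMPLETED; the results list holds a dashboard and a rule."""
    STATUS_URL = "/api/system/task_management/task/7"
    RESULT_URL = "/api/constructed/task/7/results"   # placeholder, not a real path

    def __init__(self):
        self.polls = 0
        self.task = {"id": 7, "status": "PROCESSING", "progress": 0, "maximum": 2,
                     "message": "Finding dependents", "result_url": self.RESULT_URL}
        self.deps = [
            {"dependent_id": "1", "dependent_name": "SOC overview", "dependent_type": "DASHBOARD",
             "dependent_owner": "analyst1", "dependent_database": "EVENTS",
             "dependent_group_ids": [], "blocking": False, "user_has_edit_permissions": True},
            {"dependent_id": "2", "dependent_name": "Known bad host", "dependent_type": "CRE_RULE",
             "dependent_owner": "admin", "dependent_database": "EVENTS",
             "dependent_group_ids": [42], "blocking": False, "user_has_edit_permissions": False},
        ]

    def __call__(self, url):
        if url == self.STATUS_URL:
            self.polls += 1
            if self.polls >= 3:
                self.task.update(status="COMPLETED", progress=2)
            return 200, dict(self.task)
        if url == self.RESULT_URL and self.task["status"] == "COMPLETED":
            return 200, list(self.deps)
        return 404, {"code": 1002, "message": "not found"}


def demo() -> Tuple[bool, List[str]]:
    """Drive the flow against the constructed console: the map is not safe
    to delete because a rule depends on it."""
    console = FakeConsole()
    accepted = {"current_status": dict(console.task), "message": "Task queued",
                "status_location": FakeConsole.STATUS_URL}
    return can_remove_map(console, accepted)
```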

DELETE /reference_data/maps/{name}/{key} DEPRECATED

Remove a value from a reference map.
Table 3379. DELETE /reference_data/maps/{name}/{key} resource details
MIME Type
application/json

Table 3380. DELETE /reference_data/maps/{name}/{key} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference map to remove a value from
key path Required String text/plain Required - The key of the value to remove
value query Required String text/plain Required - The value to remove from the reference map. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3381. DELETE /reference_data/maps/{name}/{key} response codes

HTTP Response Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the value from the reference map

Response Description

Information about the reference map that had an element removed. This returns information about the map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/set_delete_tasks/{task_id} DEPRECATED

Retrieves the delete reference data set task status.
Table 3382. GET /reference_data/set_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 3383. GET /reference_data/set_delete_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3384. GET /reference_data/set_delete_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/reference_data/sets/set_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/set_dependent_tasks/{task_id} DEPRECATED

Retrieves the dependent reference data set task status.
Table 3385. GET /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3386. GET /reference_data/set_dependent_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3387. GET /reference_data/set_dependent_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/set_dependent_tasks/{task_id} DEPRECATED

Cancels the dependent reference data set task.
Table 3388. POST /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3389. POST /reference_data/set_dependent_tasks/{task_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3390. POST /reference_data/set_dependent_tasks/{task_id} request body details

Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 3391. POST /reference_data/set_dependent_tasks/{task_id} response codes

HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the task.
v created - Long - The time, in milliseconds since the epoch, at which the task was created.
v started - Long - The time, in milliseconds since the epoch, at which the task was started.
v modified - Long - The time, in milliseconds since the epoch, at which the task was modified.
v completed - Long - The time, in milliseconds since the epoch, at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time, in milliseconds since the epoch, at which the sub-task was created.
– started - Long - The time, in milliseconds since the epoch, at which the sub-task was started.
– modified - Long - The time, in milliseconds since the epoch, at which the sub-task was modified.
– completed - Long - The time, in milliseconds since the epoch, at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/set_dependent_tasks/{task_id}/results DEPRECATED

Retrieves the reference data set dependent task results.
Table 3392. GET /reference_data/set_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 3393. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter details

Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3394. GET /reference_data/set_dependent_tasks/{task_id}/results response codes

HTTP Response Code Unique Code Description
200 The reference data set dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the reference data sets.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/sets DEPRECATED


Retrieve a list of all reference sets.
Table 3395. GET /reference_data/sets resource details
MIME Type
application/json

Table 3396. GET /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3397. GET /reference_data/sets response codes

HTTP Response Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/sets DEPRECATED


Create a new reference set.
Table 3398. POST /reference_data/sets resource details
MIME Type
application/json

Table 3399. POST /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference set being created
element_type query Required String text/plain Required - The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3400. POST /reference_data/sets response codes
HTTP Response Code Unique Code Description
201 A new reference set was successfully created
409 1004 The reference set could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name} DEPRECATED


Add or update data in a reference set.
Table 3401. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 3402. POST /reference_data/sets/bulk_load/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the set to add or update data in
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3403. POST /reference_data/sets/bulk_load/{name} request body details

Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON formatted data to add or update in the reference set ["String", "String", "String", "String", "String", "String", "String", "String", "String", "String", "String"]

Table 3404. POST /reference_data/sets/bulk_load/{name} response codes
HTTP Response Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns information about the
reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name} DEPRECATED


Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 3405. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 3406. GET /reference_data/sets/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3407. GET /reference_data/sets/{name} response codes


HTTP Response Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference set

Response Description

The reference set identified by the name specified in the request. The portion of the set's data returned is
dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
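The Range header and the per-element first_seen/last_seen fields described for this endpoint make it straightforward to audit a reference set from a script, for example to find watchlist entries that have not been seen for a long time. The following is an added example, not IBM sample code: it assumes the Range header takes the "items=first-last" form from the Paging syntax chapter, and the transport callable, fake_transport and the blocked_ips set are constructed stand-ins for a live console (a real transport would wrap an HTTPS request carrying the SEC token).

```python
"""Walk a reference set page by page with the Range header and flag stale entries.

Added example (not IBM's sample code). It assumes the Range header takes the
"items=first-last" form described in the guide's Paging syntax chapter, and it
talks to the API through a small transport callable so the logic runs offline
against constructed data.
"""
import json
from typing import Callable, Dict, Iterator, List, Tuple

# transport(path, headers) -> (http_status, body_text); in production this would
# wrap an HTTPS GET of base_url + path with the SEC header and CA verification.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]

SET_PATH = "/api/reference_data/sets/{name}"


def fetch_set_page(transport: Transport, name: str, first: int, last: int) -> dict:
    """GET /reference_data/sets/{name} for elements first..last (zero-indexed, inclusive)."""
    status, body = transport(SET_PATH.format(name=name), {"Range": f"items={first}-{last}"})
    if status == 404:
        # unique code 1002 in the response codes table
        raise LookupError(f"reference set {name!r} does not exist")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} for {name!r}: {body}")
    return json.loads(body)


def iter_set_elements(transport: Transport, name: str, page_size: int = 50) -> Iterator[dict]:
    """Yield every element of the set, one Range request per page_size elements."""
    first = 0
    while True:
        page = fetch_set_page(transport, name, first, first + page_size - 1)
        elements = page.get("data", [])
        yield from elements
        first += page_size
        # number_of_elements is part of the response, so stop once the last page is read
        if not elements or first >= page["number_of_elements"]:
            return


def stale_values(transport: Transport, name: str, now_ms: int, max_age_ms: int) -> List[str]:
    """Values whose last_seen (milliseconds since the Unix epoch) is older than max_age_ms."""
    return [e["value"] for e in iter_set_elements(transport, name)
            if now_ms - e["last_seen"] > max_age_ms]


# --- constructed data standing in for a live console -------------------------
DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 1_500_000_000_000  # constructed "current time"


def _make_elements(count: int) -> List[dict]:
    # 10.0.0.1 .. 10.0.0.<count>; every tenth entry was last seen 40 days ago
    return [{"value": f"10.0.0.{i}", "source": "reference data api",
             "first_seen": NOW_MS - 60 * DAY_MS,
             "last_seen": NOW_MS - (40 if i % 10 == 0 else 1) * DAY_MS}
            for i in range(1, count + 1)]


FAKE_SETS = {"blocked_ips": _make_elements(120)}


def fake_transport(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Serve the GET /reference_data/sets/{name} response shape from FAKE_SETS."""
    name = path.rsplit("/", 1)[-1]
    if name not in FAKE_SETS:
        return 404, json.dumps({"code": 1002, "message": "The reference set does not exist"})
    first, last = (int(x) for x in headers["Range"].split("=", 1)[1].split("-"))
    elements = FAKE_SETS[name]
    return 200, json.dumps({"name": name, "element_type": "IP",
                            "timeout_type": "LAST_SEEN", "time_to_live": "90 days",
                            "number_of_elements": len(elements),
                            "data": elements[first:last + 1]})


if __name__ == "__main__":
    old = stale_values(fake_transport, "blocked_ips", NOW_MS, 30 * DAY_MS)
    print(f"{len(old)} entries not seen in 30 days, for example {old[:3]}")
```

The loop stops on number_of_elements rather than on an empty page, so a set whose size is an exact multiple of the page size does not cost an extra request; the same Range approach applies to GET /reference_data/tables/{name}, whose data is nested by outer and inner key instead of being a flat list.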

POST /reference_data/sets/{name} DEPRECATED


Add or update an element in a reference set.
Table 3408. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 3409. POST /reference_data/sets/{name} request parameter details
Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to add or update an element in
value query Required String text/plain Required - The value to add or update in the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3410. POST /reference_data/sets/{name} response codes

HTTP Response Code Unique Code Description
200 The reference set has had an element added or updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update an element in the reference set

Response Description

Information about the reference set that had an element added or updated. This returns information
about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name} DEPRECATED
Remove a reference set or purge its contents.
Table 3411. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 3412. DELETE /reference_data/sets/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the set to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference set should have its contents purged (true), keeping the reference set structure. If the value is "false" or not specified the reference set will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3413. DELETE /reference_data/sets/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Sets deletion or purge request has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference set

Response Description

A status_id that can be used to retrieve the Reference Data Sets deletion or purge status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/{value} DEPRECATED


Remove a value from a reference set.
Table 3414. DELETE /reference_data/sets/{name}/{value} resource details
MIME Type
application/json

Table 3415. DELETE /reference_data/sets/{name}/{value} request parameter details
Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to remove a value from
value path Required String text/plain Required - The value to remove from the reference set. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3416. DELETE /reference_data/sets/{name}/{value} response codes

HTTP Response Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the value from the reference set.

Response Description

Information about the reference set that had a value removed. This returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}/dependents DEPRECATED


Retrieves the dependents of the set.
Table 3417. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 3418. GET /reference_data/sets/{name}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference set to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3419. GET /reference_data/sets/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Sets dependent retrieval request has been accepted and is in progress
404 1002 The Reference Set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the Reference Set

Response Description

A status_id that can be used to retrieve the Reference Data Sets dependent retrieval status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables DEPRECATED


Retrieve a list of all reference tables.
Table 3420. GET /reference_data/tables resource details
MIME Type
application/json

Table 3421. GET /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3422. GET /reference_data/tables response codes
HTTP Response Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of the reference tables

Response Description

A list of all of the reference tables. This returns information about the tables but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables DEPRECATED


Create a new reference table.
Table 3423. POST /reference_data/tables resource details
MIME Type
application/json

Table 3424. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of the reference table to create
element_type query Required String text/plain Required - The default element type for the values allowed in the reference table. This is used when values are added or updated in the reference table whose inner key was not defined in the key_name_types parameter. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970.
outer_key_label query Optional String text/plain Optional - The label to describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed values are "FIRST_SEEN", "LAST_SEEN" and "UNKNOWN". The default value is "UNKNOWN". This indicates if the time_to_live interval is based on when the data was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to live interval, for example: "1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON formatted string. This array creates the inner key names and corresponding value types for the table
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3425. POST /reference_data/tables response codes

HTTP Response Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name provided is already in use. Please change the name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/bulk_load/{name} DEPRECATED


Adds or updates data in a reference table.
Table 3426. POST /reference_data/tables/bulk_load/{name} resource details
MIME Type
application/json

Table 3427. POST /reference_data/tables/bulk_load/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the table to add or update data in.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3428. POST /reference_data/tables/bulk_load/{name} request body details

Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON-formatted data to add or update in the reference table. {"key1":{"col1":"Data11","col2":"Data12","col3":"Data13","col4":"Data14"},"key2":{"col1":"Data21","col2":"Data22","col3":"Data23","col4":"Data24"},"key3":{"col1":"Data31","col2":"Data32","col3":"Data33","col4":"Data34"},"key4":{"col1":"Data41","col2":"Data42","col3":"Data43","col4":"Data44"},"key5":{"col1":"Data51","col2":"Data52","col3":"Data53","col4":"Data54"},"key6":{"col1":"Data61","col2":"Data62","col3":"Data63","col4":"Data64"}}

Table 3429. POST /reference_data/tables/bulk_load/{name} response codes

HTTP Response Code Unique Code Description
200 Data was successfully added or updated in the reference table.
400 1001 An error occurred parsing the JSON-formatted message body.
404 1002 The reference table does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or update data in the reference table.

Response Description

Information about the reference table where data was added or updated. This returns information about
the reference table but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name} DEPRECATED


Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit specifies the number of
records to return starting at the record that is specified by offset. If the number is not specified, then the
first 20 records are returned.
Table 3430. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 3431. GET /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to retrieve
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3432. GET /reference_data/tables/{name} response codes


HTTP Response Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the reference table

Response Description

The reference table identified by the name specified in the request. The portion of the reference table's
data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",

"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name} DEPRECATED


Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of the appropriate type: either the type that corresponds to the innerKey that is predefined for the reference table, or the default elementType of the reference table.
Table 3433. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 3434. POST /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to add or update an element in
outer_key query Required String text/plain Required - The outer key for the element to add or update
inner_key query Required String text/plain Required - The inner key for the element to add or update
value query Required String text/plain Required - The value to add or update in the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.
source query Optional String text/plain Optional - An indication of where the data originated. The default value is 'reference data api'
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3435. POST /reference_data/tables/{name} response codes

HTTP Response Code Unique Code Description
200 The reference table has had an element added or updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This returns information
about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
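The type rules stated for reference sets (POST /reference_data/sets and the bulk_load endpoint: ALN, ALNIC, NUM, IP, PORT and DATE, with DATE values as milliseconds since the Unix epoch) and for reference tables (an inner key listed in key_name_types has its own type; any other inner key falls back to the table's element_type) can be enforced on the client before a request is sent, which turns a 422 from the console into a local error with a usable message. The following is an added example, not IBM sample code: the function names, the ISO 8601 input form and the blocked_ips/admin_hosts values are constructed, and the helpers only build the request path and body, leaving the HTTP call to the caller.

```python
"""Client-side type checks for reference set and reference table writes.

Added example (not IBM's sample code). It mirrors the element types listed for
element_type (ALN, ALNIC, NUM, IP, PORT, DATE), the rule that DATE values are
milliseconds since the Unix epoch, and the table rule that an inner key not
listed in key_name_types falls back to the table's default element_type.
"""
import ipaddress
import json
from datetime import datetime
from typing import Dict, Iterable, List, Mapping, Optional, Tuple, Union

ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT", "DATE")
Value = Union[str, int, float, datetime]


def normalize_value(value: Value, element_type: str) -> str:
    """Return value as the string the API accepts for element_type, or raise ValueError."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element_type {element_type!r}")
    if element_type == "DATE":
        # Accept epoch milliseconds, a timezone-aware datetime, or an ISO 8601 string
        # with an offset (constructed convenience); the API itself wants milliseconds.
        if isinstance(value, str) and not value.isdigit():
            value = datetime.fromisoformat(value)  # ValueError if not ISO 8601
        if isinstance(value, datetime):
            if value.tzinfo is None:
                raise ValueError("DATE needs a timezone-aware datetime or an offset")
            return str(int(value.timestamp() * 1000))
        return str(int(value))
    text = str(value)
    if element_type == "NUM":
        float(text)  # raises ValueError on non-numeric input
    elif element_type == "IP":
        ipaddress.ip_address(text)  # raises ValueError on a malformed IPv4/IPv6 address
    elif element_type == "PORT":
        if not text.isdigit() or not 0 <= int(text) <= 65535:
            raise ValueError(f"PORT must be 0-65535, got {text!r}")
    elif not text:  # ALN / ALNIC store text; refuse an empty value
        raise ValueError("empty value")
    return text


def build_set_bulk_load(name: str, values: Iterable[Value], element_type: str) -> Tuple[str, List[str]]:
    """Path and body for POST /reference_data/sets/bulk_load/{name}: a JSON array of strings."""
    body = [normalize_value(v, element_type) for v in values]
    return f"/api/reference_data/sets/bulk_load/{name}", body


def build_table_bulk_load(name: str, rows: Mapping[str, Mapping[str, Value]], element_type: str,
                          key_name_types: Optional[Mapping[str, str]] = None
                          ) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Path and body for POST /reference_data/tables/bulk_load/{name}.

    The body is {outer_key: {inner_key: value}}. Each inner key is checked against
    its type in key_name_types; undeclared inner keys use the table's element_type.
    """
    types = dict(key_name_types or {})
    body: Dict[str, Dict[str, str]] = {}
    for outer_key, columns in rows.items():
        body[outer_key] = {inner_key: normalize_value(v, types.get(inner_key, element_type))
                           for inner_key, v in columns.items()}
    return f"/api/reference_data/tables/bulk_load/{name}", body


if __name__ == "__main__":
    path, body = build_table_bulk_load(
        "admin_hosts",  # constructed table name
        {"host1": {"port": 443, "owner": "it", "seen": "2017-01-01T00:00:00+00:00"}},
        element_type="ALN", key_name_types={"port": "PORT", "seen": "DATE"})
    print(path)
    print(json.dumps(body))
```

Because the table's fallback to element_type is applied per inner key, a column that was never declared in key_name_types is still checked against the default type rather than passed through unchecked, which is the behaviour the POST /reference_data/tables description specifies.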

DELETE /reference_data/tables/{name} DEPRECATED


Remove a reference table or purge its contents.
Table 3436. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 3437. DELETE /reference_data/tables/{name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to remove or purge
purge_only query Optional String text/plain Optional - The allowed values are "false" or "true". The default value is false. This indicates if the reference table should have its contents purged (true), keeping the reference table structure. If the value is "false" or not specified the reference table will be removed completely.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3438. DELETE /reference_data/tables/{name} response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables deletion or purge request has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or purge values from the reference table

Response Description

A status_id that can be used to retrieve the Reference Data Tables deletion or purge status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables/{name}/dependents DEPRECATED


Retrieves the dependents of the table.
Table 3439. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 3440. GET /reference_data/tables/{name}/dependents request parameter details

Parameter Type Optionality Data Type MIME Type Description
name path Required String text/plain Required - The name of the reference table to retrieve dependents for
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3441. GET /reference_data/tables/{name}/dependents response codes

HTTP Response Code Unique Code Description
202 The Reference Data Tables dependent retrieval request has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the dependents for the reference table

Response Description

A status_id that can be used to retrieve the Reference Data Tables dependent retrieval status at /api/system/task_management/task/{status_id}. The same URL is also returned in the Location header.

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}
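The following Python script is an added example; it is not code from the QRadar API Guide or from IBM. It starts the dependents check for a reference table, derives the task status URL from the 202 response (status_location, falling back to the Location header), and polls until the task reaches a terminal state, with a bounded number of polls so a stuck task cannot hang an automation job. The table name is percent-encoded before it is placed in the path, so a name containing "/" or spaces cannot alter the request target. Assumptions not stated on this page: the polled task object at /api/system/task_management/task/{status_id} carries "status" and "result_url" at top level, and the transport function and fake server below are constructed for offline use; a real transport would perform the HTTPS request with the SEC header and return (code, headers, json_body).

```python
import re
from urllib.parse import quote

# Task states after which polling can stop (from the status enums on this page).
TERMINAL_STATES = {"COMPLETED", "CANCELLED", "EXCEPTION", "INTERRUPTED", "CONFLICT"}
TASK_PATH = "/api/system/task_management/task/"


def dependents_url(table_name):
    """Build the request path, percent-encoding the user-supplied table name.

    safe="" means a name such as "Bad IPs" or "a/b" cannot introduce extra
    path segments into the request.
    """
    return "/api/reference_data/tables/%s/dependents" % quote(table_name, safe="")


def status_url(accepted_body, location_header):
    """Resolve the task status URL from the 202 body or the Location header."""
    loc = accepted_body.get("status_location") or location_header or ""
    match = re.search(r"/task_management/task/(\d+)$", loc)
    if not match:
        raise ValueError("no task status URL in response: %r" % loc)
    return TASK_PATH + match.group(1)


def task_state(body):
    """Read the state from either the nested 202 shape or a flat task object."""
    # Assumption: the polled task object carries "status" and "result_url" at
    # top level; the 202 body nests them under "current_status".
    return (body.get("current_status") or body).get("status")


def check_dependents(transport, table_name, max_polls=30, sleep=lambda seconds: None):
    """Start the dependents check and poll until the task reaches a terminal state.

    transport(method, path, payload) returns (http_code, headers, json_body).
    Raises TimeoutError if the task is still running after max_polls polls.
    """
    code, headers, body = transport("GET", dependents_url(table_name), None)
    if code != 202:
        raise RuntimeError("unexpected HTTP %d when starting the dependents check" % code)
    url = status_url(body, headers.get("Location"))
    state = task_state(body)
    for _ in range(max_polls):
        if state in TERMINAL_STATES:
            current = body.get("current_status") or body
            return {"status": state, "result_url": current.get("result_url")}
        sleep(2.0)
        code, headers, body = transport("GET", url, None)
        if code != 200:
            raise RuntimeError("task status request failed with HTTP %d" % code)
        state = task_state(body)
    raise TimeoutError("task %s still %s after %d polls" % (url, state, max_polls))


def make_fake_transport():
    """Constructed offline stand-in for the QRadar API (not a real server).

    Answers the dependents request with a 202 whose task then walks through
    QUEUED -> PROCESSING -> COMPLETED on successive status polls.
    """
    log = []
    states = iter(["QUEUED", "PROCESSING", "COMPLETED"])

    def transport(method, path, payload):
        log.append((method, path))
        if path.endswith("/dependents"):
            accepted = {"current_status": {"id": 42, "status": "INITIALIZING"},
                        "message": "accepted", "status_location": TASK_PATH + "42"}
            return 202, {"Location": TASK_PATH + "42"}, accepted
        state = next(states)
        # Placeholder result URL; the real value comes from the task object.
        result_url = TASK_PATH + "42/results" if state == "COMPLETED" else None
        return 200, {}, {"id": 42, "status": state, "result_url": result_url}

    return transport, log


if __name__ == "__main__":
    fake, calls = make_fake_transport()
    print(check_dependents(fake, "Bad IPs"), len(calls), "requests")
```

The sleep callback is injected so that tests run instantly; in production pass time.sleep and keep max_polls bounded, since a task that never leaves PROCESSING is a failure the caller should see, not an infinite loop.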

1524 QRadar API Reference Guide


DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} DEPRECATED
Removes a value from a reference table.


Table 3442. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} resource details
MIME Type
application/json

Table 3443. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
name | path | Required | String | text/plain | Required - The name of the reference table to remove a value from
outer_key | path | Required | String | text/plain | Required - The outer key of the value to remove
inner_key | path | Required | String | text/plain | Required - The inner key of the value to remove
value | query | Required | String | text/plain | Required - The value to remove from the reference table. Note: Date values must be represented in milliseconds since the Unix Epoch, January 1st 1970.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3444. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} response codes

HTTP Response Code | Unique Code | Description
200 | - | The reference table had a value removed
404 | 1002 | The reference table does not exist
404 | 1003 | The record does not exist in the reference table
422 | 1005 | A request parameter is not valid
500 | 1020 | An error occurred while attempting to remove the reference table value

Response Description

Information about the reference table that had an element removed. This returns information about the table
but not the contained data.



Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
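An added example, not from the QRadar API Guide: Python that builds the DELETE request for a reference table value, choosing the serialization by element type. Date values are converted to milliseconds since the Unix epoch from a timezone-aware datetime, IP and PORT values are validated locally so malformed input fails before a request is sent, and each path segment is percent-encoded so a key containing "/" or a space cannot change the target path. The per-key type is taken from key_name_types with element_type as the fallback; that reading of the metadata is an assumption, as is the sample table below, which is constructed in the shape of the response sample above.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import quote, urlencode


def to_epoch_ms(moment):
    """Milliseconds since the Unix epoch, as the DATE element type expects."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; a naive value is ambiguous")
    return int(moment.timestamp() * 1000)


def encode_value(element_type, value):
    """Serialize value for the given element type, rejecting bad input locally."""
    if element_type == "DATE":
        return str(to_epoch_ms(value) if isinstance(value, datetime) else int(value))
    if element_type == "IP":
        # ipaddress raises ValueError on anything that is not an IP literal.
        return str(ipaddress.ip_address(value))
    if element_type == "PORT":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        return str(port)
    if element_type == "NUM":
        float(value)  # validate that it is numeric; keep the caller's text form
        return str(value)
    if element_type in ("ALN", "ALNIC"):
        return str(value)
    raise ValueError("unknown element type %r" % element_type)


def build_delete(table, outer_key, inner_key, value):
    """Return (method, path_with_query) for the DELETE endpoint above.

    table is the metadata object the API returns (name, element_type,
    key_name_types). Assumption: an inner key's own type in key_name_types
    takes precedence over the table-wide element_type.
    """
    element_type = table.get("key_name_types", {}).get(inner_key, table["element_type"])
    segments = [quote(s, safe="") for s in (table["name"], outer_key, inner_key)]
    path = "/api/reference_data/tables/%s/%s/%s" % tuple(segments)
    return "DELETE", path + "?" + urlencode({"value": encode_value(element_type, value)})


def interpret_delete(http_code, unique_code=None):
    """Map the documented response codes to an outcome a caller can act on."""
    if http_code == 200:
        return "removed"
    if http_code == 404 and unique_code == 1003:
        return "absent"  # record not in the table: the delete is already done
    if http_code == 404 and unique_code == 1002:
        return "no-such-table"
    if http_code == 422:
        return "bad-request"
    return "error"


# Constructed sample metadata (not from a real system).
SAMPLE_TABLE = {
    "name": "Login Watch",
    "element_type": "ALN",
    "key_name_types": {"last_seen": "DATE", "src": "IP", "port": "PORT"},
}
SAMPLE_WHEN = datetime(2017, 1, 1, tzinfo=timezone.utc)  # 1483228800000 ms

if __name__ == "__main__":
    print(build_delete(SAMPLE_TABLE, "alice", "last_seen", SAMPLE_WHEN))
```

Treating 404/1003 as "absent" makes a cleanup job idempotent: re-running it after a partial failure does not turn already-removed records into errors.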

Scanner endpoints
Use the references for REST API V7.0 scanner endpoints.

GET /scanner/profiles DEPRECATED


Retrieves all of the currently created scan profiles.

No parameters are required. The following information is returned for each scan profile:
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 3445. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 3446. GET /scanner/profiles response codes
HTTP Response Code | Unique Code | Description
200 | - | The list of scan profiles was successfully returned
500 | 1030 | Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create DEPRECATED


Initiates a request to create a new Scan Profile.

The request takes one parameter, createScanRequest, which is a plain Java object (POJO). To create the scan,
build a JSON object that contains the Scan Profile name and the IP addresses to scan. For example:
{"name": "New Scan Profile", "ips": ["10.100.85.135"]}



Table 3447. POST /scanner/profiles/create resource details
MIME Type
text/plain

Table 3448. POST /scanner/profiles/create request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 3449. POST /scanner/profiles/create response codes

HTTP Response Code | Unique Code | Description
200 | - | The scan has been successfully created
419 | 9101 | Occurs when a parameter is missing or invalid
500 | 1030 | Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start DEPRECATED


Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId. To get a list of scanProfileIds, retrieve the current scan
profiles with a 'profiles' request on the scanner endpoint. The scanProfileId is validated and an appropriate
message is returned.
Table 3450. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 3451. POST /scanner/profiles/start request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
scanProfileId | query | Required | String | text/plain | The unique id of the scan profile we want to start

Table 3452. POST /scanner/profiles/start response codes

HTTP Response Code | Unique Code | Description
200 | - | The scan has been successfully started
403 | 1000 | Occurs if the user does not have permission to start a scan, or the scan is in progress
500 | 1030 | Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made



Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

GET /scanner/scanprofiles DEPRECATED


Retrieves all of the currently created scan profiles.

No parameters are required. The following information is returned for each scan profile:
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 3453. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 3454. GET /scanner/scanprofiles request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3455. GET /scanner/scanprofiles response codes

HTTP Response Code | Unique Code | Description
200 | - | The list of scan profiles was successfully returned
500 | 1030 | Occurs when an attempt is made to list scan profiles when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles DEPRECATED


Initiates a request to create a new scanProfile.

The request takes one parameter, createScanRequest, which is a plain Java object (POJO). To create the scan,
build a JSON object that contains the Scan Profile name and the hosts to scan. For example:
{"name": "New Scan Profile", "hosts": ["10.100.85.135"]}
Table 3456. POST /scanner/scanprofiles resource details
MIME Type
text/plain



Table 3457. POST /scanner/scanprofiles request body details
Parameter | Data Type | MIME Type | Description | Sample
scanProfile | Object | application/json | null | { "description": "String", "hosts": [ "String" ], "name": "String" }

Table 3458. POST /scanner/scanprofiles response codes

HTTP Response Code | Unique Code | Description
200 | - | The scan has been successfully created
500 | 1030 | Occurs when an attempt is made to create a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid} DEPRECATED


Retrieves a scan profile for a given Scan Profile ID.

Only the Scan Profile ID is required. The following information is returned for the scan profile:
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 3459. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 3460. GET /scanner/scanprofiles/{profileid} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
profileid | path | Required | String | text/plain | The unique id of the scan profile we need to retrieve information for
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3461. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response Code | Unique Code | Description
200 | - | The scan profile was successfully returned
500 | 1030 | Occurs when an attempt is made to list a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42



},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid} DEPRECATED


Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:


v name
v description
v IP addresses

For example:
{"name": "Updated Scan Profile", "ips": ["10.100.85.135"]}

Table 3462. POST /scanner/scanprofiles/{profileid} resource details


MIME Type
application/json

Table 3463. POST /scanner/scanprofiles/{profileid} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
profileid | path | Required | String | text/plain | The unique id of the scan profile to update

Table 3464. POST /scanner/scanprofiles/{profileid} request body details


Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 3465. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response Code | Unique Code | Description
202 | - | The scan profile was successfully updated
500 | 1030 | Occurs when an attempt is made to update a scan profile when certain conditions are not met, or when too many scan requests have been made

Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid} DEPRECATED


Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.



Table 3466. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 3467. DELETE /scanner/scanprofiles/{profileid} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
profileid | path | Required | String | text/plain | The unique id of the scan profile to delete

Table 3468. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response Code | Unique Code | Description
204 | - | The scan has been successfully deleted
500 | 1030 | Occurs when an attempt is made to delete a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start DEPRECATED


Initiates a request to start an already created scanProfile.

The request takes one required parameter, scanProfileId, and one optional body parameter, ips. To get a list of
scanProfileIds, retrieve the current scan profiles with a 'profiles' request on the scanner endpoint. The
scanProfileId is validated and an appropriate message is returned.
Table 3469. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

Table 3470. POST /scanner/scanprofiles/{profileid}/start request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
profileid | path | Required | String | text/plain | The unique id of the scan profile we want to start

Table 3471. POST /scanner/scanprofiles/{profileid}/start request body details


Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 3472. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response Code | Unique Code | Description
202 | - | The scan has been successfully started
403 | 1000 | Occurs if the user does not have permission to start a scan, or the scan is in progress
500 | 1030 | Occurs when an attempt is made to start a scan when certain conditions are not met, or when too many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String
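An added example (not IBM's code) covering the create, list and start sequence across POST /scanner/scanprofiles, GET /scanner/scanprofiles and POST /scanner/scanprofiles/{profileid}/start. Because the create call only returns a status string, the new profile's ID has to be found by listing the profiles and matching on name; the example treats an ambiguous name as an error rather than starting the wrong profile, and accepts only literal IP addresses as hosts so a typo or an injected hostname never reaches the scanner. The transport function and the in-memory fake scanner are constructed for offline use; a real transport would send the HTTPS request with the SEC header and return (code, response_text).

```python
import ipaddress
import json


def validate_hosts(hosts):
    """Accept only literal IPv4/IPv6 addresses, normalized to canonical form."""
    if not hosts:
        raise ValueError("a scan profile needs at least one host")
    cleaned = []
    for host in hosts:
        try:
            cleaned.append(str(ipaddress.ip_address(host)))
        except ValueError as exc:
            raise ValueError("refusing host %r: %s" % (host, exc))
    return cleaned


def create_and_start(transport, name, hosts, description=""):
    """Create a scan profile, look up its ID by name, and start it.

    transport(method, path, payload_text) returns (http_code, response_text).
    """
    body = {"name": name, "description": description, "hosts": validate_hosts(hosts)}
    code, text = transport("POST", "/api/scanner/scanprofiles", json.dumps(body))
    if code != 200:
        raise RuntimeError("create failed: HTTP %d: %s" % (code, text))

    # The create response is only an indicator string, so find the ID by listing.
    code, text = transport("GET", "/api/scanner/scanprofiles", None)
    if code != 200:
        raise RuntimeError("list failed: HTTP %d" % code)
    matches = [p for p in json.loads(text) if p["scanProfileName"] == name]
    if len(matches) != 1:
        raise LookupError("expected one profile named %r, found %d" % (name, len(matches)))
    profile_id = int(matches[0]["scanProfileId"])

    code, text = transport("POST", "/api/scanner/scanprofiles/%d/start" % profile_id, None)
    if code == 403:
        # Documented 403/1000: no permission, or the scan is already running.
        raise PermissionError("cannot start profile %d: %s" % (profile_id, text))
    if code != 202:
        raise RuntimeError("start failed: HTTP %d: %s" % (code, text))
    return profile_id


def make_fake_scanner():
    """Constructed offline stand-in for the scanner endpoints (not a real QVM)."""
    profiles, started = [], []

    def transport(method, path, payload):
        if (method, path) == ("POST", "/api/scanner/scanprofiles"):
            req = json.loads(payload)
            profiles.append({"scanProfileId": len(profiles) + 1,
                             "scanProfileName": req["name"],
                             "description": req.get("description", ""),
                             "scanType": "Full", "scannerName": "local",
                             "schedule": "", "status": "Idle", "progress": 0})
            return 200, "Scan profile created"
        if (method, path) == ("GET", "/api/scanner/scanprofiles"):
            return 200, json.dumps(profiles)
        if method == "POST" and path.endswith("/start"):
            profile_id = int(path.split("/")[-2])
            if profile_id in started:
                return 403, "scan is in progress"
            started.append(profile_id)
            return 202, "Scan started"
        return 404, "no such endpoint"

    return transport, profiles, started


if __name__ == "__main__":
    fake, _profiles, _started = make_fake_scanner()
    print("started profile", create_and_start(fake, "Nightly DMZ", ["10.100.85.135"]))
```

Name-based lookup is the weak link of this sequence: give profiles created by automation unique names (for example with a timestamp suffix) so the post-create lookup cannot become ambiguous.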

SIEM endpoints
Use the references for REST API V7.0 SIEM endpoints.

GET /siem/local_destination_addresses DEPRECATED


Retrieve a list of the offense local destination addresses currently in the system.
Table 3473. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Table 3474. GET /siem/local_destination_addresses request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3475. GET /siem/local_destination_addresses response codes

HTTP Response Code | Unique Code | Description
200 | - | The local destination address list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the local destination address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object contains the following
fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
v source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.
v event_flow_count - Number - The number of events and flows that are associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
v domain_id - Number - The ID of the associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

GET /siem/local_destination_addresses/{local_destination_address_id}
DEPRECATED
Retrieve an offense local destination address.
Table 3476. GET /siem/local_destination_addresses/{local_destination_address_id} resource details
MIME Type
application/json



Table 3477. GET /siem/local_destination_addresses/{local_destination_address_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
local_destination_address_id | path | Required | Number (Integer) | text/plain | Required - The ID of the local destination address to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3478. GET /siem/local_destination_addresses/{local_destination_address_id} response codes

HTTP Response Code | Unique Code | Description
200 | - | The local destination was retrieved.
404 | 1002 | No local destination address was found for the provided local_destination_address_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the local destination address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is part of.
v source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.
v event_flow_count - Number - The number of events and flows that are associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
v domain_id - Number - The ID of the associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],



"source_address_ids": [
42
]
}

GET /siem/offense_closing_reasons DEPRECATED


Retrieve a list of all offense closing reasons.
Table 3479. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 3480. GET /siem/offense_closing_reasons request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
include_reserved | query | Optional | Boolean | text/plain | Optional - If true, reserved closing reasons are included in the response. Defaults to false. Reserved closing reasons cannot be used to close an offense.
include_deleted | query | Optional | Boolean | text/plain | Optional - If true, deleted closing reasons are included in the response. Defaults to false. Deleted closing reasons cannot be used to close an offense.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3481. GET /siem/offense_closing_reasons response codes

HTTP Response Code | Unique Code | Description
200 | - | The closing reasons list was retrieved.
500 | 1020 | An error occurred while the closing reasons list was being retrieved.

Response Description

An array of ClosingReason objects. A closing reason object contains the following fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.



v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons DEPRECATED


Create an offense closing reason.
Table 3482. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 3483. POST /siem/offense_closing_reasons request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
reason | query | Required | String | text/plain | Required - The text of the offense closing reason. Must be 5 - 60 characters in length.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3484. POST /siem/offense_closing_reasons response codes

HTTP Response Code | Unique Code | Description
201 | - | The closing reason was created.
409 | 1004 | The closing reason already exists.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to create the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:


v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.



v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
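An added example, not from the guide or from IBM: a Python helper that resolves a closing reason to an ID that can actually be used to close an offense. It lists with include_reserved and include_deleted set to true so that a reserved or deleted match is reported as unusable instead of being re-created (which would only produce the documented 409/1004), enforces the 5 - 60 character rule before sending anything, and creates the reason only when it is absent. The transport function and the in-memory fake SIEM with three pre-existing reasons are constructed for offline use; a real transport would perform the HTTPS request with the SEC header and return (code, json_body).

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LIST_URL = "/api/siem/offense_closing_reasons?include_reserved=true&include_deleted=true"
CREATE_URL = "/api/siem/offense_closing_reasons"


def validate_reason_text(text):
    """The endpoint requires 5 - 60 characters; check locally for a clear error."""
    text = text.strip()
    if not 5 <= len(text) <= 60:
        raise ValueError("closing reason must be 5-60 characters, got %d" % len(text))
    return text


def usable_closing_reason_id(transport, text):
    """Return the ID of a usable closing reason with this text, creating it if absent.

    transport(method, path) returns (http_code, json_body).
    """
    text = validate_reason_text(text)
    code, reasons = transport("GET", LIST_URL)
    if code != 200:
        raise RuntimeError("listing closing reasons failed: HTTP %d" % code)
    for reason in reasons:
        if reason["text"] == text:
            if reason["is_reserved"]:
                raise LookupError("closing reason %r is reserved and cannot be used" % text)
            if reason["is_deleted"]:
                raise LookupError("closing reason %r was deleted and cannot be used" % text)
            return reason["id"]
    code, body = transport("POST", CREATE_URL + "?" + urlencode({"reason": text}))
    if code == 409:
        # Created by someone else between our list and create: caller can retry.
        raise LookupError("closing reason %r appeared concurrently; list again" % text)
    if code != 201:
        raise RuntimeError("creating closing reason failed: HTTP %d" % code)
    return body["id"]


def make_fake_siem():
    """Constructed offline stand-in with three pre-existing reasons (not a real QRadar)."""
    reasons = [
        {"id": 1, "text": "False-Positive, Tuned", "is_reserved": False, "is_deleted": False},
        {"id": 2, "text": "Policy Violation", "is_reserved": True, "is_deleted": False},
        {"id": 3, "text": "Duplicate Offense", "is_reserved": False, "is_deleted": True},
    ]

    def transport(method, path):
        if method == "GET":
            return 200, [dict(r) for r in reasons]
        if method == "POST":
            text = parse_qs(urlsplit(path).query)["reason"][0]
            if any(r["text"] == text for r in reasons):
                return 409, {"code": 1004, "message": "The closing reason already exists."}
            created = {"id": len(reasons) + 1, "text": text,
                       "is_reserved": False, "is_deleted": False}
            reasons.append(created)
            return 201, dict(created)
        return 404, {}

    return transport, reasons


if __name__ == "__main__":
    fake, _reasons = make_fake_siem()
    print(usable_closing_reason_id(fake, "Contained by SOC"))
```

Matching is on exact text because that is what the 409 check on the server compares; a case-insensitive match could return an ID whose text differs from what an analyst typed and hide a near-duplicate.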

GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED


Retrieve an offense closing reason.
Table 3485. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 3486. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
closing_reason_id | path | Required | Number (Integer) | text/plain | Required - The closing reason ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3487. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response Code | Unique Code | Description
200 | - | The closing reason was retrieved.
404 | 1002 | No closing reason was found for the provided closing_reason_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:


v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot
be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons
cannot be used to close an offense.



Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_saved_search_delete_tasks/{task_id} DEPRECATED


Retrieves the status of the offense saved search delete task.


Table 3488. GET /siem/offense_saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 3489. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the delete task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3490. GET /siem/offense_saved_search_delete_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | - | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/siem/
offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.



Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_search_dependent_tasks/{task_id} DEPRECATED


Retrieves the status of the offense saved search dependent task.


Table 3491. GET /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3492. GET /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3493. GET /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response Code | Unique Code | Description
200 | - | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/siem/
offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following
fields:



v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch at which the task was created.
v started - Long - The time in milliseconds since epoch at which the task was started.
v modified - Long - The time in milliseconds since epoch at which the task was modified.
v completed - Long - The time in milliseconds since epoch at which the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch at which the sub-task was created.
– started - Long - The time in milliseconds since epoch at which the sub-task was started.
– modified - Long - The time in milliseconds since epoch at which the sub-task was modified.
– completed - Long - The time in milliseconds since epoch at which the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,



"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /siem/offense_saved_search_dependent_tasks/{task_id} DEPRECATED


Cancels the dependent offense saved search task.


Table 3494. POST /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 3495. POST /siem/offense_saved_search_dependent_tasks/{task_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null

7 Previous REST API versions 1543


fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3496. POST /siem/offense_saved_search_dependent_tasks/{task_id} request body details


Parameter Data Type MIME Type Description Sample
task Object application/json null { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 3497. POST /siem/offense_saved_search_dependent_tasks/{task_id} response codes


HTTP Response Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the
following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}/results DEPRECATED


Retrieves the offense saved search dependent task results.


Table 3498. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 3499. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request parameter details


Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3500. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results response codes


HTTP Response Code Unique Code Description
200 The offense saved search dependents were retrieved
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the offense saved searches.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:
v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /siem/offense_saved_search_groups DEPRECATED


Retrieves a list of offense saved search groups.


Table 3501. GET /siem/offense_saved_search_groups resource details
MIME Type
application/json

Table 3502. GET /siem/offense_saved_search_groups request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3503. GET /siem/offense_saved_search_groups response codes


HTTP Response Code Unique Code Description
200 The offense saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the offense saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /siem/offense_saved_search_groups/{group_id} DEPRECATED


Retrieves an offense saved search group.


Table 3504. GET /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3505. GET /siem/offense_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3506. GET /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search group was retrieved.
404 1002 The offense saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the offense saved search group.

Response Description

A single Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /siem/offense_saved_search_groups/{group_id} DEPRECATED


Updates the owner of an offense saved search group.


Table 3507. POST /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 3508. POST /siem/offense_saved_search_groups/{group_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3509. POST /siem/offense_saved_search_groups/{group_id} request body details


Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object with the owner set to a valid deployed user. { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 3510. POST /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search group was updated.
404 1002 The offense saved search group does not exist.
409 1004 The provided user does not have the required capabilities to own the offense saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the offense saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized names).
v description - String - The description of the group (default resources can have localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch when the group was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /siem/offense_saved_search_groups/{group_id} DEPRECATED


Deletes an offense saved search group.


Table 3511. DELETE /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 3512. DELETE /siem/offense_saved_search_groups/{group_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
group_id path Required Number (Integer) text/plain null

Table 3513. DELETE /siem/offense_saved_search_groups/{group_id} response codes


HTTP Response Code Unique Code Description
204 The offense saved search group has been deleted.
404 1002 The offense saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the offense saved search group.

Response Description

Response Sample

GET /siem/offense_saved_searches DEPRECATED


Retrieves a list of offense saved searches.


Table 3514. GET /siem/offense_saved_searches resource details
MIME Type
application/json

Table 3515. GET /siem/offense_saved_searches request parameter details


Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3516. GET /siem/offense_saved_searches response codes
HTTP Response Code Unique Code Description
200 The offense saved searches were retrieved.
500 1020 An error occurred during the attempt to retrieve the offense saved searches.

Response Description

An array of offense saved search objects. An offense saved search object contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
[
{
"id": 42,
"name": "String",
"owner": "String"
}
]
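The Range, filter and fields parameters in Table 3515 are what keep a listing call bounded: Range selects a zero-indexed window, filter narrows the list on the server, and fields trims each object. The client below is an added example, not QRadar's or IBM's code, that pages through this endpoint one Range window at a time and stops at the first short page. FakeQRadar, the sample searches, and the concrete Range form (items=start-end) and filter form (owner="name") are constructed assumptions taken from this guide's paging and filter syntax chapters rather than from the table above; a real client would add authentication and handle the 500 response documented in Table 3516.

```python
"""Page through GET /siem/offense_saved_searches with Range, filter and fields.
Added example, not QRadar's own code: FakeQRadar is a constructed stand-in."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# send(method, path, query, headers) -> (http_status, response_headers, json_body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, Dict[str, str], object]]


def list_saved_searches(send: Transport, page_size: int = 50,
                        filter_expr: Optional[str] = None,
                        fields: str = "id,name,owner") -> List[dict]:
    """Walk the list one Range window at a time and stop at the first short page."""
    if page_size < 1:
        raise ValueError("page_size must be positive")
    found: List[dict] = []
    start = 0
    while True:
        query = {"fields": fields}
        if filter_expr:
            query["filter"] = filter_expr
        # The list is indexed from zero, so a window of page_size items ends at start+page_size-1.
        headers = {"Range": f"items={start}-{start + page_size - 1}"}
        status, _, page = send("GET", "/api/siem/offense_saved_searches", query, headers)
        if status != 200:
            raise RuntimeError(f"listing failed: HTTP {status}")
        found.extend(page)
        if len(page) < page_size:
            return found
        start += page_size


def searches_owned_by(send: Transport, owner: str) -> List[int]:
    """IDs of the saved searches with the given owner, filtered on the server side."""
    rows = list_saved_searches(send, page_size=2, filter_expr=f'owner="{owner}"')
    return [row["id"] for row in rows]


class FakeQRadar:
    """Constructed transport honouring Range (items=a-b), fields, and an owner="x" filter."""

    def __init__(self, searches: List[dict]):
        self.searches = searches
        self.calls = 0  # number of requests the client issued

    def __call__(self, method, path, query, headers):
        self.calls += 1
        if method != "GET" or path != "/api/siem/offense_saved_searches":
            return 404, {}, None
        rows = self.searches
        if "filter" in query:
            m = re.fullmatch(r'owner="([^"]*)"', query["filter"])
            if not m:  # this stand-in understands only the owner filter
                return 422, {}, {"code": 1010}
            rows = [r for r in rows if r["owner"] == m.group(1)]
        a, b = map(int, re.fullmatch(r"items=(\d+)-(\d+)", headers["Range"]).groups())
        keep = query["fields"].split(",")
        window = [{k: r[k] for k in keep} for r in rows[a:b + 1]]
        return 200, {"Content-Range": f"items {a}-{a + len(window) - 1}/{len(rows)}"}, window


# Constructed sample data: five saved searches, three of them owned by "admin".
SAMPLE = FakeQRadar([
    {"id": 1, "name": "Open offenses", "owner": "admin"},
    {"id": 2, "name": "My offenses", "owner": "analyst"},
    {"id": 3, "name": "High magnitude", "owner": "admin"},
    {"id": 4, "name": "Closed last week", "owner": "analyst"},
    {"id": 5, "name": "Unassigned", "owner": "admin"},
])
```

With a page size of 2, `searches_owned_by(SAMPLE, "admin")` needs exactly two requests: the first window is full, the second returns a single item and ends the walk. Filtering on the server rather than after the fact matters for large deployments, since the client never has to pull the whole list to find the few entries it cares about.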

GET /siem/offense_saved_searches/{id} DEPRECATED


Retrieves an offense saved search.


Table 3517. GET /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 3518. GET /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3519. GET /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search was retrieved.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the offense saved search.

Response Description

The offense saved search after it has been retrieved. An offense saved search object contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

POST /siem/offense_saved_searches/{id} DEPRECATED


Updates the offense saved search owner only.


Table 3520. POST /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 3521. POST /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter header Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields header Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3522. POST /siem/offense_saved_searches/{id} request body details


Parameter Data Type MIME Type Description Sample
saved_search Object application/json null { "id": "1", "name": "String", "is_shared": true, "owner": "String" }

Table 3523. POST /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
200 The offense saved search was updated.
403 1009 You do not have the required capabilities to update the offense saved search.
404 1002 The offense saved search does not exist.
409 1004 The provided user does not have the required capabilities to own the offense saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the offense saved search.

Response Description

The offense saved search after it is updated. An offense saved search object contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /siem/offense_saved_searches/{id} DEPRECATED


Deletes an offense saved search. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started for this check.

Table 3524. DELETE /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 3525. DELETE /siem/offense_saved_searches/{id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3526. DELETE /siem/offense_saved_searches/{id} response codes


HTTP Response Code Unique Code Description
202 The offense saved search delete command was accepted and is in progress.
403 1009 You do not have the required capabilities to delete the offense saved search.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to delete the offense saved search.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_searches/{id}/dependents DEPRECATED


Retrieves the objects that depend on an offense saved search.


Table 3527. GET /siem/offense_saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 3528. GET /siem/offense_saved_searches/{id}/dependents request parameter details


Parameter Type Optionality Data Type MIME Type Description
id path Required Number (Integer) text/plain null
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3529. GET /siem/offense_saved_searches/{id}/dependents response codes


HTTP Response Code Unique Code Description
202 The offense saved search dependents retrieval was accepted and is in progress.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to initiate the offense saved search dependents retrieval task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/siem/offense_saved_search_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch when the task was created.
v started - Long - The time in milliseconds since epoch when the task was started.
v modified - Long - The time in milliseconds since epoch when the task was modified.
v completed - Long - The time in milliseconds since epoch when the task was completed.
v number_of_dependents - Long - The number of dependents found. The value is null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task component object contains the following fields:
– message - String - The localized sub-task status message.
– status - String - The current state of the sub-task.
– sub_task_type - String - The type of the sub-task.
– maximum - Long - The maximum number of objects to check for dependency.
– progress - Long - The number of objects that were checked for dependency.
– created - Long - The time in milliseconds since epoch when the sub-task was created.
– started - Long - The time in milliseconds since epoch when the sub-task was started.
– modified - Long - The time in milliseconds since epoch when the sub-task was modified.
– completed - Long - The time in milliseconds since epoch when the sub-task was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}
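The dependent task endpoints (status, cancel, results) and the saved search endpoints (delete, dependents) described above make up one asynchronous workflow: a DELETE or a dependents GET answers 202 with a Location header pointing at a task, the task is polled until its status reaches a terminal value, and the results are read from the task's /results resource. The client below is an added example, not QRadar's or IBM's code, that drives that workflow end to end. It follows the Location header instead of assembling task URLs, treats the documented terminal states as its stop condition, cancels by POSTing status CANCEL_REQUESTED and treats the documented 409 (unique code 1004) as "already finished", and refuses to delete while any dependent carries the blocking flag that appears in the results sample. FakeQRadar, the TERMINAL set, the sample search IDs and dependents are constructed assumptions, not product behaviour; a real client would add authentication and back off between polls.

```python
"""Delete an offense saved search safely: run the dependency check, poll its task,
read the dependents, then delete or cancel.  Added example, not QRadar's own code;
FakeQRadar is a constructed stand-in answering with the shapes documented above."""
import re
import time
from typing import Dict, List

TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}  # assumed terminal states
# A transport is any callable: send(method, path, json_body) -> (http_status, response_headers, json_body)


def wait_for_task(send, task_url: str, timeout: float = 30.0) -> dict:
    """Poll the task URL taken from the Location header until a terminal state."""
    deadline = time.monotonic() + timeout
    while True:
        status, _, task = send("GET", task_url, None)
        if status != 200:
            raise RuntimeError(f"task lookup failed: HTTP {status}")
        if task["status"] in TERMINAL:
            return task
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {task['id']} still {task['status']}")
        time.sleep(0.01)  # a production client would back off between polls


def cancel_task(send, task_url: str):
    """POST {"status": "CANCEL_REQUESTED"}; None when the task already finished (HTTP 409)."""
    status, _, task = send("POST", task_url, {"status": "CANCEL_REQUESTED"})
    if status == 409:
        return None
    if status != 200:
        raise RuntimeError(f"cancel failed: HTTP {status}")
    return task


def dependents_of(send, search_id: int) -> List[dict]:
    """Start the dependency check, wait for it, and fetch the /results list."""
    status, headers, _ = send("GET", f"/api/siem/offense_saved_searches/{search_id}/dependents", None)
    if status != 202:
        raise (LookupError if status == 404 else RuntimeError)(f"dependency check: HTTP {status}")
    task = wait_for_task(send, headers["Location"])
    if task["status"] != "COMPLETED":
        raise RuntimeError(f"dependency check ended in state {task['status']}")
    status, _, deps = send("GET", headers["Location"] + "/results", None)
    if status != 200:
        raise RuntimeError(f"results lookup failed: HTTP {status}")
    return deps


def safe_delete(send, search_id: int) -> dict:
    """Delete only when no dependent is flagged blocking; otherwise report what blocks."""
    blocking = [d["dependent_id"] for d in dependents_of(send, search_id) if d.get("blocking")]
    if blocking:
        return {"deleted": False, "blocking": blocking}
    status, headers, _ = send("DELETE", f"/api/siem/offense_saved_searches/{search_id}", None)
    if status != 202:
        raise RuntimeError(f"delete not accepted: HTTP {status}")
    return {"deleted": wait_for_task(send, headers["Location"])["status"] == "COMPLETED", "blocking": []}


class FakeQRadar:
    """Constructed transport: tasks advance QUEUED -> PROCESSING -> COMPLETED, one step per poll."""
    def __init__(self, dependents: Dict[int, List[dict]]):
        self.dependents = dependents      # search_id -> Dependent objects
        self.tasks: Dict[int, dict] = {}  # task_id -> task status object

    def _start(self, kind: str, search_id: int):
        tid = len(self.tasks) + 1
        self.tasks[tid] = {"id": tid, "status": "QUEUED", "kind": kind, "search": search_id}
        return 202, {"Location": f"/api/siem/offense_saved_search_{kind}_tasks/{tid}"}, None

    def __call__(self, method, path, body):
        m = re.fullmatch(r"/api/siem/offense_saved_searches/(\d+)(/dependents)?", path)
        if m:
            sid = int(m.group(1))
            if sid not in self.dependents:
                return 404, {}, {"code": 1002}
            if method == "GET" and m.group(2):
                return self._start("dependent", sid)
            if method == "DELETE" and not m.group(2):
                return self._start("delete", sid)
        m = re.fullmatch(r"/api/siem/offense_saved_search_(dependent|delete)_tasks/(\d+)(/results)?", path)
        if not m:
            return 404, {}, None
        task = self.tasks[int(m.group(2))]
        if m.group(3):
            return 200, {}, self.dependents[task["search"]]
        if method == "POST":
            if task["status"] in TERMINAL:
                return 409, {}, {"code": 1004}
            if body.get("status") == "CANCEL_REQUESTED":
                task["status"] = "CANCELLED"
            return 200, {}, task
        task["status"] = {"QUEUED": "PROCESSING", "PROCESSING": "COMPLETED"}.get(task["status"], task["status"])
        if task["kind"] == "delete" and task["status"] == "COMPLETED":
            self.dependents.pop(task["search"], None)  # the search is gone once its delete task completes
        return 200, {}, task


# Constructed sample: search 7 is used by a blocking rule, search 8 only by a dashboard.
SAMPLE = FakeQRadar({
    7: [{"dependent_id": "1001", "dependent_type": "CRE_RULE", "blocking": True}],
    8: [{"dependent_id": "2002", "dependent_type": "DASHBOARD", "blocking": False}],
})
```

Against the sample, `safe_delete(SAMPLE, 7)` stops with the blocking rule reported and never issues the DELETE, while `safe_delete(SAMPLE, 8)` runs the check, issues the DELETE, follows the delete task to COMPLETED and reports success. Stopping on every terminal state rather than only COMPLETED is what keeps a CANCELLED or EXCEPTION task from being polled until the timeout.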

GET /siem/offenses DEPRECATED


Retrieves a list of offenses currently in the system.


Table 3530. GET /siem/offenses resource details
MIME Type
application/json

Table 3531. GET /siem/offenses request parameter details


Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3532. GET /siem/offenses response codes


HTTP Response Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:


• id - Number - The ID of the offense.
• description - String - The description of the offense. Filtering is not supported on this field.
• assigned_to - String - The user the offense is assigned to.

7 Previous REST API versions 1561


• categories - Array of strings - Event categories that are associated with the offense.
• category_count - Number - The number of event categories that are associated with the offense.
• policy_category_count - Number - The number of policy event categories that are associated with the offense.
• security_category_count - Number - The number of security event categories that are associated with the offense.
• close_time - Number - The number of milliseconds since epoch when the offense was closed.
• closing_user - String - The user that closed the offense.
• closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
• credibility - Number - The credibility of the offense.
• relevance - Number - The relevance of the offense.
• severity - Number - The severity of the offense.
• magnitude - Number - The magnitude of the offense.
• destination_networks - Array of strings - The destination networks that are associated with the offense.
• source_network - String - The source network that is associated with the offense. Filtering is not supported on this field.
• device_count - Number - The number of devices that are associated with the offense.
• event_count - Number - The number of events that are associated with the offense.
• flow_count - Number - The number of flows that are associated with the offense.
• inactive - Boolean - True if the offense is inactive.
• last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.
• local_destination_count - Number - The number of local destinations that are associated with the offense.
• offense_source - String - The source of the offense. Filtering is not supported on this field.
• offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.
• protected - Boolean - True if the offense is protected.
• follow_up - Boolean - True if the offense is marked for follow up.
• remote_destination_count - Number - The number of remote destinations that are associated with the offense.
• source_count - Number - The number of sources that are associated with the offense.
• start_time - Number - The number of milliseconds since epoch when the offense was started.
• status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". The following operators are not supported when you filter on this field: "<", ">", "<=", ">=", "BETWEEN".
• username_count - The number of usernames that are associated with the offense.
• source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
• local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.
• domain_id - Number - Optional. ID of the associated domain if the offense is associated with a single domain.

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42,
"event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",
"last_updated_time": 42,
"categories": ["String"],
"offense_type": 42
}]

GET /siem/offenses/{offense_id} DEPRECATED


Retrieve an offense structure that describes the properties of an offense.


Table 3533. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 3534. GET /siem/offenses/{offense_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number (Integer) text/plain Required - The offense ID.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3535. GET /siem/offenses/{offense_id} response codes


HTTP Response Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.

422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being retrieved.

Response Description

An Offense object. An Offense object contains the following fields:


• id - Number - The ID of the offense.
• description - String - The description of the offense.
• assigned_to - String - The user the offense is assigned to.
• categories - Array of strings - Event categories that are associated with the offense.
• category_count - Number - The number of event categories that are associated with the offense.
• policy_category_count - Number - The number of policy event categories that are associated with the offense.
• security_category_count - Number - The number of security event categories that are associated with the offense.
• close_time - Number - The number of milliseconds since epoch when the offense was closed.
• closing_user - String - The user that closed the offense.
• closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
• credibility - Number - The credibility of the offense.
• relevance - Number - The relevance of the offense.
• severity - Number - The severity of the offense.
• magnitude - Number - The magnitude of the offense.
• destination_networks - Array of strings - The destination networks that are associated with the offense.
• source_network - String - The source network that is associated with the offense.
• device_count - Number - The number of devices that are associated with the offense.
• event_count - Number - The number of events that are associated with the offense.
• flow_count - Number - The number of flows that are associated with the offense.
• inactive - Boolean - True if the offense is inactive.
• last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.
• local_destination_count - Number - The number of local destinations that are associated with the offense.
• offense_source - String - The source of the offense.
• offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.
• protected - Boolean - True if the offense is protected.
• follow_up - Boolean - True if the offense is marked for follow up.
• remote_destination_count - Number - The number of remote destinations that are associated with the offense.
• source_count - Number - The number of sources that are associated with the offense.
• start_time - Number - The number of milliseconds since epoch when the offense was started.
• status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
• username_count - The number of usernames that are associated with the offense.
• source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
• local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.
• domain_id - Number - Optional. ID of the associated domain if the offense is associated with a single domain.

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes DEPRECATED


Retrieve a list of notes for an offense.
Table 3536. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 3537. GET /siem/offenses/{offense_id}/notes request parameter details
Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number (Integer) text/plain Required - The offense ID to retrieve the notes for.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3538. GET /siem/offenses/{offense_id}/notes response codes


HTTP Response Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:


• id - Number - The ID of the note.
• create_time - Number - The number of milliseconds since epoch when the note was created.
• username - String - The user or authorized service that created the note.
• note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED
Retrieve a note for an offense.
Table 3539. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

Table 3540. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number (Integer) text/plain Required - The offense ID to retrieve the note from.
note_id path Required Number (Integer) text/plain Required - The note ID.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3541. GET /siem/offenses/{offense_id}/notes/{note_id} response codes


HTTP Response Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
• id - Number - The ID of the note.
• create_time - Number - The number of milliseconds since epoch when the note was created.
• username - String - The user or authorized service that created the note.
• note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}/notes DEPRECATED
Create a note on an offense.
Table 3542. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 3543. POST /siem/offenses/{offense_id}/notes request parameter details


Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number (Integer) text/plain Required - The offense ID to add the note to.
note_text query Required String text/plain Required - The note text.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3544. POST /siem/offenses/{offense_id}/notes response codes


HTTP Response Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the note.

Response Description

The Note object that was created. A Note object contains the following fields:
• id - Number - The ID of the note.
• create_time - Number - The number of milliseconds since epoch when the note was created.
• username - String - The user or authorized service that created the note.
• note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id} DEPRECATED


Update an offense.
Table 3545. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 3546. POST /siem/offenses/{offense_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
offense_id path Required Number (Integer) text/plain Required - The ID of the offense to update.
protected query Optional Boolean text/plain Optional - Set to true to protect the offense.
follow_up query Optional Boolean text/plain Optional - Set to true to set the follow up flag on the offense.
status query Optional String text/plain Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.
closing_reason_id query Optional Number (Integer) text/plain Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense.
assigned_to query Optional String text/plain Optional - A user to assign the offense to.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3547. POST /siem/offenses/{offense_id} response codes


HTTP Response Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an offense.
404 1002 No offense was found for the provided offense_id.
409 1008 Request cannot be completed due to the state of the offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:


• id - Number - The ID of the offense.
• description - String - The description of the offense.
• assigned_to - String - The user the offense is assigned to.
• categories - Array of strings - Event categories that are associated with the offense.
• category_count - Number - The number of event categories that are associated with the offense.
• policy_category_count - Number - The number of policy event categories that are associated with the offense.
• security_category_count - Number - The number of security event categories that are associated with the offense.
• close_time - Number - The number of milliseconds since epoch when the offense was closed.
• closing_user - String - The user that closed the offense.
• closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.
• credibility - Number - The credibility of the offense.
• relevance - Number - The relevance of the offense.
• severity - Number - The severity of the offense.
• magnitude - Number - The magnitude of the offense.
• destination_networks - Array of strings - The destination networks that are associated with the offense.
• source_network - String - The source network that is associated with the offense.
• device_count - Number - The number of devices that are associated with the offense.
• event_count - Number - The number of events that are associated with the offense.
• flow_count - Number - The number of flows that are associated with the offense.
• inactive - Boolean - True if the offense is inactive.
• last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.
• local_destination_count - Number - The number of local destinations that are associated with the offense.
• offense_source - String - The source of the offense.
• offense_type - Number - A number that represents the offense type. See the Offense Type Codes table for the code to offense type mapping.
• protected - Boolean - True if the offense is protected.
• follow_up - Boolean - True if the offense is marked for follow up.
• remote_destination_count - Number - The number of remote destinations that are associated with the offense.
• source_count - Number - The number of sources that are associated with the offense.
• start_time - Number - The number of milliseconds since epoch when the offense was started.
• status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
• username_count - The number of usernames that are associated with the offense.
• source_address_ids - Array of numbers - The source address IDs that are associated with the offense.
• local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.
• domain_id - Number - Optional. ID of the associated domain if the offense is associated with a single domain.
Table 3548. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}
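The following Python helpers are an added example for the GET /siem/offenses and POST /siem/offenses/{offense_id} endpoints described above; they are not code from the IBM guide or from QRadar. They build the requests (returned as method, URL and headers for any HTTP client), enforce client-side the Table 3546 rule that a CLOSED status needs a closing_reason_id, and decode responses against the unique codes in Tables 3532 and 3547. The /api path prefix, the SEC and Version headers, the "items=first-last" Range format and the JSON "code" field in error bodies are assumptions not stated in this section.

```python
"""Request builders and response decoding for the deprecated QRadar
GET /siem/offenses and POST /siem/offenses/{offense_id} endpoints.
Added example, not code from the IBM guide or from QRadar.  Assumed here
because this section does not state them: the /api path prefix, the SEC and
Version headers, the "Range: items=first-last" paging format, and that error
bodies carry the unique code in a JSON "code" field.
"""
import json
import urllib.parse
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

OFFENSE_STATUSES = ("OPEN", "HIDDEN", "CLOSED")

# Unique codes documented for these two endpoints (Tables 3532 and 3547).
UNIQUE_CODES = {
    1002: "No offense was found for the provided offense_id.",
    1005: "A request parameter is not valid.",
    1008: "Request cannot be completed due to the state of the offense.",
    1009: "User does not have the required capability to assign an offense.",
    1010: "The filter parameter is not valid.",
    1020: "An error occurred while the offense list was retrieved or the offense updated.",
}

Request = Tuple[str, str, Dict[str, str]]  # (method, url, headers)

def _headers(token: str, api_version: str) -> Dict[str, str]:
    # SEC carries an authorized-service token; Version pins the API version.
    return {"SEC": token, "Version": api_version, "Accept": "application/json"}

def build_list_offenses_request(base_url: str, token: str, api_version: str,
                                filter_expr: Optional[str] = None,
                                fields: Optional[str] = None,
                                page: int = 0, page_size: int = 50) -> Request:
    """GET /siem/offenses with the filter, fields and Range parameters of Table 3531."""
    params = {k: v for k, v in (("filter", filter_expr), ("fields", fields)) if v}
    url = f"{base_url}/api/siem/offenses"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = _headers(token, api_version)
    first = page * page_size  # the list is indexed starting at zero
    headers["Range"] = f"items={first}-{first + page_size - 1}"
    return ("GET", url, headers)

def update_problems(status: Optional[str], closing_reason_id: Optional[int]) -> list:
    """Client-side check of the Table 3546 rules; an empty list means the call is valid."""
    problems = []
    if status is not None and status not in OFFENSE_STATUSES:
        problems.append("status must be one of " + ", ".join(OFFENSE_STATUSES))
    if status == "CLOSED" and closing_reason_id is None:
        problems.append("a valid closing_reason_id must be provided when closing an offense")
    return problems

def build_update_offense_request(base_url: str, token: str, api_version: str,
                                 offense_id: int, status: Optional[str] = None,
                                 closing_reason_id: Optional[int] = None,
                                 assigned_to: Optional[str] = None,
                                 protected: Optional[bool] = None,
                                 follow_up: Optional[bool] = None) -> Request:
    """POST /siem/offenses/{offense_id}; every update travels as a query parameter."""
    problems = update_problems(status, closing_reason_id)
    if problems:  # fail locally instead of drawing a 422 / 1005 from the console
        raise ValueError("; ".join(problems))
    params: Dict[str, Any] = {}
    if status is not None:
        params["status"] = status
    if closing_reason_id is not None:
        params["closing_reason_id"] = int(closing_reason_id)
    if assigned_to is not None:
        params["assigned_to"] = assigned_to
    for name, flag in (("protected", protected), ("follow_up", follow_up)):
        if flag is not None:
            params[name] = "true" if flag else "false"  # text/plain booleans
    url = f"{base_url}/api/siem/offenses/{int(offense_id)}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return ("POST", url, _headers(token, api_version))

@dataclass
class ApiResult:
    http_status: int
    data: Any = None                   # decoded JSON body on 2xx
    unique_code: Optional[int] = None  # QRadar unique code on errors
    message: str = ""                  # documented meaning of that unique code

def decode_response(http_status: int, body: str) -> ApiResult:
    """Map an HTTP status and body onto the response-code tables of the guide."""
    if 200 <= http_status < 300:
        return ApiResult(http_status, json.loads(body) if body else None)
    code = None
    try:
        code = json.loads(body).get("code")  # assumed error-body layout
    except (ValueError, AttributeError):
        pass
    return ApiResult(http_status, None, code, UNIQUE_CODES.get(code, "undocumented unique code"))
```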

GET /siem/offense_types DEPRECATED


Retrieve all Offense Types.


Table 3549. GET /siem/offense_types resource details
MIME Type
application/json

Table 3550. GET /siem/offense_types request parameter details


Parameter Type Optionality Data Type MIME Type Description
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort query Optional String text/plain Optional - This parameter is used to sort the elements in a list.

Table 3551. GET /siem/offense_types response codes


HTTP Response Code Unique Code Description
200 The requested offense types list has been retrieved.
422 1005 A request parameter is not valid.
422 1012 The selected field cannot be used for sorting or it does not exist.
500 1020 An error occurred while attempting to retrieve the offense type list.

Response Description

The Offense Types that exist at the moment. Offense types may include custom flow/event properties only if they have been selected as part of a rule action or rule response limiter.
• id - Number - The ID of the offense type and what is presented in the offense's offense_type.
• property_name - String - The name of the event or flow property represented by this offense type for flow or event properties, or the unique identifier for custom flow or event properties.
• name - String - The offense type's name.
• database_type - String - Database where this type is present. Possible values are: EVENTS, FLOWS, or COMMON (if it belongs to both events and flows).
• custom - boolean - True if the offense type is based on a custom flow or event property.
The following field can be sorted on: id.

Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS, FLOWS, COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id} DEPRECATED


Retrieve an offense type structure that describes the properties of an offense type.


Table 3552. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 3553. GET /siem/offense_types/{offense_type_id} request parameter details


Parameter Type Optionality Data Type MIME Type Description
offense_type_id path Required Number (Integer) text/plain Required - int - The offense type ID.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3554. GET /siem/offense_types/{offense_type_id} response codes


HTTP Response Code Unique Code Description
200 The requested offense type has been retrieved.
404 1002 The requested offense type cannot be found.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the requested offense type.

Response Description

The Offense Type with the entered offense_type_id.


• id - Number - The ID of the offense type and what is presented in the offense's offense_type.
• property_name - String - The name of the event or flow property represented by this offense type for flow or event properties, or the unique identifier for custom flow or event properties.
• name - String - The offense type's name.
• database_type - String - Database where this type is present. Possible values are: EVENTS, FLOWS, or COMMON (if it belongs to both events and flows).
• custom - boolean - True if the offense type is based on a custom flow or event property.

Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS, FLOWS, COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/source_addresses DEPRECATED


Retrieve a list of offense source addresses currently in the system.
Table 3555. GET /siem/source_addresses resource details
MIME Type
application/json

Table 3556. GET /siem/source_addresses request parameter details


Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3557. GET /siem/source_addresses response codes


HTTP Response Code Unique Code Description
200 The source address list was retrieved.

422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was being retrieved.

Response Description

An array of source address objects. A source address object contains the following fields:
• id - Number - The ID of the source.
• source_ip - String - The IP address.
• magnitude - Number - The magnitude of the source address.
• network - String - The network of the source address.
• offense_ids - Array of Numbers - List of offense IDs the source is part of.
• local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.
• event_flow_count - Number - The number of events and flows that are associated with the source.
• first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
• last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
• domain_id - Number - The ID of the associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id} DEPRECATED


Retrieve an offense source address.
Table 3558. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 3559. GET /siem/source_addresses/{source_address_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number (Integer) text/plain Required - The ID of the source address to retrieve.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas.

Table 3560. GET /siem/source_addresses/{source_address_id} response codes


HTTP Response Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was being retrieved.

Response Description

A source address object. A source address object contains the following fields:
• id - Number - The ID of the source.
• source_ip - String - The IP address.
• magnitude - Number - The magnitude of the source address.
• network - String - The network of the source address.
• offense_ids - Array of Numbers - List of offense IDs the source is part of.
• local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.
• event_flow_count - Number - The number of events and flows that are associated with the source.
• first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.
• last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.
• domain_id - Number - The ID of the associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}

Staged configuration endpoints
Use the references for REST API V7.0 staged configuration endpoints.

GET /staged_config/deploy_status DEPRECATED


Retrieves the status of a deploy in progress.


Table 3561. GET /staged_config/deploy_status resource details
MIME Type
application/json

There are no parameters for this endpoint.


Table 3562. GET /staged_config/deploy_status response codes
HTTP Response Code Unique Code Description
200 The event Ariel saved search group was updated.
500 1020 An error occurred during the attempt to retrieve the status of the running deploy.

Response Description

The deploy status object. A deploy status object contains the following fields:
• initiated_by - String - The name of the user who initiated the deploy.
• initiated_from - String - The hostname from where the deploy was initiated.
• type - String - The type of deploy: FULL or INCREMENTAL.
• status - String - The status of the deploy: UNKNOWN, START, DONE.
• hosts - Map of < String, List of String > - A map of status states and a list of hosts.
• error_message - String - The deployment error message.
• has_errors - Boolean - True if the deploy has encountered an error.
• percent_complete - Integer - The percentage of completion of the deploy (0 - 100).

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

POST /staged_config/deploy_status DEPRECATED


Executes a deploy.

Table 3563. POST /staged_config/deploy_status resource details
MIME Type
application/json

Table 3564. POST /staged_config/deploy_status request body details


Parameter Data Type MIME Type Description Sample
deploy_status Object application/json null { "hosts": [ { "host_status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>", "ip": "String", "status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>" } ], "initiated_by": "String", "initiated_from": "String", "percent_complete": 42, "status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>", "type": "String <one of: INCREMENTAL, FULL>" }

Table 3565. POST /staged_config/deploy_status response codes
HTTP Response Code | Unique Code | Description
200 | | The deploy was scheduled.
409 | 1002 | There already exists a deploy in action, or there are no changes to deploy.
409 | 1003 | null
409 | 1004 | null
422 | 1005 | null
500 | 1020 | An error occurred during the attempt to run the deploy.

Response Description

The deploy status object. A deploy status object contains the following fields:
• initiated_by - String - The name of the user who initiated the deploy.
• initiated_from - String - The hostname from where the deploy was initiated.
• type - String - The type of deploy: FULL or INCREMENTAL.
• status - String - The status of the deploy: UNKNOWN, START, DONE.
• hosts - Map of <String, List of String> - A map of status states and a list of hosts.
• error_message - String - The deployment error message.
• has_errors - Boolean - True if the deploy has encountered an error.
• percent_complete - Integer - The percentage of completion of the deploy (0 - 100).

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS, INITIATING, IN_PROGRESS, TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING, IN_PROGRESS, COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}
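The deploy life cycle that these two endpoints describe, as an added example that is not code from the QRadar API Guide or the product: POST /staged_config/deploy_status starts the deploy, GET /staged_config/deploy_status is polled until status is COMPLETE, and the host list is then inspected for TIMED_OUT or ERROR entries. The transport callable, the fake transport with its canned responses, and the error-body shape ({"code", "message"}) are assumptions made so the code runs offline; a real transport would send the SEC token and Version headers over HTTPS.

```python
# Added example, not from the QRadar API Guide: start a staged-config deploy, poll its
# status until COMPLETE, and report hosts that finished in TIMED_OUT or ERROR.
from typing import Any, Callable, Dict, List, Tuple

# Assumed HTTP layer: (method, path) -> (http_status, parsed JSON body). A real transport
# would add the SEC (token) and Version headers and call the console over HTTPS.
Transport = Callable[[str, str], Tuple[int, Any]]

DEPLOY_PATH = "/staged_config/deploy_status"
FAILED_HOST_STATES = {"TIMED_OUT", "ERROR"}   # host-level states from the response sample


class DeployError(RuntimeError):
    """Raised when the deploy cannot be started or does not finish."""


def start_deploy(transport: Transport) -> Dict[str, Any]:
    """POST the deploy; 409 with unique code 1002 means one is already running or nothing is staged."""
    status, body = transport("POST", DEPLOY_PATH)
    if status == 200:
        return body
    # Assumed error-body shape: {"code": <unique code>, "message": "..."}; only these keys are used.
    code = body.get("code") if isinstance(body, dict) else None
    if status == 409 and code == 1002:
        raise DeployError("deploy already in progress or no staged changes")
    raise DeployError("unexpected HTTP %d (unique code %s)" % (status, code))


def poll_deploy(transport: Transport, max_polls: int = 60) -> Dict[str, Any]:
    """GET the status until it is COMPLETE; bounded so a stuck deploy cannot hang the caller."""
    body: Dict[str, Any] = {}
    for _ in range(max_polls):
        status, body = transport("GET", DEPLOY_PATH)
        if status != 200:
            raise DeployError("status query failed with HTTP %d" % status)
        if body.get("status") == "COMPLETE":
            return body
    raise DeployError("deploy still %s after %d polls" % (body.get("status"), max_polls))


def failed_hosts(deploy_status: Dict[str, Any]) -> List[str]:
    """Hosts that ended in TIMED_OUT or ERROR. The guide describes 'hosts' as a map of
    state -> [host, ...] but the sample shows a list of {ip, status, ...}; accept both shapes."""
    hosts = deploy_status.get("hosts") or []
    if isinstance(hosts, dict):
        return sorted(h for state, names in hosts.items() if state in FAILED_HOST_STATES for h in names)
    return sorted(h["ip"] for h in hosts if h.get("status") in FAILED_HOST_STATES)


def run_deploy(transport: Transport) -> Tuple[Dict[str, Any], List[str]]:
    """Start, wait, and report: returns the final status object and the failed hosts."""
    start_deploy(transport)
    final = poll_deploy(transport)
    return final, failed_hosts(final)


def make_fake_transport(responses: List[Tuple[int, Any]]) -> Transport:
    """Constructed offline stand-in: replays canned (status, body) pairs in order."""
    queue = list(responses)

    def transport(method: str, path: str) -> Tuple[int, Any]:
        assert path == DEPLOY_PATH, path
        return queue.pop(0)
    return transport


# Constructed sample exchange: POST accepted, one IN_PROGRESS poll, then COMPLETE with
# one managed host that timed out (addresses are made up for the example).
SAMPLE_EXCHANGE: List[Tuple[int, Any]] = [
    (200, {"status": "INITIALIZING", "type": "INCREMENTAL", "percent_complete": 0, "hosts": []}),
    (200, {"status": "IN_PROGRESS", "type": "INCREMENTAL", "percent_complete": 50,
           "hosts": [{"ip": "10.0.0.11", "status": "IN_PROGRESS", "host_status": "IN_PROGRESS"}]}),
    (200, {"status": "COMPLETE", "type": "INCREMENTAL", "percent_complete": 100,
           "has_errors": True, "error_message": "deploy timed out on 1 host",
           "hosts": [{"ip": "10.0.0.11", "status": "TIMED_OUT", "host_status": "TIMED_OUT"},
                     {"ip": "10.0.0.12", "status": "SUCCESS", "host_status": "SUCCESS"}]}),
]

if __name__ == "__main__":
    final, bad = run_deploy(make_fake_transport(SAMPLE_EXCHANGE))
    print(final["status"], final.get("percent_complete"), "failed hosts:", bad)
```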

GET /staged_config/global_system_notifications DEPRECATED


Retrieves a list of all staged global system notifications.


Table 3566. GET /staged_config/global_system_notifications resource details
MIME Type
application/json

Table 3567. GET /staged_config/global_system_notifications request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.



Table 3568. GET /staged_config/global_system_notifications response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notifications list was successfully retrieved.
500 | 1020 | An internal server error occurred while retrieving the list of staged global system notifications.

Response Description

A list of all staged global system notifications.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /staged_config/global_system_notifications/{notification_id} DEPRECATED


Retrieves a staged global system notification by ID.



Table 3569. GET /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 3570. GET /staged_config/global_system_notifications/{notification_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
notification_id | path | Required | Number (Integer) | text/plain | ID that is used for retrieving a staged global system notification.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3571. GET /staged_config/global_system_notifications/{notification_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notification was successfully retrieved.
404 | 1002 | No staged global system notification was found for the provided notification ID.
500 | 1020 | An error occurred while the notification was being retrieved.



Response Description

The associated staged global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

POST /staged_config/global_system_notifications/{notification_id} DEPRECATED


Updates an existing staged global system notification.



Table 3572. POST /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 3573. POST /staged_config/global_system_notifications/{notification_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
notification_id | path | Required | Number (Integer) | text/plain | ID that is used for updating a staged global system notification.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3574. POST /staged_config/global_system_notifications/{notification_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
notification | Object | application/json | The updated global system notification object. | { "id": 1, "name": "Systemloadover1minute", "operator": "GT", "value": 3.6, "message": "If your system continues to exhibit this behavior, please contact Customer Support.", "enabled": true, "isDefault": true }

Table 3575. POST /staged_config/global_system_notifications/{notification_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The staged global system notification was successfully updated.
404 | 1002 | No staged global system notification was found for the provided notification ID.
422 | 1005 | A request parameter is invalid.
500 | 1020 | An error occurred while the notification was being retrieved.



Response Description

The associated updated staged global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

DELETE /staged_config/yara_rules DEPRECATED


Deletes all Yara rules from the QRadar system.



Table 3576. DELETE /staged_config/yara_rules resource details
MIME Type
text/plain

There are no parameters for this endpoint.


Table 3577. DELETE /staged_config/yara_rules response codes
HTTP Response Code | Unique Code | Description
204 | | Yara rules were successfully deleted from the system.
500 | 1020 | An error occurred during the attempt to delete the Yara rules.

Response Description

In case of an error, the method returns an exception.

Response Sample

PUT /staged_config/yara_rules DEPRECATED


Uploads the supplied Yara rule file to the QRadar system. If the provided Yara file is empty, all rules are deleted from the system.


Table 3578. PUT /staged_config/yara_rules resource details
MIME Type
text/plain



Table 3579. PUT /staged_config/yara_rules request body details
Parameter | Data Type | MIME Type | Description | Sample
file | File | application/zip | Required - The Yara rule file. Must be properly-formed Yara rule content, either a TEXT file, or a TEXT file within a ZIP or TAR.GZ archive. Must be provided with MIME type text/plain, application/zip, application/x-gzip or multipart/form-data. | File

Table 3580. PUT /staged_config/yara_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The supplied Yara rule file was uploaded.
422 | 1101 | Must be a correctly-formatted Yara rule file.
422 | 1103 | The archive file must only contain a single Yara rule file.
422 | 1107 | Invalid archive file was provided.
500 | 1104 | Failed to extract the contents of the archive file.
500 | 1105 | Yara validator script was terminated owing to timeout.
500 | 1106 | Yara validator script encountered an unknown exception.

Response Description

In case of an error, the method returns an exception.

Response Sample

System endpoints
Use the references for REST API V7 system endpoints.

GET /system/information/locales DEPRECATED


Retrieves a list of locales from the system, with the option to include samples.

Table 3581. GET /system/information/locales resource details
MIME Type
application/json

Table 3582. GET /system/information/locales request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
sample_type | query | Optional | String | text/plain | Optional - type of samples for the locale. Currently the only supported option is NUMBER.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3583. GET /system/information/locales response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of locales was retrieved.
500 | 1020 | An error occurred during the attempt to retrieve the list of locales.

Response Description

A list of locales. A locale contains the following fields:
• id - String - The tag of the locale.
• label - String - The name of the locale.
• sample - String - The optional sample for the locale.

Response Sample
[
{
"id": "sq",
"label": "Albanian",
"sample": "1 234 567,89"
},
{
"id": "sq-AL",
"label": "Albanian (Albania)",
"sample": "1 234 567,89"
},
{
"id": "ar",
"label": "Arabic",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
},
{
"id": "ar-DZ",
"label": "Arabic (Algeria)",
"sample": "1.234.567,89"
},
{
"id": "ar-BH",
"label": "Arabic (Bahrain)",
"sample": "١٬٢٣٤٬٥٦٧٫٨٩"
}
]



GET /system/servers DEPRECATED
Retrieve a list of all server hosts in the deployment.
Table 3584. GET /system/servers resource details
MIME Type
application/json

Table 3585. GET /system/servers request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3586. GET /system/servers response codes
HTTP Response Code | Unique Code | Description
200 | | The requested list of server records has been successfully retrieved.
500 | 1020 | An error has occurred while trying to retrieve the requested servers.

Response Description

A list of the servers. A server record contains the following fields:
• hostname - String - hostname
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private ip of this server
• status - String - The status of this server

Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]



GET /system/servers/{server_id} DEPRECATED
Retrieve a server host based on the supplied server ID.
Table 3587. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 3588. GET /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3589. GET /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The requested server record has been retrieved.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given Id.

Response Description

A server record containing the following fields:
• email_server_address - String - email server address
• hostname - String - hostname
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private ip of this server
• status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}



POST /system/servers/{server_id} DEPRECATED
Updates an existing server.
Table 3590. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 3591. POST /system/servers/{server_id} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.

Table 3592. POST /system/servers/{server_id} request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - A server details record containing the following field: email_server_address - String - email server address. Must be a valid server address that the server can connect to through port 25. | { "email_server_address": "String" }

Table 3593. POST /system/servers/{server_id} response codes
HTTP Response Code | Unique Code | Description
200 | | The server record has been updated.
404 | 1002 | The requested server record with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
422 | 1006 | Cannot connect to the mail server address on port 25.
500 | 1020 | An error has occurred while trying to retrieve the requested server host with the given Id.

Response Description

The updated server record containing the following fields:
• email_server_address - String - email server address.
• hostname - String - hostname
• managed_host_id - Number - Id of the managed host the server host belongs to
• private_ip - String - The private ip of this server
• status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}



GET /system/servers/{server_id}/firewall_rules DEPRECATED
Retrieve a list of access control firewall rules based on the supplied server ID.
Table 3594. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 3595. GET /system/servers/{server_id}/firewall_rules request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3596. GET /system/servers/{server_id}/firewall_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The rules records have been retrieved.
404 | 1002 | The requested server with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to retrieve the requested access control firewall rules on the server with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address



Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules DEPRECATED


Set the access control firewall rules based on the supplied server ID.
Table 3597. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 3598. PUT /system/servers/{server_id}/firewall_rules request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.

Table 3599. PUT /system/servers/{server_id}/firewall_rules request body details
Parameter | Data Type | MIME Type | Description | Sample
rules | Array<Object> | application/json | Required - A list of new rules in a JSON string. Each rule record contains the following fields: | [ { "is_any_source_ip": true, "port_range": "String", "port_type": "String <one of: ANY, SINGLE, RANGE>", "protocol": "String <one of: ANY, TCP, UDP>", "single_port": "String", "source_ip": "String" } ]
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address.

Table 3600. PUT /system/servers/{server_id}/firewall_rules response codes
HTTP Response Code | Unique Code | Description
200 | | The rules have been updated.
404 | 1002 | The requested server with the given server_id cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error has occurred while trying to set the access control firewall rules on the server with the given Id.



Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
• is_any_source_ip - Boolean - Whether any source IP is accepted
• port_range - String - A port range in the format of start-end
• port_type - String - one of: ANY, SINGLE, RANGE
• protocol - String - one of: ANY, TCP, UDP
• single_port - String - A single port
• source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]
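A client-side check of a rule list before it is sent to PUT /system/servers/{server_id}/firewall_rules, as an added example that is not code from the QRadar API Guide or the product: it validates each record against the field values documented above and flags rules that accept any source on any port and protocol, since the PUT replaces the rule set on the server. The sample rules, audit_rules and its report layout are constructed here; the guide calls source_ip "a specific IP address" and says nothing about network ranges, so a single address is required.

```python
# Added example, not from the QRadar API Guide: validate and audit an access control
# firewall rule list in the record format documented for the firewall_rules endpoints.
import ipaddress
from typing import Any, Dict, List, Tuple

PORT_TYPES = {"ANY", "SINGLE", "RANGE"}
PROTOCOLS = {"ANY", "TCP", "UDP"}


def _is_port(value: Any) -> bool:
    """True for a decimal string in 1..65535 (the guide types single_port as String)."""
    return isinstance(value, str) and value.isdigit() and 1 <= int(value) <= 65535


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Problems with one rule record; an empty list means it matches the documented shape."""
    problems: List[str] = []
    port_type, protocol = rule.get("port_type"), rule.get("protocol")
    if port_type not in PORT_TYPES:
        problems.append("port_type must be one of ANY, SINGLE, RANGE")
    if protocol not in PROTOCOLS:
        problems.append("protocol must be one of ANY, TCP, UDP")
    if port_type == "SINGLE" and not _is_port(rule.get("single_port")):
        problems.append("single_port must be a port number when port_type is SINGLE")
    if port_type == "RANGE":
        # port_range is documented as "start-end"
        start, sep, end = str(rule.get("port_range", "")).partition("-")
        if not (sep and _is_port(start) and _is_port(end) and int(start) <= int(end)):
            problems.append("port_range must be start-end with start <= end when port_type is RANGE")
    if rule.get("is_any_source_ip") is not True:
        try:
            ipaddress.ip_address(rule.get("source_ip") or "")
        except ValueError:
            problems.append("source_ip must be a specific IP address when is_any_source_ip is false")
    return problems


def is_wide_open(rule: Dict[str, Any]) -> bool:
    """Any source, any protocol, any port: the rule admits all traffic the host can receive."""
    return (rule.get("is_any_source_ip") is True
            and rule.get("port_type") == "ANY" and rule.get("protocol") == "ANY")


def audit_rules(rules: List[Dict[str, Any]]) -> Dict[str, List[Tuple[int, Any]]]:
    """Index every rule that is malformed or wide open; send the list only when both are empty."""
    report: Dict[str, List[Tuple[int, Any]]] = {"invalid": [], "wide_open": []}
    for i, rule in enumerate(rules):
        problems = validate_rule(rule)
        if problems:
            report["invalid"].append((i, problems))
        elif is_wide_open(rule):
            report["wide_open"].append((i, rule))
    return report


# Constructed sample: a single-port TCP rule from one address, a malformed range rule
# that also uses a network instead of an address, and an any/any/any rule.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"is_any_source_ip": False, "source_ip": "198.51.100.7", "port_type": "SINGLE",
     "single_port": "22", "port_range": "", "protocol": "TCP"},
    {"is_any_source_ip": False, "source_ip": "198.51.100.0/24", "port_type": "RANGE",
     "single_port": "", "port_range": "6000-5000", "protocol": "UDP"},
    {"is_any_source_ip": True, "source_ip": "", "port_type": "ANY",
     "single_port": "", "port_range": "", "protocol": "ANY"},
]

if __name__ == "__main__":
    for kind, hits in audit_rules(SAMPLE_RULES).items():
        print(kind, hits)
```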

GET /system/servers/{server_id}/network_interfaces/bonded DEPRECATED


Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 3601. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 3602. GET /system/servers/{server_id}/network_interfaces/bonded request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The id of the server.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.



Table 3603. GET /system/servers/{server_id}/network_interfaces/bonded response codes
HTTP Response Code | Unique Code | Description
200 | | A list of the bonded network interfaces were retrieved.
404 | 1002 | The requested server with the given server ID cannot be found.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to retrieve the bonded interfaces on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
• device_name - String - The name of the network interface.
• desc - String - The description of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_cable_linked - String - Is the network interface cable linked? One of: YES, NO, UNKNOWN
• is_moving_config_with_active_ha - Boolean - Will apply the same settings to a new active HA server during failover.
• hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.
• slaves - List - The slaves of the bonded network interface. Each slave record contains the following fields:
– device_name - String - The name of the slave interface.
– desc - String - The description of the slave interface.
– role - String - The role of the slave interface. One of: slave, slave_disabled
– is_cable_linked - String - Is the slave interface cable linked? One of: true, false, unknown

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}
]

POST /system/servers/{server_id}/network_interfaces/bonded DEPRECATED


Creates a new bonded network interface.
Table 3604. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 3605. POST /system/servers/{server_id}/network_interfaces/bonded request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.



Table 3606. POST /system/servers/{server_id}/network_interfaces/bonded request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - The details of the bonded network interface that contains the following fields: | { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }
• role - String - The role of the network interface. One of: regular, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the ip and the mask must not be the same subnet that is configured on the management interface.
• is_auto_ip - Boolean - Is the address auto-configured? Required.
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.

Table 3607. POST /system/servers/{server_id}/network_interfaces/bonded response codes
HTTP Response Code | Unique Code | Description
201 | | The bonded network interface was created.
404 | 1002 | The requested server with the given server_id cannot be found.
409 | 1004 | The ip address has been used by another network interface.
422 | 1005 | One or more parameters are invalid in request.
500 | 1020 | An error occurred while trying to create the bonded interface on the server with the given ID.
500 | 1022 | Timeout while performing the task.

Response Description

The created bonded network interface that contains the following fields:
• device_name - String - The name of the network interface.
• role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface.
• mask - String - The netmask that is configured on the network interface.
• is_auto_ip - Boolean - Is the IP address auto-configured?
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.
• slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface or a slave interface of another bonded network interface. The array must contain at least one ethernet interface.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}
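The constraints the guide states for a new bonded interface (which of ip and mask are required for each ipversion, the management-subnet rule, the active-HA condition on is_moving_config_with_active_ha, and the slave-interface restrictions from the response description), checked client-side before calling POST /system/servers/{server_id}/network_interfaces/bonded; this is an added example, not code from the QRadar API Guide or the product. The host dict of facts about the target server (management interface and its address, HA crossover device, existing ethernet devices, slaves already bound to another bond, HA state) is assumed to have been gathered beforehand and is constructed here.

```python
# Added example, not from the QRadar API Guide: pre-validate a bonded network interface
# request body against the constraints documented for the bonded endpoints.
import ipaddress
from typing import Any, Dict, List

REQUEST_ROLES = {"regular", "monitor", "disabled"}   # roles accepted in the request body
IP_VERSIONS = {"ipv4", "ipv6"}


def _network(ip: str, mask: str):
    """Subnet of ip/mask; mask may be dotted (IPv4) or a prefix length (either family)."""
    return ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)


def validate_bonded_request(details: Dict[str, Any], host: Dict[str, Any]) -> List[str]:
    """Return the constraint violations in `details`; an empty list means it may be sent.
    `host` (constructed, assumed gathered beforehand) carries: management_device,
    management_ip, management_mask, ha_crossover_device, ethernet_devices, slaves_in_use,
    is_active_ha."""
    errors: List[str] = []
    if details.get("role") not in REQUEST_ROLES:
        errors.append("role must be one of %s" % sorted(REQUEST_ROLES))
    ipversion = details.get("ipversion")
    if ipversion not in IP_VERSIONS:
        errors.append("ipversion must be ipv4 or ipv6")
        return errors  # the remaining address rules depend on ipversion
    if not isinstance(details.get("is_auto_ip"), bool):
        errors.append("is_auto_ip is required and must be a boolean")
    auto = details.get("is_auto_ip") is True
    ip, mask = details.get("ip"), details.get("mask")
    # ip is required for ipv4, or for ipv6 when the address is not auto-configured
    if (ipversion == "ipv4" or not auto) and not ip:
        errors.append("ip is required when ipversion is ipv4, or ipv6 with is_auto_ip false")
    if ipversion == "ipv4" and not mask:
        errors.append("mask is required when ipversion is ipv4")
    if ip:
        try:
            addr = ipaddress.ip_address(ip)
            if (addr.version == 4) != (ipversion == "ipv4"):
                errors.append("ip %s does not match ipversion %s" % (ip, ipversion))
            elif mask:
                mgmt = _network(host["management_ip"], host["management_mask"])
                if _network(ip, mask) == mgmt:
                    errors.append("ip/mask falls in the management subnet %s" % mgmt)
        except ValueError:
            errors.append("ip/mask is not a valid address: %r/%r" % (ip, mask))
    if details.get("is_moving_config_with_active_ha") and not host.get("is_active_ha"):
        errors.append("is_moving_config_with_active_ha may be true only on an active HA server")
    slaves = details.get("slaves") or []
    if not slaves:
        errors.append("slaves must contain at least one ethernet interface")
    for slave in slaves:
        name = slave.get("device_name") if isinstance(slave, dict) else None
        if name not in host["ethernet_devices"]:
            errors.append("slave %r is not an existing ethernet interface" % name)
        elif name == host["management_device"]:
            errors.append("slave %s is the management interface" % name)
        elif name == host.get("ha_crossover_device"):
            errors.append("slave %s is the HA crossover interface" % name)
        elif name in host.get("slaves_in_use", {}):
            errors.append("slave %s already belongs to bonded interface %s"
                          % (name, host["slaves_in_use"][name]))
    return errors


# Constructed facts about the target server (device names and addresses are made up).
HOST: Dict[str, Any] = {
    "management_device": "eth0", "management_ip": "192.0.2.10", "management_mask": "255.255.255.0",
    "ha_crossover_device": "eth1",
    "ethernet_devices": {"eth0", "eth1", "eth2", "eth3", "eth4"},
    "slaves_in_use": {"eth4": "bond0"},
    "is_active_ha": False,
}

GOOD_REQUEST: Dict[str, Any] = {
    "role": "regular", "ipversion": "ipv4", "ip": "198.51.100.20", "mask": "255.255.255.0",
    "is_auto_ip": False, "is_moving_config_with_active_ha": False,
    "bonding_opts": "mode=802.3ad miimon=100",
    "slaves": [{"device_name": "eth2"}, {"device_name": "eth3"}],
}

# Five violations: management subnet, HA flag on a non-HA host, management slave,
# slave already in bond0, and a device that does not exist.
BAD_REQUEST: Dict[str, Any] = {
    "role": "regular", "ipversion": "ipv4", "ip": "192.0.2.50", "mask": "255.255.255.0",
    "is_auto_ip": False, "is_moving_config_with_active_ha": True,
    "slaves": [{"device_name": "eth0"}, {"device_name": "eth4"}, {"device_name": "eth9"}],
}

if __name__ == "__main__":
    print("good:", validate_bonded_request(GOOD_REQUEST, HOST))
    print("bad:", validate_bonded_request(BAD_REQUEST, HOST))
```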

POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED
Updates an existing bonded network interface.
Table 3608. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
application/json



Table 3609. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details
Parameter | Type | Optionality | Data Type | MIME Type | Description
server_id | path | Required | Number (Integer) | text/plain | Required - The ID of the server.
device_name | path | Required | String | text/plain | Required - The name of an existing bonded network interface. The interface cannot be the management interface or HA crossover interface. The interface must be cable linked.

Table 3610. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} request body details
Parameter | Data Type | MIME Type | Description | Sample
details | Object | application/json | Required - The details of the bonded network interface that contains the following fields: | { "bonding_opts": "String", "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>", "slaves": [ { "device_name": "String" } ] }
• role - String - The role of the network interface. One of: regular, monitor, disabled.
• ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
• ip - String - The IP address that is configured on the network interface. This parameter is required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
• is_auto_ip - Boolean - Is the IP address auto-configured? Required.
• is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
• slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has one field: device_name. The device_name must be an existing ethernet interface that cannot be the management interface, the HA crossover interface, or a slave interface of another bonded network interface. If slaves are not null, the slaves in this array will override the existing slaves of the bonded interface. When not null, the array must contain at least one ethernet interface. If null, the endpoint does not change the existing slave interfaces.
• bonding_opts - String - The bonding options that are configured on the bonded network interface.



Table 3611. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes
HTTP Response Code Unique Code Description
200 The bonded network interface was updated.
404 1002 The requested server with the given server ID cannot be found.
409 1004 The ip address has been used by another network interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the specified bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave interface has two fields: device_name and role. The role is slave or slave_disabled.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]
}

DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
DEPRECATED
Removes a bonded network interface.
Table 3612. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} resource details
MIME Type
text/plain

Table 3613. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
device_name path Required String text/plain Required - The device name of the bonded network interface.

Table 3614. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} response codes


HTTP Response Code Unique Code Description
200 The bonded network interface was removed.
404 1002 The requested server with the given server ID or the bonded network interface cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to remove the bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

Response Sample

GET /system/servers/{server_id}/network_interfaces/ethernet DEPRECATED
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 3615. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 3616. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter details
Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
fields query Optional String text/plain Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter query Optional String text/plain Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
Range header Optional String text/plain Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 3617. GET /system/servers/{server_id}/network_interfaces/ethernet response codes


HTTP Response Code Unique Code Description
200 A list of the ethernet network interfaces were retrieved.
404 1002 The requested server with the given server ID cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: true, false, unknown.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}
]

POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
DEPRECATED
Updates an ethernet network interface based on the supplied server_id and device_name.
Table 3618. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} resource details
MIME Type
application/json

Table 3619. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request parameter details


Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number (Integer) text/plain Required - The ID of the server.
device_name path Required String text/plain Required - The name of an existing ethernet network interface. The interface cannot be the management interface, HA crossover interface or a slave of a bonded interface. The interface must be cable linked.

Table 3620. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - An ethernet network interface record containing the following fields:
v role - String - The role of the network interface. One of: regular, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface. Required when ipversion is ipv4 or (ipversion is ipv6 and is_auto_ip is false). The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v mask - String - The netmask that is configured on the network interface. This parameter is required when ipversion is ipv4. The subnet that is computed from the IP address and the mask must not be the same subnet that is configured on the management interface.
v is_auto_ip - Boolean - Is the IP auto-configured? Required.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover. This parameter can be true only when the server host is an active HA server host.
Sample: { "ip": "String", "ipversion": "String <one of: ipv4, ipv6>", "is_auto_ip": true, "is_moving_config_with_active_ha": true, "mask": "String", "role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>" }
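The request-body rules that the bonded and ethernet update tables state (ip and mask required for some ipversion/is_auto_ip combinations, the subnet must differ from the management interface's subnet, is_moving_config_with_active_ha only on an active HA host, and for bonded interfaces a non-null slaves array that names at least one non-management interface) can be checked on the client before the request is sent. The following validator is an added example written for this guide, not code from the guide or from QRadar; the management interface address, netmask and device name it compares against are constructed assumptions passed in as parameters.

```python
import ipaddress

# Constructed management-interface settings for the checks; not taken from the guide.
MGMT_IP, MGMT_MASK, MGMT_DEVICE = "10.0.1.10", "255.255.255.0", "eth0"
VALID_ROLES = {"regular", "monitor", "disabled"}   # roles the request body accepts
VALID_IPVERSIONS = {"ipv4", "ipv6"}


def _subnet(ip, mask):
    """Subnet computed from an address and a netmask or prefix, or None if unparsable."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError:
        return None


def validate_interface_update(body, bonded=False, host_is_active_ha=False,
                              mgmt_ip=MGMT_IP, mgmt_mask=MGMT_MASK,
                              mgmt_device=MGMT_DEVICE):
    """Return the documented rules that `body` violates (an empty list means acceptable).
    bonded=False checks a body for POST .../network_interfaces/ethernet/{device_name};
    bonded=True additionally checks the `slaves` array for .../bonded/{device_name}."""
    errors = []
    if body.get("role") not in VALID_ROLES | {None}:
        errors.append(f"role must be one of {sorted(VALID_ROLES)}")
    ipversion = body.get("ipversion")
    if ipversion not in VALID_IPVERSIONS:
        errors.append("ipversion must be ipv4 or ipv6")
    if not isinstance(body.get("is_auto_ip"), bool):
        errors.append("is_auto_ip (Boolean) is required")
    auto_ip = body.get("is_auto_ip") is True
    ip, mask = body.get("ip"), body.get("mask")
    # ip is required for ipv4, and for ipv6 unless the address is auto-configured.
    if (ipversion == "ipv4" or (ipversion == "ipv6" and not auto_ip)) and not ip:
        errors.append("ip is required for this ipversion/is_auto_ip combination")
    if ipversion == "ipv4" and not mask:           # mask is required only for ipv4
        errors.append("mask is required when ipversion is ipv4")
    # The subnet computed from ip and mask must differ from the management subnet.
    if ip and mask:
        net = _subnet(ip, mask)
        if net is None:
            errors.append("ip and mask do not form a valid network")
        elif net == _subnet(mgmt_ip, mgmt_mask):
            errors.append(f"{net} is the management interface subnet")
    if body.get("is_moving_config_with_active_ha") is True and not host_is_active_ha:
        errors.append("is_moving_config_with_active_ha may be true only on an active HA host")
    # Bonded interfaces: a non-null slaves array replaces the existing slaves, so it
    # must name at least one interface, and never the management interface.
    if bonded and body.get("slaves") is not None:
        names = [s.get("device_name") for s in body["slaves"]]
        if not names:
            errors.append("slaves, when not null, must contain at least one interface")
        if any(not n for n in names):
            errors.append("every slave needs a device_name")
        if mgmt_device in names:
            errors.append(f"{mgmt_device} is the management interface and cannot be a slave")
    return errors


if __name__ == "__main__":
    # Constructed request body: valid for ipv4 on a non-HA host.
    body = {"role": "regular", "ipversion": "ipv4", "ip": "192.0.2.5",
            "mask": "255.255.255.0", "is_auto_ip": False}
    print(validate_interface_update(body))                        # no violations
    print(validate_interface_update(dict(body, ip="10.0.1.20")))  # management subnet clash
```

A 422 (unique code 1005) or 409 (1004) from the server still has to be handled, since the server also checks address collisions and the live HA state that a client cannot see.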

Table 3621. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} response codes


HTTP Response Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server ID cannot be found.
409 1004 The ip address has been used by another network interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the specified ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The updated ethernet network interface containing the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The version of the IP address that is configured on the network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a new active HA server during failover.

Response Sample
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular, management, hacrossover, hacrossover_disabled, monitor, disabled, slave, slave_disabled>"
}

Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that
only that IBM product, program, or service may be used. Any functionally equivalent product, program,
or service that does not infringe any IBM intellectual property right may be used instead. However, it is
the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.

IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can send
license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual
Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in
any manner serve as an endorsement of those websites. The materials at those websites are not part of
the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without
incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:

© Copyright IBM Corp. 2014, 2017 1603


IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.

The licensed program described in this document and all licensed material available for it are provided
by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or
any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual
performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice,
and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without
notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to actual people or business enterprises is
entirely coincidental.

Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all
proprietary notices are preserved. You may not distribute, display or make derivative work of these
publications, or any portion thereof, without the express consent of IBM.

Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that
all proprietary notices are preserved. You may not make derivative works of these publications, or
reproduce, distribute or display these publications or any portion thereof outside your enterprise, without
the express consent of IBM.

Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either
express or implied, to the publications or any information, data, software or other intellectual property
contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of
the publications is detrimental to its interest or, as determined by IBM, the above instructions are not
being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable
laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE
PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies
or other technologies to collect product usage information, to help improve the end user experience, to
tailor interactions with the end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings can help enable you to
collect personally identifiable information. If this Software Offering uses cookies to collect personally
identifiable information, specific information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect
each user’s session id for purposes of session management and authentication. These cookies can be
disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect
personally identifiable information from end users via cookies and other technologies, you should seek
your own legal advice about any laws applicable to such data collection, including any requirements for
notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see
IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at
http://www.ibm.com/privacy/details in the section entitled "Cookies, Web Beacons and Other
Technologies", and the "IBM Software Products and Software-as-a-Service Privacy Statement" at
http://www.ibm.com/software/info/product-privacy.

IBM®

Printed in USA
