Comments (5)
`/ariel/searches` produces a list of search IDs only; additional information from `/ariel/searches` is not provided. `filter` in this case just filters on the ID of the search.
The steps you would need to follow to get those of a particular status are:
- Get the list of search IDs from `/ariel/searches`
- For each ID:
  i) Query via `/ariel/searches/{search_id}`
  ii) If the `status` is not `COMPLETED` or `FAILED`, ignore it

Since REST APIs are stateless by nature, you should expect/allow a 404 response in the event a search is deleted while you are looking through them.
from api-samples.
I still do not understand what I can do with the `filter`; the sample text states:
`field_one = "String" and field_two > 42 or not field_three in (1, 2, 3)`
The details state:
Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
I tried a lot of combinations but I do not know what field names there are and what the primary use case was when spec'ing this functionality.
In the meantime I already implemented exactly the same algo you proposed in an async fashion to speed up the process a bit. Besides `COMPLETED` and `CANCELED` I also had to check for Error 500, which happens to occur sometimes on the system.
from api-samples.
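The collection procedure from the first comment (list the IDs, query each search, keep only the wanted statuses, tolerate a 404 for a search deleted in between), combined with the async fan-out and the intermittent 500s mentioned in the reply above, as an added example that is not part of the original thread or of api-samples. The `fetch` transport, the `searches_by_status` name and the sample search data are assumptions for this example; a real transport would send the `SEC`, `Version` and `Accept: application/json` headers to the QRadar console.

```python
"""Collect QRadar Ariel searches by status, tolerating 404 and 500 on individual lookups."""
import asyncio
from typing import Awaitable, Callable

# Hypothetical transport: async callable (path) -> (http_status, decoded JSON body).
# A real implementation would add the SEC token, Version and Accept headers.
Fetch = Callable[[str], Awaitable[tuple]]


async def searches_by_status(fetch: Fetch, wanted: frozenset, concurrency: int = 8) -> dict:
    """Return {'matched': {id: status}, 'gone': [ids], 'errors': {id: http_status}}."""
    code, ids = await fetch("/api/ariel/searches")  # IDs only, as the thread explains
    if code != 200:
        raise RuntimeError(f"listing searches failed: HTTP {code}")
    sem = asyncio.Semaphore(concurrency)  # bound the fan-out against the console
    result = {"matched": {}, "gone": [], "errors": {}}

    async def probe(search_id: str) -> None:
        async with sem:
            code, body = await fetch(f"/api/ariel/searches/{search_id}")
        if code == 404:                      # deleted between list and lookup: expected
            result["gone"].append(search_id)
        elif code != 200:                    # e.g. the intermittent 500 reported above
            result["errors"][search_id] = code
        elif body.get("status") in wanted:   # keep only the statuses we care about
            result["matched"][search_id] = body["status"]

    await asyncio.gather(*(probe(i) for i in ids))
    return result


# Constructed sample data standing in for a QRadar console (not real API output).
_FAKE = {
    "/api/ariel/searches": (200, ["s-1", "s-2", "s-3", "s-4"]),
    "/api/ariel/searches/s-1": (200, {"search_id": "s-1", "status": "COMPLETED"}),
    "/api/ariel/searches/s-2": (200, {"search_id": "s-2", "status": "EXECUTE"}),
    "/api/ariel/searches/s-3": (404, {"message": "search not found"}),
    "/api/ariel/searches/s-4": (500, {"message": "internal error"}),
}


async def fake_fetch(path: str) -> tuple:
    await asyncio.sleep(0)  # yield to the loop, mimicking network latency
    return _FAKE[path]


def demo() -> dict:
    return asyncio.run(searches_by_status(fake_fetch, frozenset({"COMPLETED", "CANCELED"})))


if __name__ == "__main__":
    print(demo())
```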
Like `range`, the `filter` parameter is something that is almost universally supported in the QRadar API framework where the response content contains a list. As a result, in some cases it is not as relevant as others. In all cases however, it applies directly to the response text that you receive from the endpoint to the nearest list structure (unless otherwise stated).
In this case (GET `/ariel/searches`) it just returns a list of Strings, so you can only filter on the String itself. You can target that field using the reserved name `.`. For example:
`. in ("02562134-3455-4bbc-8a18-a323c6cef781", "02d10253-dc8c-4e98-b60d-e5dc0f619b50")`
In a more realistic case, you can filter on field contents, for example on GET `/ariel/searches/events`:
`name = "sourceip"`
The result will contain the sourceip column only:
```json
{
  "columns": [
    {
      "indexable": true,
      "name": "sourceip",
      "argument_type": "JAVA_OBJECT"
    }
  ]
}
```
from api-samples.
Everything makes sense now!
I really hope this issue tracker becomes the universal source for all the undocumented Quirks in the Qradar API 👍
Regards
from api-samples.
Hi makefu,
In addition to this issue tracker on the samples, there's also an API forum with various questions and answers over on developer works. I also wanted to let you know that we are working on improving the API documentation available on the Knowledge Center for the next release to have improved content around filtering.
from api-samples.