close
keyboard_arrow_left
Table of Contents
- play_arrow QRadar Use Case Manager
- play_arrow What's New in QRadar Use Case Manager
- play_arrow Known Issues
- play_arrow Video Demonstrations
- play_arrow Supported Environments for QRadar Use Case Manager
- play_arrow Installation and Configuration Checklist
- Installation and Configuration Checklist
- Installing QRadar Use Case Manager
- Creating an Authorized Service Token
- Configuring the Use Case Explorer in QRadar Use Case Manager
- Assigning User Permissions for QRadar Use Case Manager
- Customizing User Preferences
- Predefined Report Content Templates
- Customizing Report Content Templates
- Custom Rule Attributes
- Creating Custom Rule Attributes
- Exporting and Importing Custom Rule Attributes
- Upgrading QRadar Use Case Manager
- Uninstalling QRadar Use Case Manager
- play_arrow MITRE ATT&CK Mapping and Visualization
- MITRE ATT&CK Mapping and Visualization
- Editing MITRE Mappings in a Rule or Building Block
- Editing MITRE Mappings in Multiple Rules or Building Blocks
- Sharing MITRE-mapping Files
- Visualizing MITRE Tactic and Technique Coverage in Your Environment
- Visualizing MITRE Coverage Summary and Trends
- Visualizing MITRE Tactics and Techniques that are Detected in a Specific Timeframe
- MITRE Heat Map Calculations
- play_arrow Investigating QRadar Rules and Building Blocks
- Investigating QRadar Rules and Building Blocks
- Filtering Rules and Building Blocks by their Properties
- Identifying Gaps in QRadar Rule Coverage from Content Extensions
- Investigating User Behavior Analytics Rules
- Duplicating Rules for Further Customization
- Exporting Rules
- Deleting Rules
- Rule Report Presentation
- Visualizing Rules and Building Blocks
- Visualizing Log Source Type Coverage per Rule
- play_arrow QRadar Tuning
list Table of Contents
Example API Workflow Script
date_range
05-Aug-21
Use the script in this example to download a Use Case Explorer report in CSV format.
Note:
Due to formatting issues, paste the script into a text editor and then remove any carriage return or line feed characters.
You can replace the filters code with other filter details. In the following line, replace the bolded content with other filter content that is described in Use Case Explorer Filters.
content_copy zoom_out_map
--data-raw '{"filters": [{"name":"rule","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":[true],"attributeName":"",valueType":"EXCLUSIVE_COMMON"}],"columns":["N","GR","RC","T","RO","EN","RE","CD","MD"]}' content_copy zoom_out_map
/* Begin by initiating the report generation with POST/api/use_case_explorer. */
curl --user admin --location --request POST 'https://{qradar ip}/console/plugins/{UCM App ID}/app_proxy/api/use_case_explorer' \
--header 'Content-Type: application/json' \
--data-raw '{"filters":[{"name":"rule","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":[true],"attributeName":"",valueType":"EXCLUSIVE_COMMON"}],"columns":["N","GR","RC","T","RO","EN","RE","CD","MD"]}'
/* Return the current status of report generation from POST/api/use_case_explorer by calling GET /api/use_case_explorer/{reportId}/status. */
curl --user admin --location --request GET 'https://{qradar ip}/console/plugins/{UCM App ID}/app_proxy/api/use_case_explorer/{report id}/status' \
--header 'Cookie: csrfToken=DG0pShPY-Ks59qGwW_nraLhvdl1zzyQua9Tg;
/* To download the report in CSV format, once GET /api/use_case_explorer/{reportId}/status
returns a status of COMPLETED, use POST /api/use_case_explorer/{reportId}/download_csv
to initiate the job to generate a CSV report */
curl --user admin --location --request POST 'https://{qradar ip}/console/plugins/{UCM App ID}/app_proxy/api/use_case_explorer/{report id}/download_csv' \
--header 'Content-Type: application/json' \
--data-raw '{"columns":"N,GR,RC,T,RO,EN,RE,CD,MD"}'
/* Return the current status of CSV report generation from POST /api/use_case_explorer/{reportId}/download_csv by calling GET /api/use_case_explorer/download_csv/{jobId}/status */
curl --user admin --location --request GET 'https://{qradar ip}/console/plugins/{UCM App ID}/app_proxy/api/use_case_explorer/download_csv/{download csv job id}/status' \
--header 'Content-Type: application/json' \
--data-raw '{"columns":"N,GR,RC,T,RO,EN,RE,CD,MD"}'
/* Finally, when GET /api/use_case_explorer/download_csv/{jobId}/status
returns a status of COMPLETED, call GET /api/use_case_explorer/download_csv/{jobId}/result
to download your generated report in CSV file format */
curl --user admin --location --request GET 'https://{qradar ip}/console/plugins/{UCM App ID}/app_proxy/api/use_case_explorer/download_csv/{download csv job id}/result?csvName=test.csv' \
--header 'Content-Type: application/json' \
--data-raw '{"columns":"N,GR,RC,T,RO,EN,RE,CD,MD"}'