Create AQLsearch.py

[tvillevoije]

AQL search making use of the rest api.
This makes it possible to run searches and get the output in csv format

[RyPeck]

This is probably not the right place for the question - but is it possible to open up the result of these searches in QRadar?

[tvillevoije]

Just wondering why you would want to do that. As you can do the advanced searches in QRadar. This is just a program that gives the search output in csv.

[JasonKeirstead]

Hi Thijs, did you know that this ability already exists in QRadar using the command line client that ships on the box?

[root@X ~]# /opt/qradar/bin/api_client --quiet --api /ariel/searches --method POST --params query_expression="select * from events"
201
{
"status":"WAIT",
"record_count":0,
"query_execution_time":0,
"index_total_size":0,
"processed_record_count":0,
"compressed_data_file_count":0,
"compressed_data_total_size":0,
"save_results":false,
"data_total_size":0,
"index_file_count":0,
"data_file_count":0,
"cursor_id":null,
"progress":0,
"search_id":"accc7a72-c119-4116-b668-640a8162ef70",
"desired_retention_time_msec":432000000
}

[root@X ~]# /opt/qradar/bin/api_client --quiet --api /ariel/searches/accc7a72-c119-4116-b668-640a8162ef70/results --method GET --response_format "application/csv" | head -n 3
200
sourceip,destinationip,eventcount,sourceport,protocolid,username,logsourceid,starttime,category,destinationport,qid,magnitude,identityip
10.100.50.71,172.16.60.101,140,0,255,NULL,72,1425906110002,4002,0,3503209,5,0.0.0.0
10.100.50.58,212.58.240.145,3,0,255,NULL,72,1425906110004,4002,0,3503209,5,0.0.0.0
10.100.50.64,65.205.8.60,28,0,255,NULL,72,1425906110005,4002,0,3503209,5,0.0.0.0

[RyPeck]

@ibmthijsvillevoije I have scripts that return the results in CSV using the REST API - but sometimes I wish I could just view the results in the web view and surf around them there. The scripts generate more complex queries than I'd care to type in myself. Also makes it easier to share.