I'm new to QRadar and facing difficulties in understanding the filter parameter in the QRadar REST API /siem/offenses. Can anyone suggest how to use a filter based on the offense 'rules' field? As rules is a list of JSON objects, I'm finding it difficult to write the filter.

sample offense with rules field

```json
{
    "username_count": 1,
    "description": "String",
    "rules": [
      {
        "id": 1,
        "type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
      }
    ]
}
```
shravan kusuma

1 Answer

We experienced a similar issue and found a way out: you can use the 'contains' keyword to access list elements. For example, to filter on rules[0]["id"] you could use:

```
rules contains (id = 42)
```
סטנלי גרונן
init ramfs
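Added example (not part of the original question or answer, and not QRadar's own client code): it builds the `rules contains (id = N)` filter from the answer, URL-encodes it into a request against `/siem/offenses`, and reproduces the `contains` semantics locally on constructed sample offenses so the match behaviour is visible without a QRadar console. The base URL `https://qradar.example/api`, the `SEC` token header, the `Range` paging header and the `fields` parameter are assumptions about the QRadar REST API; the rule id is coerced to an integer before being interpolated so that untrusted input cannot change the filter grammar.

```python
"""Build, encode and locally apply the QRadar offense filter `rules contains (id = N)`."""
import json
import urllib.parse
import urllib.request

# Constructed sample offenses in the shape of a /siem/offenses response (not real data).
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Excessive failed logins",
     "rules": [{"id": 42, "type": "CRE_RULE"}]},
    {"id": 102, "description": "Port scan detected",
     "rules": [{"id": 7, "type": "BUILDING_BLOCK_RULE"}]},
    {"id": 103, "description": "Anomalous outbound traffic",
     "rules": [{"id": 7, "type": "ADE_RULE"}, {"id": 42, "type": "CRE_RULE"}]},
]


def _coerce_rule_id(rule_id):
    """Accept an int or a digit-only string; reject anything that could alter the filter."""
    if isinstance(rule_id, str) and rule_id.isdigit():
        return int(rule_id)
    if isinstance(rule_id, bool) or not isinstance(rule_id, int):
        raise ValueError(f"rule id must be an integer, got {rule_id!r}")
    return rule_id


def build_offense_filter(rule_id):
    """Return the filter expression for offenses whose rules list includes `rule_id`."""
    return f"rules contains (id = {_coerce_rule_id(rule_id)})"


def build_offenses_url(base_url, filter_expr, fields=None):
    """Compose the /siem/offenses URL with the filter (and optional fields) URL-encoded."""
    params = {"filter": filter_expr}
    if fields:
        params["fields"] = ",".join(fields)
    return f"{base_url.rstrip('/')}/siem/offenses?{urllib.parse.urlencode(params)}"


def offense_has_rule(offense, rule_id):
    """Local equivalent of `rules contains (id = rule_id)`: any element of the list matches."""
    return any(rule.get("id") == rule_id for rule in offense.get("rules", []))


def filter_offenses_locally(offenses, rule_id):
    """Return the ids of offenses that the server-side filter would return."""
    wanted = _coerce_rule_id(rule_id)
    return [o["id"] for o in offenses if offense_has_rule(o, wanted)]


def fetch_offenses(base_url, sec_token, rule_id, fields=None, page=(0, 49), timeout=30):
    """Query QRadar for offenses containing `rule_id` (assumed headers: SEC token, Range paging)."""
    url = build_offenses_url(base_url, build_offense_filter(rule_id), fields)
    req = urllib.request.Request(url, headers={
        "SEC": sec_token,                      # authorised-service token (assumed header name)
        "Accept": "application/json",
        "Range": f"items={page[0]}-{page[1]}",  # assumed paging header
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: show the encoded request and the local match result.
    expr = build_offense_filter(42)
    print(build_offenses_url("https://qradar.example/api", expr, ["id", "description", "rules"]))
    print("offenses containing rule 42:", filter_offenses_locally(SAMPLE_OFFENSES, 42))
```

`fetch_offenses` is the only function that touches the network; everything else runs offline, which is also the part worth unit-testing in a detection pipeline that pages through offenses by rule.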