Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

QID Map Overview

 

Use the JSA Identifier (QID) map utility to create, export, import, or modify user-defined QID map entries.

The QID map associates an event on an external device to a (QID).

See the following tasks for QID management:

To run the utility, use the following syntax:

qidmap_cli.sh [-l|-c|-m|-i[-f <filename>]|-e[-f <filename>]|-d]

The following table describes the command-line options for the QID map utility.

Table 1: QID Map Utility Options

Options

Description

-l

Lists the low-level category.

-c

Creates a QID map entry

-m

Modifies an existing user-defined QID map entry.

-i

Imports QID map entries.

-e

Exports existing user-defined QID map entries.

-f <filename>

If you include the -i or -e option, specifies a file name to import or export QID map entries.

-d

If you include the -i or -e option, specifies a delimiter for the import or export file. The default is a comma.

-h

Displays the help options.

Creating a QID Map Entry

Create a JSA Identifier (QID) Map Entry to map an event of an external device to QID.

  1. Using SSH, log in to JSA as the root user.
  2. To locate the low-level category for the QID map entry that you want to create, type the following command:

    /opt/qradar/bin/qidmap_cli.sh -l

    If you want to search for a particular low-level category, you can use the grep command to filter the results:

    /opt/qradar/bin/qidmap_cli.sh -l | grep <text>

  3. Type the following command:

    qidmap_cli.sh -c --qname <name> --qdescription <description> --severity <severity> --lowlevelcategoryid <ID>

    The following table describes the command-line options for the QID map utility:

    Options

    Description

    -c

    Creates a QID map entry.

    --qname <name>

    The name that you want to associate with this QID map entry. The name can be up to 255 characters in length.

    If you include spaces in the name, enclose the name value in double quotation marks.

    --qdescription <description>

    The description for this QID map entry. The description can be up to 2048 characters in length.

    If you include spaces in the description, enclose the description value in double quotation marks.

    --severity <severity>

    The severity level that you want to assign to this QID map entry. The valid range is 1 - 10.

    --lowlevelcategoryid <ID>

    The low-level category ID you want to assign to this QID map entry. For more information, see the Juniper Secure Analytics Administration Guide.

Modifying a QID Map Entry

Modify an existing user-defined JSA Identifier (QID) map entry.

  1. Using SSH, log in to JSA as the root user.
  2. Type the following command:

qidmap_cli.sh -m --qid<QID> --qname <name> --qdescription <description> --severity <severity>

The following table describes the command-line options for the QID map utility:

Options

Description

-m

Modifies an existing user-defined QID map entry.

--qid <QID>

The QID that you want to modify.

--qname <name>

The name that you want to associate with this QID map entry. The name can be up to 255 characters in length with no spaces.

--qdescription <description>

The description for this QID map entry. The description can be up to 2048 characters in length with no spaces.

--severity <severity>

The severity level that you want to assign to this QID map entry. The valid range is 0 - 10.

Importing Qid Map Entries

Using the JSA Identifier (QID) map utility, you can import QID map entries from a .txt file.

  1. Create a .txt file that includes the user-defined QID map entries that you want to import. Ensure that each entry in the file is separated with a comma. Choose one of the following options:
    • If you want to import a new list of user-defined QID map entries, create the file with the following format for each entry:

      ,buffer,buffer_QID,7,18401 ,malware,malware_misc,8,18403

    • If you want to import an existing list of user-defined QID map entries, create the file with the following format for each entry:

      2000002,buffer,buffer_QID,7 2000001,malware,malware_misc

    The following table describes the command-line options of the QID utility.

    Options

    Description

    <qid>

    The existing QID for the entry. This option is required if you want to import an existing exported list of QID entries.

    To import new QID entries, do not use this option. The QID map utility assigns an identifier (QID) for each entry in the file.

    --qname <name>

    The name that you want to associate with this QID map entry. The name can be up to 255 characters in length with no spaces.

    --qdescription <description>

    The description for this QID map entry. The description can be up to 2048 characters in length with no spaces.

    --severity <severity>

    The severity level that you want to assign to this QID map entry. The valid range is 0 - 10.

    --lowlevelcategoryid <ID>

    The low-level category ID that you want to assign to this QID map entry.

    This option is only necessary if you want to import a new list of QID entries.

  2. Save and close the file.
  3. Using SSH, log in to JSA as the root user:
  4. To import the QID map file, type the following command:

    /opt/qradar/bin/qidmap_cli.sh -i -f <filename.txt>

    The <filename.txt> option is the directory path and name of the file that contains the QID map entries. If any of the entries in the file cause an error, no entries in the file are enforced.

Exporting QID Map Entries

View the mappings between the events of external devices and their unique identifiers by exporting your QID entries.

For QID map entries that you created, use the QID map utility to export the entries to a .txt file.

For an entire QID map that includes the default system QID entries, use the idlist.sh command.

  1. Using SSH, log in to JSA as the root user.
  2. To export the QID map file of user-defined entries, type the following command:

    /opt/qradar/bin/qidmap_cli.sh -e -f <filename.txt>

    The <filename.txt> option is the directory path and name of the file that you want to contain your QID map entries.

  3. To export the entire QID map, type the following command:

    /opt/qradar/bin/idlist.sh -e qid > <filename.txt>

  4. To determine the last modified date of your QID map, run an SQL query.

    For example, if a QID has the identification number 64250088, type the following SQL query to retrieve its last modified date:

    psql -U qradar -c "select qid,to_timestamp(serial/1000) as date from qidmap_serial where qid = 64250088;"