Reference Data Types
| Type | Structure | Typical use |
|---|---|---|
| Reference Set | element + TTL | IP blacklists and whitelists |
| Reference Map | Key → Value | IP → department |
| Reference Map of Sets | Key → Set | user → list of permissions |
| Reference Table | multi-column table | complex relational data |
Creating and Managing
```bash
# GUI: Admin > Reference Data Management
# CLI example (via the REST API); $TOKEN holds the authorized service token
# -k skips TLS certificate verification; against a production console use
# --cacert <ca-bundle> instead so the SEC token is not exposed to interception
curl -k -X POST \
  -H "SEC: $TOKEN" \
  -H "Content-Type: application/json" \
  https://qradar/api/reference_data/sets/Blocked_IPs \
  -d '{"value": "192.168.1.100", "source": "Threat Intel"}'
```
Using in Rules
```
when any of Source IP are contained in any of Reference Set [Blocked_IPs]
```
Using in AQL
```sql
SELECT * FROM flows
WHERE destinationip NOT IN REFERENCESET('Internal_Networks')
LAST 1 HOURS
```
Managing via the Python API
```python
import requests

url = "https://qradar/api/reference_data/sets/Blocked_IPs"
headers = {"SEC": "<token>", "Content-Type": "application/json"}
# Path to the console's CA certificate (assumed); passing verify=False would
# disable TLS validation and expose the SEC token to interception
ca_bundle = "/path/to/qradar-ca.pem"

# Add a single element
data = {"value": "192.168.1.100", "source": "Threat Intel Feed"}
resp = requests.post(url, headers=headers, json=data, verify=ca_bundle, timeout=30)
resp.raise_for_status()

# Bulk import: reuse one session for the loop and stop on the first failed request
ips = ["1.2.3.4", "5.6.7.8", "9.10.11.12"]
with requests.Session() as session:
    for ip in ips:
        resp = session.post(url, headers=headers, json={"value": ip}, verify=ca_bundle, timeout=30)
        resp.raise_for_status()
```
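An added example (not from the page) of a hardened bulk loader for the same Reference Set workflow: it validates entries with the standard `ipaddress` module before submitting them, sends one bulk request instead of a POST per element, and verifies the console's TLS certificate against a CA bundle instead of `verify=False`. It uses only the standard library (`urllib`, `ssl`) rather than `requests`; the host, the CA bundle path, and the `/api/reference_data/sets/bulk_load/{name}` endpoint taking a JSON array body are assumptions.

```python
import ipaddress
import json
import os
import ssl
import urllib.parse
import urllib.request

# Constructed defaults, overridable via the environment; the SEC token is read
# from QRADAR_SEC_TOKEN at call time and is never written into the script.
QRADAR_HOST = os.environ.get("QRADAR_HOST", "qradar.example.invalid")
CA_BUNDLE = os.environ.get("QRADAR_CA_BUNDLE", "/etc/ssl/certs/qradar-ca.pem")  # assumed path


def clean_ips(values):
    """Keep only syntactically valid IPv4/IPv6 addresses, trimmed and de-duplicated (order kept)."""
    seen, cleaned = set(), []
    for raw in values:
        value = raw.strip()
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # a malformed feed line must not end up in a blocklist
        if value not in seen:
            seen.add(value)
            cleaned.append(value)
    return cleaned


def bulk_load_request(set_name, values, token, host=QRADAR_HOST):
    """Build one POST to the (assumed) bulk_load endpoint; the body is a JSON array of elements."""
    url = f"https://{host}/api/reference_data/sets/bulk_load/{urllib.parse.quote(set_name)}"
    headers = {"SEC": token, "Content-Type": "application/json", "Accept": "application/json"}
    return urllib.request.Request(url, data=json.dumps(values).encode(), headers=headers, method="POST")


def bulk_load(set_name, values, token=None):
    """Validate, then send with certificate verification pinned to CA_BUNDLE (never disabled)."""
    token = token or os.environ["QRADAR_SEC_TOKEN"]
    ips = clean_ips(values)
    if not ips:
        return {"skipped": "no valid addresses"}
    context = ssl.create_default_context(cafile=CA_BUNDLE)
    request = bulk_load_request(set_name, ips, token)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed feed: one malformed line and one duplicate are dropped before upload.
    feed = ["1.2.3.4", " 5.6.7.8 ", "not-an-ip", "1.2.3.4", "2001:db8::1"]
    print(bulk_load("Blocked_IPs", feed))
```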