The other week we got QRadarCE running as a prerequisite for future blog posts. I've been a fan of Ansible automation for a long time and have always wondered if I could trigger an Ansible playbook from a QRadar event.
TL;DR: You can't run Ansible directly from a custom action, but I've come up with a workaround below.
In this blog I'm going to walk you through my discovery of how to use Ansible from QRadar by developing a custom action script that writes Ansible "seed" files. We will use an action script to write an Ansible host file and a playbook name, then run a cron job that checks for the seed files and runs the playbook on the hosts in the inventory file.
In QRadar you can attach custom actions to rules to respond to specific events. In the custom action configuration under the Admin tab you select or define the values that are passed to the script and the script that performs the action. Ansible is an agentless automation tool with batteries included, meaning it ships with modules you can use in playbooks to run tasks on remote systems. Because it is agentless, it's a particularly good candidate for working with all kinds of remote systems, including network equipment.
https://www.ansible.com/overview/it-automation
QRadar custom action scripts run in a chroot jail; scripts can modify and write content inside the jail directory. Action scripts can run only from inside the jail so that they don't interfere with the QRadar run environment, but getting Ansible to run from the jailed environment proved to be quite difficult.
Scripts are run by the user "customactionuser", whose home is /home/customactionuser but whose jailed home is /opt/qradar/bin/ca_jail/home/customactionuser.
On QCE I could use yum to install Ansible, but that wouldn't be available on a QRadar appliance, so I'll install it from the git repo into the action user's home directory.
# cd /home/customactionuser/
# git clone https://github.com/ansible/ansible.git
# curl -O https://bootstrap.pypa.io/get-pip.py
# python ./get-pip.py
# chown -R customactionuser:customactionuser ./ansible/
# cd ./ansible/
# source ./hacking/env-setup
# pip install -r ./requirements.txt
# ./bin/ansible 127.0.0.1 -m ping
(The git clone and the download of get-pip.py were not shown in my original notes; they are the steps that produce the ./ansible/ checkout and the ./get-pip.py file used above.)
Legend
Web  >>   Tab
Web  -->  Click
CMD  #    Root CLI prompt
Once I saw what it would take to set up my Ansible environment, and seeing that the action user is not allowed to log in, I created an ansible_run.scr to set up the environment so that I wasn't messing with root's profile scripts.
#!/bin/bash
# place script in: /home/customactionuser
# use an absolute path so the script also works from cron, which does not start in $HOME
cd /home/customactionuser/ansible/ || exit 1
source ./hacking/env-setup
./bin/ansible 127.0.0.1 -m ping
I now have a working Ansible environment running out of the action user's home directory. According to the documentation I should be safe modifying files here, and my ansible_run.scr keeps me from stepping on QRadar's environment.
Time to move on to setting up my custom action.
Define custom action
Admin >> Define Actions --> Add
Name: AnsiblePlaybook
Description: Run Ansible Playbook
Interpreter: Bash
Script File: ansible_seed.bash (upload your bash script)
Parameters (order of parameters from top to bottom sets order passed to script):
Name      Type                    Value         Script Variable
playbook  Fixed Property          playbook.yml  $1
sourceip  Network Event Property  sourceip      $2
Action script:
#!/bin/bash
# $1 and $2 arrive in the order configured in the custom action parameters
playbook=$1
sourceip=$2
if [[ -n "$sourceip" ]]; then
echo "found sourceip"
# inside the jail this path resolves to /opt/qradar/bin/ca_jail/home/customactionuser
echo "$sourceip" >> /home/customactionuser/ansible-host
if [[ -n "$playbook" ]]; then
echo "found playbook"
# the playbook seed is an empty file whose name tells the cron job which playbook to run
touch /home/customactionuser/"$playbook"
fi
fi
Once I had uploaded my action script I went to the command line and tried to find where QCE stored it. Although the location of action scripts is documented, it surprised me that the script is not stored under the name it was uploaded with but as a generically named custom script file:
- /opt/qradar/bin/ca_jail/custom_action_scripts/customaction_1.script
I was able to edit the script in place using vim, saving me the effort of re-deploying every time, but obviously in a distributed environment you will want to deploy the script to all nodes.
Note: If you created your script in a Windows file editor you may need to make sure the file is in Unix format.
The script upload process did not convert my file to Unix format, and editing the script with vi did not catch some syntax errors that were causing files to be written with hidden question marks at the end or just other weirdness. On QCE we have the dos2unix executable to do the conversion.
I was able to find the name of the file by running a "test execution".
At this point I had an action script that created two seed files in the customactionuser's jailed home:
- /opt/qradar/bin/ca_jail/home/customactionuser
  - ansible-host
  - playbook.yml
I can now add to my ansible_run.scr to have it check for my seed files and run Ansible modules on the hosts in the seed inventory file.
#!/bin/bash
# cron-side consumer: check for the seed inventory and run ansible against its hosts
date=`date +%F_%T`
ansiblehosts=/opt/qradar/bin/ca_jail/home/customactionuser/ansible-host
cd /home/customactionuser/ansible/ || exit 1
source ./hacking/env-setup
# the redirect belongs inside the substitution; placed after the assignment it silenced nothing
hosts=$(cat "$ansiblehosts" 2>/dev/null)
if [[ -n "$hosts" ]]; then
# a file of one address per line is a valid (ungrouped) INI inventory
./bin/ansible all -i "${ansiblehosts}" -m ping
rm "${ansiblehosts}"
fi
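Pulling the action script and the cron consumer together, here is an added example (my own code, not part of the original post and not QRadar's or Ansible's) of a hardened seed writer plus consumer in one POSIX shell script. It validates the two event-derived values before anything is written: Ansible parses the seed file as an INI inventory, so only a bare IPv4 address should ever be appended, and the playbook name is kept to a plain filename so it cannot point outside the seed directory. The consumer renames the inventory aside before reading it and de-duplicates hosts, so events that arrive mid-run are not deleted unread and a noisy rule does not ping the same host repeatedly. SEED_DIR and ANSIBLE_CMD are assumed knobs that the original scripts do not have; point SEED_DIR at a scratch directory and set ANSIBLE_CMD=true to dry-run without Ansible installed.

```shell
#!/bin/sh
# Added example, not code from the original post: hardened seed writer (custom
# action side) and consumer (cron side) for the QRadar -> Ansible hand-off.
# SEED_DIR and ANSIBLE_CMD are assumed knobs so the script runs anywhere.
SEED_DIR="${SEED_DIR:-/opt/qradar/bin/ca_jail/home/customactionuser}"
ANSIBLE_CMD="${ANSIBLE_CMD:-ansible}"   # after 'source ./hacking/env-setup' this is ./bin/ansible

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on '.' into $1..$4
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_safe_playbook NAME: a bare filename ending in .yml/.yaml, no directory parts.
is_safe_playbook() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.ya?ml$'
}

# write_seed PLAYBOOK SOURCEIP: what the custom action script does, but it
# rejects (exit 1, nothing written) any value that is not a plain IPv4 address
# or a plain playbook filename, so a malformed event field never reaches the
# inventory that Ansible will parse.
write_seed() {
    playbook=$1; sourceip=$2
    is_ipv4 "$sourceip"          || { echo "rejected sourceip: $sourceip" >&2; return 1; }
    is_safe_playbook "$playbook" || { echo "rejected playbook: $playbook" >&2; return 1; }
    mkdir -p "$SEED_DIR" || return 1
    printf '%s\n' "$sourceip" >> "$SEED_DIR/ansible-host"
    touch "$SEED_DIR/$playbook"
}

# consume_seed: the cron side. Renames the inventory aside (a rename is atomic
# on one filesystem, so a concurrent write_seed starts a fresh file instead of
# being lost), de-duplicates the hosts and runs the module against them.
# Prints the path of the rotated inventory it used; prints nothing and exits 0
# when nothing is queued.
consume_seed() {
    inv="$SEED_DIR/ansible-host"
    [ -s "$inv" ] || return 0
    run="$inv.$(date +%F_%T)"
    mv "$inv" "$run" || return 1
    sort -u -o "$run" "$run"       # one line per host
    "$ANSIBLE_CMD" all -i "$run" -m ping || return 1
    echo "$run"
}

# Usage: ./ansible_seed.sh PLAYBOOK SOURCEIP   (custom action: $1 $2 as configured)
#        ./ansible_seed.sh --consume           (from cron)
case "${1:-}" in
    --consume) consume_seed ;;
    "")        ;;                  # no arguments (e.g. sourced): only define the functions
    *)         write_seed "$1" "$2" ;;
esac
```

The rotated inventory file is left in place after the run so a failed playbook can be re-run against exactly the hosts that triggered it; a cron job that also deletes files older than a day keeps the seed directory from filling up.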
So that's the outline with lessons learned. Obviously there is work to be done, such as calling the defined playbook and translating this to a QRadar appliance, but I hope you found this exercise as interesting as I did and I'd like to hear your thoughts on where to take this next.