IBM QRadar

  • 1.  Adding python modules to QRadar

    Posted Wed March 03, 2021 05:29 AM
    Hi! We are using QRadar 7.4.1, which has Python 3.6.8 installed. We created a script for pulling IOCs (and want to write some scripts for custom actions) on the same Python version 3.6.8 and need to run this script on the Console. The script uses the requests module, which is missing on the Console.

    Can we install this module, which the script needs in order to work, without causing problems in the system?

    ------------------------------
    Serhii Barabash
    ------------------------------


  • 2.  RE: Adding python modules to QRadar

    Posted Mon March 08, 2021 12:19 PM
    Hi,
    Custom action scripts are executed in a jail, as you are probably aware. Jail-based execution uses Python version 2.7.5 or 3.6.8, depending on your code. The library is limited to what QRadar allows you inside the jail.
    Even if you manage to add your module to the jailed lib, you will most probably run into limitations, so please don't even try. If you need to execute your specific Python lib calls, execute your existing script outside QRadar on a separate VM, using the full 3.6.8 lib and the REST API to access the console. Use external auth to access QRadar from outside. Store the parameters and values you need inside your code using ref data.
    BR
    Karl


    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Adding python modules to QRadar

    Posted Tue March 09, 2021 02:08 AM
    Thank you. But I would like to explain my implementation plan: I would like to use scripts to enrich data when reviewing offenses, or to perform an action on behalf of an analyst, such as blocking an indicator on the firewall, by right-clicking and selecting the appropriate menu item. Using scripts allows me to process the data before sending it to the remote system and to build API requests very flexibly. For example: I place the scripts in a specific folder on the console and run them from the right-click menu in the QRadar interface. I cannot use a simple HTTP query from the right-click menu because I need to use JSON and API parameters in the header... I tried using curl, but it didn't work for me. I tried this:
    <contextMenu>
    <menuEntry name="X-Force Exchange Lookup" url="https://exchange.xforce.ibmcloud.com/#/ip/%IP%" />
    <menuEntry name="MISP IP lookup" exec="python MISP_LOOKUP_IP.py %IP%" />
    </contextMenu>

    Simply running python MISP_LOOKUP_IP.py some_IP from SSH works.

    Am I doing it wrong or am I going the wrong way?

    ------------------------------
    Serhii Barabash
    ------------------------------



  • 4.  RE: Adding python modules to QRadar

    Posted Wed March 10, 2021 06:53 AM
    Serhii, thanks for the explanation of your concept. You mentioned "scripts for custom action". This works as outlined above.
    When you are trying to execute scripts from the context menu, please follow the instructions given here:
    https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_CUSTOMIZING_THE_RIGHT_CLICK_MENU.html
    In your script environment, be advised that QRadar has limitations regarding the Python library, as outlined before. Even if your script is running outside the jail, you will probably run into other limitations, e.g. calling ssh from within your Python script being one of them. I ran into the same problem years ago and implemented something as described above.
    The X-Force web page recommends curl, e.g. curl -X GET --header 'Accept: application/json' -u {API_KEY:API_PASSWORD} 'https://exchange.xforce.ibmcloud.com/api/ipr/10.20.30.40'. Why this didn't work in your environment I don't know. The context menu entry for the X-Force lookup already exists, so start testing with something that does not differ too much from the original code.
    BR Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
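The following is an added example, not code from this thread, from IBM or from pro4bizz. It ties together Karl's two suggestions (post 2: run the script outside QRadar and talk to the console over the REST API, keeping IOCs in reference data; post 4: the curl-style X-Force IP report lookup) and Serhii's constraint that the console's Python 3.6.8 has no requests module: it uses only the standard library, so it runs unchanged wherever Python 3.6 is present, and it validates the %IP% argument before using it, because QRadar substitutes that value into a command line. Assumptions not taken from the thread: the X-Force URL is the one in Karl's curl example; the console hostname, SEC token, reference-set name and credentials are placeholders; the SEC header is one way to do the "external auth" Karl mentions; and the canned responses are constructed so the flow can be exercised offline.

```python
"""Stdlib-only IOC lookup + QRadar reference-set update (added example; see lead-in).
Run from a separate VM, or as a right-click exec entry that receives %IP% in argv[1]."""
import base64
import ipaddress
import json
import os
import sys
import urllib.parse
import urllib.request

XFORCE_IPR = "https://exchange.xforce.ibmcloud.com/api/ipr/"   # taken from Karl's curl line


def is_valid_ip(raw):
    """True only for a syntactically valid bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(raw.strip())
        return True
    except ValueError:
        return False


def validate_ip(raw):
    """Normalise the address or raise. %IP% is substituted into a command line by QRadar,
    so refuse anything that is not a plain address before it reaches a URL or another tool."""
    if not is_valid_ip(raw):
        raise ValueError("not an IP address: %r" % raw)
    return str(ipaddress.ip_address(raw.strip()))


def xforce_request(ip, api_key, api_password):
    """Same request as: curl -u KEY:PASSWORD --header 'Accept: application/json' URL."""
    token = base64.b64encode(("%s:%s" % (api_key, api_password)).encode()).decode()
    req = urllib.request.Request(XFORCE_IPR + urllib.parse.quote(ip, safe=""), method="GET")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", "Basic " + token)
    return req


def qradar_refset_request(console, sec_token, set_name, value):
    """POST /api/reference_data/sets/{name}?value=... authenticated with an authorized-service
    token in the SEC header (assumed to be the 'external auth' meant in post 2)."""
    url = "https://%s/api/reference_data/sets/%s?%s" % (
        console, urllib.parse.quote(set_name, safe=""), urllib.parse.urlencode({"value": value}))
    req = urllib.request.Request(url, method="POST")
    req.add_header("SEC", sec_token)
    req.add_header("Accept", "application/json")
    return req


def lookup_and_store(ip, xforce_creds, console, sec_token, set_name, opener=urllib.request.urlopen):
    """Validate, fetch the X-Force IP report, then add the IP to the reference set.
    `opener` is injectable so the whole flow can be driven without network access."""
    ip = validate_ip(ip)
    with opener(xforce_request(ip, *xforce_creds), timeout=20) as resp:
        report = json.loads(resp.read().decode("utf-8"))
    with opener(qradar_refset_request(console, sec_token, set_name, ip), timeout=20) as resp:
        status = resp.status
    return report, status


class _CannedResponse:
    """Constructed stand-in for the object urlopen returns (offline use only)."""
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def canned_opener(req, timeout=None):
    """Constructed offline opener: made-up answers for the two requests built above."""
    if req.full_url.startswith(XFORCE_IPR):
        return _CannedResponse(200, b'{"ip": "10.20.30.40", "score": 1, "cats": {}}')
    return _CannedResponse(200, b'{"name": "Blocked_IPs", "number_of_elements": 1}')


def run_offline_demo():
    """Drive the complete flow against the constructed responses; returns (report, status)."""
    return lookup_and_store("10.20.30.40", ("api_key", "api_password"),
                            "qradar.example.internal", "sec-token-placeholder",
                            "Blocked_IPs", opener=canned_opener)


if __name__ == "__main__":
    # As an exec entry QRadar passes %IP% as the only argument. Secrets are read from the
    # environment (a deployment assumption), never from the menu XML or the command line.
    if len(sys.argv) != 2 or not is_valid_ip(sys.argv[1]):
        sys.exit("usage: %s <ip>" % sys.argv[0])
    rep, code = lookup_and_store(
        sys.argv[1], (os.environ["XFORCE_KEY"], os.environ["XFORCE_PASSWORD"]),
        os.environ["QRADAR_CONSOLE"], os.environ["QRADAR_SEC_TOKEN"],
        os.environ.get("QRADAR_REFSET", "Blocked_IPs"))
    print("X-Force score for %s: %s (reference set update: HTTP %s)" % (sys.argv[1], rep.get("score"), code))
```

Two design points: the validation happens before any network call, so a crafted value such as `10.20.30.40; id` is rejected rather than being URL-encoded and sent on; and the two request builders are separate from the code that sends them, so the exact URL and headers can be checked (or swapped for MISP, a firewall API, etc.) without touching the rest.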