IBM QRadar


QRadar Network Hierarchy update via API

  • 1.  QRadar Network Hierarchy update via API

    Posted Wed February 10, 2021 08:46 PM

    Hello,

    I have created a fairly automated way of exporting all the IPAM network information from our Infoblox instance into a JSON export file which is then used to create an Excel spreadsheet with all the information needed to create a CSV in the exact format needed for import into QRadar.

    I was hoping to take the process one step further and automate the upload to QRadar via the API.

    I can pull Network hierarchy information via the API and I can manually update small amounts of Network Hierarchy via the API GUI and via the command line.

    This command line will update the Network Hierarchy via the API

    curl -s -X PUT -u admin \
      -H 'Content-Type: application/json' -H 'Version: 12.0' -H 'Accept: application/json' \
      --data-binary '[
        { "name": "1J_Vmotion-L2ONLY", "description": "", "cidr": "10.0.0.0/24", "id": 1, "domain_id": 0, "group": "1J.Vmotion-L2ONLY.VLAN-777.City.St" },
        { "name": "1P_DataCenter-Legacy", "description": "", "cidr": "10.1.0.0/21", "id": 2, "domain_id": 0, "group": "1P.DataCenter-Legacy.VLAN-Undefined.Undefined.Undefined" },
        { "name": "X2_LANLegacy", "description": "", "cidr": "10.10.0.0/16", "id": 3, "domain_id": 0, "group": "X2.LANLegacy.VLAN-10.City.St" },
        { "name": "X2_LANLegacy-NOTROUTED", "description": "", "cidr": "10.2.0.0/24", "id": 4, "domain_id": 0, "group": "X2.LANLegacy-NOTROUTED.VLAN-20.City.St" },
        { "name": "DR_Undefined", "description": "", "cidr": "10.30.0.0/24", "id": 5, "domain_id": 0, "group": "DR.Undefined.VLAN-Undefined.Undefined.Undefined" },
        { "name": "DR_Network-Management", "description": "", "cidr": "10.30.1.0/24", "id": 6, "domain_id": 0, "group": "DR.Network-Management.VLAN-1.Undefined.Undefined" },
        { "name": "DR_Unix-Linux-DATA", "description": "", "cidr": "10.30.10.0/24", "id": 7, "domain_id": 0, "group": "DR.Unix-Linux-DATA.VLAN-10.Undefined.Undefined" },
        { "name": "DR_Unix-Linux-MANAGEMENT", "description": "", "cidr": "10.30.11.0/24", "id": 8, "domain_id": 0, "group": "DR.Unix-Linux-MANAGEMENT.VLAN-11.Undefined.Undefined" },
        { "name": "DR_FortigateUserVPNIPPool", "description": "", "cidr": "10.30.112.0/20", "id": 9, "domain_id": 0, "group": "DR.FortigateUserVPNIPPool.VLAN-Undefined.SpringGarden.Undefined" },
        { "name": "DR_Windows", "description": "", "cidr": "10.30.12.0/24", "id": 10, "domain_id": 0, "group": "DR.Windows.VLAN-16.Undefined.Undefined" },
        { "name": "DR_Windows-Exchange", "description": "", "cidr": "10.30.13.0/24", "id": 11, "domain_id": 0, "group": "DR.Windows-Exchange.VLAN-17.Undefined.Undefined" },
        { "name": "DR_Windows-MANAGEMENT", "description": "", "cidr": "10.30.14.0/24", "id": 12, "domain_id": 0, "group": "DR.Windows-MANAGEMENT.VLAN-18.Undefined.Undefined" },
        { "name": "DR_Windows-RESERVED", "description": "", "cidr": "10.30.15.0/24", "id": 13, "domain_id": 0, "group": "DR.Windows-RESERVED.VLAN-Undefined.Undefined.Undefined" },
        { "name": "DR_CES-LAN", "description": "", "cidr": "10.30.16.0/24", "id": 14, "domain_id": 0, "group": "DR.CES-LAN.VLAN-24.Undefined.Undefined" },
        { "name": "DR_CES-RESERVED", "description": "", "cidr": "10.30.17.0/24", "id": 15, "domain_id": 0, "group": "DR.CES-RESERVED.VLAN-Undefined.Undefined.Undefined" },
        { "name": "DR_Environmental", "description": "", "cidr": "10.30.18.0/24", "id": 16, "domain_id": 0, "group": "DR.Environmental.VLAN-78.Undefined.Undefined" },
        { "name": "DR_Network-VPN", "description": "", "cidr": "10.30.2.0/24", "id": 17, "domain_id": 0, "group": "DR.Network-VPN.VLAN-2.Undefined.Undefined" },
        { "name": "DR_Storage-DATA", "description": "", "cidr": "10.30.20.0/24", "id": 18, "domain_id": 0, "group": "DR.Storage-DATA.VLAN-32.Undefined.Undefined" },
        { "name": "DR_Storage-MANAGEMENT", "description": "", "cidr": "10.30.21.0/24", "id": 19, "domain_id": 0, "group": "DR.Storage-MANAGEMENT.VLAN-33.Undefined.Undefined" }
      ]' \
      'https://192.168.0.94/api/config/network_hierarchy/staged_networks'

    That's just a few networks and that command line is already quite long!

    I have over 4000 networks defined and that number is growing all the time.

    My import file with all the networks is named InfoBloxNetworkExport-2021-02-09_api_import_ready.json

    Based on my research I should be able to use a curl command like this to put all that data into QRadar via the API

    curl -s -X PUT -u admin -H 'Content-Type: application/json' -H 'Version: 12.0' -H 'Accept: application/json' --data-binary -d @./InfoBloxNetworkExport-2021-02-09_api_import_ready.json 'https://192.168.0.94/api/config/network_hierarchy/staged_networks'

    I have tried numerous iterations of this basic command and none of them update the Network Hierarchy via the API. There is no error message, yet no update.

    Has anyone successfully updated a large number of networks via the QRadar API? If so how?

    Thanks very much,


    Robert



    ------------------------------
    Robert Strom
    ------------------------------


  • 2.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 11, 2021 03:07 AM
    I managed it using python and the requests module. I'm calling the put method with the json encoded data passed to the data parameter.
    You're aware that you need to do a deploy after you've pushed your network hierarchy to staged_networks?

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------
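
The approach described in this reply (JSON-encode the networks in Python and PUT them to staged_networks), as an added example that is not Raphaël's library or code from the thread. It uses the standard-library urllib in place of requests, validates the export before building the request, and assumes token authentication through QRadar's `SEC` header rather than the `-u admin` basic auth in the original post; the console name, token, required-field list and sample networks are constructed.

```python
import ipaddress
import json
import urllib.request

API_PATH = "/api/config/network_hierarchy/staged_networks"  # endpoint from the thread
REQUIRED = ("name", "cidr", "group", "domain_id")  # assumed minimum field set

# Constructed sample export: one good entry, one CIDR with host bits set, one repeated CIDR.
SAMPLE_EXPORT = json.dumps([
    {"name": "DR_Windows", "description": "", "cidr": "10.30.12.0/24", "id": 1,
     "domain_id": 0, "group": "DR.Windows.VLAN-16.Undefined.Undefined"},
    {"name": "DR_Typo", "description": "", "cidr": "10.30.13.7/24", "id": 2,
     "domain_id": 0, "group": "DR.Typo.VLAN-17.Undefined.Undefined"},
    {"name": "DR_Windows-Copy", "description": "", "cidr": "10.30.12.0/24", "id": 3,
     "domain_id": 0, "group": "DR.Windows.VLAN-16.Undefined.Undefined"},
])


def load_networks(text):
    """Parse an export; return (networks, problems) without contacting QRadar."""
    try:
        networks = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma before the closing ]
        return [], [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(networks, list):
        return [], ["top-level JSON value must be an array of network objects"]
    problems, seen = [], {}
    for i, net in enumerate(networks):
        missing = [k for k in REQUIRED if not isinstance(net, dict) or k not in net]
        if missing:
            problems.append(f"entry {i}: missing {missing}")
            continue
        try:
            cidr = ipaddress.ip_network(net["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"entry {i} ({net['name']}): {exc}")
            continue
        first = seen.setdefault((net["domain_id"], cidr), i)
        if first != i:  # same CIDR twice in one domain: flag for review
            problems.append(f"entry {i} ({net['name']}): {cidr} repeats entry {first}")
    return networks, problems


def build_put_request(console, networks, token):
    """Build the PUT; send it with urllib.request.urlopen(req), then deploy."""
    return urllib.request.Request(
        f"https://{console}{API_PATH}", data=json.dumps(networks).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Version": "12.0", "SEC": token})  # SEC token auth is an assumption
```

Send the request only when `problems` is empty; the staged change still needs a deploy, as this reply points out. With curl, the same body is read from a file with `--data-binary @file.json`.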



  • 3.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 11, 2021 01:51 PM

    I am aware that this requires a deployment after the update.

    Did you have to create your own python scripts to do this? Is the requests module that you are referring to a QRadar requests module or a python requests module?

    Would you be willing to share an example of what you're doing?

    Thanks,

    Robert



    ------------------------------
    Robert Strom
    ------------------------------



  • 4.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 12, 2021 01:31 PM
    I have written a python library to interact with the QRadar API. It relies heavily on pandas too. I will publish it soon to github. I'll let you know when it's available.

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------



  • 5.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 12, 2021 11:52 PM
    Sounds great / Thanks very much!

    ------------------------------
    Robert Strom
    ------------------------------



  • 6.  RE: QRadar Network Hierarchy update via API

    Posted Mon February 15, 2021 10:15 AM
    Will you be sharing with the community once you have published? We are fighting the same issue and would be highly interested to see what you have been able to achieve.

    Thanks,
    Helmut

    ------------------------------
    Helmut Koers
    ------------------------------



  • 7.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 18, 2021 05:17 PM
    Here is the python library I've written. You want the setNetworks method.



    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------



  • 8.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 19, 2021 05:40 AM
    Hi Raphael,
    thx a lot. You obviously put a lot of effort into your GitHub project.
    Will test it in my lab as it looks much more advanced than the sample scripts I use for training.
    I used XMLmind to have a 1st look. What is your preferred program editor on Mac OS?
    BR
    Karl

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 9.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 19, 2021 12:58 PM
    Raphaël,

    Thanks for posting this. I have gone to the link and it doesn't look like everything is there. I see the README.md and the LICENSE and a qradar-api.py file, but this file's contents are essentially empty.

    This is what I see as the contents of that file

    ../qradar/lib/api.py

    Thanks, Robert


    ------------------------------
    Robert Strom
    ------------------------------



  • 10.  RE: QRadar Network Hierarchy update via API

    Posted Mon February 22, 2021 05:37 AM
    Indeed!
    Sorry, I tried to use a symlink but it didn't work as I expected. Now should be better.

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------



  • 11.  RE: QRadar Network Hierarchy update via API

    Posted Tue April 16, 2024 02:46 AM

    Hi Robert,

    I am also working on the same issue. Can you please let me know how you could export data from Infoblox in the exact format needed for import into QRadar?

    Thanks Kalpa



    ------------------------------
    Kalpa Muniswamy
    ------------------------------



  • 12.  RE: QRadar Network Hierarchy update via API

    Posted Tue April 29, 2025 01:18 AM

    Hi,

    I'm very interested to learn the same! 



    ------------------------------
    Roman Russland
    ------------------------------



  • 13.  RE: QRadar Network Hierarchy update via API

    Posted Wed April 30, 2025 05:16 AM

    Hello, 

    Please note, the "IBM QRadar Network Hierarchy App" is available from Expert Labs as a Premium App.
    Functionality includes:
    - Import, Export, Backup, Restore of the Network Hierarchy from/to CSV files
    - Support of Geolocation data
    - Allows visualizing differences between current and loaded data
    - Allows merging loaded data with the current
    - Supports domains and tenants in the Network Hierarchy data
    For any inquiry, please send a mail to tels.apps@ibm.com



    ------------------------------
    Jens-Uwe Fimmen
    IBM Deutschland GmbH
    +49 171 22 32 880
    ------------------------------



  • 14.  RE: QRadar Network Hierarchy update via API

    Posted Wed April 30, 2025 09:20 AM

    We have one customer with over 7K networks. We usually export the NH via API, match that with exports from the IPAM and import using the API. We do not reference a file, however; it's all in the post body.



    ------------------------------
    Frank Eargle
    Senior Information Security Architect
    GlassHouse Systems
    Columbia SC
    803-237-4497
    ------------------------------