IBM TechXchange Security Technology Alliance Program User Group

 View Only

QRadar App Development 101

By ASHISH KOTHEKAR posted Tue February 27, 2024 03:27 AM

  

Getting started with TAP

IBM’s Tech Alliance Program(TAP) is designed to help business partners to build QRadar Applications for integrating security products with QRadar SIEM. To explain the process of building the QRadar apps, you may start by contacting the TAP team.  Email - IBMSecurityAlliances@wwpdl.vnet.ibm.com. TAP team will provide you with the access to the QRadar ISO which you can use to build QRadar SIEM locally on a VM. A 12 month license can also be requested, so that you can have ample time to develop the application.

Fetching data 

Once QRadar is set up, the next phase is to use a protocol  on QRadar to fetch data from the endpoint. We strongly suggest that you use Universal REST API Protocol (UREST Protocol) to fetch the data. Information on UREST in following links. 

UREST Protocol documentation 

UREST Protocol Github Examples

Parsing data using DSM Editor

When you use UREST, the events are received in JSON format. Use DSM Editor to parse the events. More information on DSM Editor.

DSM Editor Documentation


Implementing security use cases

For the integration, you may have a few security use cases that you would like to implement. Once events are received, you may create QRadar Rules which map the security use cases.There are other QRadar features like Reference Data, Saved Searches, Reports that you may further use.

Packaging the customization in App

You may then export the customisation viz parsing logic, rules, searches, reports etc. using CMT tool or via API.

IBM also provides Software Development Kit(SDK) so that you could further write code to work with available data on QRadar. There is detailed literature on how to use SDK and setup the environment.

QRadar App Framework SDK 

The custom code, along with the customisation export can be packaged as a zip file. You may run the application using Pre-validation app available on IBM Exchange Portal. This helps you provide feedback on the developed app and changes can be implemented.


Submit the App

The zip file along with sample data can then be submitted to the IBM Exchange Portal. Validation team will check the developed app and provide feedback if necessary. The app finally goes through the Secure coding  team to check for any vulnerabilities. Once the app is through Security team, it will be published on the IBM Exchange Portal.



Below are few important points to note:

  • Do NOT use QRadar Community Edition for developing QRadar apps. A free QRadar Enterprise ISO will be made available.
  • Get in touch with TAP team before planning the development of app or integration. Email  IBMSecurityAlliances@wwpdl.vnet.ibm.com.


#QRadar
#Free  #SDK

0 comments
23 views

Permalink