IBM TechXchange Security Technology Alliance Program User Group

Take a REST from Protocol Apps - aka how to migrate your Protocol app to the Universal Cloud REST API

By Dan Schofield posted Wed August 30, 2023 04:16 AM


The Universal Cloud REST API protocol (uREST for short) lets you define an arbitrary workflow that connects QRadar to any REST API and receives event data to be directed to a DSM. It is ideally suited to cloud-based JSON REST APIs. Previously, the recommended approach for this kind of integration was to use the QRadar App Framework SDK to create a ‘Protocol App’: code running in a container on a QRadar instance that connected to the REST API and then forwarded the received event data to local syslog, so that QRadar could ingest it over a standard supported protocol. That was a neat solution at the time, but it has a number of drawbacks, not least the added connectivity complexity.

These 'Protocol Apps' are typically not suitable for multi-tenant environments such as those used by large customers and Managed Security Services Providers. Architecturally, using a built-in protocol for QRadar means it can be run like any other

And now with uREST -

The Universal Cloud REST API protocol is built in to QRadar SIEM and QRadar Log Insights. It is configured via an XML workflow file that describes how to interact with your REST API and retrieve event data at a defined interval. It can be used wherever you would use any other built-in protocol and has none of the downsides a Protocol App brings. As a built-in protocol, it is multi-tenant friendly and is fully supported by IBM.
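As an added illustration (this is not code from this post or from IBM's repository), here is a minimal workflow of the kind the XML file describes: it polls one endpoint, keeps a bookmark between runs so each poll only asks for new events, and fails visibly on a non-200 response. The element names follow the public Universal Cloud REST API samples on the GitHub repository linked below; the endpoint path `/api/v1/events`, the `from` query parameter and the `events` array in the response body are hypothetical stand-ins for whatever your API actually exposes, so verify them against your API and the official workflow schema before use.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Constructed example workflow; verify element names against the official uREST docs -->
<Workflow name="ExampleVendorEvents" version="1.0"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">

    <!-- Parameters are supplied in the log source configuration.
         secret="true" masks the API key in the UI and keeps it out of logs. -->
    <Parameters>
        <Parameter name="host" label="Host" required="true" />
        <Parameter name="api_key" label="API Key" required="true" secret="true" />
    </Parameters>

    <Actions>
        <!-- Workflow state persists between polls. On the very first run,
             start 24 hours back (time() is milliseconds since the epoch). -->
        <Initialize path="/bookmark" value="${time() - 60000 * 60 * 24}" />

        <!-- Capture the poll start BEFORE calling the API, so events that arrive
             while the request is in flight are picked up on the next poll. -->
        <Set path="/poll_start" value="${time()}" />

        <!-- Hypothetical endpoint: GET https://<host>/api/v1/events?from=<bookmark> -->
        <CallEndpoint url="https://${/host}/api/v1/events" method="GET" savePath="/get_events">
            <QueryParameter name="from" value="${/bookmark}" />
            <RequestHeader name="Accept" value="application/json" />
            <RequestHeader name="Authorization" value="Bearer ${/api_key}" />
        </CallEndpoint>

        <!-- Abort the poll on an error status rather than posting an error body as events.
             The bookmark is left untouched, so the same window is retried next time. -->
        <If condition="/get_events/status_code != 200">
            <Abort reason="${/get_events/body}" />
        </If>

        <!-- Assumes the JSON response looks like {"events": [ {...}, {...} ]};
             each array element becomes one event for the DSM, tagged with the host as source. -->
        <PostEvents path="/get_events/body/events" source="${/host}" />

        <!-- Advance the bookmark only after a successful post. -->
        <Set path="/bookmark" value="${/poll_start}" />
    </Actions>

    <!-- Connectivity checks run from the log source's test action. -->
    <Tests>
        <DNSResolutionTest host="${/host}" />
        <TCPConnectionTest host="${/host}" />
        <SSLHandshakeTest host="${/host}" />
        <HTTPConnectionThroughProxyTest url="https://${/host}" />
    </Tests>
</Workflow>
```

The polling interval is not part of the workflow itself; it is set on the log source along with the parameter values, so the same XML can be reused across tenants with different hosts and credentials. Keeping the bookmark update after a successful `PostEvents`, and aborting on any unexpected status, is what makes a poll safe to retry without silently dropping a window of events.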

Why replace your Protocol App with uREST?

  1. Configuring a built-in protocol is an order of magnitude easier than writing an application to maintain connectivity between your product and QRadar.
  2. IBM supports all built-in protocols. For a Protocol App, IBM supports only the QRadar Application Framework itself; you support all the rest of the connectivity code.
  3. REST API updates can be handled swiftly with uREST config updates rather than full App development and test cycles.
  4. Built-in protocols can be used anywhere in the QRadar architecture, not just on App Hosts, which makes them the best approach for large customers and MSSPs.
  5. Next-generation IBM Security products like QRadar Log Insights, and future QRadar SIEM, will not have App Frameworks; only built-in protocols will be supported, so uREST integrations are future-proof.

You Will Need:

QRadar 743 UP8+ or 750+ which you can retrieve from our TAP Software Download portal: http://ibm.biz/SecurityTAPSoftware

The log management app from AppExchange: https://exchange.xforce.ibmcloud.com/hub/extension/cea86d13704bc08c18196428f91e895d

And the links below to get started and review some examples:

QRadar Universal Cloud REST API References

Official Docs: https://www.ibm.com/docs/en/dsm?topic=configuration-universal-cloud-rest-api-protocol

GitHub of existing integrations: https://github.com/ibm-security-intelligence/IBM-QRadar-Universal-Cloud-REST-API

Intro Blog post with example: https://community.ibm.com/community/user/security/blogs/sophia-sampath1/2020/10/05/introducing-the-universal-cloud-connector

Deeper dive blog post: https://community.ibm.com/community/user/security/blogs/wendy-willner/2021/07/07/beyondthedsmguide

Submit to GitHub:

Optionally, you can submit your XML config for detailed review by the IBM QRadar subject matter experts: upload it to GitHub and open a Pull Request. IBM will review your config and comment on best practices and any other necessary changes. Contact the Alliances team for more information.
