Developing and integrating new solutions for QRadar SIEM using the QRadar App SDK
The QRadar App Software Development Kit (SDK) is a command-line tool that enables developers to build, test, package and deploy apps for QRadar. You can use this SDK to develop apps that create new visualizations, work with external data sources, or add new features for teams or customers, leveraging the data provided by QRadar on cybersecurity threat management.
You can find more information and documentation about the QRadar App SDK directly from App Exchange.
About Build Lab
From Ecosystem Engineering Build Lab we collaborate with IBM Business Partners to develop new solutions that through the integration of QRadar and third-party solutions from our partners can offer enhanced value to their end customers.
Build Lab establishes technical eminence with partners accelerating the development cycles by proving out early MVPs of partner driven use-cases in the Ecosystem BUILD Market, or across markets where partners are embedding IBM Software.
In this post we are going to address how to develop new applications that integrate QRadar and third-party solutions and how to integrate them with QRadar following the architecture below:
SDK Requirements
-
Python 3 is required for the SDK’s runtime environment.
-
A container manager is needed for the SDK to build and run an app locally (Docker Engine).
-
If you are using Mac, and can't use Docker Desktop, you can use Colima as a runtime.
Download and install the SDK
-
To install the SDK: unzip the downloaded folder, and cd inside it. Now, run the following command: sh install.sh
-
And the installation should begin.
QRadar SDK Documentation
A locally installed documentation file should open after installation, or you can open it at any time using the following command: qapp -d
Within this document you will find information regarding the following useful items:
- App development best practices
Additionally, you can find useful information about developing apps with the QRadar App Framework documentation.
Overview: manifest.json
-
This file is used to set up the app inside the Console.
-
First, it configures some basic information about the app, like its name, or description. You can also change the resources it is going to use.
-
In the image property, you can change the image the SDK uses to create the container. Here you can change to change the version of the SDK from v2 to v3, or even v4, by incrementing the base image version, for example changing from qradar-app-base:2.1.16 to qradar-app-base:3.0.5. The v4 image is recommended for new app development.
-
In the section areas, you can modify the configuration of the tab, for example, you can change its name or description.
-
The uuid is the unique identifier of the app. It is recommended to leave as it is created when using qapp create, but it is possible to use a different one.
-
In the section rest_methods you need to add all the endpoints of the application, so that QRadar can detect them.
Creating, developing and deploying an application
-
Activate SDK virtual environment:
source ~/qradarappsdk/env/bin/activate
-
Install dependencies you will use, for example:
pip install flask flask_cors python-dotenv
-
Create project folder:
mkdir yourProject
From this point on, all commands should be executed inside the project folder.
cd yourProject
-
Create template app:
qapp create
A “Hello World!” app template will be created with the following structure:
Note: You can find more information about the directory structure and description of each file/folder in the App Framework documentation.
-
Once created, develop your Python app inside app folder following the proper structure.
-
Set the environment variables with your data in the qenv.ini for running locally:
QRADAR_CONSOLE_FQDN= <QRADAR_CONSOLE>
SEC_ADMIN_TOKEN= <TOKEN>
-
Update routes:
The QRadar Console searches for the backend endpoints in /console/plugins/<AppID>/app_proxy/, so you need to append this before the actual route in the frontend. One way to know which is the AppID, is deploying the app; during the deploy the application ID is shown. Another way is to use qpylib helper functions.
-
Sending the dependencies to the Console:
-
For QRadar Console to install dependencies, you need to send them in a .whl or compressed file. This dependencies should be inside the container directory. For example, Python dependencies should go inside container/pip directory. To install the dependencies inside the requirements.txt file, you can execute (from inside container/pip directory):
pip download --platform linux_x86_64 –r ../../requirements.txt --no-deps
so that all dependencies inside the requirements.txt file are stored as a .whl file. This downloads the dependencies as a .whl for the architecture specified in the platform parameter, and it should be the same as the architecture being used by the QRadar server.
-
The SDK's v2 uses Python 3.6, so all dependencies should be compatible with this version of Python. If there is the need to use a dependency that needs a higher version of Python, you can use the SDK's v3 or v4, by changing the base image being used to create the container. For example, the v2 base image qradar-app-base:2.1.16, uses Python 3.6.8, but with v3 you can use Python 3.8, and with v4 you can use Python 3.11. The v4 image is recommended for new app development. You can change this in the manifest.json file.
-
Serving the React front-end:
To be able to see the React application in the QRadar Console, it is needed to serve it first. It is possible to use the same Flask to serve the frontend.
To do this, you can build the React app with npm run build, and then move the files created inside the build directory to the Flask application.
More specifically, change the backend app/static directory for the one in the build, change the index.html inside the directory app/templates for the index.html generated, and move all the other files to the app/static directory.
-
To build the application using the SDK run:
qapp build
-
To create and start a container based on the previously created image:
qapp run
-
To deploy the app against a QRadar console, use the following commands:
qapp package -p app.zip
qapp deploy -p app.zip -q <ConsoleIP> -u <User>
It will request for authentication data, once all the data is entered, the deployment will begin.
Note: The application will start deploying with an App ID. Save this ID.
-
Check the deployed app in your console.
-
To delete the deployed App from your QRadar console:
qapp delete -q <CONSOLEIP> -u <User> -a <AppID>
Using QRadar APIs
Authorized Services
In order to get the QRadar information you need through APIs, you must obtain a token through Authorized Services.
- In the Admin tab, go to
Authorized Services.
2. Click Add
3. Complete the fields for the new service, and click Save, for example:
4. Now you can copy the token for your service, that you will need for your SEC_ADMIN_TOKEN.
QRadar Interactive API for Developers
You can access to it from the dropdown menu as follows:
A new window will open with the interactive API documentation for developers.
Use the left navigation to access the documentation for the various API endpoints. This documentation provides information on the endpoints, their parameters, and responses.
For example, if you want to get offense information, you have to go to siem -> offenses.
From where you can see the whole endpoint structure details.
Now you can use the following endpoint to get all the offenses data:
https://<QRADAR_CONSOLE>/api/siem/offenses
If you want to get all the offenses id, for example, the endpoint should be the following:
https://<QRADAR_CONSOLE>/api/siem/offenses/id
Troubleshooting
-
To see the application logs after it is deployed, you need to enter inside the container that is running within the QRadar instance, with docker exec -it <ContainerID> /bin/bash, and once inside the container go to the directory /opt/app-root/store/log.
If at any point in time, you have any questions, have any comments or want to discuss this further, feel free to get in touch with IBM Build Lab: