QRadar XDR

  • 1.  Custom action and Python

    Posted Tue August 24, 2021 09:55 AM
    Hi,
    I created a rule and a custom action, thinking that if the rule fires it triggers the custom action.
    In the custom action I set 3 ~ 5 script parameters,
    such as devicetime, computer, username, eventid ....
    But when I build the Python script,
    I use something like
    DeviceTime = sys.argv[1]

    but when I get the message,
    the DeviceTime in the message is Unix time.
    How can I transform the Unix time?


    ------------------------------
    Hung-Ting Chou
    ------------------------------


  • 2.  RE: Custom action and Python

    Posted Wed August 25, 2021 12:14 PM
    You can use the date.strftime(format) method from the datetime library.

    https://docs.python.org/3/library/datetime.html

    import time
    # sys.argv values are strings, so convert to a number before passing to localtime()
    DeviceTime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(float(DeviceTime)))

    ------------------------------
    Moises Monge
    ------------------------------



  • 3.  RE: Custom action and Python

    Posted Wed August 25, 2021 09:11 PM
    Hi,
    thanks for the reply.
    I tried to use
    devicetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(sys.argv[1]))
    but the message shows
    TypeError: a float is required

    In the QRadar custom action script parameters, the first one I set is devicetime,
    so at the end I use devicetime = sys.argv[1], but the output message is Unix time.



    ------------------------------
    Hung-Ting Chou
    ------------------------------



  • 4.  RE: Custom action and Python

    Posted Thu August 26, 2021 06:07 AM
    Thanks a lot.

    I use the code

    import sys, time
    devicetime = sys.argv[1]
    # convert the Unix timestamp string passed as the first script parameter
    devicetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(float(devicetime)))

    It successfully converts the Unix time,
    but I have a question: I use time.localtime().
    When I execute this Python script in the QRadar OS command line, the output message shows the right local time,
    but when I run it from the custom action page, the output message shows Coordinated Universal Time (UTC),
    not my local time. My local time is UTC +8.



    ------------------------------
    Hung-Ting Chou
    ------------------------------



  • 5.  RE: Custom action and Python

    Posted Thu August 26, 2021 10:18 PM

    And another question:
    in the custom action I set 3 ~ 5 script parameters,
    but for one of them I set the Network Event Property EVENT_NAME.
    When the rule triggers and the script runs, the result shows EVENT_NAME is null,
    but my mail notification has some information like Failure Audit: An account failed to log on.
    What can I do?




    ------------------------------
    Hung-Ting Chou
    ------------------------------
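    The following script is an added example for the two problems raised in posts 4 and 5; it is not code from the thread or from IBM. It converts the devicetime parameter with an explicit UTC+8 zone (the poster's stated local zone) instead of relying on time.localtime(), whose result depends on the TZ setting of whichever process runs the script, which is why the shell and the custom action page disagree. It also treats an empty or "null" script parameter as "not populated" rather than crashing. The parameter order in PARAM_NAMES, the EMPTY_VALUES list, and the sample argv are assumptions; QRadar supplying devicetime as milliseconds since the epoch is the one QRadar-specific fact relied on, and the script also accepts plain seconds.

```python
# Added example (not from the thread or IBM): a custom-action script that
# converts the devicetime argument to a fixed time zone and tolerates an
# empty/null property, the two problems raised in posts 4 and 5.
import sys
from datetime import datetime, timedelta, timezone

# Assumption from post 4: the poster's local zone is UTC+8. Pinning the zone
# in the script avoids depending on the TZ of whatever process runs it.
LOCAL_TZ = timezone(timedelta(hours=8))
UTC = timezone.utc

# Order must match the script parameters configured on the custom action
# (assumed order; adjust to your own configuration).
PARAM_NAMES = ("devicetime", "computer", "username", "eventid", "event_name")

# Values treated as "property not populated" (assumption: the thread only
# says the value shows up as null).
EMPTY_VALUES = ("", "null", "NULL", "None")


def epoch_to_datetime(raw):
    """Parse a Unix timestamp string into an aware UTC datetime.

    QRadar exposes devicetime/starttime as milliseconds since the epoch;
    as a heuristic, any value larger than 1e11 is treated as milliseconds
    so the script also accepts plain seconds (e.g. from manual testing).
    """
    value = float(raw)  # sys.argv values are strings; this avoids the TypeError from post 3
    if value > 1e11:
        value /= 1000.0
    return datetime.fromtimestamp(value, tz=UTC)


def format_device_time(raw, tz=LOCAL_TZ):
    """Render the timestamp in an explicit zone, with the offset shown."""
    return epoch_to_datetime(raw).astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")


def parse_params(argv, names=PARAM_NAMES):
    """Map positional script parameters to names; missing/empty become None."""
    params = {}
    for index, name in enumerate(names, start=1):
        value = argv[index] if index < len(argv) else None
        params[name] = None if value is None or value.strip() in EMPTY_VALUES else value
    return params


def build_summary(argv):
    """Produce the lines the custom action would print or mail."""
    params = parse_params(argv)
    lines = []
    if params["devicetime"] is None:
        lines.append("devicetime: <missing>")
    else:
        lines.append("devicetime: " + format_device_time(params["devicetime"]))
    for name in PARAM_NAMES[1:]:
        shown = params[name] if params[name] is not None else "<not populated>"
        lines.append(f"{name}: {shown}")
    return lines


if __name__ == "__main__":
    # Constructed sample argv mirroring what the custom action would pass
    # (1629763200000 ms = 2021-08-24 00:00:00 UTC = 08:00:00 +0800).
    sample = sys.argv if len(sys.argv) > 1 else [
        "script.py", "1629763200000", "WIN-HOST01", "alice", "4625", "null"]
    print("\n".join(build_summary(sample)))
```

    Because the zone is fixed in the script, the output is identical whether the script is run from the QRadar shell or from the custom action page; if a different zone is wanted, change LOCAL_TZ rather than the environment. A null EVENT_NAME now shows as "<not populated>", which makes it obvious in the mail that the property was not filled in for that event rather than silently printing an empty string.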