IBM Security QRadar


QRadar Network Hierarchy update via API

  • 1.  QRadar Network Hierarchy update via API

    Posted Wed February 10, 2021 08:46 PM

    Hello,

    I have created a fairly automated way of exporting all the IPAM network information from our Infoblox instance into a JSON export file which is then used to create an Excel spreadsheet with all the information needed to create a CSV in the exact format needed for import into QRadar.

    I was hoping to take the process one step further and automate the upload to QRadar via the API.

    I can pull Network hierarchy information via the API and I can manually update small amounts of Network Hierarchy via the API GUI and via the command line.

    This command line will update the Network Hierarchy via the API

    curl -s -X PUT -u admin -H 'Content-Type: application/json' -H 'Version: 12.0' -H 'Accept: application/json' --data-binary '[
      { "name": "1J_Vmotion-L2ONLY", "description": "", "cidr": "10.0.0.0/24", "id": 1, "domain_id": 0, "group": "1J.Vmotion-L2ONLY.VLAN-777.City.St" },
      { "name": "1P_DataCenter-Legacy", "description": "", "cidr": "10.1.0.0/21", "id": 2, "domain_id": 0, "group": "1P.DataCenter-Legacy.VLAN-Undefined.Undefined.Undefined" },
      { "name": "X2_LANLegacy", "description": "", "cidr": "10.10.0.0/16", "id": 3, "domain_id": 0, "group": "X2.LANLegacy.VLAN-10.City.St" },
      { "name": "X2_LANLegacy-NOTROUTED", "description": "", "cidr": "10.2.0.0/24", "id": 4, "domain_id": 0, "group": "X2.LANLegacy-NOTROUTED.VLAN-20.City.St" },
      { "name": "DR_Undefined", "description": "", "cidr": "10.30.0.0/24", "id": 5, "domain_id": 0, "group": "DR.Undefined.VLAN-Undefined.Undefined.Undefined" },
      { "name": "DR_Network-Management", "description": "", "cidr": "10.30.1.0/24", "id": 6, "domain_id": 0, "group": "DR.Network-Management.VLAN-1.Undefined.Undefined" },
      { "name": "DR_Unix-Linux-DATA", "description": "", "cidr": "10.30.10.0/24", "id": 7, "domain_id": 0, "group": "DR.Unix-Linux-DATA.VLAN-10.Undefined.Undefined" },
      { "name": "DR_Unix-Linux-MANAGEMENT", "description": "", "cidr": "10.30.11.0/24", "id": 8, "domain_id": 0, "group": "DR.Unix-Linux-MANAGEMENT.VLAN-11.Undefined.Undefined" },
      { "name": "DR_FortigateUserVPNIPPool", "description": "", "cidr": "10.30.112.0/20", "id": 9, "domain_id": 0, "group": "DR.FortigateUserVPNIPPool.VLAN-Undefined.SpringGarden.Undefined" },
      { "name": "DR_Windows", "description": "", "cidr": "10.30.12.0/24", "id": 10, "domain_id": 0, "group": "DR.Windows.VLAN-16.Undefined.Undefined" },
      { "name": "DR_Windows-Exchange", "description": "", "cidr": "10.30.13.0/24", "id": 11, "domain_id": 0, "group": "DR.Windows-Exchange.VLAN-17.Undefined.Undefined" },
      { "name": "DR_Windows-MANAGEMENT", "description": "", "cidr": "10.30.14.0/24", "id": 12, "domain_id": 0, "group": "DR.Windows-MANAGEMENT.VLAN-18.Undefined.Undefined" },
      { "name": "DR_Windows-RESERVED", "description": "", "cidr": "10.30.15.0/24", "id": 13, "domain_id": 0, "group": "DR.Windows-RESERVED.VLAN-Undefined.Undefined.Undefined" },
      { "name": "DR_CES-LAN", "description": "", "cidr": "10.30.16.0/24", "id": 14, "domain_id": 0, "group": "DR.CES-LAN.VLAN-24.Undefined.Undefined" },
      { "name": "DR_CES-RESERVED", "description": "", "cidr": "10.30.17.0/24", "id": 15, "domain_id": 0, "group": "DR.CES-RESERVED.VLAN-Undefined.Undefined.Undefined" },
      { "name": "DR_Environmental", "description": "", "cidr": "10.30.18.0/24", "id": 16, "domain_id": 0, "group": "DR.Environmental.VLAN-78.Undefined.Undefined" },
      { "name": "DR_Network-VPN", "description": "", "cidr": "10.30.2.0/24", "id": 17, "domain_id": 0, "group": "DR.Network-VPN.VLAN-2.Undefined.Undefined" },
      { "name": "DR_Storage-DATA", "description": "", "cidr": "10.30.20.0/24", "id": 18, "domain_id": 0, "group": "DR.Storage-DATA.VLAN-32.Undefined.Undefined" },
      { "name": "DR_Storage-MANAGEMENT", "description": "", "cidr": "10.30.21.0/24", "id": 19, "domain_id": 0, "group": "DR.Storage-MANAGEMENT.VLAN-33.Undefined.Undefined" }
    ]' 'https://192.168.0.94/api/config/network_hierarchy/staged_networks'

    That's just a few networks and that command line is already quite long!

    I have over 4000 networks defined and that number is growing all the time.

    My import file with all the networks is named InfoBloxNetworkExport-2021-02-09_api_import_ready.json

    Based on my research I should be able to use a curl command like this to put all that data into QRadar via the API

    curl -s -X PUT -u admin -H 'Content-Type: application/json' -H 'Version: 12.0' -H 'Accept: application/json' --data-binary @./InfoBloxNetworkExport-2021-02-09_api_import_ready.json 'https://192.168.0.94/api/config/network_hierarchy/staged_networks'

    I have tried numerous iterations of this basic command and none of them update the Network Hierarchy via the API. There is no error message, yet no update.

    Has anyone successfully updated a large number of networks via the QRadar API? If so how?

    Thanks very much,


    Robert



    ------------------------------
    Robert Strom
    ------------------------------


  • 2.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 11, 2021 03:07 AM
    I managed it using Python and the requests module. I'm calling the put method with the JSON-encoded data passed to the data parameter.
    You're aware that you need to do a deploy after you've pushed your network hierarchy to staged_networks?

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------
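    A worked example of the approach described in the first two posts (one PUT of the whole export to staged_networks, then a deploy), written with Python and requests. This is an added example for this thread; it is not Robert's export tooling, not Raphaël's library and not IBM code. Assumptions not stated on the page: authentication by API token in the SEC header (basic auth as in the curl command works too), a deploy triggered by POST /api/staged_config/deploy_status with type=INCREMENTAL, and a GET on that same path that returns {"status": "COMPLETE"} once the deploy has finished. Check those against the API documentation of your QRadar version before relying on them. The three sample networks are copied from the first post so the validation step runs offline.

```python
"""Push a full network hierarchy export to QRadar's staged_networks
endpoint in one PUT, validate it first, then trigger and wait for a deploy.

Added example for this thread, not code from the thread, from Raphaël's
library or from IBM. Assumed (not stated on the page): SEC token auth,
POST /api/staged_config/deploy_status?type=INCREMENTAL to deploy, and a GET
on the same path returning {"status": "COMPLETE"} when done.
"""
import ipaddress
import json
import sys
import time

API_VERSION = "12.0"  # the Version header used in the thread's curl command
STAGED_PATH = "/api/config/network_hierarchy/staged_networks"
DEPLOY_PATH = "/api/staged_config/deploy_status"  # assumption, see module docstring

# Three entries copied from the first post, so the validator runs offline.
SAMPLE_NETWORKS = [
    {"name": "1J_Vmotion-L2ONLY", "description": "", "cidr": "10.0.0.0/24",
     "id": 1, "domain_id": 0, "group": "1J.Vmotion-L2ONLY.VLAN-777.City.St"},
    {"name": "1P_DataCenter-Legacy", "description": "", "cidr": "10.1.0.0/21",
     "id": 2, "domain_id": 0,
     "group": "1P.DataCenter-Legacy.VLAN-Undefined.Undefined.Undefined"},
    {"name": "X2_LANLegacy", "description": "", "cidr": "10.10.0.0/16",
     "id": 3, "domain_id": 0, "group": "X2.LANLegacy.VLAN-10.City.St"},
]

REQUIRED = ("name", "cidr", "id", "domain_id", "group")


def load_networks(path):
    """Strict JSON parse: a trailing comma, BOM or stray text fails here,
    loudly, instead of disappearing behind curl -s."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def validate_networks(networks):
    """Local sanity checks before a 4000-entry PUT; returns a list of problem
    strings (empty when clean). QRadar's own validation is the authority; this
    catches the mistakes an IPAM export typically carries."""
    problems = []
    seen_ids, seen_names = set(), set()
    for i, net in enumerate(networks):
        missing = [k for k in REQUIRED if k not in net]
        if missing:
            problems.append(f"entry {i}: missing {missing}")
            continue
        try:
            # strict=True rejects host addresses such as 10.1.0.1/21
            ipaddress.ip_network(net["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"entry {i} ({net['name']}): bad cidr {net['cidr']!r}: {exc}")
        if net["id"] in seen_ids:
            problems.append(f"entry {i}: duplicate id {net['id']}")
        if net["name"] in seen_names:
            problems.append(f"entry {i}: duplicate name {net['name']!r}")
        seen_ids.add(net["id"])
        seen_names.add(net["name"])
    return problems


def make_session(token, verify=True):
    """requests.Session carrying the headers from the thread's curl command.
    Imported lazily so the validator runs without requests installed."""
    import requests  # pip install requests
    s = requests.Session()
    s.headers.update({"SEC": token, "Version": API_VERSION,
                      "Accept": "application/json",
                      "Content-Type": "application/json"})
    s.verify = verify  # point this at a CA bundle rather than False for self-signed consoles
    return s


def stage_networks(session, base_url, networks):
    """One PUT with the whole list. staged_networks replaces the staged
    hierarchy, so a partial list would drop every network it omits."""
    body = json.dumps(networks, separators=(",", ":"))
    resp = session.put(base_url + STAGED_PATH, data=body, timeout=300)
    if resp.status_code != 200:
        raise RuntimeError(f"PUT staged_networks -> {resp.status_code}: {resp.text[:300]}")
    return resp.json()


def deploy(session, base_url, poll_seconds=5, timeout=900):
    """Trigger an incremental deploy (assumed endpoint) and poll until done."""
    resp = session.post(base_url + DEPLOY_PATH, params={"type": "INCREMENTAL"}, timeout=60)
    if resp.status_code not in (200, 201, 202):
        raise RuntimeError(f"deploy request -> {resp.status_code}: {resp.text[:300]}")
    deadline = time.monotonic() + timeout
    while True:
        status = session.get(base_url + DEPLOY_PATH, timeout=60).json().get("status")
        if status == "COMPLETE":
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"deploy still {status!r} after {timeout}s")
        time.sleep(poll_seconds)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} export.json https://console-host token", file=sys.stderr)
        return 2
    path, base_url, token = argv[1:]
    networks = load_networks(path)
    problems = validate_networks(networks)
    if problems:
        print("\n".join(problems), file=sys.stderr)
        return 1
    session = make_session(token)
    staged = stage_networks(session, base_url, networks)
    print(f"staged {len(staged)} networks; deploy: {deploy(session, base_url)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: python push_hierarchy.py InfoBloxNetworkExport-2021-02-09_api_import_ready.json https://192.168.0.94 <token>. The strict json.load and the validator are the parts that earn their keep: with -s on the command line curl reports nothing, so a file the server rejects looks the same as one it never received, whereas this fails with the offending entry before anything is sent. Keep the verify setting pointed at the console's CA certificate; an export of 4000 networks is exactly the kind of payload you do not want to PUT over an unverified TLS session.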



  • 3.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 11, 2021 01:51 PM

    I am aware that this requires a deployment after the update.

    Did you have to create your own python scripts to do this? Is the requests module that you are referring to a QRadar requests module or a python requests module?

    Would you be willing to share an example of what you're doing?

    Thanks,

    Robert



    ------------------------------
    Robert Strom
    ------------------------------



  • 4.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 12, 2021 01:31 PM
    I have written a python library to interact with the QRadar API. It relies heavily on pandas too. I will publish it soon to github. I'll let you know when it's available.

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------



  • 5.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 12, 2021 11:52 PM
    Sounds great / Thanks very much!

    ------------------------------
    Robert Strom
    ------------------------------



  • 6.  RE: QRadar Network Hierarchy update via API

    Posted Mon February 15, 2021 10:15 AM
    Will you be sharing with the community once you have published? We are fighting the same issue and would be highly interested to see what you have been able to achieve.

    Thanks,
    Helmut

    ------------------------------
    Helmut Koers
    ------------------------------



  • 7.  RE: QRadar Network Hierarchy update via API

    Posted Thu February 18, 2021 05:17 PM
    Here is the python library I've written. You want the setNetworks method.



    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------



  • 8.  RE: QRadar Network Hierarchy update via API

    IBM Champion
    Posted Fri February 19, 2021 05:40 AM
    Hi Raphael,
    Thanks a lot. You obviously put a lot of effort into your GitHub project.
    Will test it in my lab as it looks much more advanced than the sample scripts I use for training.
    I used XMLmind to have a first look. What is your preferred program editor on Mac OS?
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 9.  RE: QRadar Network Hierarchy update via API

    Posted Fri February 19, 2021 12:58 PM
    Raphaël,

    Thanks for posting this. I have gone to the link and it doesn't look like everything is there. I see the README.md and the LICENSE and a qradar-api.py file, but this file's contents are essentially empty.

    This is what I see as the contents of that file

    ../qradar/lib/api.py

    Thanks, Robert


    ------------------------------
    Robert Strom
    ------------------------------



  • 10.  RE: QRadar Network Hierarchy update via API

    Posted Mon February 22, 2021 05:37 AM
    Indeed!
    Sorry, I tried to use a symlink but it didn't work as I expected. Now should be better.

    ------------------------------
    Raphaël Langella
    SIEM Architect
    IMS Networks
    ------------------------------