IBM QRadar

Python Script to save offenses to csv/db file and monitoring for new ones for data analytics

    Posted Mon September 26, 2022 09:39 AM
    Hello everyone!

    A few days ago the need arose to create a dashboard for my manager where he could see the behavior of offenses, rules and domains over time, all this without accessing QRadar.
    To do this I must extract the data and then analyze it in a service like Power BI, Tableau or some custom dashboard with Python libraries.

    If you want, you can modify this script in some ways:
    • Change the filter in URL_Prefix to obtain the offenses in the status you want.
    • Change the output to Excel, SQL, MySQL, etc.
    • Divide the script in two parts: one that only gets all the offenses and one that monitors the creation of new ones.

    Must check:

    • Have an authorized service token with admin privileges. Variable=SEC_TOKEN
    • Network connectivity with the QRadar console through port 443. Variable=URL_base

    Output:

    Index(['description', 'event_count', 'source_count', 'inactive',
           'destination_networks', 'source_network', 'remote_destination_count',
           'start_time', 'magnitude', 'credibility', 'id', 'categories',
           'severity', 'offense_type', 'relevance', 'domain_id', 'offense_source',
           'log_source', 'rule_id', 'domain_name', 'offense_type_name',
           'rule_name', 'owner', 'origin', 'identifier'],
          dtype='object')
    

    API Reference - Functions:

    get_old_offenses

      GET /siem/offenses/{status}
    
    Parameter          Type    Description
    status (optional)  string  The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".

    change_domain_id

      GET - /config/domain_management/domains/{domain_id}
    
    Parameter  Type  Description
    domain_id  num   Required. Number - The ID of the domain.

    change_offense_type_id

      GET - /siem/offense_types/{offense_type}
    
    Parameter     Type  Description
    offense_type  num   Required. Number - The offense type.

    change_rule_id

      GET - /analytics/rules/{rule_id}
    
    Parameter  Type  Description
    rule_id    num   Required. Number - The rule ID.


    The step-by-step guide to using the script is on GitHub in Jupyter notebook format; I have tried to explain everything there: Qradar-Scripts/get_offenses.ipynb at main · chmedinap/Qradar-Scripts

    This is a screenshot of an automatic report made with Power BI; you can use the data analysis tool you prefer, with whatever aesthetic adjustments you wish.
    [Screenshot: sample offenses in Power BI]

    I hope it works for you!

    Carlos



    ------------------------------
    Carlos Medina
    ------------------------------
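An added worked example, not the script from the post or from the chmedinap/Qradar-Scripts repository: a stand-alone Python version of the same pipeline (fetch offenses, resolve domain_id, offense_type and the rule ids to names through the four endpoints listed above, append the rows to a CSV, and on each poll keep only offenses whose id has not been seen before). It assumes the console URL and token are read from the environment variables QRADAR_URL and QRADAR_SEC_TOKEN, that the endpoints sit under the /api prefix, and that offenses are selected with the filter parameter (status = "OPEN") rather than a /{status} path segment; the class, function and column names and the sample API responses are constructed for the example so that it runs offline. Two caveats a practitioner would add to the "Must check" list: a reporting job only needs read access to offenses, domains, offense types and rules, so the authorized service can be created with those capabilities instead of admin privileges, and TLS certificate verification towards the console should stay on (the example keeps urllib's default verification).

```python
# Added example (not the post's script): fetch QRadar offenses, resolve ids to names,
# append to CSV and poll for new offenses. Assumptions are marked in comments.
import csv
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Set

# Assumption: console URL and authorized-service token come from the environment,
# so the token is never pasted into the notebook or committed to the repository.
URL_BASE = os.environ.get("QRADAR_URL", "https://qradar.example.local")
SEC_TOKEN = os.environ.get("QRADAR_SEC_TOKEN", "")
API_VERSION = "12.0"  # assumption: pin the API version your console advertises
# Columns written to the CSV: a subset of the post's output plus the resolved names
COLUMNS = ["id", "description", "status", "magnitude", "domain_id", "domain_name",
           "offense_type", "offense_type_name", "rule_id", "rule_name"]
Fetcher = Callable[[str], object]  # takes "/api/siem/offenses?filter=...", returns decoded JSON


def http_get(path: str) -> object:
    """Real fetcher: authenticated HTTPS GET; certificate verification stays on (urllib default)."""
    headers = {"SEC": SEC_TOKEN, "Accept": "application/json", "Version": API_VERSION}
    req = urllib.request.Request(URL_BASE + path, headers=headers)  # SEC = authorized-service token
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class QRadarOffenses:
    def __init__(self, fetch: Fetcher = http_get):
        self.fetch = fetch
        self._names: Dict[str, str] = {}  # "kind:id" -> name, so each id is resolved only once

    def get_offenses(self, status: str = "OPEN") -> List[dict]:
        # Assumption: filter on the status field of /siem/offenses; paging (Range header) omitted
        filt = urllib.parse.quote(f'status = "{status}"')
        return list(self.fetch(f"/api/siem/offenses?filter={filt}"))

    def _name(self, kind: str, path: str, ident: int) -> str:
        key = f"{kind}:{ident}"
        if key not in self._names:
            self._names[key] = str(self.fetch(path).get("name", ident))
        return self._names[key]

    def enrich(self, off: dict) -> dict:
        """The post's change_domain_id / change_offense_type_id / change_rule_id lookups."""
        row = dict(off)
        row["description"] = off.get("description", "").strip()  # QRadar descriptions end in "\n"
        row["domain_name"] = self._name(
            "domain", f"/api/config/domain_management/domains/{off['domain_id']}", off["domain_id"])
        row["offense_type_name"] = self._name(
            "otype", f"/api/siem/offense_types/{off['offense_type']}", off["offense_type"])
        rule_ids = [r["id"] for r in off.get("rules", [])]  # offense JSON lists rules as {id, type}
        row["rule_id"] = rule_ids
        row["rule_name"] = [self._name("rule", f"/api/analytics/rules/{rid}", rid) for rid in rule_ids]
        return row

    def poll_new(self, seen: Set[int], status: str = "OPEN") -> List[dict]:
        """Monitoring step: return only offenses whose id has not been seen yet, and remember them."""
        fresh = [o for o in self.get_offenses(status) if o["id"] not in seen]
        seen.update(o["id"] for o in fresh)
        return [self.enrich(o) for o in fresh]


def append_csv(rows: List[dict], path: str) -> int:
    """Append rows to the CSV, writing the header only for a new file; returns rows written."""
    new_file = not os.path.exists(path) or os.path.getsize(path) == 0
    with open(path, "a", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=COLUMNS, extrasaction="ignore")
        if new_file:
            writer.writeheader()
        for row in rows:  # lists (rule ids/names) become ";"-separated cells
            writer.writerow({k: ";".join(map(str, v)) if isinstance(v, list) else v for k, v in row.items()})
    return len(rows)


# Constructed sample responses (not real console data) so the script runs offline.
SAMPLE_API = {
    "/api/siem/offenses": [
        {"id": 101, "description": "Excessive Firewall Denies\n", "status": "OPEN", "magnitude": 6,
         "domain_id": 0, "offense_type": 0, "rules": [{"id": 100083, "type": "CRE_RULE"}]},
        {"id": 102, "description": "Malware Detected\n", "status": "OPEN", "magnitude": 8,
         "domain_id": 0, "offense_type": 3,
         "rules": [{"id": 100083, "type": "CRE_RULE"}, {"id": 100205, "type": "CRE_RULE"}]}],
    "/api/config/domain_management/domains/0": {"id": 0, "name": "Default Domain"},
    "/api/siem/offense_types/0": {"id": 0, "name": "Source IP"},
    "/api/siem/offense_types/3": {"id": 3, "name": "Username"},
    "/api/analytics/rules/100083": {"id": 100083, "name": "Excessive Firewall Denies"},
    "/api/analytics/rules/100205": {"id": 100205, "name": "Malware Detected"}}


def make_sample_fetch():
    """Fetcher serving SAMPLE_API, plus the list of paths requested (shows the cache working)."""
    calls: List[str] = []

    def fetch(path: str) -> object:
        calls.append(path)
        return SAMPLE_API[path.split("?", 1)[0]]
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_sample_fetch()
    client, seen = QRadarOffenses(fetch), set()
    print(append_csv(client.poll_new(seen), "offenses.csv"), "offenses saved using", len(calls), "API calls")
    print(len(client.poll_new(seen)), "new offenses on the next poll")
```

Run it as a script to exercise the sample data; pass nothing to QRadarOffenses() to use the real http_get against a console. The name cache means each domain, offense type and rule is fetched once per process no matter how many offenses reference it, which is what keeps the monitoring loop cheap, and the seen set is the only state the loop needs between polls.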