IBM Security QRadar


Python Script to save offenses to csv/db file and monitoring for new ones for data analytics


    Posted Mon September 26, 2022 09:39 AM
    Hello everyone!

    A few days ago the need arose to create a dashboard for my manager where he could see the behavior of offenses, rules and domains over time, all this without accessing Qradar.
    To do this I must extract the data and then analyze it in a service like PowerBi, Tableau or some custom dashboard with python libraries.

    If you want, you can modify this script in some ways:
    • Change the filter in URL_Prefix to obtain the offenses in the status you want.
    • Change the output to excel, sql, mysql, etc.
    • Divide the script into two parts: one that only gets all the offenses and one that monitors the creation of new ones.

    Must check:

    • Have an authorized service token with admin privileges. Variable=SEC_TOKEN
    • Network connectivity with the Qradar console through port 433. Variable=URL_base

    Output:

    Index(['description', 'event_count', 'source_count', 'inactive',
           'destination_networks', 'source_network', 'remote_destination_count',
           'start_time', 'magnitude', 'credibility', 'id', 'categories',
           'severity', 'offense_type', 'relevance', 'domain_id', 'offense_source',
           'log_source', 'rule_id', 'domain_name', 'offense_type_name',
           'rule_name', 'owner', 'origin', 'identifier'],
          dtype='object')
    

    API Reference - Functions:

    get_old_offenses

      GET /siem/offenses/{status}

      Parameter          Type    Description
      status (optional)  string  The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".

    change_domain_id

      GET - /config/domain_management/domains/{offense_id}

      Parameter  Type  Description
      domain_id  num   Required. Number - The ID of the domain.

    change_offense_type_id

      GET - /siem/offense_types/{offense_type}

      Parameter     Type  Description
      offense_type  num   Required. Number - The offense type.

    change_rule_id

      GET - /analytics/rules/{rule_id}

      Parameter  Type  Description
      rule_id    num   Required. Number - The rule ID.


    The step-by-step guide on how to use the script is on GitHub in Jupyter notebook format; I have tried to explain everything there: Qradar-Scripts/get_offenses.ipynb at main · chmedinap/Qradar-Scripts

    This is a screenshot of an automatic report made with Power BI; you can use the data analysis tool you prefer, with the aesthetic adjustments you wish.
    [Image: sample offenses in Power BI]

    I hope it works for you!

    Carlos


    ------------------------------
    Carlos Medina
    ------------------------------
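Added example, not the script from the post or from the Qradar-Scripts repository: an offline Python sketch of the two steps the post describes, resolving domain_id, offense_type and rule_id to names (with one lookup per distinct id) and checking a poll for offenses not seen before, then writing the chosen columns to CSV. The API paths follow the reference above; the response field names, the filter query string and the SEC header are assumptions, and the API is replaced by an in-memory stub.

```python
import csv
import io
# Constructed stand-in for the QRadar REST API (path -> JSON body). The field names
# name and rules[].id are assumptions taken from the public API reference, not from the post.
FAKE_API = {
    "/api/config/domain_management/domains/0": {"id": 0, "name": "Default Domain"},
    "/api/siem/offense_types/3": {"id": 3, "name": "Username"},
    "/api/analytics/rules/100205": {"id": 100205, "name": "Multiple Login Failures"},
}
# Constructed offenses, shaped like the items GET /api/siem/offenses?filter=status%3DOPEN returns.
SAMPLE_OFFENSES = [
    {"id": 41, "description": "Login failures", "domain_id": 0, "offense_type": 3,
     "magnitude": 5, "rules": [{"id": 100205, "type": "CRE_RULE"}]},
    {"id": 42, "description": "Login failures", "domain_id": 0, "offense_type": 3,
     "magnitude": 2, "rules": [{"id": 100205, "type": "CRE_RULE"}]},
]

def fake_get(path):
    # Offline replacement for requests.get(URL_base + path, headers={"SEC": SEC_TOKEN}).json()
    return FAKE_API[path]

def enrich_offenses(offenses, get_json, cache=None):
    """Add domain_name / offense_type_name / rule_name, resolving each id only once."""
    cache = {} if cache is None else cache
    def name_of(path):
        if path not in cache:            # one API call per distinct id, not per offense
            cache[path] = get_json(path).get("name", "")
        return cache[path]
    rows = []
    for off in offenses:
        row = dict(off)
        row["domain_name"] = name_of(f"/api/config/domain_management/domains/{off['domain_id']}")
        row["offense_type_name"] = name_of(f"/api/siem/offense_types/{off['offense_type']}")
        rule_ids = [r["id"] for r in off.get("rules", [])]
        row["rule_id"] = rule_ids[0] if rule_ids else None   # first rule only, one column per offense
        row["rule_name"] = name_of(f"/api/analytics/rules/{rule_ids[0]}") if rule_ids else ""
        rows.append(row)
    return rows

def new_offenses(offenses, seen_ids):
    """Monitoring step: offenses whose id was not present on the previous poll."""
    return [o for o in offenses if o["id"] not in seen_ids]

def to_csv(rows, fields):
    # Serialise the chosen columns to CSV text; the real script writes this to a file.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Keeping the id-to-name cache across polls means the monitoring loop only hits the domain, offense-type and rule endpoints for ids it has not resolved before.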