IBM Security QRadar SOAR

  • 1.  Need help with packaging the QRadar app

    Posted Tue February 13, 2024 10:30 AM

    Hello,
    I need help asap.
    I have created an app to integrate with QRadar using QRadar App SDK. I am fetching events from an API via the app, to QRadar. The app is currently in my system in a directory as I was writing the code in my code editor. Here is what I need help with:
    1. How do I package this app so it can be installed in a QRadar instance. I tried the command: `qapp package -p <app_name.zip>` but it only creates a zip file for the entire app and when I try to install it on QRadar instance, it says "Unable to successfully validate supplied extension file".
    The instructions to package the app in the documentation are not clear and don't seem to work. What am I missing?

    2. The app has a `qenv.ini` file with QRADAR_CONSOLE_FQDN, QRADAR_CONSOLE_IP, QRADAR_REST_PROXY, SEC_ADMIN_TOKEN. Do I need to supply these fields in my code, or does QRadar fill them automatically? If I need to supply them, what values do I need to put?

    3. Currently I am trying to send events to QRadar using the following code and syslog. Is it correct, and will it work or not? If not, how can I configure the app to send events to QRadar?

    ```python
    import socket

    from qpylib import qpylib

    ...

    # Build "key=value " pairs from the fetched event, skipping empty attributes
    # (message is initialised before this loop; not shown)
    for key, value in event_data.items():
        if value is None:
            continue
        message += u"{0}={1} ".format(key, value)

    qpylib.log("WAFGSFDV : Messages RECEIVED")

    syslog(hostaddress, message, event_name)
    ...

    def syslog(hostname, content, event_name):
        # process_event_message() is defined elsewhere in the app (not shown)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((hostname, 514))                                    # TCP syslog receiver
        message = process_event_message(content, event_name) + '\n'   # newline-framed
        s.sendall(message.encode('utf-8'))                            # sendall() writes every byte
        s.shutdown(socket.SHUT_WR)
        s.close()
    ```

    Please help me with the above queries.

    Thanks in Advance.



    ------------------------------
    Cyble Dev
    ------------------------------
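An added example, not code from the original post or from IBM, showing one way the loop above could emit events in QRadar's native LEEF format over TCP syslog instead of ad-hoc `key=value ` pairs. It assumes (none of this is on the page): placeholder vendor/product/version strings, a log source on the console (for example a Universal LEEF type with the Syslog protocol, or log source autodiscovery) that accepts events from the app's source address, and that the console address is read from the app's `qenv.ini` / environment. The `devTime` and `devTimeFormat` attributes let QRadar use the event's own time rather than arrival time; values are sanitised so a tab, newline or pipe in an API field cannot break the framing.

```python
"""LEEF-over-TCP-syslog sender for a QRadar app (added example, not the original code)."""
import datetime
import socket
import time

# LEEF 1.0: '|'-separated header, tab-separated key=value attributes.
_ATTR_DELIM = "\t"
_HEADER_FIELDS = ("MyVendor", "MyProduct", "1.0")   # placeholders, not real product names


def _clean(value):
    """Strip characters that would break LEEF framing: tab, CR/LF and pipe."""
    text = "" if value is None else str(value)
    return (text.replace("\t", " ").replace("\r", " ")
                .replace("\n", " ").replace("|", "/"))


def _utc(when_epoch):
    """Timestamp to format; epoch seconds from the API or now() if None."""
    stamp = time.time() if when_epoch is None else when_epoch
    return datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)


def build_leef(event_id, attrs, when_epoch=None):
    """Return one LEEF 1.0 line for event_id; attributes with None are dropped.

    devTimeFormat uses Java SimpleDateFormat letters, matching devTime below.
    """
    when = _utc(when_epoch)
    vendor, product, version = _HEADER_FIELDS
    header = "LEEF:1.0|{}|{}|{}|{}|".format(vendor, product, version, _clean(event_id))
    fields = ["devTime=" + when.strftime("%b %d %Y %H:%M:%S"),
              "devTimeFormat=MMM dd yyyy HH:mm:ss"]
    for key, value in attrs.items():
        if value is None:            # same rule as the original loop
            continue
        fields.append("{}={}".format(_clean(key), _clean(value)))
    return header + _ATTR_DELIM.join(fields)


def syslog_frame(leef_line, hostname="qradar-app", facility=1, severity=6, when_epoch=None):
    """Wrap a LEEF line in an RFC 3164-style header and newline-terminate it.

    TCP syslog receivers split on '\\n', so one line is exactly one event.
    """
    pri = facility * 8 + severity    # <14> = user-level, informational
    stamp = _utc(when_epoch).strftime("%b %d %H:%M:%S")
    return "<{}>{} {} {}\n".format(pri, stamp, hostname, leef_line).encode("utf-8")


def send_events(hostaddress, frames, port=514, timeout=5.0):
    """Send framed messages over one TCP connection; returns the count sent.

    sendall() (unlike send()) guarantees every byte is written; one connection
    per batch avoids a TCP handshake per event.
    """
    with socket.create_connection((hostaddress, port), timeout=timeout) as s:
        for frame in frames:
            s.sendall(frame)
        s.shutdown(socket.SHUT_WR)
    return len(frames)


if __name__ == "__main__":
    # Constructed sample event, not data from the page.
    sample = {"src": "10.0.0.5", "dst": "203.0.113.9", "usrName": "alice",
              "cat": "Login", "sev": 5, "note": None, "msg": "tab\there|pipe"}
    line = build_leef("1001", sample, when_epoch=1707820200)   # 2024-02-13 10:30:00 UTC
    print(line)
    print(syslog_frame(line, when_epoch=1707820200))
    # send_events(QRADAR_CONSOLE_IP, [syslog_frame(line)])  # address from qenv.ini
```

In the app, `hostaddress` would be the console value the app receives in its environment; if the console is reached through a hostname, resolve it once rather than per event. If the log source is not auto-discovered, create a Universal LEEF log source whose identifier is the app's source IP before testing.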


  • 2.  RE: Need help with packaging the QRadar app

    Posted Mon February 19, 2024 11:34 PM

    Please help.

    @Juan Paulo @Mark Scherfling @Manuel Schwennen @John Quirke @Priya Sapra @Nick Mumaw @Andy Su @Khaled Nasr



    ------------------------------
    Cyble Dev
    ------------------------------



  • 3.  RE: Need help with packaging the QRadar app

    User Group Leader
    Posted Tue February 20, 2024 03:18 AM

    Hi,

     You will get better help in the QRadar SIEM forum; the folks here will be able to help with SOAR only. If you are creating an app to connect QRadar to a REST API then you should take a look at the built-in Universal Cloud REST API connector (uREST). Apps like you describe are known as 'protocol apps' and will only work on QRadar Classic, but uREST is supported on all variants of QRadar SIEM (Cloud Native, QRoC, QRadar Classic). We are strongly encouraging developers to port their existing protocol apps to uREST and discouraging anyone from building new ones.

    https://community.ibm.com/community/user/security/blogs/dan-schofield/2023/08/30/urest-migration 

    If you are looking to build an integration to QRadar and publish it to the IBM Security App Exchange then my team can provide you with free technical assistance, please reach out to me directly if that applies to this situation.

    Cheers,

    Dan -

    IBM Security Technology Alliances

    QRadar App SDK Download and docs:

    https://www.ibm.com/support/pages/qradar 

    QRadar REST API

    https://www.ibm.com/docs/en/qsip/7.5?topic=api-endpoint-documentation-supported-versions

    https://github.com/IBM/api-samples/tree/master

    Getting data into QRadar - a.k.a Develop a DSM (Device Support Module)

    https://www.ibm.com/support/pages/develop-dsm/

    QRadar Built-in Protocols

    https://www.ibm.com/docs/en/dsm?topic=configuration-protocol-options

    QRadar Universal Cloud REST API

    https://www.ibm.com/docs/en/dsm?topic=configuration-universal-cloud-rest-api-protocol

    https://github.com/ibm-security-intelligence/IBM-QRadar-Universal-Cloud-REST-API

    https://community.ibm.com/community/user/security/blogs/wendy-willner/2021/07/07/beyondthedsmguide

    QRadar Partner license request form

    https://ibm.box.com/v/QRadarPartnerLicenseReq

    Getting an extension signed for QRadar

    https://www.ibm.com/support/pages/node/6442125

    Ways to prepare for a smooth validation process

    https://community.ibm.com/community/user/security/blogs/joel-violette1/2022/10/07/7-ways-to-prepare-your-app-for-a-smooth-validation

    QRadar Pre-Validation App

    https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-pre-validation-app

    https://www.ibm.com/docs/en/qradar-common?topic=app-configuring-qradar-pre-validation

    https://exchange.xforce.ibmcloud.com/hub/extension/95fa6eeeea165cf8700c48930cc2d1f3

    How to get your extension .zip file ready for validation

    https://www.ibm.com/support/pages/node/6442125



    ------------------------------
    Dan Schofield
    ------------------------------



  • 4.  RE: Need help with packaging the QRadar app

    Posted Tue February 20, 2024 01:58 PM

    Hello @Dan Schofield,
    Thank you so much for the detailed reply.

    As you mentioned above, I wish to create an integration app and publish it to IBM Security App Exchange.

    Please let me know when and how we can connect at your earliest convenience, as I have some immediate queries regarding the development process of the app.

    Thanks once again.



    ------------------------------
    Cyble Dev
    ------------------------------



  • 5.  RE: Need help with packaging the QRadar app

    Posted Wed February 21, 2024 12:45 PM

    Hey Cyble,

    Didn't see this when it originally came in, so sorry for the delay! When building your integration I would point you to 2 different places where I have documented a lot of this. First would be my YouTube series on app development. That can be found here: https://www.youtube.com/playlist?list=PLTLN10cI6swBa6sQp16rMyBLcitbNBYwO

    That being said, the video series is over a year old and new features have been added to this process. In these videos I am following a document that I have made available on my GitHub. The link to that is found here: https://github.com/TheIRGurus/Documentation/blob/main/SOAR%20Installation%20Guides/Resilient%20API%20and%20App%20Creation.md I keep this up to date as much as I can, so even if the video doesn't have the new feature, check out the document and you will have the latest and greatest knowledge that I currently have! If you think I am missing something, feel free to leave a comment or hit me up in this post!



    ------------------------------
    Nick Mumaw, GPEN, GPYC
    Cyber Security Specialist - SOAR
    IBM - Security
    ------------------------------