Original Message:
Sent: Fri March 24, 2023 07:26 AM
From: Karl Jaeger
Subject: QRadar Python3 Custom Actions Configuration
Tom,
In addition to Paul's comment, I have used AQL and Refsets (Refdata) in combination to enhance QRadar data from events shown.
In my setup we had to enhance SQUID proxy categories coming in as numbers with cleartext category names. First you have to define your data using the ReferenceDataUtil CLI command or the QRadar GUI. Your AQL query could look like the one shown below: column webcatname shows the external refdata using the corresponding key value, while column webproxycat shows the event data.
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
Original Message:
Sent: Thu March 23, 2023 08:03 PM
From: Tom L
Subject: QRadar Python3 Custom Actions Configuration
Thanks, I will have to look into those.
------------------------------
Tom L
Original Message:
Sent: Thu March 23, 2023 07:21 PM
From: Paul Ford-Hutchinson
Subject: QRadar Python3 Custom Actions Configuration
A Custom Action Script cannot set a property on a specific event, nor can it annotate a specific event.
Typically, the 'lookup' capability you seem to want would be done by either a Custom AQL function or via Reference Data Lookup (Reference Set or Reference Table)
pfh
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Thu March 23, 2023 07:09 PM
From: Tom L
Subject: QRadar Python3 Custom Actions Configuration
Thanks for the tip, @Paul Ford-Hutchinson !
Ultimately, I'm trying to make an API call that would provide additional context to an event (query another security tool to correlate an ID field with a machine's name). Can this output be used in an event's properties or as an annotation?
Derived from Call Python script from bash with argument.
#!/bin/bash
n="$1"
python3.6 - <<END
name = "$n"
message = f"Hello, {name}."
print(message)
END
------------------------------
Tom L
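The heredoc above works, but because its delimiter is unquoted the shell expands "$n" into the Python source text, so whatever the custom action receives as its argument (event data such as a username or URL) becomes program text and a stray quote breaks the script. The wrapper below is an added example, not code from this thread: it keeps Paul's bash-as-CAS approach but passes the argument to Python 3 through argv, so the value is never part of the program. The interpreter path (python3.6 as listed under /usr/bin in the thread, falling back to python3) and the script body are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): a bash wrapper usable as a QRadar Custom
# Action Script that hands its argument to Python 3 via argv instead of splicing
# it into Python source. Interpreter path and script body are assumptions.

# Prefer the python3.6 the thread shows under /usr/bin, else any python3 on PATH.
PY="$(command -v python3.6 || command -v python3)"

# Run the embedded Python program with the wrapper's argument as sys.argv[1].
# The quoted delimiter ('EOF') disables shell expansion inside the heredoc, so
# "$1" never becomes program text; Python only ever sees it as an argv string.
# The function's exit status is Python's exit status, so a failing script is
# reported back to the caller rather than silently swallowed.
hello() {
    "$PY" - "$1" <<'EOF'
import sys

# sys.argv[0] is "-" when the program is read from stdin;
# the wrapper's first argument arrives unchanged as sys.argv[1].
name = sys.argv[1] if len(sys.argv) > 1 else "unknown"
print(f"Hello, {name}.")
EOF
}

# Stand-alone use: ./wrapper.sh <value>  (a Custom Action Script receives its
# configured parameters as positional arguments in the same way).
hello "${1:-QRadar}"
```

Values containing quotes, spaces or shell metacharacters come through intact, which is what makes the wrapper safe to feed with fields taken from events; compare this with the unquoted heredoc, where a single `"` in the argument is enough to turn into a SyntaxError or, worse, into extra Python statements.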
Original Message:
Sent: Thu March 23, 2023 06:27 PM
From: Paul Ford-Hutchinson
Subject: QRadar Python3 Custom Actions Configuration
No, I would recommend calling a BASH script as a CAS and then invoking your Python3 code from that BASH script.
pfh
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Thu March 23, 2023 05:11 PM
From: Tom L
Subject: QRadar Python3 Custom Actions Configuration
Hello, is there a setting to have QRadar 7.5.0 use Python3.x during a custom action? I am assuming it is using Python2 and I would much rather write in version 3.
[@qradar01 custom_action_scripts]# ls -a /usr/bin/python*
/usr/bin/python /usr/bin/python2 /usr/bin/python2.7 /usr/bin/python3 /usr/bin/python3.6 /usr/bin/python3.6m
[@qradar01 custom_action_scripts]# python3 customaction_2.script QRadar
Hello, QRadar.
[@qradar01 custom_action_scripts]# cat customaction_2.script
#!/usr/bin/python3.6
import sys
import requests
import json

name = sys.argv[1]

message = f"Hello, {name}."
print(message)
[@qradar01 custom_action_scripts]# python2 customaction_2.script QRadar
File "customaction_2.script", line 8
message = f"Hello, {name}."
^
SyntaxError: invalid syntax
[root@qradar01 custom_action_scripts]# python customaction_2.script QRadar
File "customaction_2.script", line 8
message = f"Hello, {name}."
^
SyntaxError: invalid syntax
Thanks!
------------------------------
Tom L
------------------------------