IBM Security QRadar

  • 1.  QRadar Python3 Custom Actions Configuration

    Posted Thu March 23, 2023 05:12 PM

    Hello, is there a setting to have QRadar 7.5.0 use Python3.x during a custom action?  I am assuming it is using Python2 and I would much rather write in version 3.

    [@qradar01 custom_action_scripts]# ls -a /usr/bin/python*
    /usr/bin/python  /usr/bin/python2  /usr/bin/python2.7  /usr/bin/python3  /usr/bin/python3.6  /usr/bin/python3.6m

    [@qradar01 custom_action_scripts]# python3 customaction_2.script QRadar
    Hello, QRadar.

    [@qradar01 custom_action_scripts]# cat customaction_2.script

    #!/usr/bin/python3.6
    import sys
    import requests
    import json
    
    name = sys.argv[1]
    
    message = f"Hello, {name}."
    print(message)

    [@qradar01 custom_action_scripts]# python2 customaction_2.script QRadar
      File "customaction_2.script", line 8
        message = f"Hello, {name}."
                                  ^
    SyntaxError: invalid syntax

    [root@qradar01 custom_action_scripts]# python customaction_2.script QRadar
      File "customaction_2.script", line 8
        message = f"Hello, {name}."
                                  ^
    SyntaxError: invalid syntax

    Thanks!



    ------------------------------
    Tom L
    ------------------------------


  • 2.  RE: QRadar Python3 Custom Actions Configuration

    Posted Thu March 23, 2023 06:27 PM

    No, I would recommend calling a BASH script as a CAS and then invoking your Python3 code from that BASH script.

    pfh



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 3.  RE: QRadar Python3 Custom Actions Configuration

    Posted Thu March 23, 2023 07:09 PM

    Thanks for the tip, @Paul Ford-Hutchinson !

    Ultimately, I'm trying to make an API call that would provide additional context to an event (query another security tool to correlate an ID field with a machine's name).  Can this output be used in an event's properties or as an annotation?

    Derived from Call Python script from bash with argument.

    #!/bin/bash
    # Wrapper invoked by QRadar as the Custom Action Script. The argument is
    # handed to Python 3 through argv rather than spliced into the source text,
    # so an argument containing quotes or newlines cannot alter the Python code.
    n="$1"
    python3.6 - "$n" <<'END'
    import sys
    name = sys.argv[1]
    message = f"Hello, {name}."
    print(message)
    END



    ------------------------------
    Tom L
    ------------------------------



  • 4.  RE: QRadar Python3 Custom Actions Configuration

    Posted Thu March 23, 2023 07:21 PM

    A Custom Action Script cannot set a property on a specific event, nor can it annotate a specific event.

    Typically, the 'lookup' capability you seem to want would be done by either a Custom AQL function or via Reference Data Lookup (Reference Set or Reference Table)

    pfh



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 5.  RE: QRadar Python3 Custom Actions Configuration

    Posted Thu March 23, 2023 08:03 PM

    Thanks, I will have to look into those.



    ------------------------------
    Tom L
    ------------------------------



  • 6.  RE: QRadar Python3 Custom Actions Configuration

    IBM Champion
    Posted Fri March 24, 2023 07:26 AM

    Tom,

    in addition to Paul's comment, I have used AQL and Refsets (Refdata) in combination to enhance QRadar data from events shown.

    In my setup we had to enhance SQUID proxy categories coming in as numbers with cleartext category names. First you have to define your data using the ReferenceDataUtil CLI command or the QRadar GUI. Your AQL query could look like shown below. Column webcatname shows external refdata using the corresponding key value, while column webproxycat shows event data.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 7.  RE: QRadar Python3 Custom Actions Configuration

    Posted Fri March 24, 2023 12:32 PM

    Good stuff @Karl Jaeger , I have a draft reference table that I can later use in an AQL Based Custom Event Property.  It will be much easier to pivot with the actual computer name than its id from another security product.  I now have to keep that reference table up to date with fresh data.



    ------------------------------
    Tom L
    ------------------------------
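The refresh job mentioned in the last two posts (keeping the id-to-hostname reference table current from another security product) is the kind of script that belongs in a scheduled Python 3 job rather than in a Custom Action Script. The block below is an added example, not code from the thread or from IBM: it builds the `{outer_key: {inner_key: value}}` body that the QRadar `reference_data/tables/bulk_load` REST endpoint accepts, authenticates with a SEC token read from a file (not from argv or the environment, where it would be visible to other processes), and skips records with a missing id or name. The tool response, the field names `agent_id`/`hostname`, the table name and the console hostname are constructed assumptions; replace the sample list with a real call to the external tool's API.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): refresh a QRadar reference table with
agent-id -> hostname mappings taken from another security tool, so that an
AQL-based custom event property can resolve the id to a machine name.

Assumptions not stated in the thread: the external tool returns JSON records
with "agent_id" and "hostname" fields, and the QRadar console accepts a
SEC-token authenticated POST on /api/reference_data/tables/bulk_load/<table>.
"""
import json
import ssl
import sys
import urllib.parse
import urllib.request

# Constructed sample of what the external tool's API might return.
SAMPLE_TOOL_RESPONSE = [
    {"agent_id": "a1b2c3", "hostname": "WS-FINANCE-07"},
    {"agent_id": "d4e5f6", "hostname": "SRV-DC-01"},
    {"agent_id": "", "hostname": "ORPHAN"},      # no id: cannot be keyed, skipped
    {"agent_id": "g7h8i9", "hostname": None},    # no name: nothing to enrich with, skipped
    {"agent_id": " j0k1l2 ", "hostname": " ws-hr-03 "},  # whitespace is trimmed
]


def build_bulk_load_body(records, outer_field="agent_id",
                         value_field="hostname", inner_key="hostname"):
    """Convert tool records into the bulk_load JSON shape
    {outer_key: {inner_key: value}} and count the records dropped."""
    body = {}
    skipped = 0
    for rec in records:
        key = rec.get(outer_field)
        val = rec.get(value_field)
        if not key or not val or not str(key).strip() or not str(val).strip():
            skipped += 1
            continue
        body[str(key).strip()] = {inner_key: str(val).strip()}
    return body, skipped


def load_token(path):
    """Read the QRadar SEC token from a file (keep it root-only, mode 0600)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_request(console, token, table_name, body):
    """Prepare the POST against the bulk_load endpoint; the table name is
    URL-quoted so it cannot add path segments."""
    url = "https://{}/api/reference_data/tables/bulk_load/{}".format(
        console, urllib.parse.quote(table_name, safe=""))
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "SEC": token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def push_to_qradar(req, ca_bundle=None, timeout=30):
    """Send the request with TLS verification on; pass the console's CA
    bundle instead of disabling verification for a self-signed console."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: refresh_ref_table.py <console-host> <token-file> <table-name>")
    console, token_file, table = sys.argv[1:]
    rows, dropped = build_bulk_load_body(SAMPLE_TOOL_RESPONSE)
    status, result = push_to_qradar(
        build_request(console, load_token(token_file), table, rows))
    print("loaded {} rows, skipped {}, HTTP {}: {}".format(
        len(rows), dropped, status, result))
```

Once the table is populated, the AQL side of the custom event property reads it with the `REFERENCETABLE` function keyed on the event's id field, which is what gives the analyst the machine name to pivot on. Running the job on a cron schedule keeps the table fresh; the skipped-record count is worth logging, since a sudden jump usually means the external tool changed its response format.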