IBM Security QRadar

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------

This is the purpose of Custom Action Scripts in QRadar. Custom actions can run as a rule response in QRadar and take values from the event payload to run within the script parameters you create. Custom actions run within a jail shell, meaning that they cannot interact with QRadar directly, but can make API calls and do outside functions for non-QRadar systems, like opening tickets, passing data, pretty much anything. Basically, the jail shell can only modify or alter files on QRadar within the shell itself, but actions outside of QRadar are possible for whatever function you need to complete.

For review: https://www.ibm.com/docs/en/qsip/7.5?topic=actions-passing-parameters-custom-action-script

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------

Hello Jonathan,

Great...
Yeah... I was imagining just that.
But.. Do you know if I can upload Custom Action script in QRadar on Cloud?

@Jonathan Pechta, Do you know how I set Python3 as default in QRadar SIEM?

Kind Regards,

------------------------------
Alexandre Gammaro
------------------------------

Original Message:
Sent: Tue October 25, 2022 09:23 AM
From: Jonathan Pechta
Subject: Query in rule tests

This is the purpose of Custom Action Scripts in QRadar. Custom actions can run as a rule response in QRadar and take values from the event payload to run within the script parameters you create. Custom actions run within a jail shell, meaning that they cannot interact with QRadar directly, but can make API calls and do outside functions for non-QRadar systems, like opening tickets, passing data, pretty much anything. Basically, the jail shell can only modify or alter files on QRadar within the shell itself, but actions outside of QRadar are possible for whatever function you need to complete.

For review: https://www.ibm.com/docs/en/qsip/7.5?topic=actions-passing-parameters-custom-action-script

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------
​

Jonathan is right about the test itself. Of course you need a second rule that checks the conditions set by your first rule and triggers offense if conditions are met. Reference sets are ideal for that purpose .

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------

Hello Karl,

Excellent idea about Reference Set.

Kind Regards,

------------------------------
Alexandre Gammaro
------------------------------

Original Message:
Sent: Wed October 26, 2022 03:30 AM
From: Karl Jaeger
Subject: Query in rule tests

Jonathan is right about the test itself. Of course you need a second rule that checks the conditions set by your first rule and triggers offense if conditions are met. Reference sets are ideal for that purpose .

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------

Hello @Jonathan Pechta and @Karl Jaeger,

Great news!
But I created a script using Python3.
Do you know some way to use python3 as default in QRadar?

Regards,
​​

------------------------------
Alexandre Gammaro
------------------------------

Original Message:
Sent: Wed October 26, 2022 03:30 AM
From: Karl Jaeger
Subject: Query in rule tests

Jonathan is right about the test itself. Of course you need a second rule that checks the conditions set by your first rule and triggers offense if conditions are met. Reference sets are ideal for that purpose .

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------

Alexandre,
dont change python version, this is bad. You have got three options.

1. Execute your python3 script externally an access Qradar via API.
2. Check for features and libraries used in python 2.7.5 and 3.0. Downgrade your script in a 2.7.5 environment. Remove libs not needed.
3. Install python 3 in a container environment as Qradar already does. You can use the app developers kit for that and install your python version inside.

Regards

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message:
Sent: Mon November 07, 2022 10:49 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello @Jonathan Pechta and @Karl Jaeger,

Great news!
But I created a script using Python3.
Do you know some way to use python3 as default in QRadar?

Regards,
​​

------------------------------
Alexandre Gammaro

Original Message:
Sent: Wed October 26, 2022 03:30 AM
From: Karl Jaeger
Subject: Query in rule tests

Jonathan is right about the test itself. Of course you need a second rule that checks the conditions set by your first rule and triggers offense if conditions are met. Reference sets are ideal for that purpose .

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]

Original Message:
Sent: Wed October 19, 2022 11:02 AM
From: Alexandre Gammaro
Subject: Query in rule tests

Hello All,

Anybody knows about some way to implement a rule test that need to do a query in some DB as conditional in rule?

Regards,

------------------------------
Alexandre Gammaro
------------------------------