IBM QRadar: Developing QRadar Applications
Latest revision as of 14:31, 28 July 2025

Some QRadar applications require additional dependencies to be installed.

Before starting, ensure your system has the following installed:

  • Python 3.x and pip
  • Docker (preferably Docker-CE)
  • QRadar App SDK v2 — Current version: 2.2.3

You can check which base image versions the SDK and your target QRadar release support in the QRadar App Base Images changelog: https://ibmsecuritydocs.github.io/qradar_appfw_v2/docs/documentation/qradar_app_base_image_changelog.html

Preparing Your Environment

Installing Docker on RHEL/CentOS 8

1) Enable the required repositories and install dependencies (`pass` is the GPG-backed password store that Docker's docker-credential-pass helper can use for registry logins). The docker-ce packages themselves come from Docker's own dnf repository, which must be configured before step 3; the Get Docker page linked below describes how:

sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install pass

For other distributions and versions, see Get Docker: https://docs.docker.com/get-started/get-docker/

2) Remove Podman and runc if they are already installed; the RHEL-packaged versions conflict with the containerd.io package that Docker CE depends on:

sudo dnf -y remove podman runc

3) Install Docker-CE:

sudo dnf -y install docker-ce docker-ce-cli containerd.io

4) Enable and start the Docker service:

sudo systemctl enable docker
sudo systemctl start docker

5) Add your user to the docker group so that docker can be run without sudo:

sudo usermod -aG docker <YOUR_USER>

Note: You must log out and log back in for this change to take effect. Membership in the docker group gives control of the Docker daemon socket, which is equivalent to root on the host (a container can be started with the host filesystem mounted), so only add accounts you would trust with root.

Installing the QRadar App SDK

1) Download the SDK from IBM X-Force Exchange:

QRadar App SDK: https://exchange.xforce.ibmcloud.com/hub/extension/517ff786d70b6dfa39dde485af6cbc8b

The current version is 2.2.3.

2) Extract the SDK package:

mkdir SDK
cd SDK
unzip QRadarAppSDK-2.2.3.zip

3) Run the installer script (it runs with root privileges, so review it first and make sure the archive came from the X-Force Exchange page above):

sudo ./install.sh

This script installs the `qapp` CLI tool to `/usr/local/bin/`.

Verify the installation:

qapp --version

Cloning Sample Applications

1) Clone IBM’s sample applications repository:

git clone https://github.com/IBM/qradar-sample-apps.git
cd qradar-sample-apps/HelloWorld

2) Update the image entry in manifest.json if the sample's default base image does not match your target QRadar release (see the base image changelog linked above); for example:

"image": "qradar-app-base:4.0.0",

Running the Application Locally

Run the HelloWorld app in a local Docker container:

qapp run

This starts the application in a local Docker container for testing.

The output provides a URL, in my case http://localhost:32768/; open it in your browser.

Tip

If the previous step worked, you can confirm that the container is running:

$ docker ps

 CONTAINER ID   IMAGE              COMMAND     CREATED       STATUS       PORTS                   NAMES
 ad02f6d95922   helloworld         "sh /opt"   2 hours ago   Up 2 hours   0.0.0.0:32768->5000/tcp qradar-helloworld

You can also list the images that were built and pulled (the helloworld image is built on top of the qradar-app-base image):

$ docker images

 REPOSITORY                                                     TAG       IMAGE ID       CREATED         SIZE
 helloworld                                                     latest    1a55448eb20d   2 hours ago     388MB
 icr.io/qradar-siem-release/gaf/qradar-app-base                 4.0.9     69c0c5539b12   4 months ago    388MB
 docker-release.secintel.intranet.ibm.com/gaf/qradar-app-base   2.1.23    36e712cf0105   12 months ago   358MB

Note that the app port is published on 0.0.0.0, so while you are testing, the container is reachable from other hosts on your network, not only from localhost.

Packaging and Deploying to QRadar

1) Create a deployment package:

qapp package -p app.zip

2) Deploy the application to a QRadar instance:

qapp deploy -p app.zip -q <QRADAR_IP> -u <USERNAME>

Example:

qapp deploy -p app.zip -q 192.168.42.150 -u admin
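Before running `qapp deploy`, it is worth inspecting the package that `qapp package` produced. The following Python script is an added example and is not part of the QRadar App SDK or the sample repository: it opens app.zip, reads manifest.json, checks that the `image` entry is pinned to an exact base image version from an allowed list, and flags files that should never ship in a package (VCS metadata, local .env files, private keys, byte-code caches). The allowed tag list `ALLOWED_BASE_TAGS`, the forbidden-path patterns and the minimal sample manifest it builds for its self-test are constructed assumptions; take the real supported versions from the base image changelog, and note that a real manifest.json carries more fields than the sample.

```python
"""Pre-deployment check for a QRadar app package (app.zip).

Added example, not part of the QRadar App SDK. Opens the zip produced by
`qapp package`, reads manifest.json and reports:
  * an `image` that is not pinned to an exact version, or whose version is
    not on the (assumed) list of base images the target QRadar supports
  * files that should not ship: VCS metadata, .env files, private keys,
    byte-code caches
"""
import io
import json
import re
import zipfile

# Assumed: base image tags acceptable for the target QRadar release.
# Replace with the versions listed in the QRadar App Base Images changelog.
ALLOWED_BASE_TAGS = {"4.0.0", "4.0.9"}
IMAGE_RE = re.compile(r"^(?P<name>[\w./-]+):(?P<tag>[\w.-]+)$")

# Path patterns that indicate development leftovers or secrets (assumed list).
FORBIDDEN = [
    (re.compile(r"(^|/)\.git(/|$)"), "VCS metadata"),
    (re.compile(r"(^|/)\.env(\..*)?$"), "local environment file"),
    (re.compile(r"(^|/)__pycache__/"), "byte-code cache"),
    (re.compile(r"\.(pem|key|p12|pfx)$"), "private key material"),
    (re.compile(r"(^|/)id_(rsa|ed25519|ecdsa)$"), "SSH private key"),
]


def check_image(image):
    """Return a list of findings for the manifest's `image` value."""
    m = IMAGE_RE.match(image or "")
    if not m:
        return [f"image '{image}' is not in name:tag form"]
    tag = m.group("tag")
    # A floating tag ("latest") means the build is not reproducible and may
    # silently pick up a base image the target QRadar does not support.
    if tag == "latest" or not re.fullmatch(r"\d+\.\d+\.\d+", tag):
        return [f"image tag '{tag}' is not pinned to an exact version"]
    if tag not in ALLOWED_BASE_TAGS:
        return [f"image tag '{tag}' is not a supported base image version"]
    return []


def check_package(zip_bytes):
    """Inspect a package; return {'image': [...], 'files': [(path, reason)], 'manifest': dict|None}."""
    report = {"image": [], "files": [], "manifest": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "manifest.json" not in names:
            report["image"].append("manifest.json missing from package root")
        else:
            report["manifest"] = json.loads(zf.read("manifest.json"))
            report["image"] = check_image(report["manifest"].get("image"))
        for name in names:
            for pattern, reason in FORBIDDEN:
                if pattern.search(name):
                    report["files"].append((name, reason))
                    break
    return report


def build_sample_package(image):
    """Constructed sample standing in for `qapp package` output; deliberately dirty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Minimal constructed manifest; a real one has more fields.
        zf.writestr("manifest.json", json.dumps({"name": "HelloWorld", "image": image}))
        zf.writestr("app/__init__.py", "")
        zf.writestr("app/__pycache__/__init__.cpython-38.pyc", "x")
        zf.writestr(".env", "API_TOKEN=constructed")
        zf.writestr(".git/config", "[core]")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_package("qradar-app-base:latest")
    result = check_package(data)
    for finding in result["image"]:
        print("IMAGE:", finding)
    for name, reason in result["files"]:
        print(f"FILE: {name} ({reason})")
    sys.exit(1 if result["image"] or result["files"] else 0)
```

Run it against the real package with the zip path as the only argument (the script file name is yours to choose); with no argument it builds the dirty sample package and exits non-zero. A non-zero exit is the signal to fix the manifest or clean the working tree before `qapp deploy` ships the package to the console.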

See also