IBM QRadar: Developing QRadar Applications
Some QRadar applications require additional dependencies to be installed.
Before starting, ensure your system has the following installed:
- Python 3.x and pip
- Docker (preferably Docker-CE)
- QRadar App SDK v2 — Current version: 2.2.3
You can check QRadar App SDK compatibility on the QRadar App Base Images page.
Preparing Your Environment
Installing Docker on RHEL/CentOS 8
1) Enable required repositories and install dependencies:
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install pass
For other versions, see Get Docker.
2) Remove Podman or ContainerD if already installed (they conflict with Docker):
sudo dnf -y remove podman runc
3) Install Docker-CE:
sudo dnf -y install docker-ce docker-ce-cli containerd.io
4) Enable and start the Docker service:
sudo systemctl enable docker
sudo systemctl start docker
5) Add your user to the docker group:
sudo usermod -aG docker <YOUR_USER>
Note: You must log out and log back in for this change to take effect.
Installing the QRadar App SDK
1) Download the SDK from IBM X-Force Exchange:
Current version is 2.2.3
2) Extract the SDK package:
mkdir SDK
cd SDK
unzip QRadarAppSDK-2.2.3.zip
3) Run the installer script:
sudo ./install.sh
This script installs the `qapp` CLI tool to `/usr/local/bin/`.
Verify the installation:
qapp --version
Cloning Sample Applications
1) Clone IBM’s sample applications repository:
git clone https://github.com/IBM/qradar-sample-apps.git
cd qradar-sample-apps/HelloWorld
2) Update the manifest.json file to change the base image, if necessary:
"image": "qradar-app-base:4.0.0",
Running the Application Locally
Run the HelloWorld app in a local Docker container:
qapp run
This will start the application locally for testing purposes.
The output must provide a URL (in my case http://localhost:32768/). Open it in your browser.
Tip
If the previous step worked, you can check that the container is running:
$ docker ps
CONTAINER ID   IMAGE        COMMAND     CREATED       STATUS       PORTS                     NAMES
ad02f6d95922   helloworld   "sh /opt"   2 hours ago   Up 2 hours   0.0.0.0:32768->5000/tcp   qradar-helloworld
And check the images:
$ docker images
REPOSITORY                                                     TAG      IMAGE ID       CREATED         SIZE
helloworld                                                     latest   1a55448eb20d   2 hours ago     388MB
icr.io/qradar-siem-release/gaf/qradar-app-base                 4.0.9    69c0c5539b12   4 months ago    388MB
docker-release.secintel.intranet.ibm.com/gaf/qradar-app-base   2.1.23   36e712cf0105   12 months ago   358MB
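The PORTS column in the docker ps output above shows 0.0.0.0:32768->5000/tcp, which means the test app is published on every host interface, not only on localhost. The following check is an added example, not part of the original page or the QRadar SDK; it lists such wildcard bindings, and the `exposed_containers` function name, the `|` separator and the sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page or the QRadar SDK).
# Reads "<name>|<ports>" lines, as produced by:
#   docker ps --format '{{.Names}}|{{.Ports}}'
# and prints every published mapping bound to a wildcard address,
# i.e. reachable on all host interfaces rather than loopback only.
exposed_containers() {
    awk -F '|' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # Published mappings look like ADDR:HOSTPORT->CONTAINERPORT/proto;
            # entries without "->" are exposed but not published.
            if (maps[i] !~ /->/) continue
            addr = maps[i]
            sub(/:[0-9-]+->.*/, "", addr)   # strip ":hostport->..." to keep ADDR
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print $1 " " maps[i]
        }
    }'
}

# Constructed sample: the first line mirrors the docker ps output above,
# the other two are made up for contrast.
sample='qradar-helloworld|0.0.0.0:32768->5000/tcp, [::]:32768->5000/tcp
loopback-only|127.0.0.1:32769->5000/tcp
not-published|5000/tcp'

printf '%s\n' "$sample" | exposed_containers
```

On a development host, pipe the live `docker ps --format '{{.Names}}|{{.Ports}}'` output into the function instead of the sample.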
Packaging and Deploying to QRadar
1) Create a deployment package:
qapp package -p app.zip
2) Deploy the application to a QRadar instance:
qapp deploy -p app.zip -q <QRADAR_IP> -u <USERNAME>
Example:
qapp deploy -p app.zip -q 192.168.42.150 -u admin