I want to walk through how to write a QRadar app, specifically one that collects logs from a log source that exposes its events only through an API and that QRadar does not natively support. Examples at the time of writing include Duo Security and Trend Micro Apex Central, but there are potentially thousands of others you might run into.
No, I’m not talking about QRadar on Cloud (QRoC) or even running QRadar in a cloud environment. I’m talking about how to manage a QRadar system when a number of your log sources are sitting in the cloud.
Writing QRadar apps isn’t always the most straightforward task. I learned a lot of this the hard way. Here are the most important things.