QRadar App Editor

Writing QRadar apps isn’t always the most straightforward task. I learned a lot of stuff the hard way. Here’s the most important things.

I’m going to start this off with a warning: I link to some IBM documentation in this post. I make no guartunees that the links work. IBM changes their links so often and so randomly that it’s impossible to keep up with. Google is your friend, even if IBM isn’t.

It’s just Python

If you know Python, you’re golden. Bonus points if you know how to use the Flask framework. But you can find some boilerplate which really helps get around that.

The App Editor

Seriously if you’re developing a QRadar app casually, you should be looking at the App Editor. And by “casually”, I mean you’re not planning on putting the app on the official X-Force App Exchange, you’re not writing it on behalf of a major vendor for distribution to clients, you don’t need version control or CI/CD, etc. Use the App Editor and select one of the template apps and work from there.

In most cases with the App Editor, you can save your code and just pop to the other tab (or whatever you’re working on) and refresh just that tab without needing to re-deploy the code. This saves a ton of time. (And if you didn’t know, clicking an active tab in the QRadar interface reloads just that one tab… very handy).

Deploying the app

If you’re developing this app on your production QRadar instance, your app is actually kinda already deployed. But the App Editor tab does take up some space, so if you want that to go away you can choose Deploy –> Production. This mainly just makes the App Editor tab disappear. Make sure you download a ZIP of your app before doing this!

If you want that App Editor window back afterwards, you can re-import that ZIP file into a new App Editor page.

Exporting the app

Unfortunately the ZIP you get from the App Editor can’t be installed on another QRadar system, it can only be imported back into the App Editor. You’ll need to export the app from the command line with the following command, replacing “1234” with your app’s ID:

/opt/qradar/bin/contentManagement.pl --action export --content-type 100 --id 1234 -t "ZIP"

If you don’t know your app’s ID, click the hamburger menu in the top left and at the bottom click on Interactive API for Developers. From there, find “guiappframework” and then inside of there, find “applications”. Scroll to the bottom and click “Try It Out!”, which will return a list of all your installed applications, including the one you’re writing. There’s your app ID.

Be aware that if you export the app without selecting “deploy –> production” it will export the App Editor tab as well. You might want this (for instance, it lets you keep editing the app even on QRoC, very handy) or you might not (if you’re sending it to another system). Deploy to production first if you want to hide the App Editor tab on your other system.

Installing an app

Once you have the app exported from the command line, you can install it somewhere else using the normal Extensions Management from the Admin tab. This even works on IBM’s hosted QRadar on Cloud (QRoC). The App Editor doesn’t work on QRoC but you can export from a QRadar CE test environment and install it on a QRoC system no problem.

Dependencies and versions

As of QRadar 7.3.3 (the latest version as of writing this), QRadar ships with Python 2.6. This is a pretty big problem because a lot of stuff doesn’t work with 2.6. You can force it to use 2.7 with a simple manifest.json change as shown in the documentation here.

Dependencies and packages are also a challenge in the App Editor, it seems like the official way to install Python packages just doesn’t work with the App Editor. Luckily if you don’t need too many packages, I’ve found a hack to work around it. Basically at runtime we just add a check to see if a package is installed, and if not we dynamically break to an OS process, install the dependency, then go back to executing the code. This can be slow but if you need one or two simple packages it’s the only way.

In this example I needed authlib. So we’re going to import the standard library package imp and use it to determine if authlib is already installed. If it’s not, we’ll break into a subprocess, use pip to install authlib, then once that’s done, import the library like normal.

import imp try: imp.find_module(‘authlib.client’) found = True except ImportError: import subprocess import sys subprocess.call([sys.executable, “-m”, “pip”, “install”, “authlib”]) from authlib.client import AssertionSession

Like I said, kind of a hack, but it works.

When to not use the App Editor

If you need a substantial amount of dependencies or packages, don’t do this. Use the official SDK. For example, a lot of IBM’s official QRadar apps only use Python to load Node and React, then the rest of the logic and interface are done in Javascript. You can’t (or at least shouldn’t) do that in the App Editor.

The App Editor also really sucks if you need version control or CI/CD, since getting the code out of the editor window is either a ZIP download or a copy and paste.

And lastly, if you need to develop for QRoC (or any QRadar system that doesn’t give you command line access), you’ll either want a QRadar CE lab environment or use the SDK to write and package your app.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.