Writing QRadar apps isn’t always the most straightforward task. I learned a lot of stuff the hard way. Here are the most important things.
I’m going to start this off with a warning: I link to some IBM documentation in this post. I make no guarantees that the links work. IBM changes their links so often and so randomly that it’s impossible to keep up. Google is your friend, even if IBM isn’t.
It’s just Python
If you know Python, you’re golden. Bonus points if you know how to use the Flask framework. But you can find some boilerplate which really helps get around that.
The App Editor
Seriously, if you’re developing a QRadar app casually, you should be looking at the App Editor. And by “casually”, I mean you’re not planning on putting the app on the official X-Force App Exchange, you’re not writing it on behalf of a major vendor for distribution to clients, you don’t need version control or CI/CD, etc. Use the App Editor, select one of the template apps and work from there.
In most cases with the App Editor, you can save your code and just pop to the other tab (or whatever you’re working on) and refresh just that tab without needing to re-deploy the code. This saves a ton of time. (And if you didn’t know, clicking an active tab in the QRadar interface reloads just that one tab… very handy).
Deploying the app
If you’re developing this app on your production QRadar instance, your app is actually kinda already deployed. But the App Editor tab does take up some space, so if you want that to go away you can choose Deploy –> Production. This mainly just makes the App Editor tab disappear. Make sure you download a ZIP of your app before doing this!
If you want that App Editor window back afterwards, you can re-import that ZIP file into a new App Editor page.
Exporting the app
Unfortunately the ZIP you get from the App Editor can’t be installed on another QRadar system, it can only be imported back into the App Editor. You’ll need to export the app from the command line with the following command, replacing “1234” with your app’s ID:
/opt/qradar/bin/contentManagement.pl --action export --content-type 100 --id 1234 -t "ZIP"
If you don’t know your app’s ID, click the hamburger menu in the top left and at the bottom click on Interactive API for Developers. From there, find “guiappframework” and then inside of there, find “applications”. Scroll to the bottom and click “Try It Out!”, which will return a list of all your installed applications, including the one you’re writing. There’s your app ID.
Be aware that if you export the app without selecting “deploy –> production” it will export the App Editor tab as well. You might want this (for instance, it lets you keep editing the app even on QRoC, very handy) or you might not (if you’re sending it to another system). Deploy to production first if you want to hide the App Editor tab on your other system.
Installing an app
Once you have the app exported from the command line, you can install it somewhere else using the normal Extensions Management from the Admin tab. This even works on IBM’s hosted QRadar on Cloud (QRoC). The App Editor doesn’t work on QRoC but you can export from a QRadar CE test environment and install it on a QRoC system no problem.
Dependencies and versions
As of QRadar 7.3.3 (the latest version as of writing this), QRadar ships with Python 2.6. This is a pretty big problem because a lot of stuff doesn’t work with 2.6. You can force it to use 2.7 with a simple manifest.json change as shown in the documentation here.
Dependencies and packages are also a challenge in the App Editor, it seems like the official way to install Python packages just doesn’t work with the App Editor. Luckily if you don’t need too many packages, I’ve found a hack to work around it. Basically at runtime we just add a check to see if a package is installed, and if not we dynamically break to an OS process, install the dependency, then go back to executing the code. This can be slow but if you need one or two simple packages it’s the only way.
In this example I needed authlib. So we’re going to import the standard library package imp and use it to determine if authlib is already installed. If it’s not, we’ll break into a subprocess, use pip to install authlib, then once that’s done, import the library like normal.
import imp, subprocess, sys
found = True
try: imp.find_module("authlib")  # does this interpreter already have the package?
except ImportError: found = False
if not found:  # no: shell out to pip with the same interpreter, then carry on
    subprocess.call([sys.executable, "-m", "pip", "install", "authlib"])
from authlib.client import AssertionSession
Like I said, kind of a hack, but it works.
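A more defensive version of the same hack, added here as an example rather than code from the original post: it retries the import after pip runs, turns a pip failure into a clear ImportError instead of letting the later import blow up with a confusing message, and takes the installer as a parameter so the logic can be exercised without network access. The ensure_module name, the installer hook and the PIP_REQUIREMENTS mapping are my assumptions; it uses importlib instead of imp so it also runs under Python 3.

```python
import importlib
import subprocess
import sys

# Import name -> pip requirement string (constructed mapping; the two names can
# differ, and a pin such as "authlib==X.Y.Z" (placeholder) is safer than an
# unpinned install when this runs on a production SIEM).
PIP_REQUIREMENTS = {"authlib": "authlib"}


def ensure_module(module_name, requirement=None, installer=None):
    """Import module_name, running pip first if it is not installed.

    installer(argv) -> exit code; defaults to subprocess.call. Returns the
    module, or raises ImportError if pip fails (for instance because the app
    container has no route to PyPI) or the install did not make it importable.
    """
    if installer is None:
        installer = subprocess.call
    try:
        return importlib.import_module(module_name)  # fast path: already there
    except ImportError:
        pass
    requirement = requirement or PIP_REQUIREMENTS.get(module_name, module_name)
    rc = installer([sys.executable, "-m", "pip", "install", requirement])
    if rc != 0:
        raise ImportError("pip install %s exited with %d" % (requirement, rc))
    try:
        return importlib.import_module(module_name)  # retry after the install
    except ImportError:
        raise ImportError("%s installed but not importable; check sys.path"
                          % module_name)


if __name__ == "__main__":
    # Stand-alone smoke run against a stdlib module, which never triggers pip.
    print(ensure_module("json").__name__)
```

Because pip's exit code is checked, a QRoC container without outbound network fails at startup with a message naming the package, rather than somewhere later in a request handler.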
When to not use the App Editor
The App Editor also really sucks if you need version control or CI/CD, since getting the code out of the editor window is either a ZIP download or a copy and paste.
And lastly, if you need to develop for QRoC (or any QRadar system that doesn’t give you command line access), you’ll either want a QRadar CE lab environment or use the SDK to write and package your app.