/api-samples

Samples code that uses QRadar API's

Primary LanguagePythonApache License 2.0Apache-2.0

QRadar API Samples

This package contains sample Python code that demonstrates how to use the QRadar REST API. The API is accessed by sending specially crafted HTTP requests to specific URLs on the QRadar console. These URLs, known as "endpoints", each perform a specific function. Some endpoints perform different functions depending on whether you send a GET, POST, or DELETE request. By linking together calls to these endpoints you can implement you own custom business processes or integrate QRadar data with external systems.

The QRadar REST API contains endpoints not covered by these samples. Future releases of this sample package will be expanded to include examples of more API endpoints.

For a list of the endpoints that you can use along with the parameters they accept you can view the REST API interactive help page on your QRadar installation at https://<hostname>/api_doc You can retrieve a list of available endpoints from the API itself at the /help/endpoints endpoint.

You can also join the community on our forums at: https://www.ibm.com/developerworks/community/forums/html/forum?id=b02461a3-9a70-4d73-94e8-c096abe263ca

What's New

For the changes to the API's and the impacts those would have on the samples see What's new for developers in RESTful APIs in QRadar V7.2.8.

Package Contents

  • An introduction package that shows how to use the API at a low level.
  • A reference data package that demonstrates endpoints in the /reference_data category.
  • An Ariel package that demonstrates endpoints in the /ariel category.
  • An Offense package that demonstrates endpoints in the /siem/offenses category.
  • A Domain Management package that demonstrates endpoints in the /config/domain_management/domains category.
  • A Custom Actions package that demonstrates endpoints in the '/analytics/custom_actions' category.
  • An API CLI client that can be used to access the API from the command line.
  • A package containing shared modules.

Requirements

  • Python 3.3 or above
  • QRadar system 7.2.8 or higher

Instructions

The API samples should not be run directly on a QRadar appliance. The API samples are intended to run on an outside system to poll data from QRadar. QRadar does not run Python 3.3 and the requirements for Python 3.3 is intended for the outside host that is running the code samples. QRadar cannot be upgraded to Python 3.3 as this will cause system-wide issues. Adminsitrators should never be installing any RPMs on their QRadar Console, unless the files come from IBM Fix Central.

For the sample code to work without modifications, it is necessary that the folder structure does not change.

To run a sample script from the command line navigate to the directory the script is in and run python <script_name.py> replacing python with the name of your Python 3 binary if it is different on your system. You can also run these samples from your chosen Python development environment as you would run any other Python script. You may need to run one sample from the command line or set up you IDE's console to be interactive so that the configuration file can be created.

If this is your first time running any of the samples, you will be prompted for the configuration details. Configuration details include:

  • IP address or domain name of your QRadar install.
  • Credentials. Either username and password or an authorized service token.
  • Optional TLS certificate.

Authorization tokens can be generated in Authorized Services under the admin tab of the QRadar console.

The TLS certificate is optional, but must be provided if your system uses a self signed TLS certificate. See the [TLS Certificate][] section for more information.

After entering configuration details for the sample you will be prompted asking if you would like to save the configuration to disk. If you choose to store the configuration it will be stored in plain text unencrypted in a file called config.ini. IBM recommends that you do not store sensitive credentials in this file. If you choose not to save the configuration details in the file you will be prompted to enter the configuration details each time you run a sample. This configuration file is stored at the root level of the samples directory. From there all sample scripts, as well as the command line client, will be able to use it.

Some sample directories also contains a Cleanup.py script that you can use to remove the data created by the samples from your system. Some scripts include a line that you can uncomment to clean up the script's data as soon as it is run. Data created by scripts is left on the system by default so that you can see how it affects the system and so that you can experiment with it either through the API or through the main UI. IBM recommends that you clean up this sample data when you are done with it.

TLS Certificate

When entering the configuration details you have the option of providing a TLS certificate file. This is required when your QRadar system uses a self signed certificate. When prompted enter the path to the certificate stored in PEM format.

Use one of the following methods to obtain the certificate file:

  • Copy the certificate file from the QRadar box. The QRadar certificate is stored at /etc/httpd/conf/certs/cert.cert.
  • Export the certificate in PEM format from your browser.

When you manually obtain and specify the certificate file it is your responsibility to verify the certificate authenticity.

If you are using a CA with untrusted root or intermediate certificates, the file specified by certificate_file must contain the full chain. For more information, see the Python documentation.

Makeup of the config.ini file

[DEFAULT]
server_ip = {IP ADDRESS}
auth_token = {AUTH TOKEN} (Optional)
username = {USERNAME} (Optional)
password = {PASSWORD} (Optional)
certificate_file = {CERTIFICATE FILE} (Optional)

If you are using the shared module RestApiClient.py to experiment with writing your own API scripts there are several options available to you for loading configurations other than the default configuration. You can pass a different file name to have the Client load the configuration from that file instead of the default. You can create a new configuration section in the config.ini file and pass the name of that section.
For example you could add a section

[my_custom_config]
username = {my_other_username}
password = {my_other_password}

to the configuration file and load your setting from there. Any required setting not included in this custom section will be loaded from the default section. You can also create you own dictionary of setting from some other source and pass it directly to the RestApiClient.

These samples are provided for reference purposes on an "as is" basis, and are without warranties of any kind.

It is strongly advised that these samples are not run against production systems.

Any issues discovered using the samples should not be directed to QRadar support, but be reported on the Github issues tracker.