Add a QRadarDF #11

Open
mpo-sec opened this issue Jun 16, 2020 · 6 comments
Labels
enhancement New feature or request

Comments


mpo-sec commented Jun 16, 2020

Is your feature request related to a problem? Please describe.
Would be nice to add QRadar as a DF source

Describe the solution you'd like
Simple QRadarDF that can take basic auth or an API token. Runs the search synchronously to get results.

Describe alternatives you've considered
N/A

Additional context
Constructors:

  • url - ip/hostname of QR system
  • username - for basic auth
  • password - for basic auth
  • api_token - if using authorized service token instead of basic auth

Search parameters:

  • aql - search string
  • priority - optional since time can just be in search string
  • start_time - date time object, optional since time can just be in search string
  • end_time - date time object, optional since time can just be in search string
  • limit - optional since time can just be in search string
  • days - number of days to search, optional since time can just be in search string
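As an added example (not huntlib's code and not mpo-sec's), this sketch maps the constructor options and search parameters listed above onto QRadar's Ariel REST API: token auth via the `SEC` header or basic auth, optional time/limit clauses appended to the AQL only when the caller did not put them in the string, and a synchronous create/poll/fetch cycle. The HTTP session is passed in so a fake or mock can stand in for the appliance during tests; the endpoint paths and status values are those of the Ariel API, the hostnames are placeholders.

```python
"""Sketch of a synchronous QRadar (Ariel API) search helper."""
import base64
import time
from datetime import datetime, timezone


def build_aql(aql, start_time=None, end_time=None, days=None, limit=None):
    """Add optional LIMIT and time clauses; each is skipped when None, since
    the caller may already have written them into the AQL string itself."""
    q = aql.strip().rstrip(";")
    if limit is not None and " limit " not in q.lower():
        q += f" LIMIT {int(limit)}"
    if start_time is not None:  # an explicit window takes precedence over days
        fmt = "%Y-%m-%d %H:%M"
        stop = (end_time or datetime.now(timezone.utc)).strftime(fmt)
        q += f" START '{start_time.strftime(fmt)}' STOP '{stop}'"
    elif days is not None:
        q += f" LAST {int(days)} DAYS"
    return q


def auth_headers(username=None, password=None, api_token=None):
    """An authorized-service token goes in the SEC header; otherwise HTTP basic."""
    if api_token:
        return {"Accept": "application/json", "SEC": api_token}
    if username and password:
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Accept": "application/json", "Authorization": f"Basic {cred}"}
    raise ValueError("api_token or username/password required")


def run_search(session, url, headers, aql, poll=0.5, timeout=300):
    """Create an Ariel search, poll until COMPLETED, return the result rows.
    `session` is any requests.Session-like object (injectable for tests)."""
    base = f"https://{url}/api/ariel/searches"
    r = session.post(base, headers=headers, params={"query_expression": aql})
    r.raise_for_status()
    sid = r.json()["search_id"]
    deadline = time.monotonic() + timeout
    while True:
        s = session.get(f"{base}/{sid}", headers=headers)
        s.raise_for_status()
        status = s.json()["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR") or time.monotonic() > deadline:
            raise RuntimeError(f"search {sid} ended with status {status}")
        time.sleep(poll)
    res = session.get(f"{base}/{sid}/results", headers=headers)
    res.raise_for_status()
    body = res.json()
    return body.get("events", body.get("flows", []))  # flow searches return "flows"
```

The returned list of dicts is what a QRadarDF wrapper would hand to `pandas.DataFrame()`.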
@DavidJBianco (Contributor)

Interesting idea. I don't really have any experience with QRadar, and I'm not entirely sure how many people would use this. I will put this on the idea backlog, though, so as not to lose it. Integrating with other common SIEM/log management platforms sounds like a good idea.

DavidJBianco added the enhancement (New feature or request) label Jun 16, 2020

mpo-sec commented Jun 16, 2020

Yeah I plan to contribute this myself actually :)
I already have code to run a given QRadar search and load the results into a DF
Plan to make something similar to the splunk/elastic DF modules

@DavidJBianco (Contributor)

Oh, that'd be great! One thing I should mention up front, though, is that any PR with this will also need to supply automated tests, similar to what I've already set up for SplunkDF and ElasticDF (basically, run the search engine in a local docker instance, load known datasets and then search against those). The actual tests are pretty simple (you can copy the Splunk or Elastic ones), but doing the magic to get QRadar working will probably take some effort.

Still, I'd love to see this!


mpo-sec commented Jun 17, 2020

Unfortunately QRadar can't run in a docker container. I could use MagicMock or a simple web server to mock the API requests though for tests.


DavidJBianco commented Jun 17, 2020 via email


mpo-sec commented Jun 18, 2020

Yeah QRadar uses docker to run the appframework and some services but overall QRadar is a massive beast to run and needs an entire VM and a lot of resources. The smallest you could get away with is maybe setting up QRadar community edition, then saving a snapshot and reverting to it each time to run tests.

Another option is to use MagicMock or a simple web server to mock the API requests for tests.
