First steps with the QRadar XDR API using python and Alienvault OTX
IBM QRadar XDR is a security information and event management (SIEM) platform used to monitor an organization’s network security and respond to security incidents as quickly and comprehensively as possible. While QRadar is already incredibly powerful and customizable on its own, there are several reasons why we might want to enhance it with Python scripting using its comprehensive API.
Getting started with the QRadar API
Let’s see an example of how you could use the QRadar API to get different information from its database (ArielDB) using Python. The first thing we need first is a token, which is created from Admin – > Authorized Services
Generating the python code for the QRadar API
Let’s start with something very simple, connect and retrieve the last 100 events detected by the platform.
import requests
import json
# Configura las credenciales y la URL del servidor QRadar
qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'
# Define la URL de la API para obtener los eventos
url = f'{qradar_host}/api/ariel/searches'
# Define los encabezados de la solicitud
headers = {
'SEC': api_token,
'Content-Type': 'application/json',
'Accept': 'application/json'
}
# Define la consulta AQL (Ariel Query Language) para obtener los últimos 100 eventos
query_data = {
'query_expression': 'SELECT * FROM events LAST 100'
}
# Realiza la solicitud a la API de QRadar
response = requests.post(url, headers=headers, data=json.dumps(query_data))
# Verifica que la solicitud fue exitosa
if response.status_code == 201:
print("Solicitud de búsqueda enviada correctamente.")
search_id = response.json()['search_id']
else:
print("Error al enviar la solicitud de búsqueda:", response.content)
In this example, replace <your_qradar_host> with the host address of your QRadar server and <your_api_token> with the API token you obtained from your QRadar instance.
This code will prompt QRadar to run a search of the last 100 events. The response to this search request will include a ‘search_id’ which you can then use to retrieve the search results once they become available. You can change this query to any of the queries available in the
guide provided by IBM to get the most out of
to get the most out of QRadar’s Ariel Query Language
Detecting malicious IPs in QRadar using AlienVault OTX open sources
While in QRadar we have X-Force as a pre-defined module to perform malicious IP lookups and integrate them into our rules, for a multitude of reasons (including the end of the support / SWMA payment to IBM) we may want to use open sources to perform these types of functions. A fairly common example that we talk about in our courses and workshops is maintaining a series of data structures updated with “malicious” IPs obtained through open cybersecurity data sources.
Using the QRadar API, we can create python code to create a rule that constantly updates a reference_set that we will later use in different rules.
To achieve what you are asking for, you would need to break it down into two steps.
- First, you would need an open source security intelligence source that provides a list of malicious IPs. A commonly used example is the AlienVault Open Threat Exchange (OTX) malicious IP list just mentioned.
- Then, we will use the QRadar API to update a reference set with that list of IPs.
Programming it in Python is very simple:
First, download the malicious IPs from the open source security intelligence source (in this case, AlienVault OTX):
import requests
import json
otx_api_key = '<your_otx_api_key>'
otx_url = 'https://otx.alienvault.com:443/api/v1/indicators/export'
headers = {
'X-OTX-API-KEY': otx_api_key,
}
response = requests.get(otx_url, headers=headers)
if response.status_code == 200:
malicious_ips = response.json()
else:
print("Error al obtener las IPs maliciosas:", response.content)
We then use the QRadar API to update a reference set with those IPs:
qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'
reference_set_name = '<your_reference_set_name>'
url = f'{qradar_host}/api/reference_data/sets/{reference_set_name}'
headers = {
'SEC': api_token,
'Content-Type': 'application/json',
'Accept': 'application/json'
}
for ip in malicious_ips:
data = {'value': ip}
response = requests.post(url, headers=headers, data=json.dumps(data))
if response.status_code != 201:
print(f"Error al agregar la IP {ip} al conjunto de referencia:", response.content)
The next and last step is to use this reference set in the rulers we need .
Want to know more about IBM QRadar XDR?
Consult our services of sales, deployment, consultingandofficial training.
