
First steps with the QRadar XDR API using Python and AlienVault OTX

IBM QRadar XDR is a security information and event management (SIEM) platform used to monitor an organization's network security and to respond to security incidents as quickly and completely as possible. QRadar is already very powerful and customizable on its own, but there are several reasons to extend it with Python scripts built on its comprehensive REST API: automating repetitive searches, feeding it with external threat intelligence, or integrating it with tools it does not support out of the box.

Getting started with the QRadar API

Let's see an example of how to use the QRadar API to retrieve information from its event database (the Ariel database) with Python. The first thing we need is an authentication token, which is created under Admin -> Authorized Services. Treat that token like a password: every call made with it runs with the user role and security profile assigned to the authorized service, so give it only the permissions the script needs.

Generating the Python code for the QRadar API

Let's start with something very simple: connect and ask the platform for the last 100 events it has stored.

import requests

# QRadar connection details: replace the placeholders with your console
# address and the token generated under Admin -> Authorized Services
qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'

# Endpoint that creates an Ariel (AQL) search
url = f'{qradar_host}/api/ariel/searches'

# QRadar authenticates API calls with the token sent in the SEC header
headers = {
    'SEC': api_token,
    'Accept': 'application/json'
}

# AQL query (Ariel Query Language) for the last 100 events. The row cap is
# LIMIT; LAST takes a time window, so "the last 100 events" is LIMIT 100 over
# a recent window (here the last 60 minutes)
aql = 'SELECT * FROM events LIMIT 100 LAST 60 MINUTES'

# Submit the search. Note that query_expression is a query-string parameter
# of this endpoint, not a JSON body. verify=True (the default) requires the
# console certificate to be trusted; point verify at your CA bundle rather
# than disabling it.
response = requests.post(url, headers=headers,
                         params={'query_expression': aql}, timeout=30)

# 201 Created means the search was accepted and is now running asynchronously
if response.status_code == 201:
    search_id = response.json()['search_id']
    print('Search request submitted correctly, search_id:', search_id)
else:
    print('Error submitting the search request:',
          response.status_code, response.text)

In this example, replace <your_qradar_host> with the host address of your QRadar server and <your_api_token> with the API token you obtained from your QRadar instance.

This code asks QRadar to run a search for the last 100 events. Ariel searches run asynchronously, so the response does not contain the events themselves but a 'search_id'. You then poll /api/ariel/searches/{search_id} until its status is COMPLETED (the intermediate statuses are WAIT, EXECUTE and SORTING; ERROR and CANCELED are terminal failures) and finally read the rows from /api/ariel/searches/{search_id}/results, paging with the Range header if the result set is large. You can replace the query with any of those described in IBM's Ariel Query Language guide to get the most out of AQL.
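The full search lifecycle described above (create, poll, page through results), as an added example that is not code from the original post or from IBM. The endpoint paths, the 201 status, the search status names, the Range header and the "events" key of the results object are those of the QRadar REST API; the function names, the host https://qradar.example, the FakeQRadar stand-in and the sample rows are assumptions made here so the flow can run offline. Against a live console, `session` is simply a requests.Session whose headers carry the SEC token.

```python
import time

SEARCH_DONE = {"COMPLETED"}
SEARCH_FAILED = {"ERROR", "CANCELED"}

def create_search(session, host, aql):
    """POST /api/ariel/searches: query_expression is a query parameter, not a JSON body."""
    r = session.post(f"{host}/api/ariel/searches",
                     params={"query_expression": aql}, timeout=30)
    r.raise_for_status()
    return r.json()["search_id"]

def wait_for_search(session, host, search_id, poll_seconds=2, max_wait=600, sleep=time.sleep):
    """Poll GET /api/ariel/searches/{id} until the status is terminal."""
    deadline = time.monotonic() + max_wait
    while True:
        r = session.get(f"{host}/api/ariel/searches/{search_id}", timeout=30)
        r.raise_for_status()
        status = r.json()["status"]          # WAIT / EXECUTE / SORTING / COMPLETED / ...
        if status in SEARCH_DONE:
            return status
        if status in SEARCH_FAILED:
            raise RuntimeError(f"search {search_id} ended with status {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"search {search_id} still {status} after {max_wait}s")
        sleep(poll_seconds)

def fetch_results(session, host, search_id, page_size=1000):
    """GET .../results page by page with the Range header (items=start-end, inclusive)."""
    events, start = [], 0
    while True:
        r = session.get(f"{host}/api/ariel/searches/{search_id}/results",
                        headers={"Range": f"items={start}-{start + page_size - 1}"},
                        timeout=120)
        r.raise_for_status()
        page = r.json().get("events", [])    # event searches return {"events": [...]}
        events.extend(page)
        if len(page) < page_size:            # short page: nothing left to fetch
            return events
        start += page_size

def run_search(session, host, aql, page_size=1000, sleep=time.sleep):
    """Create, wait, fetch. `session` is any object with requests-like .post/.get."""
    search_id = create_search(session, host, aql)
    wait_for_search(session, host, search_id, sleep=sleep)
    return fetch_results(session, host, search_id, page_size)

# --- constructed stand-in for a console (hypothetical), so the flow runs offline ---
class _Resp:
    def __init__(self, payload, status=200):
        self.payload, self.status_code = payload, status
    def json(self):
        return self.payload
    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")

class FakeQRadar:
    """Accepts the search (201), reports EXECUTE once, then COMPLETED; serves SAMPLE_EVENTS."""
    def __init__(self, events):
        self.events, self.polls = events, 0
    def post(self, url, params=None, **_):
        assert url.endswith("/api/ariel/searches") and "query_expression" in params
        return _Resp({"search_id": "f1e2d3c4"}, 201)
    def get(self, url, headers=None, **_):
        if url.endswith("/results"):
            start, end = (int(x) for x in headers["Range"].split("=")[1].split("-"))
            return _Resp({"events": self.events[start:end + 1]})
        self.polls += 1
        return _Resp({"status": "COMPLETED" if self.polls >= 2 else "EXECUTE"})

SAMPLE_EVENTS = [  # constructed rows, not real QRadar data
    {"sourceip": "192.0.2.10", "destinationip": "198.51.100.5", "eventcount": 1},
    {"sourceip": "192.0.2.11", "destinationip": "198.51.100.5", "eventcount": 3},
    {"sourceip": "192.0.2.12", "destinationip": "203.0.113.9", "eventcount": 1},
]

def demo():
    """Run the whole flow offline; page_size=2 forces two result pages for 3 rows."""
    return run_search(FakeQRadar(SAMPLE_EVENTS), "https://qradar.example",
                      "SELECT sourceip, destinationip, eventcount FROM events "
                      "LIMIT 100 LAST 60 MINUTES", page_size=2, sleep=lambda _: None)

if __name__ == "__main__":
    # Live console: session = requests.Session(); session.headers["SEC"] = api_token
    for event in demo():
        print(event)
```

Two design points worth keeping in a real script: the polling loop has an upper bound (a long-running AQL over a large window can sit in EXECUTE for a long time, and a script without a deadline never exits), and the failure statuses raise instead of being silently treated as "not finished yet".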

Detecting malicious IPs in QRadar using AlienVault OTX open sources

QRadar ships with IBM X-Force as a predefined feed for malicious IP lookups that can be used directly in rules, but for a multitude of reasons (including the end of support or of the SWMA payments to IBM) we may want to use open sources for this kind of function. A fairly common example that we discuss in our courses and workshops is keeping a set of data structures updated with "malicious" IPs obtained from open cybersecurity data sources.

Using the QRadar API, we can write a Python script that periodically refreshes a reference set, which we then use in as many rules as we need.

To achieve this, we break the task into two steps:

  1. First, we need an open threat intelligence source that provides a list of malicious IPs. A commonly used example is the AlienVault Open Threat Exchange (OTX) indicator list mentioned above.
  2. Then, we use the QRadar API to load that list of IPs into a reference set.

Programming it in Python is very simple:

First, download the malicious IPs from the open source security intelligence source (in this case, AlienVault OTX):

import requests

otx_api_key = '<your_otx_api_key>'
# OTX DirectConnect export: indicators from the pulses you subscribe to.
# Restrict the export to IPv4 so it maps directly onto an IP reference set.
otx_url = 'https://otx.alienvault.com/api/v1/indicators/export'
params = {'types': 'IPv4'}

headers = {
    'X-OTX-API-KEY': otx_api_key,
}

# The export is paginated: each page is a JSON object whose "results" holds
# the indicator records and whose "next" is the URL of the following page
# (null on the last one)
malicious_ips = []
next_url = otx_url
while next_url:
    response = requests.get(next_url, headers=headers, params=params, timeout=60)
    if response.status_code != 200:
        print('Error fetching the malicious IPs:', response.status_code, response.text)
        break
    page = response.json()
    malicious_ips.extend(item['indicator'] for item in page.get('results', [])
                         if item.get('type') == 'IPv4')
    next_url = page.get('next')
    params = None  # "next" already carries the query string

We then use the QRadar API to update a reference set with those IPs:

import requests
from urllib.parse import quote

qradar_host = 'https://<your_qradar_host>'
api_token = '<your_api_token>'
reference_set_name = '<your_reference_set_name>'

headers = {
    'SEC': api_token,
    'Content-Type': 'application/json',
    'Accept': 'application/json'
}

# The reference set must already exist (Admin -> Reference Set Management, or
# POST /api/reference_data/sets with name and element_type=IP). Give it a
# time_to_live so stale indicators expire instead of accumulating forever.
# bulk_load takes a JSON array of values in one request instead of one POST
# per IP; the set name is part of the path, so it is percent-encoded.
url = f'{qradar_host}/api/reference_data/sets/bulk_load/{quote(reference_set_name, safe="")}'

# malicious_ips is the list built in the previous step; send it in batches
batch_size = 500
for i in range(0, len(malicious_ips), batch_size):
    batch = malicious_ips[i:i + batch_size]
    response = requests.post(url, headers=headers, json=batch, timeout=120)
    # QRadar answers 200 with the updated set description on success
    if response.status_code != 200:
        print(f'Error loading the batch starting at {i} into the reference set:',
              response.status_code, response.text)

The next and last step is to use this reference set in the rules we need, for example a rule that fires when the source or destination IP of an event is contained in the set.
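Before loading a feed into a set that rules fire on, it is worth curating it: a pulse that contains an RFC 1918 address, a malformed indicator or one of your own egress IPs will make every rule built on the set fire on internal traffic. The following is an added example, not code from the original post, from AlienVault or from IBM: it filters OTX export records down to valid, routable, deduplicated IPv4 addresses, drops an allowlist of your own public ranges, and prepares the bulk_load batches. The record layout ("indicator"/"type") follows the OTX export output; the sample records, the set name, the host https://qradar.example, the bogon list and the OWN_PUBLIC_RANGES value are constructed for the example.

```python
import ipaddress
from urllib.parse import quote

# Ranges that must never land in a blocklist reference set: they match internal
# traffic and flood every rule that uses the set. Minimal list (RFC 1918, CGNAT,
# loopback, link-local, multicast, "this" network, class E); extend it for your
# environment.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def extract_ipv4(results, allowlist=()):
    """Keep valid, routable, deduplicated IPv4 indicators from OTX export records.

    `results` is the "results" array of an OTX /indicators/export page; each
    record carries at least "indicator" and "type". `allowlist` holds your own
    public CIDRs, dropped so a mislabelled pulse cannot make rules fire on your
    own egress addresses. Order of first appearance is preserved.
    """
    allow = [ipaddress.ip_network(cidr) for cidr in allowlist]
    seen, keep = set(), []
    for rec in results:
        if rec.get("type") != "IPv4":
            continue
        try:
            ip = ipaddress.IPv4Address(str(rec.get("indicator", "")).strip())
        except ValueError:  # malformed indicator, or an IPv6 mislabelled as IPv4
            continue
        if any(ip in net for net in BOGONS) or any(ip in net for net in allow):
            continue
        if str(ip) not in seen:
            seen.add(str(ip))
            keep.append(str(ip))
    return keep

def batches(values, size):
    """Split the list into bulk_load-sized chunks."""
    return [values[i:i + size] for i in range(0, len(values), size)]

def bulk_load_request(host, set_name, batch):
    """URL and JSON body for POST /api/reference_data/sets/bulk_load/{name}.

    The set name is a path segment, so it is percent-encoded (spaces are common
    in reference set names); the body is a plain JSON array of values.
    """
    url = f"{host}/api/reference_data/sets/bulk_load/{quote(set_name, safe='')}"
    return url, list(batch)

def load_reference_set(session, host, set_name, ips, batch_size=500):
    """Push `ips` into the set through any object with a requests-like .post().

    Returns the number of batches QRadar accepted (HTTP 200). The session must
    carry the SEC header, as in the previous blocks.
    """
    accepted = 0
    for batch in batches(ips, batch_size):
        url, body = bulk_load_request(host, set_name, batch)
        resp = session.post(url, json=body, timeout=120)
        if resp.status_code == 200:
            accepted += 1
    return accepted

SAMPLE_OTX_RESULTS = [  # constructed records in the shape of OTX export output
    {"indicator": "198.51.100.23", "type": "IPv4", "title": "mass scanner"},
    {"indicator": "203.0.113.7", "type": "IPv4", "title": "C2 server"},
    {"indicator": "10.0.0.5", "type": "IPv4", "title": "leaked internal host"},
    {"indicator": "198.51.100.23", "type": "IPv4", "title": "same scanner, second pulse"},
    {"indicator": "not-an-ip", "type": "IPv4", "title": "garbage"},
    {"indicator": "evil.example", "type": "domain", "title": "phishing domain"},
    {"indicator": "203.0.113.250", "type": "IPv4", "title": "our own NAT egress"},
    {"indicator": "2001:db8::1", "type": "IPv6", "title": "ipv6 indicator"},
    {"indicator": "192.0.2.99", "type": "IPv4", "title": "credential stuffer"},
]

OWN_PUBLIC_RANGES = ("203.0.113.248/29",)  # hypothetical: your own egress block

def curate_sample():
    """Filter the constructed feed the way a scheduled loader would."""
    return extract_ipv4(SAMPLE_OTX_RESULTS, allowlist=OWN_PUBLIC_RANGES)

if __name__ == "__main__":
    for batch in batches(curate_sample(), 2):
        print(bulk_load_request("https://qradar.example", "OTX Malicious IPs", batch))
```

The explicit bogon list is used instead of `ipaddress.IPv4Address.is_global` on purpose: `is_global` also rejects the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) that the constructed sample uses, so the example would filter out its own test data. In production `is_global` is the stricter and simpler choice. Running the loader on a schedule only adds values; expiring old ones is the job of the set's time_to_live.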

Want to know more about IBM QRadar XDR?

Consult our sales, deployment, consulting and official training services.
