QRadar API Samples

This package contains sample Python code that demonstrates how to use the QRadar REST API. The API is accessed by sending specially crafted HTTP requests to specific URLs on the QRadar console. These URLs, known as "endpoints", each perform a specific function. Some endpoints perform different functions depending on whether you send a GET, POST, or DELETE request. By linking together calls to these endpoints you can implement your own custom business processes or integrate QRadar data with external systems.

The QRadar REST API contains endpoints not covered by these samples. Future releases of this sample package will be expanded to include examples of more API endpoints.

For a list of the endpoints you can use, along with the parameters they accept, view the REST API interactive help page on your QRadar installation at https://<hostname>/api_doc. You can also retrieve a list of available endpoints from the API itself at the /help/endpoints endpoint.

You can also join the community on our forums at: https://www.ibm.com/developerworks/community/forums/html/forum?id=b02461a3-9a70-4d73-94e8-c096abe263ca

What's New

For the changes to the APIs and the impact they have on the samples, see What's new for developers in RESTful APIs in QRadar V7.2.8.

Package Contents

  • An introduction package that shows how to use the API at a low level.
  • A reference data package that demonstrates endpoints in the /reference_data category.
  • An Ariel package that demonstrates endpoints in the /ariel category.
  • An Offense package that demonstrates endpoints in the /siem/offenses category.
  • A Domain Management package that demonstrates endpoints in the /config/domain_management/domains category.
  • A Custom Actions package that demonstrates endpoints in the /analytics/custom_actions category.
  • An API CLI client that can be used to access the API from the command line.
  • A package containing shared modules.

Requirements

  • Python 3.3 or above
  • QRadar system 7.2.8 or higher

Instructions

The API samples should not be run directly on a QRadar appliance. They are intended to run on an outside system that polls data from QRadar. QRadar does not run Python 3.3; the Python 3.3 requirement applies to the outside host that runs the code samples. QRadar cannot be upgraded to Python 3.3, as this would cause system-wide issues. Administrators should never install any RPMs on their QRadar Console unless the files come from IBM Fix Central.

For the sample code to work without modifications, it is necessary that the folder structure does not change.

To run a sample script from the command line, navigate to the directory the script is in and run python <script_name.py>, replacing python with the name of your Python 3 binary if it is different on your system. You can also run these samples from your chosen Python development environment as you would run any other Python script. You may need to run one sample from the command line, or set up your IDE's console to be interactive, so that the configuration file can be created.

If this is your first time running any of the samples, you will be prompted for the configuration details. Configuration details include:

  • IP address or domain name of your QRadar install.
  • Credentials. Either username and password or an authorized service token.
  • Optional TLS certificate.

Authorization tokens can be generated in Authorized Services under the admin tab of the QRadar console.

The TLS certificate is optional, but must be provided if your system uses a self-signed TLS certificate. See the TLS Certificate section below for more information.

After entering configuration details for the sample you will be asked whether you would like to save the configuration to disk. If you choose to store the configuration it will be stored unencrypted, in plain text, in a file called config.ini. IBM recommends that you do not store sensitive credentials in this file. If you choose not to save the configuration details in the file you will be prompted to enter them each time you run a sample. The configuration file is stored at the root level of the samples directory. From there all sample scripts, as well as the command line client, will be able to use it.

Some sample directories also contain a Cleanup.py script that you can use to remove the data created by the samples from your system. Some scripts include a line that you can uncomment to clean up the script's data as soon as it is run. Data created by scripts is left on the system by default so that you can see how it affects the system and experiment with it, either through the API or through the main UI. IBM recommends that you clean up this sample data when you are done with it.

TLS Certificate

When entering the configuration details you have the option of providing a TLS certificate file. This is required when your QRadar system uses a self-signed certificate. When prompted, enter the path to the certificate stored in PEM format.

Use one of the following methods to obtain the certificate file:

  • Copy the certificate file from the QRadar box. The QRadar certificate is stored at /etc/httpd/conf/certs/cert.cert.
  • Export the certificate in PEM format from your browser.

When you manually obtain and specify the certificate file it is your responsibility to verify the certificate authenticity.

If you are using a CA with untrusted root or intermediate certificates, the file specified by certificate_file must contain the full chain. For more information, see the Python documentation.

Makeup of the config.ini file

[DEFAULT]
server_ip = {IP ADDRESS}
auth_token = {AUTH TOKEN} (Optional)
username = {USERNAME} (Optional)
password = {PASSWORD} (Optional)
certificate_file = {CERTIFICATE FILE} (Optional)

If you are using the shared module RestApiClient.py to experiment with writing your own API scripts there are several options available to you for loading configurations other than the default configuration. You can pass a different file name to have the Client load the configuration from that file instead of the default. You can create a new configuration section in the config.ini file and pass the name of that section.
For example you could add a section

[my_custom_config]
username = {my_other_username}
password = {my_other_password}

to the configuration file and load your settings from there. Any required setting not included in this custom section is loaded from the default section. You can also create your own dictionary of settings from some other source and pass it directly to the RestApiClient.
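The following Python is an added example, not code from the api-samples package. It puts the configuration and authentication rules described above into a few helpers: a named config.ini section is loaded with [DEFAULT] as the fallback, an authorized-service token is preferred (sent in the SEC header) over Basic username/password credentials, and the TLS context trusts certificate_file when one is given. The sample config text, the placeholder host and token, and the /api base path are assumptions.

```python
import base64
import configparser
import ssl

# Constructed sample of the config.ini layout; every value is a placeholder.
SAMPLE_CONFIG = """\
[DEFAULT]
server_ip = 192.0.2.10
username = apiuser
password = changeme

[token_config]
auth_token = PLACEHOLDER-SEC-TOKEN
"""

def load_settings(config_text, section="DEFAULT"):
    """Return `section` as a dict. configparser fills keys missing from a named
    section from [DEFAULT], which is the merge rule the README describes."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if section != "DEFAULT" and not parser.has_section(section):
        raise KeyError("no section [%s] in config.ini" % section)
    return dict(parser[section])

def auth_headers(settings):
    """An authorized-service token goes in the SEC header; otherwise the
    username and password are sent as HTTP Basic credentials."""
    headers = {"Accept": "application/json"}
    if settings.get("auth_token"):
        headers["SEC"] = settings["auth_token"]
    elif settings.get("username") and settings.get("password"):
        userpass = settings["username"] + ":" + settings["password"]
        encoded = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + encoded
    else:
        raise ValueError("config needs auth_token or username and password")
    return headers

def tls_context(settings):
    """Always verify the console certificate and hostname. When certificate_file
    is set, that PEM file (the full chain for a private CA) is the trust anchor;
    otherwise the system trust store is used, which is why a self-signed console
    certificate fails with CERTIFICATE_VERIFY_FAILED without it."""
    cafile = settings.get("certificate_file") or None
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    return context

def endpoint_url(settings, endpoint):
    """Endpoints such as /help/endpoints are served under /api (assumed base path)."""
    return "https://" + settings["server_ip"] + "/api/" + endpoint.lstrip("/")
```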

These samples are provided for reference purposes on an "as is" basis, and are without warranties of any kind.

It is strongly advised that these samples are not run against production systems.

Any issues discovered using the samples should not be directed to QRadar support, but be reported on the GitHub issues tracker.

api-samples's Issues

Field requirements in Show offenses api

Hi Team,
In pulling the offense by ID using the script ShowOffense.py, source IP and destination IP are not included in the results. Please let us know what field has to be included in the code to get the source IP and destination IP details of the associated offense in the response.

Can I have a simplest Api usage example

hi there,
I am working on an app.
I have tried to call an API but this never authenticates the credentials provided in the code; rather, at the console it asks for credentials like "what is the ip of qradar console required to make this Api call" and username/password, and stores these in a flat file at C:......\administrator.qradar_appfw.auth

Here is the code for calling an api
import base64
from qpylib import qpylib  # QRadar app framework helper; its REST function is upper-case

username = 'ABC'
pwd = 'cuz'
ip = 'xxx.xxx.xxx.xxx'
userpass = username + ':' + pwd  # names now match the variables defined above
# Header values should be str, so decode the base64 output
encodecred = 'Basic ' + base64.b64encode(userpass.encode('ascii')).decode('ascii')
# Use either Basic credentials or a SEC token, not both; the original second
# assignment silently replaced the SEC header
headers = {'Authorization': encodecred}
# headers = {'SEC': 'ABSBDHDJDJDJJDJDJDJ'}  # alternative: authorized service token
xurl = 'https://' + ip + '/api/endpoint'  # slash was missing before the path
response = qpylib.REST('GET', xurl, headers=headers)

Plz guide me about the problem so that I can verify credentials through code password or SEC but not from .qradar_appfw.auth.
Thanks in advance

Can you plz provide a simplest working example with a basic tutorial mentioning all the steps (like getting the authorization code, SSL certificate and all that) required before running that code?
I have done a lot of R&D but failed.

Thanks
PS- plz don't point any formatting errors as typed every bit here on mobile (didn't copy paste)

doesn't prompt to enter configs in first time

wanted to try the code but it didn't prompt for user and password and all other configs
"C:\Users\Roy Barkay\AppData\Local\Programs\Python\Python38\python.exe" "C:/Users/Roy Barkay/Desktop/code/qradar sample api python/api-samples-7.2.8/apiclient.py"
Type 'python apiclient.py --help' for usage.

this is the output, please help

Certificate verification failed

I have to log into QRadar using the API. I have a private root CA certificate. I get a certificate verification failed error. Why is this happening?

Traceback (most recent call last):
File "C:\Python36\lib\urllib\request.py", line 1318, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "C:\Python36\lib\http\client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
File "C:\Python36\lib\http\client.py", line 1285, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "C:\Python36\lib\http\client.py", line 1234, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "C:\Python36\lib\http\client.py", line 1026, in _send_output
self.send(msg)
File "C:\Python36\lib\http\client.py", line 964, in send
self.connect()
File "C:\Python36\lib\http\client.py", line 1400, in connect
server_hostname=server_hostname)
File "C:\Python36\lib\ssl.py", line 401, in wrap_socket
_context=self, _session=session)
File "C:\Python36\lib\ssl.py", line 808, in init
self.do_handshake()
File "C:\Python36\lib\ssl.py", line 1061, in do_handshake
self._sslobj.do_handshake()
File "C:\Python36\lib\ssl.py", line 683, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "01_Authentication.py", line 164, in
main()
File "01_Authentication.py", line 142, in main
response = urllib.request.urlopen(request)
File "C:\Python36\lib\urllib\request.py", line 223, in urlopen
return opener.open(url, data, timeout)
File "C:\Python36\lib\urllib\request.py", line 526, in open
response = self._open(req, data)
File "C:\Python36\lib\urllib\request.py", line 544, in _open
'_open', req)
File "C:\Python36\lib\urllib\request.py", line 504, in _call_chain
result = func(*args)
File "C:\Python36\lib\urllib\request.py", line 1361, in https_open
context=self._context, check_hostname=self._check_hostname)
File "C:\Python36\lib\urllib\request.py", line 1320, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>

Accessing QRadar

Can somebody guide me how I will pass my username and password to QRadar through APIs to access it?

Please provide `/config/event_sources/log_source_management/log_sources` examples

In the latest versions of the QRadar REST API there's now the ability to manage log sources, however I've been unsuccessful in following the documentation and finding which set of possible parameters are required and which are optional in order to successfully create a log source via the REST API.

I keep getting "The request was well-formed but was unable to be followed due to semantic errors" and I'm unsure of how to proceed. Please advise.

Thank you!

Sample for /ariel/searches filter

I am looking for a working sample of how to use the filter parameter in the /ariel/searches path.
I am trying to retrieve all searches which are neither "COMPLETED" nor "FAILED" without the need to query each search explicitly.

Using "Contains" for a list with no key/value pairs

I'm trying to GET log sources that are in a specific log source group in the interactive API (api_doc). I can't seem to figure out the syntax for the filter.

Endpoint: 9.0 - GET - /config/event_sources/log_source_management/log_sources
Example of the field:
{ "group_ids": [ 100001 ] },

I'm pretty sure the filter is supposed to start with "group_ids contains" but I can't figure out what to put after that.

Tags please!

Could you guys add tags for the various versions of QRadar that the code works with? Much cleaner than putting it in a code comment.

414 Request-URI Too Large

I'm trying to bulkLoad a large set of data but I'm getting a 414 response.

I've dialed back the length of my posts, but what is the max length?

Thanks.

Edit:

Nevermind, I'm dumb. I wasn't sending the data in the body like I was supposed to.

WARNING: The version of the endpoint is deprecated

I see this message for the search endpoint when triggering script: ariel/03_ArielAPISearchWorkFlow.py

WARNING: The version of the endpoint is deprecated and will likely be removed in a future release. Please see the API documentation for any recommended alternatives

Is this referring to the API version in use itself or are other API endpoints recommended now?

Add Sample for updating an asset

I am trying to update an asset via the /asset_model/assets/<asset_id> interface, but the documentation is pretty vague about what the 'asset' data in the post request should look like and which fields can be updated, and this should be reflected in the request.
I tried replaying data from /asset_model/assets but without success (the returned body is empty -> no valid JSON).
Thanks!

Update Asset Operating System

Hi,

I am looking for a way to set the operating system for an asset via the API.
I have an input with OS strings like: LINUX SuSE Enterprise Server 11 64bit or Windows 2008 Standard R2 x64.
The first question is how I can retrieve the list of available operating systems;
the second is whether there is a way to fuzzy-search the list or to simply override the OS name.

Working version confirmation

Can you confirm that this script still works on 7.2.8? Also, will api-samples/siem/01_GetOffenses.py be able to give me the ability to get a report of offenses per day?
