
Add a QRadarDF

Open mpo-sec opened this issue 4 years ago • 6 comments

Is your feature request related to a problem? Please describe.
Would be nice to add QRadar as a DF source.

Describe the solution you'd like
Simple QRadarDF that can take basic auth or an API token. Runs the search synchronously to get results.

Describe alternatives you've considered
N/A

Additional context
Constructors:

  • url - ip/hostname of QR system
  • username - for basic auth
  • password - for basic auth
  • api_token - if using authorized service token instead of basic auth

Search parameters:

  • aql - search string
  • priority - optional since time can just be in search string
  • start_time - date time object, optional since time can just be in search string
  • end_time - date time object, optional since time can just be in search string
  • limit - optional since time can just be in search string
  • days - number of days to search, optional since time can just be in search string

mpo-sec avatar Jun 16 '20 17:06 mpo-sec

Interesting idea. I don't really have any experience with QRadar, and I'm not entirely sure how many people would use this. I will put this on the idea backlog, though, so as not to lose it. Integrating with other common SIEM/log management platforms sounds like a good idea.

DavidJBianco avatar Jun 16 '20 21:06 DavidJBianco

Yeah, I plan to contribute this myself actually :) I already have code to run a given QRadar search and load the results into a DF. Plan to make something similar to the splunk/elastic DF modules.

mpo-sec avatar Jun 16 '20 21:06 mpo-sec

Oh, that'd be great! One thing I should mention up front, though, is that any PR with this will also need to supply automated tests, similar to what I've already set up for SplunkDF and ElasticDF (basically, run the search engine in a local docker instance, load known datasets and then search against those). The actual tests are pretty simple (you can copy the Splunk or Elastic ones), but doing the magic to get QRadar working will probably take some effort.

Still, I'd love to see this!

DavidJBianco avatar Jun 16 '20 21:06 DavidJBianco

Unfortunately QRadar can't run in a docker container. I could use MagicMock or a simple web server to mock the API requests though for tests.

mpo-sec avatar Jun 17 '20 12:06 mpo-sec

That's weird, since I think all deployments use Docker anyway. At least, if I understood their blog post correctly.

On Wed, Jun 17, 2020 at 8:30 AM Matthew Ouellette [email protected] wrote:

Unfortunately QRadar can't run in a docker container. I could use MagicMock or a simple web server to mock the API requests though for tests.

View it on GitHub: https://github.com/target/huntlib/issues/11#issuecomment-645344464

DavidJBianco avatar Jun 17 '20 13:06 DavidJBianco

Yeah QRadar uses docker to run the appframework and some services but overall QRadar is a massive beast to run and needs an entire VM and a lot of resources. The smallest you could get away with is maybe setting up QRadar community edition, then saving a snapshot and reverting to it each time to run tests.

Another option is to use MagicMock or a simple web server to mock the API requests for tests.

mpo-sec avatar Jun 18 '20 12:06 mpo-sec
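The QRadarDF sketched in the opening post (a constructor taking url plus either basic auth or an api_token; a search taking aql, start_time, end_time, limit and days) together with the "mock the API requests" testing idea from the last two comments, as one added Python example. This is not huntlib's code and not mpo-sec's; it assumes the QRadar Ariel REST endpoints POST /api/ariel/searches, GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results, the SEC header for service tokens, the status values WAIT/EXECUTE/COMPLETED, and that AQL places LIMIT before a START/STOP or LAST clause. The priority parameter is left out, and rows come back as a list of dicts (wrapping them in a pandas.DataFrame, as the other *DF classes do, is one more line).

```python
import base64
import json
import re
import time
import urllib.parse
import urllib.request


class QRadarDF:
    """Synchronous AQL search on QRadar. Hypothetical sketch for this issue, not huntlib's
    code; the Ariel endpoint paths, SEC header and status values are assumed API details."""

    def __init__(self, url, username=None, password=None, api_token=None,
                 transport=None, poll_interval=2.0):
        self.base = url.rstrip("/") + "/api"
        self.headers = {"Accept": "application/json", "Version": "12.0"}
        if api_token:                  # authorized service token
            self.headers["SEC"] = api_token
        elif username and password:    # basic auth
            cred = base64.b64encode(f"{username}:{password}".encode()).decode()
            self.headers["Authorization"] = "Basic " + cred
        else:
            raise ValueError("supply api_token or username and password")
        # transport(method, url, headers) -> (status, body_bytes); injectable for tests
        self._transport = transport or self._urllib_transport
        self.poll_interval = poll_interval

    @staticmethod
    def _urllib_transport(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, params=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        status, body = self._transport(method, url, self.headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {body[:200]!r}")
        return json.loads(body)

    @staticmethod
    def build_aql(aql, start_time=None, end_time=None, limit=None, days=None):
        """Add LIMIT and a time window unless the caller's AQL already carries them."""
        query = aql.strip()
        window = re.search(r"\b(START|LAST)\b", query, re.I)  # time range already present?
        if limit is not None and not re.search(r"\bLIMIT\b", query, re.I):
            clause = f"LIMIT {int(limit)}"  # AQL wants LIMIT before START/STOP or LAST
            query = (query[:window.start()] + clause + " " + query[window.start():]
                     if window else query + " " + clause)
        if window:
            return query
        if start_time is not None and end_time is not None:
            query += f" START '{start_time:%Y-%m-%d %H:%M:%S}' STOP '{end_time:%Y-%m-%d %H:%M:%S}'"
        elif days is not None:
            query += f" LAST {int(days)} DAYS"
        return query

    def search_records(self, aql, start_time=None, end_time=None, limit=None,
                       days=None, timeout=600):
        query = self.build_aql(aql, start_time, end_time, limit, days)
        created = self._call("POST", "/ariel/searches", {"query_expression": query})
        sid, status = created["search_id"], created.get("status")
        deadline = time.monotonic() + timeout  # a synchronous search must not hang forever
        while status not in ("COMPLETED", "CANCELED", "ERROR"):
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {sid} still {status} after {timeout}s")
            time.sleep(self.poll_interval)
            status = self._call("GET", f"/ariel/searches/{sid}")["status"]
        if status != "COMPLETED":
            raise RuntimeError(f"search {sid} ended with status {status}")
        results = self._call("GET", f"/ariel/searches/{sid}/results")
        return results.get("events") or results.get("flows") or []  # keyed by Ariel database


class FakeQRadarTransport:
    """In-memory stand-in for the Ariel API (the 'mock the API requests' test approach)."""

    def __init__(self, rows, polls_before_done=2):
        self.rows, self.remaining, self.calls, self.last_query = rows, polls_before_done, [], None

    def __call__(self, method, url, headers):
        self.calls.append((method, url))
        p = urllib.parse.urlparse(url)
        if method == "POST" and p.path.endswith("/ariel/searches"):
            self.last_query = urllib.parse.parse_qs(p.query)["query_expression"][0]
            body = {"search_id": "fake-search-1", "status": "WAIT"}
        elif p.path.endswith("/results"):
            body = {"events": self.rows}
        else:  # status poll: report EXECUTE a couple of times, then COMPLETED
            self.remaining -= 1
            body = {"status": "COMPLETED" if self.remaining <= 0 else "EXECUTE"}
        return 200, json.dumps(body).encode()


def demo():
    """One search against the fake; returns (rows, final AQL sent, number of API calls)."""
    rows = [{"sourceip": "10.0.0.5", "eventcount": 3}, {"sourceip": "10.0.0.9", "eventcount": 1}]  # constructed
    fake = FakeQRadarTransport(rows)
    qr = QRadarDF("https://qradar.example", api_token="fake-token", transport=fake, poll_interval=0)
    out = qr.search_records("SELECT sourceip, COUNT(*) AS eventcount FROM events GROUP BY sourceip",
                            days=7, limit=100)
    return out, fake.last_query, len(fake.calls)
```

Leaving transport at None sends the same calls through urllib to a real appliance; pointing it at the fake (or at a small local HTTP server) is the whole test harness, which is why the class takes the transport as a parameter rather than calling urllib directly. The poll loop's timeout is the defensive detail a synchronous wrapper needs, since an Ariel search that never reaches COMPLETED would otherwise block the caller indefinitely.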