High level guide for developing IBM QRadar Apps
The following is a high-level guide on how to develop your own QRadar App and get it published on IBM X-Force Exchange. You can find an App we created for a client here for reference.
If you want assistance developing a QRadar App, please don’t hesitate to reach out to my company at contact@ctofriendly.com
Get in Touch with IBM
IBM has staff dedicated to helping developers build Apps. Get in touch with them and validate your ideas and approaches. They help at each step of the development process and speed everything up.
Make sure your organisation signs up for the IBM Security App Exchange Partner program. You’ll get a free trial license for QRadar as part of this.
Setting up Development Environment
You may need to set up additional things, depending on what you’re trying to build. The following covers most of what you’ll need.
Installing QRadar
Make sure you install the All In One Console.
- Guide for setting up QRadar on Cloud (recommended)
- Guide for setting up QRadar using virtual appliance
Getting some logs into QRadar
This is useful for testing your app.
Start an nginx web server on another instance/VM and route its logs to the QRadar ingestor. See guide about this.
Installing QRadar Apps for development and validation
We need to install certain Apps that make deploying QRadar Apps easier. See this guide, which shows how to install Apps.
The specific Apps to be installed are:
- QRadar Pre-Validation App: This is used to validate the App before publishing it. It also outputs a report, which you must provide to the X-Force Exchange team to publish the App.
- QRadar App Editor: This enables relatively quick deployment of Apps.
Setting up local development environment
Make sure you have the following installed.
- Python 3.6+
- Jarsigner. It’s bundled with JDKs like OpenJDK.
- Docker
- QRadar App SDK. See installation guide
Developing the App
Finally, you can start writing code! The following resources will help bring your ideas to life.
- Framework Guide PDF. Especially read the “How an application runs and interacts with QRadar” section.
- Sample App Repo
Testing the App
There are several ways to do this. I find developing the App and testing it by deploying it on QRadar too time consuming. Fortunately, Apps can be partially tested without deploying them to QRadar.
Using SDK
The SDK has functionality to run the App on your development machine. Run the following command in the project root to start the App:
qapp run -d
However, to test some functionality, such as GUI actions, you need to deploy the App on QRadar. There are two ways of doing this; let’s start with the easiest and quickest one. We’ll see the second way in a later section of this article.
Using QRadar App Editor
1. Package the App in a zip file. To do so, run the following commands from the project root. This will create an App.zip file in the current directory.
# Start from empty staging directories so files from an earlier run are not packaged
rm -rf /tmp/package /tmp/final_package
mkdir -p /tmp/package/
mkdir -p /tmp/final_package/App
cp -r ./app /tmp/package/
cp -r ./container /tmp/package/
cp ./manifest.json /tmp/package/
# Zip in a subshell so the working directory stays at the project root
(cd /tmp/package && zip -r /tmp/final_package/App/1125.zip ./)
# Copy the archive back as App.zip, the file uploaded in the next step
cp /tmp/final_package/App/1125.zip ./App.zip
2. Navigate to the QRadar console in the browser. Open the QRadar App Editor App, which we installed earlier. Click on Existing App and upload the App.zip file.
3. Your App should now be deployed on the QRadar instance. Test it!
Publishing the App on IBM X-Force Exchange
Getting the Package Ready
Your app must be signed with certificates issued to you by IBM. The app also needs to be packaged in a certain way with a few manifest files. Follow this guide on how to do this.
Continuous Integration
If you’re hosting the App’s source code on GitHub, you can refer to this Workflow and Makefile we created for our client. Note that the secrets SIGNING_STORE and SIGNING_STORE_OLD are base64-encoded strings of the certificate stores you obtained in the previous step. The secret STORE_PASS is the password of the signing stores. We used the same password for both stores to keep it simple.
Whenever you create a GitHub Release, a signed package ready to be published is attached as a release asset.
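One way to handle the SIGNING_STORE and STORE_PASS secrets described above inside a CI job, as an added example that is not the Workflow or Makefile referred to in this article. The function names, the keystore file name and the alias argument are assumptions.

```shell
#!/bin/sh
# Added example: handling the signing secrets in a CI job.
# Assumed (not from the article): function names, keystore file name, alias.

# Decode base64 from stdin into file $1 with mode 0600.
# Fails and removes the file on empty input: an unset CI secret expands to
# an empty string, and signing must not continue with an empty keystore.
write_store() (
    umask 077
    base64 -d > "$1" 2>/dev/null && [ -s "$1" ] || { rm -f "$1"; exit 1; }
)

# Sign package $1 with keystore $2 and key alias $3.
# -storepass:env makes jarsigner read the password from the STORE_PASS
# environment variable, keeping it out of the process list and shell traces.
sign_package() {
    jarsigner -keystore "$2" -storepass:env STORE_PASS "$1" "$3"
}

# Decode the store into a private temporary directory, sign, and always
# delete the decoded keystore afterwards, whether signing succeeded or not.
# SIGNING_STORE_OLD can be materialised the same way with write_store.
# Usage (after sourcing this file): ci_sign <package.zip> <alias>
ci_sign() {
    workdir=$(mktemp -d) || return 1
    status=0
    printf '%s' "${SIGNING_STORE:-}" | write_store "$workdir/store.jks" &&
        sign_package "$1" "$workdir/store.jks" "$2" || status=$?
    rm -rf "$workdir"
    return "$status"
}
```

Run the signing step only in jobs that actually receive the secrets, so that a job without them fails at write_store rather than publishing an unsigned package.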
Getting Prevalidation Test Report
You can upload the signed package to the QRadar Pre-Validation App we previously installed. Make sure your app passes the tests, then download the report.
Publishing to IBM X-Force Exchange
Fill in the forms and upload your package in the X-Force submission portal. Once you finish this step, the IBM team will review, audit and hopefully publish your app.