I'm trying to make an IBM Qradar app framework.
I want to know if it is possible to pass the event log as a Python script variable.
The way the app works is as follows.
Yes, it is possible to pass the log events to a Python script.
In the QRadar App Framework, you can set up a Flask-based web application that listens for certain RESTful API requests. When a log event occurs, QRadar will hit these API endpoints with the relevant data. From there, the data can be saved in a file or database, or processed immediately by the script before storing.
Here's an example of how you could implement it:
```python
from flask import Flask, request

app = Flask(__name__)


@app.route('/handle_log', methods=['POST'])
def handle_log():
    log = request.json  # assuming QRadar sends a JSON payload
    # Process the log here, or just save it:
    # save_log(log)  # function you could define to save the log to a DB
    return "Log Received", 200


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)  # replace with your appropriate IP and PORT
```
In this example, QRadar is expected to send a POST request to http://your_ip:8080/handle_log with the log details in JSON format as the payload.
The app can then retrieve this data using log = request.json and process it as required by the logic of your application.
IP and port are important too. When you run a Flask app, it's running on your localhost by default. However, as QRadar will need to access it, you'll need to specify an IP that's visible on the network where QRadar is deployed.
```python
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)  # replace with your appropriate IP and PORT
```
This line of code makes your Flask app visible on your network at the port 8080.
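The answer above takes `request.json` on trust. As an added example (not code from the question, the answer, or IBM's framework), the following shows the checks a receiving endpoint should apply before it stores anything: the content type must be JSON, the body is capped in size, malformed JSON is rejected with a 400, and only a top-level JSON object is accepted. It is written with the standard library's `http.server` so it runs without Flask installed; the `parse_event` and `save_log` functions are independent of the web layer and would be called the same way from the Flask `handle_log` route. The `/handle_log` path and port 8080 come from the answer; the 64 KiB size limit, the SQLite schema, and the sample payload are constructed assumptions, since QRadar's actual event schema is not given on this page.

```python
import json
import sqlite3
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Upper bound on the request body we are willing to parse (constructed value).
MAX_BODY_BYTES = 64 * 1024

# Constructed sample payload; QRadar's real event schema is not assumed here.
SAMPLE_EVENT = b'{"event_name": "Login Failure", "source_ip": "10.0.0.5"}'


def parse_event(raw_body, content_type, max_bytes=MAX_BODY_BYTES):
    """Validate an incoming event payload.

    Returns (http_status, message, event). `event` is the decoded JSON object
    on success and None on any rejection, so callers never touch an
    unvalidated body.
    """
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, "expected application/json", None
    if len(raw_body) > max_bytes:
        return 413, "payload too large", None
    try:
        event = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "body is not valid JSON", None
    if not isinstance(event, dict):
        return 400, "expected a JSON object", None
    return 200, "Log Received", event


def open_store(path=":memory:"):
    """Create the table that holds received events (schema is an assumption)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "id INTEGER PRIMARY KEY, received_at REAL NOT NULL, payload TEXT NOT NULL)"
    )
    return conn


def save_log(conn, event):
    """Persist one validated event; returns the number of rows stored so far."""
    conn.execute(
        "INSERT INTO events (received_at, payload) VALUES (?, ?)",
        (time.time(), json.dumps(event, sort_keys=True)),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


class LogHandler(BaseHTTPRequestHandler):
    """POST /handle_log receiver; the single-threaded HTTPServer shares one store."""

    store = open_store()

    def do_POST(self):
        if self.path != "/handle_log":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY_BYTES:
            # Refuse before reading so an oversized body is never buffered.
            self._reply(413, "payload too large")
            return
        body = self.rfile.read(length)
        status, message, event = parse_event(body, self.headers.get("Content-Type"))
        if event is not None:
            save_log(self.store, event)
        self._reply(status, message)

    def _reply(self, status, message):
        data = message.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def demo():
    """Validate and store the constructed sample; returns (status, rows stored)."""
    status, _, event = parse_event(SAMPLE_EVENT, "application/json")
    rows = save_log(open_store(), event) if event is not None else 0
    return status, rows


if __name__ == "__main__":
    # Bind address and port are placeholders, as in the answer's Flask example.
    HTTPServer(("0.0.0.0", 8080), LogHandler).serve_forever()
```

Binding to 0.0.0.0 listens on every interface of the host, so in a deployment the bind address is normally narrowed to the interface QRadar actually reaches, and the listener sits behind whatever transport protection the framework provides; the validation in `parse_event` is what keeps a malformed or oversized request from reaching the storage step regardless of where it came from.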