target / huntlib

A Python library to help with some common threat hunting data analysis operations
MIT License

Add a QRadarDF #11

Status: Closed (mpo-sec closed this 1 month ago)

mpo-sec commented 4 years ago

Is your feature request related to a problem? Please describe.
Would be nice to add QRadar as a DF source.

Describe the solution you'd like
Simple QRadarDF that can take basic auth or an API token. Runs the search synchronously to get results.

Describe alternatives you've considered
N/A

Additional context
Constructors:

Search parameters:

DavidJBianco commented 4 years ago

Interesting idea. I don't really have any experience with QRadar, and I'm not entirely sure how many people would use this. I will put this on the idea backlog, though, so as not to lose it. Integrating with other common SIEM/log management platforms sounds like a good idea.

mpo-sec commented 4 years ago

Yeah, I plan to contribute this myself actually :) I already have code to run a given QRadar search and load the results into a DF. I plan to make something similar to the Splunk/Elastic DF modules.

DavidJBianco commented 4 years ago

Oh, that'd be great! One thing I should mention up front, though, is that any PR with this will also need to supply automated tests, similar to what I've already set up for SplunkDF and ElasticDF (basically, run the search engine in a local Docker instance, load known datasets and then search against those). The actual tests are pretty simple (you can copy the Splunk or Elastic ones), but doing the magic to get QRadar working will probably take some effort.

Still, I'd love to see this!

mpo-sec commented 4 years ago

Unfortunately QRadar can't run in a docker container. I could use MagicMock or a simple web server to mock the API requests though for tests.

DavidJBianco commented 4 years ago

That's weird, since I think all deployments use Docker anyway. At least, if I understood their blog post correctly.

On Wed, Jun 17, 2020 at 8:30 AM Matthew Ouellette notifications@github.com wrote:

> Unfortunately QRadar can't run in a docker container. I could use MagicMock or a simple web server to mock the API requests though for tests.

mpo-sec commented 4 years ago

Yeah, QRadar uses Docker to run the app framework and some services, but overall QRadar is a massive beast to run and needs an entire VM and a lot of resources. The smallest you could get away with is maybe setting up QRadar Community Edition, then saving a snapshot and reverting to it each time to run tests.

Another option is to use MagicMock or a simple web server to mock the API requests for tests.
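The search flow the issue asks for (basic auth or an API token, search run synchronously, rows ready to load into a DataFrame) together with the "mock the API requests for tests" approach from the last two comments, as an added example that is not part of this thread or of huntlib's code. Every name in it is hypothetical: `QRadarSearch`, `FakeQRadar`, the host `qradar.example.internal`, the token, the credentials and the sample rows are all made up for the example. The endpoint paths, the `SEC` token header and the WAIT/EXECUTE/COMPLETED/ERROR states follow the public QRadar Ariel REST API; the `http` argument is shaped like `requests.Session`, so the same client talks to a real console when you pass a session instead of the fake.

```python
# Synchronous QRadar Ariel search client plus an in-memory fake of the API for
# offline tests.  Added example, not huntlib code; every name here is hypothetical.
import json
import time
from typing import Dict, List, Optional, Tuple

TERMINAL_FAIL = ("CANCELED", "ERROR")  # Ariel states that never reach COMPLETED


class QRadarError(RuntimeError):
    """Raised for HTTP errors and for searches that fail or time out."""


class _Resp:  # just enough of requests.Response for the client to consume
    def __init__(self, status_code: int, body):
        self.status_code, self._body, self.text = status_code, body, json.dumps(body)

    def json(self):
        return self._body


class FakeQRadar:
    """Constructed test double for /api/ariel/searches; one poll = one state step."""
    def __init__(self, rows, token="secret-token", basic=("admin", "pw"), final_state="COMPLETED"):
        self.rows, self.token, self.basic, self.final = rows, token, basic, final_state
        self.searches, self.calls = {}, []  # search_id -> pending states; (method, url) log

    def _ok(self, headers, auth):  # SEC token header or HTTP basic credentials
        return (headers or {}).get("SEC") == self.token or auth == self.basic

    def post(self, url, headers=None, params=None, auth=None, verify=True):
        self.calls.append(("POST", url))
        if not self._ok(headers, auth):
            return _Resp(401, {"message": "unauthorized"})
        sid = f"search-{len(self.searches) + 1}"
        self.searches[sid] = ["WAIT", "EXECUTE", self.final]
        return _Resp(201, {"search_id": sid, "status": "WAIT"})

    def get(self, url, headers=None, params=None, auth=None, verify=True):
        self.calls.append(("GET", url))
        if not self._ok(headers, auth):
            return _Resp(401, {"message": "unauthorized"})
        sid, *rest = url.rsplit("/ariel/searches/", 1)[-1].split("/")
        states = self.searches.get(sid)
        if states is None:
            return _Resp(404, {"message": "no such search"})
        if rest == ["results"]:
            if states[0] != "COMPLETED":
                return _Resp(409, {"message": "search not complete"})
            return _Resp(200, {"events": self.rows})  # key names the Ariel table queried
        if len(states) > 1:
            states.pop(0)  # advance one state per poll
        return _Resp(200, {"search_id": sid, "status": states[0]})


class QRadarSearch:
    """Submit an AQL query, poll until it finishes, return the result rows.
    `http` is anything with requests.Session-style get()/post(): a real
    requests.Session for a live console, FakeQRadar in tests."""
    def __init__(self, host: str, http, *, token: Optional[str] = None,
                 basic_auth: Optional[Tuple[str, str]] = None, verify: bool = True,
                 poll_interval: float = 0.0, timeout: float = 60.0):
        if bool(token) == bool(basic_auth):
            raise ValueError("supply exactly one of token= or basic_auth=")
        self.base, self.http, self.verify, self.basic_auth = f"https://{host}/api", http, verify, basic_auth
        self.poll_interval, self.timeout = poll_interval, timeout
        self.headers = {"Accept": "application/json"}
        if token:
            self.headers["SEC"] = token  # QRadar authorized-service token header

    def _call(self, method: str, path: str, **kw):
        resp = getattr(self.http, method)(self.base + path, headers=self.headers,
                                          auth=self.basic_auth, verify=self.verify, **kw)
        if resp.status_code >= 400:
            raise QRadarError(f"{method.upper()} {path} -> HTTP {resp.status_code}: {resp.text}")
        return resp.json()

    def run(self, aql: str) -> List[Dict]:
        created = self._call("post", "/ariel/searches", params={"query_expression": aql})
        sid, status = created["search_id"], created["status"]
        deadline = time.monotonic() + self.timeout
        while status != "COMPLETED":
            if status in TERMINAL_FAIL:
                raise QRadarError(f"search {sid} ended in state {status}")
            if time.monotonic() > deadline:
                raise QRadarError(f"search {sid} still {status} after {self.timeout}s")
            time.sleep(self.poll_interval)
            status = self._call("get", f"/ariel/searches/{sid}")["status"]
        results = self._call("get", f"/ariel/searches/{sid}/results")
        return next(iter(results.values()))  # {"events": [...]} or {"flows": [...]}


SAMPLE_EVENTS = [  # constructed rows, not real QRadar output
    {"sourceip": "10.0.0.5", "qidname": "SSH Login Failed", "eventcount": 3},
    {"sourceip": "10.0.0.5", "qidname": "SSH Login Succeeded", "eventcount": 1},
    {"sourceip": "192.168.1.20", "qidname": "SSH Login Failed", "eventcount": 7},
]
AQL = "SELECT sourceip, qidname, eventcount FROM events LAST 1 HOURS"


def run_sample(token=None, basic_auth=None, final_state="COMPLETED"):
    """Run AQL against the fake; returns (rows, recorded API calls)."""
    fake = FakeQRadar(SAMPLE_EVENTS, final_state=final_state)
    client = QRadarSearch("qradar.example.internal", fake, token=token, basic_auth=basic_auth)
    return client.run(AQL), fake.calls
```

`run_sample(token="secret-token")` returns the three sample rows after four calls (POST to create, two status polls, GET results); `pandas.DataFrame(rows)` is the last step a QRadarDF would add. A hand-written fake is used instead of MagicMock because it also exercises the parts worth testing in a SIEM client: a wrong token or password produces a 401 that surfaces as `QRadarError`, a search that ends in ERROR is reported instead of polled forever, and the timeout bounds a search stuck in WAIT. `verify` defaults to True on purpose; a lab console with a self-signed certificate should be handled by passing the CA bundle path, not by turning verification off.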