2021 Call for Code Awards: Live from New York, with SNL’s Colin Jost! Learn more

Automate L1 security activities


L1 security personnel have lots of manual work, which can be significantly automated to minimize effort and increase efficiency. One such L1 activity is to check whether the offense triggered on QRadar® is valid by using rule-based validation. Robotic process automation (RPA) is software that helps automate the highly repetitive tasks many security employees perform, often at the expense of creative problem-solving and customer-centric work. In this developer code pattern, we have developed a methodology to determine if the offense is valid or invalid. Applying this pattern can significantly bring down the time L1 security personnel spends on manual validation.


We will demonstrate the automation with the following use case. A vehicle has been assigned a speed limit of 100 kph. If the speed of the vehicle exceeds 100 kph, it is a violation. If the vehicle’s speed exceeds 100 kph twice within 15 min, an offense will be generated on QRadar. In this code pattern, we will manually send speed violation events and generate an offense on QRadar. Once the offense shows up on QRadar, the offenses watch application will automatically detect the offense and trigger the validation bot. This bot will run the validation application to validate the detected offense and tell us if it is valid or invalid.

When you have completed this code pattern, you will understand how to:

  • Automate using RPA
  • Extract offenses from QRadar using REST APIs
  • Automate security L1 activities
  • Create a universal Device Support Module (DSM) log source in QRadar
  • Create a rule to detect the offense in QRadar


rpa for l1 security

  1. Trigger the rules extraction bot.
  2. The bot will extract the necessary rules.
  3. The bot will store the rules in rules.txt.
  4. Run the offenses watch application, which will look for new offenses showing up in QRadar.
  5. Run the offenses application.
  6. The offenses application will send speed violation events/logs to QRadar. This will generate the offense in QRadar.
  7. The offense generated in QRadar gets detected by the offences watch application.
  8. The watch application triggers the validation bot.
  9. The validation bot extracts required information from QRadar.
  10. The bot stores the extracted information in validation.txt and runs the validation application.
  11. The validation application validates and determines whether the offense triggered is valid or invalid.


Ready to give it a try? Check out the README for step-by-step instructions.