An app adds new functionality to the QRadar GUI such as dashboard items, menu buttons, pages, and more. Apps are developed using the QRadar GUI Application Framework.
QRadar provides APIs, an SDK, and an App Editor.
QRadar supports a set of RESTful APIs.
The QRadar App Framework SDK provides utilities to develop, package and deploy an application for QRadar.
Using the SDK
The QRadar App Editor is a simpler alternative to the SDK.
Using the App Editor
Some topics that every developer should know are covered below.
Overview of a QRadar Application
Troubleshoot your app
If your app is not working as expected, you can troubleshoot by reviewing the app logs.
Memory limits when developing apps
One of the challenges we ran into when developing apps was the memory limit on the Docker containers in the App Framework. As you develop your apps, it pays to think about how you write your code to keep your memory footprint small. Follow the link for recommendations and how to monitor your app's memory usage.
Ensuring Your QRadar Application is Secure
Each application undergoes an individual security review as part of the submission process. The tips and discussion in this article are intended to guide users to the types of items we review and frequently take questions about, to reduce the chance of an app submission being rejected because of common issues.
Some applications have specialized requirements, like running a background service. This topic and other specialized topics are covered below.
Using the App framework to build your own Protocol
A protocol is the mechanism that is used as part of a log source to get data into QRadar. Common examples of this are our Syslog, Log File, and WinCollect protocols. Modern services and applications often allow users to retrieve events or subscribe to event feeds via a REST API. You can create an App that acts as an API connector to get events via your REST API.
Running Background Services in QRadar Apps
The QRadar Application Framework allows you to run complex applications within a QRadar environment. By default, the framework creates and manages a Flask web application instance for you. For a lot of apps, that is all that is required to build a rich and fully-functional QRadar integration. Sometimes, you want to run background services in your application. Maybe it’s a database, a background processing script, or a complex machine learning engine. Getting your application set up to install those services is pretty easy once you get the hang of it!
Want your application to run on QRadar on Cloud (QRoC)?
QRadar on Cloud (QRoC) is a completely managed QRadar instance in IBM Cloud that is maintained by an internal IBM ops team. When building integrations for QRadar, if you would like them to be available to our QRoC customers, there are a few things you should keep in mind.