This page is obsolete. For current content, see the following pages:

Obsolete content

QRadar lets you add extensions that extend its functionality with your own customizations. You can provide additional security data and context through security events, custom properties, and reference maps and sets, by means of a Device Support Module (DSM) and Content Packages. You can also provide extended visualization and add to QRadar’s graphical user interface by building a QRadar Application. See the cards below for more information on how to develop a QRadar extension.

QRadar can collect events from security products by using a plugin file that is called a Device Support Module (DSM). You can create a DSM using the DSM Editor, which was introduced in QRadar Version 7.2.8.

QRadar Applications extend the QRadar Graphical User Interface. An SDK is provided to help you build, test and package your application. We have also provided samples, within the SDK as well as on this web site, of the various types of extensions that can be created. Finally, we have created videos that walk through the SDK and the QRadar capabilities that can be built.

New to the IBM Security X-Force App Exchange?

See this overview on QRadar to better understand its capabilities.

More Information on App Development

There are several development tools for creating content for QRadar. These are posted on the IBM Security App Exchange.

QRadar App Editor

The QRadar App Editor is an easy-to-use editor that any app developer can use. When you use the App Editor to develop a new app or import an existing app, the App Editor is on the app development tab. The App Editor is a ready-made workspace for you to manage the development of your app. You can easily deploy your changes and view the app live in QRadar.

QRadar SDK

The IBM Security QRadar application framework has its own software development kit (SDK) that is downloadable from the IBM Security App Exchange. Anyone interested in extending QRadar can use the SDK and the IBM QRadar GUI Application Framework to develop new extensions that integrate with QRadar and provide new capabilities. The SDK can be used to create a development workspace, run apps locally for QA test purposes, or package your app to create an archive (.zip file) that contains your extension files. The IBM QRadar SDK is intended to help you develop and deploy apps to your QRadar Console.

The following sections provide additional content for creating workspaces, testing, troubleshooting, and more.

QRadar supports a set of RESTful APIs

The DSM Editor, introduced in Version 7.2.8, can be used to develop a DSM

Using the App framework to build your own Protocol

A protocol is the mechanism that is used as part of a log source to get data into QRadar. Common examples of this are our Syslog, Log File, and WinCollect protocols. Modern services and applications often allow users to retrieve events or subscribe to event feeds via a REST API. You can create an App that acts as an API connector to get events via your REST API.

Running Background Services in QRadar Apps

The QRadar Application Framework allows you to run complex applications within a QRadar environment. By default, the framework creates and manages a Flask web application instance for you. For a lot of apps, that is all that is required to build a rich and fully-functional QRadar integration. Sometimes, you want to run background services in your application. Maybe it’s a database, a background processing script, or a complex machine learning engine. Getting your application set up to install those services is pretty easy once you get the hang of it!

How to execute JavaScript in a dashboard item

Some app developers will want to execute JavaScript within a dashboard item. Because of the way the HTML in a dashboard item is handled, this has to be done in a specific way. See the link for details on how to accomplish this.

Memory limits when developing apps

One of the challenges we ran into when developing apps was the memory limit on the Docker containers in the App Framework. As you develop your apps, it pays to think about how you write your code to keep your memory footprint small. Follow the link for recommendations and how to monitor your app's memory usage.

Ensuring Your QRadar Application is Secure

Each application undergoes an individual security review as part of the submission process. The tips and discussion in this article are intended to guide users to the types of items we review and frequently take questions about, to reduce the chance of an app submission being rejected because of common issues.

Want your application to run on QRadar on Cloud (QRoC)?

QRadar on Cloud (QRoC) is a completely managed QRadar instance in IBM Cloud that is maintained by an internal IBM ops team. When building integrations for QRadar, if you would like them to be available to our QRoC customers, there are a few things you should keep in mind.