The QRadar APP Framework SDK provides utilities to develop, package and deploy an application for QRadar. Once developed, apps and content extensions are only usable on QRadar 7.2.6+ Console appliances. QRadar support suggests that all users be at QRadar 7.2.6 Patch 4 or later before running apps on their Console. This recommendation is due to a framework change that resolved a reinstall issue.

Download the SDK

The QRadar SDK must be downloaded from the IBM Security X-Force App Exchange and requires an IBM ID. An IBM ID is free for any user who registers, and it gives access to our apps, forums for asking QRadar or development questions, X-Force Exchange malware and URL lookup, and more.

Installation & requirements

Python 2, version 2.7.9 or later, is required. Python 3 is not supported. If you are developing on a Mac, do not use the macOS version of Python. Instead, install the latest Python 2 version using, for example, the Homebrew package manager.

*nix systems

Extract the contents of the SDK zip archive, then run the install.sh script as root:

    sudo ./install.sh

Note:
  • You must run this script within its own folder.
  • This SDK has been tested on Red Hat Enterprise 6.6 and 6.7 only.

Windows systems

Extract the contents of the SDK zip archive and run the install.bat script as Administrator.

SDK Workflow

Once installed, the SDK is accessed using the qradar_app_creator command, which should be available on your path.

Create an app

First, create a folder to contain your app, e.g. myapp. Generate a template app within the folder by running this command:

    qradar_app_creator create -w <path to myapp>

Note:
  • This operation might take several minutes to execute on a Windows system.
On completion, the entries in the folder will include:
  • app – contains source files for the app
  • manifest.json – JSON manifest file that describes the app
  • qradar_appfw_venv – Python virtual environment for running your app locally
  • run.py – default Python script for running your app locally
To customize your app, edit the manifest and add/update files in the app folder.

Run an app locally

To test your app locally before deploying it to a QRadar system, run this command:

    qradar_app_creator run -w <path to myapp>

Your app should now be running at http://0.0.0.0:5000 (or http://127.0.0.1:5000). If your app has REST endpoints you can call them at this URL.

You will be prompted for QRadar user credentials when running the app. You will also be given the option to store those credentials for convenience. Credentials are stored in clear text at <HOME>/.qradar_appfw.auth.

In manifest.json there is an entry called dev_opts which you can use to specify a console_ip value to be used locally.
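A check for the clear-text credentials file described above, as an added example that is not part of the SDK or the original page: it reports whether the file exists and, on *nix, whether group or other users can access it. The finding labels and the --fix option are this example's own names, and because the page does not describe the file's format the script never reads its contents.

```python
from __future__ import print_function  # keeps the script usable on Python 2.7
import os
import stat
import sys

# File name taken from the page; the contents are never opened or parsed.
AUTH_FILE_NAME = ".qradar_appfw.auth"


def audit_auth_file(path, fix=False):
    """Return a list of finding labels for the stored-credentials file.

    With fix=True, *nix permissions are tightened to owner read/write (0600).
    """
    findings = []
    if not os.path.lexists(path):
        return findings  # credentials were never stored
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # the real file lives elsewhere; review by hand
    findings.append("cleartext-credentials-present")
    if os.name == "posix":  # mode bits and uid are not meaningful on Windows
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("group-or-other-access")
            if fix:
                os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
                findings.append("fixed-mode-0600")
        if st.st_uid != os.getuid():
            findings.append("not-owned-by-current-user")
    return findings


def main(argv):
    path = os.path.join(os.path.expanduser("~"), AUTH_FILE_NAME)
    findings = audit_auth_file(path, fix="--fix" in argv[1:])
    if not findings:
        print("OK: %s not present" % path)
        return 0
    for finding in findings:
        print("%s: %s" % (path, finding))
    return 1  # non-zero so the check can gate a build or login script


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Restricting the mode only limits who can read the file; deleting it when local testing is finished removes the stored credentials entirely.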

Package an app

When your app is ready for deployment to a QRadar instance, use this command to package it into a zip file:

    qradar_app_creator package -w <path to myapp> -p com.mycompany.myapp.zip

Deploy an app

To deploy your app to the QRadar console, run this command:

    qradar_app_creator deploy -q <QRadar console IP address> -u <QRadar user> -p com.mycompany.myapp.zip

Deployment will assign a unique numeric identifier to your app, e.g. 1001.

Remember, you should always test how users install apps to ensure that everything works as intended. QRadar administrators are required to install apps as .zip files via the Admin tab > Extension Management user interface.

Check app status

To check the status of your app, run this command:

    qradar_app_creator status -q <QRadar console IP address> -u <QRadar user> -a <app ID>

Delete an app

You can delete an app using this command:

    qradar_app_creator delete -q <QRadar console IP address> -u <QRadar user> -a <app ID>
