The QRadar APP Framework SDK provides utilities to develop, package and deploy an application for QRadar. Apps and content extensions are only usable on QRadar 7.2.6+ Console appliances after they have been developed. QRadar support suggests that all users be at QRadar 7.2.6 Patch 4 or later before running apps on their Console. This is due to a framework issue that resolved a reinstall issue.

Download the SDK
The QRadar SDK must be downloaded from the IBM Security X-Force App Exchange and requires an IBM ID. IBM IDs are free for any user who registers, which provides users access to our apps, forums to ask QRadar or development questions, X-Force Exchange Malware and URL lookup, and more.

Installation & requirements
A Python 2 version of 2.7.9 or later is required. Python 3 is not supported. If you are developing on a Mac, do not use the macOS version of Python. Instead, install the latest Python 2 version using, for example, the Homebrew package manager.

*nix systems
Extract the contents of the SDK zip archive, then run the install.sh script as root:
- You must run this script within its own folder.
- This SDK has been tested on Red Hat Enterprise 6.6 and 6.7 only.

Windows systems
Extract the contents of the SDK zip archive and run the install.bat script as Administrator.

SDK Workflow
Once installed, the SDK is accessed using the qradar_app_creator command, which should be available on your path.

Create an app
First, create a folder to contain your app, e.g. myapp. Generate a template app within the folder by running this command:
qradar_app_creator create -w <path to myapp>
Note:
- This operation might take several minutes to execute on a Windows system.

- app – contains source files for the app
- manifest.json – JSON manifest file that describes the app
- qradar_appfw_venv – Python virtual environment for running your app locally
- run.py – default Python script for running your app locally

Run an app locally
To test your app locally before deploying it to a QRadar system, run this command:
qradar_app_creator run -w <path to myapp>
Your app should now be running at http://127.0.0.1:5000. If your app has REST endpoints, you can call them at this URL. You will be prompted for QRadar user credentials when running the app. You will also be given the option to store those credentials for convenience. Credentials are stored in clear text at
In manifest.json there is an entry called dev_opts, which you can use to specify a console_ip value to be used locally.

Package an app
When your app is ready for deployment to a QRadar instance, use this command to package it into a zip file:
qradar_app_creator package -w <path to myapp> -p com.mycompany.myapp.zip
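
A pre-flight check that can be run before packaging, as an added example that is not part of the SDK or of the original page. It checks the Python version rule and the workspace entries listed above, and reports any console_ip left under dev_opts. The function names, the sample manifest and the shape of dev_opts (one object or a list of objects) are assumptions.

```python
import json
import os
import re
import tempfile

# Entries the page lists for a workspace made by `qradar_app_creator create`.
EXPECTED = ("app", "manifest.json", "qradar_appfw_venv", "run.py")

def python_ok(version_text):
    """True only for a Python 2 release at 2.7.9 or later (no Python 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        return False
    major, minor, patch = (int(g) for g in m.groups())
    return major == 2 and (minor, patch) >= (7, 9)

def dev_console_ips(manifest):
    """console_ip values under dev_opts (assumed: one object or a list)."""
    opts = manifest.get("dev_opts", []) if isinstance(manifest, dict) else []
    if isinstance(opts, dict):
        opts = [opts]
    return [o["console_ip"] for o in opts
            if isinstance(o, dict) and o.get("console_ip")]

def check_workspace(path):
    """Return findings for an app folder; an empty list means nothing found."""
    findings = ["missing: " + name for name in EXPECTED
                if not os.path.exists(os.path.join(path, name))]
    manifest_path = os.path.join(path, "manifest.json")
    if os.path.isfile(manifest_path):
        try:
            with open(manifest_path) as fh:
                manifest = json.load(fh)
        except ValueError as exc:  # malformed JSON
            return findings + ["manifest.json is not valid JSON: %s" % exc]
        findings += ["dev_opts console_ip is set: %s" % ip
                     for ip in dev_console_ips(manifest)]
    return findings

def demo():
    """Run the check on a constructed workspace that lacks the virtualenv."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "app"))
    open(os.path.join(root, "run.py"), "w").close()
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        json.dump({"name": "myapp",  # constructed sample manifest
                   "dev_opts": [{"console_ip": "192.0.2.10"}]}, fh)
    return check_workspace(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```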

Deploy an app
To deploy your app to the QRadar console, run this command:
qradar_app_creator deploy -q <QRadar console IP address> -u <QRadar user> -p com.mycompany.myapp.zip
Deployment will assign a unique numeric identifier to your app, e.g. 1001. Remember, you should always test how users install apps to ensure that everything works as intended. QRadar administrators are required to install apps as .zip files via the Admin tab > Extension Management user interface.

Check app status
To check the status of your app, run this command:
qradar_app_creator status -q <QRadar console IP address> -u <QRadar user> -a <app ID>

Delete an app
You can delete an app using this command:
qradar_app_creator delete -q <QRadar console IP address> -u <QRadar user> -a <app ID>