High level guide for developing IBM QRadar Apps

Following is a high level guide on how to develop your own QRadar App and get it published on IBM X-Force Exchange. You can find an App we created for a client here for reference

If you want assistance for developing QRadar App, please don’t hesitate to reach out to my company at contact@ctofriendly.com

Get in Touch with IBM

IBM has staff dedicated for helping developers develop Apps. Get in touch with them, validate your ideas and approaches. They really help you further during each step in development process and speedup everything.

Make sure your organisation signs up for IBM Security App Exchange Partner program. You’ll get free trial license for QRadar as part of this.

Setting up Development Environment

You may need to setup additional things, depending upon what you’re trying to build. Following covers most parts of everything you’ll need.

Installing QRadar

Make sure you install the All In One Console

Guide for setting up QRadar on Cloud -> Recommended

Guide for setting up QRadar using virtual appliance

Getting some logs into QRadar

This is useful for testing your app.

Start a nginx web server on another instance/VM. Route it’s logs to QRadar ingestor. See guide about this.

Installing QRadar Apps for development and validation

We need to install certain Apps which make it easy for deploying QRadar Apps. See this guide which shows how to install Apps.

The specific Apps to be installed are:

QRadar Pre-Validation App: This is used to validate the App before publishing it. It also outputs a report which is necessary to provide to X-Force Exchange team for publishing the App.

QRadar App Editor: This enables relatively quick deployment of Apps.

Setting up local development environment

Make sure you’ve the following installed.

• Python 3.6+
• Jarsigner. It’s bundled with JDKs like OpenJDK.
• Docker
• QRadar App SDK. See installation guide

Developing the App

Finally you can start writing code ! Following are some resources which would be helpful to bring your ideas to life.

• Framework Guide PDF. Especially read the “How an application runs and interacts with QRadar” section.
• Sample App Repo

Testing the App

There are several ways to do this. I find developing the App and testing it by deploying it on QRadar too time consuming. Fortunately Apps can be partially tested without deploying them to QRadar

Using SDK

The SDK has functionality to run the App on your development machine. You can run the following command in project root, to start the App

qapp run -d

However to test some functionality like GUI actions, you’d need to deploy the App on QRadar. There are two ways for doing this, let’s start with easiest and quickest one. We’ll see the second way in a later section of this article.

Using QRadar App Editor

1. Package the App in a zip file. To do so, from the project root, run the following commands. This will create an App.zip file in the current directory

 mkdir /tmp/package/  
 mkdir -p /tmp/final_package/App  

 cp -r ./app /tmp/package/  
 cp -r ./container /tmp/package/  
 cp ./manifest.json /tmp/package/  
 cd /tmp/package && zip -r /tmp/final_package/App/1125.zip ./  
 cp /tmp/final_package/App/1125.zip ./

1. Navigate to QRadar console on the browser. Open the QRadar App Editor App, which we installed earlier. Click on Existing App and upload the App.zip file.

2. Your App should be deployed on QRadar instance. Test it !

Publishing the App on IBM X-Force Exchange

Getting the Package Ready

Your app must be signed by certificates issued to you by IBM. The app also needs to be packaged in a certain way with few manifest files. Follow this guide on how to do this.

Continous Integration

If you’re hosting the App’s source code on Github, you can refer to this Workflow and Makefile we created for our client. Do note the secrets SIGNING_STORE and SIGNING_STORE_OLD are base64 encoded strings of certificate stores you’d obtain from previous step. The secret STORE_PASS is password of signing stores. We used same password for both stores to keep it simple.

Whenever you create a Github Release, a signed package ready to be published is obtained as part of release asset.

Getting Prevalidation Test Report

You can upload the signed package to QRadar Pre-Validation App, we previously installed. Make sure your app passes the tests. Download the report.

Publishing to IBM X-Force Exchange

Fill the forms and upload your package in the X-Force submission portal. Once you finish this step, IBM team would review, audit and hopefully publish your app.