topic Re: Does anyone have any experience pulling data from Qradar (API) to Splunk?? in All Apps and Add-ons

Does anyone have any experience pulling data from Qradar (API) to Splunk??

asimagu — Wed, 03 Oct 2018 14:20:13 GMT

Hey friends

Anyone have any experience pulling data from Qradar (API) to Splunk?? (for example. the siem/offenses )

Any Python script that would do the magic?? I tried to use the REST api modular input, but could not make it work

Any help would be much appreciated. thanks!

Re: Does anyone have any experience pulling data from Qradar (API) to Splunk??

VatsalJagani — Tue, 29 Sep 2020 21:25:39 GMT

Hi @asimagu,
You can use script to get data from QRadar and send them to Splunk.
Here is how you get events from QRadar:

Send a POST request to curl -X GET -k -u username:password https://?qradar-url?/api/ariel/searches --data-urlencode "query_expression="
If response is 201, obtain search_id from response
Send a GET request to /ariel/searches/{search_id} to obtain the status of the search. While the response code is 200 and the status is not 'COMPLETED' or 'ERROR', loop.
If the status is 'ERROR', you can use the error_messages response to obtain information. If the status is 'COMPLETED', you can get the results via GET /ariel/searches/{search_id}/results

You can use python requests module instead of curl, if you want to code this script into python. Get more info about above steps: https://www.ibm.com/developerworks/community/forums/html/topic?id=d8d0c48b-825b-40b1-bedc-b3a08548c695

You can use HEC to index these events into Splunk.

curl -k https://?splunk-url?:8088/services/collector/event -H "Authorization: Splunk HEC-token" -d '{"event": }'

Here is the detail description how can you use HEC in Splunk and how can you generate HEC token from Splunk UI: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector

Re: Does anyone have any experience pulling data from Qradar (API) to Splunk??

asimagu — Thu, 04 Oct 2018 09:48:40 GMT

@VatsalJagani thanks for your answer. I don´t have username and password, only a token.

Re: Does anyone have any experience pulling data from Qradar (API) to Splunk??

VatsalJagani — Thu, 04 Oct 2018 10:15:37 GMT

Can you try adding -H "Authorization: Bearer <your_token>" instead of username password?
I hope you will find out how we can do this in python or other script.

Re: Does anyone have any experience pulling data from Qradar (API) to Splunk??

mstjohn_splunk — Fri, 19 Oct 2018 18:54:59 GMT

hi @asimagu,

Thanks for posting on Splunk Answers.

I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.

Thanks!