All Apps and Add-ons

Does anyone have any experience pulling data from Qradar (API) to Splunk??

asimagu
Builder

Hey friends

Anyone have any experience pulling data from Qradar (API) to Splunk?? (for example. the siem/offenses )

Any Python script that would do the magic?? I tried to use the REST api modular input, but could not make it work

Any help would be much appreciated. thanks!

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @asimagu,

Thanks for posting on Splunk Answers.

I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.

Thanks!

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @asimagu,
You can use script to get data from QRadar and send them to Splunk.
Here is how you get events from QRadar:

  • Send a POST request to curl -X GET -k -u username:password https://?qradar-url?/api/ariel/searches --data-urlencode "query_expression="

  • If response is 201, obtain search_id from response

  • Send a GET request to /ariel/searches/{search_id} to obtain the status of the search. While the response code is 200 and the status is not 'COMPLETED' or 'ERROR', loop.

  • If the status is 'ERROR', you can use the error_messages response to obtain information. If the status is 'COMPLETED', you can get the results via GET /ariel/searches/{search_id}/results

You can use python requests module instead of curl, if you want to code this script into python. Get more info about above steps: https://www.ibm.com/developerworks/community/forums/html/topic?id=d8d0c48b-825b-40b1-bedc-b3a08548c6...

You can use HEC to index these events into Splunk.

  • curl -k https://?splunk-url?:8088/services/collector/event -H "Authorization: Splunk HEC-token" -d '{"event": }'

Here is the detail description how can you use HEC in Splunk and how can you generate HEC token from Splunk UI: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector

asimagu
Builder

@VatsalJagani thanks for your answer. I don´t have username and password, only a token.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Can you try adding -H "Authorization: Bearer <your_token>" instead of username password?
I hope you will find out how we can do this in python or other script.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...