Hey friends
Anyone have any experience pulling data from Qradar (API) to Splunk?? (for example. the siem/offenses )
Any Python script that would do the magic?? I tried to use the REST api modular input, but could not make it work
Any help would be much appreciated. thanks!
hi @asimagu,
Thanks for posting on Splunk Answers.
I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.
Thanks!
Hi @asimagu,
You can use script to get data from QRadar and send them to Splunk.
Here is how you get events from QRadar:
Send a POST request to curl -X GET -k -u username:password https://?qradar-url?/api/ariel/searches --data-urlencode "query_expression="
If response is 201, obtain search_id from response
Send a GET request to /ariel/searches/{search_id} to obtain the status of the search. While the response code is 200 and the status is not 'COMPLETED' or 'ERROR', loop.
If the status is 'ERROR', you can use the error_messages response to obtain information. If the status is 'COMPLETED', you can get the results via GET /ariel/searches/{search_id}/results
You can use python requests module instead of curl, if you want to code this script into python. Get more info about above steps: https://www.ibm.com/developerworks/community/forums/html/topic?id=d8d0c48b-825b-40b1-bedc-b3a08548c6...
You can use HEC to index these events into Splunk.
Here is the detail description how can you use HEC in Splunk and how can you generate HEC token from Splunk UI: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector
@VatsalJagani thanks for your answer. I don´t have username and password, only a token.
Can you try adding -H "Authorization: Bearer <your_token>"
instead of username password?
I hope you will find out how we can do this in python or other script.