All Apps and Add-ons

Does anyone have any experience pulling data from Qradar (API) to Splunk??

asimagu
Builder

Hey friends

Anyone have any experience pulling data from Qradar (API) to Splunk?? (for example. the siem/offenses )

Any Python script that would do the magic?? I tried to use the REST api modular input, but could not make it work

Any help would be much appreciated. thanks!

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @asimagu,

Thanks for posting on Splunk Answers.

I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.

Thanks!

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @asimagu,
You can use script to get data from QRadar and send them to Splunk.
Here is how you get events from QRadar:

  • Send a POST request to curl -X GET -k -u username:password https://?qradar-url?/api/ariel/searches --data-urlencode "query_expression="

  • If response is 201, obtain search_id from response

  • Send a GET request to /ariel/searches/{search_id} to obtain the status of the search. While the response code is 200 and the status is not 'COMPLETED' or 'ERROR', loop.

  • If the status is 'ERROR', you can use the error_messages response to obtain information. If the status is 'COMPLETED', you can get the results via GET /ariel/searches/{search_id}/results

You can use python requests module instead of curl, if you want to code this script into python. Get more info about above steps: https://www.ibm.com/developerworks/community/forums/html/topic?id=d8d0c48b-825b-40b1-bedc-b3a08548c6...

You can use HEC to index these events into Splunk.

  • curl -k https://?splunk-url?:8088/services/collector/event -H "Authorization: Splunk HEC-token" -d '{"event": }'

Here is the detail description how can you use HEC in Splunk and how can you generate HEC token from Splunk UI: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector

asimagu
Builder

@VatsalJagani thanks for your answer. I don´t have username and password, only a token.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Can you try adding -H "Authorization: Bearer <your_token>" instead of username password?
I hope you will find out how we can do this in python or other script.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...