Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

QRadar Technical Blog: Using Custom Scripts

QRadar 7.2.6 introduced the concept of a custom action script that executes as part of a rule response.

The use of such scripts is limited and very structured. There are three options for the scripting language: Bash, Perl and Python. The script is first written in a standard editor and saved on the PC being used to access QRadar, then uploaded into QRadar using the 'Define Actions' icon in the Admin tab.

Open the Define Actions icon, which displays the list of existing scripts and allows a new one to be added. Click Add in the menu bar; in the resulting pop-up enter a name and description, select the script interpreter, then choose the script by clicking Browse and selecting the file.

QRadar uploads the script and provides options to pass parameters to it. For example, an event property such as the source IP can be taken from the event payload and passed to the script for further processing. The script is stored in QRadar under a specific directory, /opt/qradar/bin/ca_jail. Running it from this directory lets QRadar control the processing and prevents a poorly formed script from damaging the system. Note that when the script executes, if there has been no activity for 15 seconds the script is flushed.

If the script needs to produce output, it is stored in the directory /opt/qradar/bin/ca_jail/home/customactionuser.

Some use cases for custom actions:

- Automating responses to rule matches:
    - Triggered custom action scripts execute in parallel
    - Example: changing a firewall rule via its API
- Extending rules from QRadar to external security devices or systems:
    - Communicate with other hosts via TCP/IP
    - Communicate with the QRadar host locally on port 443
    - Run REST API commands
- Storing information on the filesystem in /home/customactionuser

Remember that after uploading your script to QRadar it must be deployed before it can be used.
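The following is an added example of a minimal Python custom action script, written for this post rather than taken from Satisnet or IBM. It assumes QRadar passes the parameters configured in Define Actions as positional command-line arguments, here in the assumed order source IP, rule name, offense ID (the order is whatever you configure), and that the script runs under Python 3. It validates the event-derived values before using them (the source IP comes from the payload, so it is not trusted input), appends one JSON record per trigger to a log file in the output directory the post names, and exits quickly so it is not caught by the 15-second inactivity flush.

```python
#!/usr/bin/env python3
"""Added example QRadar custom action script (not Satisnet's or IBM's code).

Assumed parameter order, configured in Define Actions: <source_ip> <rule_name>
<offense_id>. Output goes to the directory the post names for script output;
OUTPUT_DIR is a parameter only so the logic can be exercised outside QRadar.
"""
import ipaddress
import json
import os
import sys
import time

# Directory named in the post for script output inside the ca_jail sandbox.
DEFAULT_OUTPUT_DIR = "/opt/qradar/bin/ca_jail/home/customactionuser"


def parse_args(argv):
    """Validate the parameters QRadar hands the script.

    Returns a dict or raises ValueError. The source IP is taken from the event
    payload, so it is attacker-influenced: reject anything that is not a real
    address before it reaches a firewall API, a shell command or a log.
    """
    if len(argv) != 3:
        raise ValueError("expected 3 parameters: <source_ip> <rule_name> <offense_id>")
    src_ip, rule_name, offense_id = argv
    ip = ipaddress.ip_address(src_ip)  # raises ValueError on a malformed address
    if not offense_id.isdigit():
        raise ValueError("offense_id must be numeric")
    return {"source_ip": str(ip), "rule_name": rule_name, "offense_id": int(offense_id)}


def record_action(params, output_dir=DEFAULT_OUTPUT_DIR):
    """Append one JSON line describing the trigger and return the record."""
    record = dict(params)
    record["timestamp"] = int(time.time())
    os.makedirs(output_dir, exist_ok=True)
    path = os.path.join(output_dir, "custom_action.log")
    with open(path, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def main(argv, output_dir=DEFAULT_OUTPUT_DIR):
    """Entry point: 0 on success, 2 when the parameters are rejected."""
    try:
        params = parse_args(argv)
    except ValueError as exc:
        sys.stderr.write("custom action rejected input: %s\n" % exc)
        return 2
    record_action(params, output_dir)
    return 0


if __name__ == "__main__":
    # Do the work and exit promptly: an idle script is flushed after 15 seconds.
    sys.exit(main(sys.argv[1:]))
```

The script deliberately does nothing but validate and record; the place to add a firewall or REST API call is after parse_args succeeds, so that only a validated address ever reaches an external system.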