With IBM QRadar, administrators can invoke a custom script as a rule response and pass event data to it.
This document describes a sample custom action script for Pure Storage FlashArray that can be used with QRadar. It covers the actions the script supports, the inputs the script needs to run, and the configuration file that must be created.
The configuration file must be created on the QRadar SIEM server at /opt/qradar/bin/ca_jail/pure.conf with the parameters described below. Because the file holds API tokens, restrict its permissions so that only the account that runs the custom action can read it.
Refer to the section Creating API Tokens for details on how to create an API token.
The config file has exactly one line per FlashArray. To add a volume or protection group for an existing array, edit that array's line in place; the script reads the file on each execution, so the change applies to the next run. To add a new array, append a new line with the fields described in the following table:
Name | Type | Description | Required |
---|---|---|---|
Array controller name | String | Name of the FlashArray | Yes |
API token | String | API token used to authenticate to the array | Yes |
Volume list | List | Comma-separated list of volumes to snapshot | Yes |
Protection group list | List | Comma-separated list of protection groups to snapshot | Yes |
Sample configuration file (each line has four colon-separated fields: array name, API token, volume list, protection group list; the tokens shown are placeholders):

```
pure-array-1:xxxxx-fffff-xccccc-ccceeee:aa_test_vol,testvol1:ps_1,pg_2
pure-array-2:xxxxx-fffff-xccccc-ccceeee:test_vol,pp_vol:pg_3,pgroup-auto
```
The custom script is uploaded into IBM QRadar with the Define Actions icon on the Admin tab of the IBM QRadar GUI. Download the Python script and save it on the workstation from which you access the IBM QRadar GUI, because the upload is done through the browser.
This section explains how to upload the custom action script so that it can be associated with QRadar events. Complete the following steps:
- Download the Python script.
- In the IBM QRadar GUI, click the navigation menu, and then click Admin to open the Admin tab.
- Under Custom Actions, click Define Actions.
- Click Add to upload the script.
- Under Basic Information, type a name for the custom action.
- Scroll down to Script configuration and select the Interpreter (Bash, Python, or Perl); this script requires Python.
- Click Browse and select the file that you downloaded in step 1.
- Scroll down and click Save, then on the Admin tab click Deploy Changes.
Script parameters can be a fixed property or a network event property that is extracted from the event.
The Python script supports the following actions:
- Create a single volume snapshot (action = vol_snapshot).
- Create multiple volume snapshots (action = multivol_snapshot).
- Create a protection group snapshot (action = pg_snapshot).
- Remove a user (action = remove_user).
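The following is an added example, not the Pure Storage script and not code from this page. It shows how to parse a pure.conf in the four-field colon-delimited format documented above (one line per array), refuse a token file that other users can read, and resolve the four documented action names to the targets they would operate on. The page lists the action names but not their parameters, so the mapping used here is an assumption: vol_snapshot and remove_user take an explicit target from the event, multivol_snapshot uses the array's configured volume list, and pg_snapshot uses its protection group list. The FlashArray API calls are left out; the returned plan is what you would hand to the array client.

```python
"""Added example: pure.conf parsing, permission check and action resolution.
Not the Pure Storage script; function names and plan format are my own."""
from dataclasses import dataclass, field
import os
import stat
import tempfile

VALID_ACTIONS = ("vol_snapshot", "multivol_snapshot", "pg_snapshot", "remove_user")


@dataclass
class ArrayEntry:
    name: str
    api_token: str
    volumes: list = field(default_factory=list)
    pgroups: list = field(default_factory=list)


def _split_list(raw):
    # Comma-separated list field; blank items (e.g. a trailing comma) are dropped.
    return [item for item in (s.strip() for s in raw.split(",")) if item]


def parse_conf(text):
    """Parse pure.conf text into {array_name: ArrayEntry}.

    Line format: array:api_token:vol1,vol2:pg1,pg2
    Blank lines and '#' comments are skipped (assumption; the page shows only
    data lines). Malformed input raises ValueError with the line number.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields, got {len(fields)}")
        name, token, vols, pgs = (f.strip() for f in fields)
        if not name or not token:
            raise ValueError(f"line {lineno}: array name and API token are required")
        if name in entries:
            # One entry per FlashArray: a second line would silently shadow the first.
            raise ValueError(f"line {lineno}: duplicate entry for array {name!r}")
        entries[name] = ArrayEntry(name, token, _split_list(vols), _split_list(pgs))
    return entries


def check_conf_permissions(path):
    """True only if the file is not readable/writable by group or others.
    The file holds API tokens, so any wider access is a credential leak."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_conf(path):
    if not check_conf_permissions(path):
        raise PermissionError(f"{path} is accessible to group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return parse_conf(fh.read())


def plan_action(entries, array_name, action, target=None):
    """Resolve an action to a list of (kind, name) targets (assumed semantics)."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    entry = entries.get(array_name)
    if entry is None:
        raise KeyError(f"array {array_name!r} not in config")
    if action == "vol_snapshot":
        # Only snapshot volumes the operator listed: an event-supplied name that
        # is not in the config is rejected rather than trusted.
        if not target or target not in entry.volumes:
            raise ValueError(f"volume {target!r} is not configured for {array_name}")
        return [("volume", target)]
    if action == "multivol_snapshot":
        return [("volume", v) for v in entry.volumes]
    if action == "pg_snapshot":
        return [("pgroup", p) for p in entry.pgroups]
    if not target:
        raise ValueError("remove_user needs a user name")
    return [("user", target)]


# Constructed sample in the page's format; the tokens are placeholders.
SAMPLE_CONF = """\
pure-array-1:xxxxx-fffff-xccccc-ccceeee:aa_test_vol,testvol1:ps_1,pg_2
pure-array-2:xxxxx-fffff-xccccc-ccceeee:test_vol,pp_vol:pg_3,pgroup-auto
"""


def demo():
    """Write the sample to a mode-600 temp file, load it, and plan pg_snapshot."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    os.chmod(path, 0o600)
    try:
        return plan_action(load_conf(path), "pure-array-2", "pg_snapshot")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The duplicate-array and unknown-volume checks are the two failure modes worth keeping in the real script: a second line for the same array would otherwise silently win, and an event property used as a volume name should never be passed to the array unless the operator listed it in the config.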
To test the script by using Test Execution:
- In the IBM QRadar GUI, click the navigation menu, and then click Admin to open the Admin tab.
- Scroll down to Custom Actions and click Define Actions.
- Select the script.
- Click Test Execution → Execute.