[Qradar] Adding a new environment variable (#2189)
Megafredo authored May 31, 2024
1 parent 8084ef2 commit 7809388
Showing 4 changed files with 35 additions and 21 deletions.
39 changes: 20 additions & 19 deletions stream/qradar/README.md
@@ -13,22 +13,23 @@ It will be better to build a use case for each type.

### Configuration

| Parameter | Docker envvar | Mandatory | Description |
|-----------------------------------------|-----------------------------------------| ------------ |------------------------------------------------------------------------------------------|
| `opencti_url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. |
| `opencti_token` | `OPENCTI_TOKEN` | Yes | The default admin token configured in the OpenCTI platform parameters file. |
| `connector_id` | `CONNECTOR_ID` | Yes | A valid arbitrary `UUIDv4` that must be unique for this connector. |
| `connector_name` | `CONNECTOR_NAME` | Yes | The name of the qradar instance, to identify it if you have multiple qradar connectors. |
| `connector_scope` | `CONNECTOR_SCOPE` | Yes | Must be `qradar`, not used in this connector. |
| `connector_confidence_level` | `CONNECTOR_CONFIDENCE_LEVEL` | Yes | The default confidence level for created sightings (a number between 1 and 4). |
| `connector_log_level` | `CONNECTOR_LOG_LEVEL` | Yes | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose). |
| `connector_consumer_count` | `CONNECTOR_CONSUMER_COUNT` | No | Number of consumer/worker that will push data to qradar. |
| `connector_live_stream_start_timestamp` | `CONNECTOR_LIVE_STREAM_START_TIMESTAMP` | No | Start timestamp used on connector first start. |
| `qradar_url` | `QRADAR_URL` | Yes | The qradar instances REST API URLs as array |
| `qradar_token` | `QRADAR_TOKEN` | Yes | The qradar login users as array (same order as URLs) |
| `qradar_ssl_verify` | `QRADAR_SSL_VERIFY` | Yes | Enable the SSL certificate check for all instances (default: `true`) |
| `qradar_reference_name` | `QRADAR_REFERENCE_NAME` | Yes | The name of the reference set base name Ex Opencti. |
| `qradar_ignore_types` | `QRADAR_IGNORE_TYPES` | Yes | The list of entity types to ignore. |
| `metrics_enable` | `METRICS_ENABLE` | No | Whether or not Prometheus metrics should be enabled. |
| `metrics_addr` | `METRICS_ADDR` | No | Bind IP address to use for metrics endpoint. |
| `metrics_port` | `METRICS_PORT` | No | Port to use for metrics endpoint. |
| Parameter | Docker envvar | Mandatory | Description |
|-----------------------------------------|-----------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------------|
| `opencti_url` | `OPENCTI_URL` | Yes | The URL of the OpenCTI platform. |
| `opencti_token` | `OPENCTI_TOKEN` | Yes | The default admin token configured in the OpenCTI platform parameters file. |
| `connector_id` | `CONNECTOR_ID` | Yes | A valid arbitrary `UUIDv4` that must be unique for this connector. |
| `connector_name` | `CONNECTOR_NAME` | Yes | The name of the qradar instance, to identify it if you have multiple qradar connectors. |
| `connector_scope` | `CONNECTOR_SCOPE` | Yes | Must be `qradar`, not used in this connector. |
| `connector_confidence_level` | `CONNECTOR_CONFIDENCE_LEVEL` | Yes | The default confidence level for created sightings (a number between 1 and 4). |
| `connector_log_level` | `CONNECTOR_LOG_LEVEL` | Yes | The log level for this connector, could be `debug`, `info`, `warn` or `error` (less verbose). |
| `connector_consumer_count` | `CONNECTOR_CONSUMER_COUNT` | No | Number of consumer/worker that will push data to qradar. |
| `connector_live_stream_start_timestamp` | `CONNECTOR_LIVE_STREAM_START_TIMESTAMP` | No | Start timestamp used on connector first start. |
| `qradar_url` | `QRADAR_URL` | Yes | The qradar instances REST API URLs as array |
| `qradar_url_reference` | `QRADAR_URL_REFERENCE` | No | The qradar REST API URL for reference data collections endpoints (default `/api/reference_data_collections/sets`). |
| `qradar_token` | `QRADAR_TOKEN` | Yes | The qradar login users as array (same order as URLs) |
| `qradar_ssl_verify` | `QRADAR_SSL_VERIFY` | Yes | Enable the SSL certificate check for all instances (default: `true`) |
| `qradar_reference_name` | `QRADAR_REFERENCE_NAME` | Yes | The name of the reference set base name Ex Opencti. |
| `qradar_ignore_types` | `QRADAR_IGNORE_TYPES` | Yes | The list of entity types to ignore. |
| `metrics_enable` | `METRICS_ENABLE` | No | Whether or not Prometheus metrics should be enabled. |
| `metrics_addr` | `METRICS_ADDR` | No | Bind IP address to use for metrics endpoint. |
| `metrics_port` | `METRICS_PORT` | No | Port to use for metrics endpoint. |
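Review bot: the new `qradar_url_reference` row describes the value as a "REST API URL", but the code concatenates it directly onto `qradar_url` (`f"{self.qradar_url}{self.qradar_url_reference}/..."`), so it is a path, not a URL. Say so in the description and state the constraints the concatenation silently relies on: it must start with `/`, must not end with `/`, and must be given relative to `qradar_url`. Otherwise an operator who pastes a full `https://...` value gets a malformed request URL with no error at startup.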
1 change: 1 addition & 0 deletions stream/qradar/docker-compose.yml
@@ -13,6 +13,7 @@ services:
- CONNECTOR_SCOPE=qradar
- CONNECTOR_LOG_LEVEL=error
- QRADAR_URL=https://QRADAR1.changeme.com
- QRADAR_URL_REFERENCE=ChangeMe # Default /api/reference_data_collections/sets
- QRADAR_TOKEN=Token1
- QRADAR_SSL_VERIFY=true
- QRADAR_REFERENCE_NAME=opencti
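Review bot: `QRADAR_URL_REFERENCE=ChangeMe` turns an optional setting into a broken one. The `default=` in `get_config_variable` only applies when the variable is unset; with this compose file as shipped, the collection URL becomes `https://QRADAR1.changeme.comChangeMe/opencti_...` and every reference-set call fails. Since the README marks the variable as not mandatory, either set it to the real default here, `- QRADAR_URL_REFERENCE=/api/reference_data_collections/sets`, matching `config.yml.sample`, or leave the line commented out so the code default takes effect.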
1 change: 1 addition & 0 deletions stream/qradar/src/config.yml.sample
@@ -14,6 +14,7 @@ connector:

qradar:
url: 'https://QRADAR1.ChangeMe.com'
url_reference: '/api/reference_data_collections/sets'
ssl_verify: true
token: 'ChangeMe' # Token for bearer auth (if set, will ignore basic auth params)
reference_name: 'OpenCTI'
15 changes: 13 additions & 2 deletions stream/qradar/src/qradar.py
@@ -22,19 +22,23 @@ def __init__(
self,
helper,
qradar_url: str,
qradar_url_reference: str,
qradar_token: str,
qradar_reference_name: str,
qradar_ssl_verify: bool,
) -> None:
self.helper = helper
self.qradar_url = qradar_url
self.qradar_url_reference = qradar_url_reference
self.qradar_token = qradar_token
self.qradar_reference_name = qradar_reference_name
self.qradar_ssl_verify = qradar_ssl_verify

@property
def collection_url(self) -> str:
return f"{self.qradar_url}/api/reference_data_collections/sets/{self.qradar_reference_name}"
return (
f"{self.qradar_url}{self.qradar_url_reference}/{self.qradar_reference_name}"
)

@property
def headers(self) -> dict:
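Review bot: `collection_url` now joins two operator-controlled strings with no slash normalisation, so `qradar_url` ending in `/` or `qradar_url_reference` missing its leading `/` produces `https://host//api/...` or `https://hostapi/...` respectively, and the failure only shows up as an HTTP error at the first write. Normalise once in `__init__`, e.g. `self.qradar_url = qradar_url.rstrip("/")` and `self.qradar_url_reference = "/" + qradar_url_reference.strip("/")`, and reject an empty value. Also, inserting `qradar_url_reference` as a positional parameter in the middle of the signature silently breaks any caller that still passes the old argument order; a keyword-only parameter with a default would keep backwards compatibility.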
@@ -59,7 +63,7 @@ def create(self, id: str, payload: dict, create_alphanumeric: bool = False):
url_request = (
f"{self.collection_url}_{self.get_type(payload)}"
if not create_alphanumeric
else f"{self.qradar_url}/api/reference_data_collections/sets?element_type=ALN&name={self.qradar_reference_name}_{self.get_type(payload)}"
else f"{self.qradar_url}{self.qradar_url_reference}?element_type=ALN&name={self.qradar_reference_name}_{self.get_type(payload)}"
)
payload["_key"] = id

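Review bot: the alphanumeric branch rebuilds `{self.qradar_url}{self.qradar_url_reference}` by hand instead of reusing the base that `collection_url` already computes, so any slash handling or validation added in one place will be missed in the other. Factor the base path into a single property (e.g. a `reference_sets_url` that both `collection_url` and this branch use). While this line is being touched, the `name=` query parameter is still interpolated unescaped; building the query with `urllib.parse.urlencode` would keep a reference name containing `&`, `#` or spaces from altering the request.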
@@ -315,6 +319,12 @@ def check_helper(helper: OpenCTIConnectorHelper) -> None:
"QRADAR_IGNORE_TYPES", ["qradar", "ignore_types"], config
).split(",")
qradar_url = get_config_variable("QRADAR_URL", ["qradar", "url"], config)
qradar_url_reference = get_config_variable(
"QRADAR_URL_REFERENCE",
["qradar", "url_reference"],
config,
default="/api/reference_data_collections/sets",
)
qradar_token = get_config_variable("QRADAR_TOKEN", ["qradar", "token"], config)
qradar_ssl_verify = get_config_variable(
"QRADAR_SSL_VERIFY", ["qradar", "ssl_verify"], config, False, True
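Review bot: the value read for `qradar_url_reference` is passed through unvalidated, so an empty string, a value without a leading `/`, or a placeholder such as the `ChangeMe` shipped in `docker-compose.yml` is accepted and only surfaces later as a malformed request URL. Check it here, next to the other config loading: require a non-empty string beginning with `/` and log a clear error (or fall back to the default) otherwise, so misconfiguration fails at startup rather than on the first reference-set write.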
@@ -347,6 +357,7 @@ def check_helper(helper: OpenCTIConnectorHelper) -> None:
reference_set = QradarReference(
helper,
qradar_url,
qradar_url_reference,
qradar_token,
qradar_reference_name,
qradar_ssl_verify,
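Review bot: `QradarReference(...)` is called with five positional arguments whose meaning depends entirely on their order, which this commit just changed by inserting `qradar_url_reference` second. Passing them as keywords (`qradar_url=qradar_url, qradar_url_reference=qradar_url_reference, ...`) would make a future reordering or insertion a type error rather than a silently swapped token and URL.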