Adding custom actions

Attach scripts to custom rules to take specific actions in response to network events. Use the Custom Action window to manage custom action scripts.

Use custom actions to select or define the value that is passed to the script and the resulting action.

For example, you can write a script to create a firewall rule that blocks a source IP address from your network in response to a rule that is triggered by a defined number of failed login attempts.

The following are examples of custom actions that result from passing values to a script:

  • Block users and domains.
  • Initiate workflows and updates in external systems.
  • Update TAXII servers with a STIX representation of a threat.

Custom actions work best with low-volume custom rule events and with custom rules that have a low response limiter value.

  1. On the navigation menu, click Admin.
  2. In the Custom Actions section, click Define Actions.
  3. To upload your scripts, click Add. Programming language versions that the product supports are listed in the Interpreter list.

    For the security of your deployment, QRadar® does not support the full range of scripting functionality that is provided by the Python, Perl, or Bash languages.

  4. Specify the parameters that you want to pass to the script that you uploaded.
    Table 1. Custom action parameters

    Fixed property
      Values that are passed to the custom action script.

      These properties are not based on the events or flows themselves, but cover other defined values that you can use the script to act on. For example, pass the fixed properties username and password for a third-party system to a script to send an SMS alert.

      Encrypt fixed properties by selecting the Encrypt value check box.

    Network event property
      Dynamic Ariel properties that are generated by events. Select from the Property list.

      For example, the network event property sourceip provides a parameter that matches the source IP address of the triggered event.

      For more information about Ariel properties, see the IBM QRadar Ariel Query Language Guide.

Parameters are passed into your script in the order in which you added them in the Custom Actions window.

When custom action scripts are run, a chroot jail is set up in the /opt/qradar/bin/ca_jail/ directory. Any content in the /opt/qradar/bin/ca_jail/ directory can be modified and written to by scripts. The custom action user's home directory (/home/customactionuser) can also be modified.

A script can run only from inside the jail environment so that it does not interfere with the QRadar run environment. All file access during custom action execution is relative to the /opt/qradar/bin/ca_jail/ directory.

The custom action user account might not have permission to run follow-up commands, such as logging into a firewall and blocking an IP address. Test whether your script runs successfully before you associate it with a rule.
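The following script is an added example, not IBM's code, of how a custom action script receives its parameters positionally and validates them before acting. It assumes the script was uploaded with the fixed properties username and password followed by the network event property sourceip, that the file name blocklist.jsonl is resolved relative to the jail directory, and that the listed protected networks are the deployment's own ranges; the actual firewall call is left to the third-party system's interface.

```python
import ipaddress
import json
import sys

# Parameters arrive positionally, in the order they were added in the Custom Actions
# window. Assumed order: username and password (fixed), then sourceip (network event).
PARAM_NAMES = ("username", "password", "sourceip")
# Assumed: networks the script must never act on, so a misfiring rule cannot block
# the deployment's own infrastructure.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# File access inside the chroot jail is relative to the jail directory (assumed name).
BLOCKLIST_PATH = "blocklist.jsonl"


def validate_source_ip(raw):
    """Return an ip_address object if the value is safe to block, else None."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return None
    return None if any(addr in net for net in PROTECTED_NETWORKS) else addr


def build_block_record(args):
    """Map positional parameters to names; return (record, error)."""
    if len(args) != len(PARAM_NAMES):
        return None, "expected %d parameters, got %d" % (len(PARAM_NAMES), len(args))
    params = dict(zip(PARAM_NAMES, args))
    addr = validate_source_ip(params["sourceip"])
    if addr is None:
        return None, "refusing to act on address %r" % params["sourceip"]
    # The password only authenticates to the third-party system; never write it to disk.
    return {"action": "block", "ip": str(addr), "ip_version": addr.version,
            "requested_by": params["username"]}, None


def main(argv):
    record, error = build_block_record(argv[1:])
    if error:
        print(error, file=sys.stderr)
        return 1  # a non-zero exit is visible when you test the script before use
    with open(BLOCKLIST_PATH, "a") as fh:  # resolved inside the jail
        fh.write(json.dumps(record) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the Test Execution function with sample values in the same order as the parameters you defined; a malformed or protected address exits non-zero without writing anything.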

Note: The type of custom action that you implement depends on your network infrastructure and its components. For example, you can configure REST APIs on Cisco devices to block suspect IP addresses. Other third-party vendors might not provide a REST interface, so you might need to develop your own web services solution to run custom actions.

You must run the dos2unix utility on scripts that originate from a Windows or DOS system. Windows or DOS systems typically add control characters. To successfully test custom action scripts by using the script Test Execution function in QRadar, you must remove the control characters.