Apps overview
IBM QRadar apps are created by developers. After a developer creates an app, IBM® certifies and publishes it in the IBM Security App Exchange. QRadar administrators can then browse and download the apps and install them into QRadar to address specific security requirements.
The IBM QRadar Assistant app helps you to manage and update your app and content extension inventory, view app and content extension recommendations, follow the QRadar Twitter feed, and get links to useful information. The app is automatically installed with QRadar V7.3.2 or later.
The following diagram shows the workflow for an app and the role that is typically responsible for the work.
FAQ
- What is an app?
Apps create or add new functions in QRadar by providing new tabs, API methods, dashboard items, menus, toolbar buttons, configuration pages, and more within the QRadar user interface. You download apps from the IBM Security App Exchange. Apps that are created by using the GUI Application Framework Software Development Kit integrate with the QRadar user interface to deliver new security intelligence capabilities or extend the current functions.
Every downloaded file from the IBM Security App Exchange is known as an extension. An extension can consist of an app or security product enhancement (content extension) that is packaged as an archive (.zip) file, which you can deploy on QRadar by using the Extensions Management tool on the Admin tab.
- Who can create an app?
You can use the GUI Application Framework Software Development Kit to create apps. For more information about the GUI Application Framework Software Development Kit, see the IBM Security QRadar® App Framework Guide.
You download the SDK from IBM developerWorks® (https://developer.ibm.com/qradar/).
- How do I share my app?
Only certified content is shared in the IBM Security App Exchange, a new platform for collaborating where you can respond quickly and address your security and platform enhancement requirements. In the IBM Security App Exchange, you can find available apps, discover their purpose and what they look like, and learn what other users say about the apps.
- How do I get an app that I downloaded into QRadar?
A QRadar administrator downloads an extension and imports it into QRadar by using the Extensions Management tool, which is used to upload the downloaded extension from a local source.
- Where do I get help for an app?
You can see information about an app in the overview section when you download the app from the IBM Security App Exchange. For apps developed solely by IBM, you can find information in the IBM Knowledge Center.
- How much memory does an app need?
The combined memory requirements of all the apps that are installed on a QRadar Console cannot exceed 10 per cent of the total available memory. If you install an app that causes the 10 per cent memory limit to be exceeded, the app does not work.
If your app requires a minimum memory allocation, you must specify this allocation as part of your app manifest. The default allocation is 200 MB.
- What is the difference between an app, a content extension, and a content pack?
- Extension
From within QRadar, an extension is a term that is used for everything that you download from the IBM Security App Exchange. Sometimes that extension contains individual content items, such as custom AQL functions or custom actions, and sometimes the extension contains an app that is developed by using the GUI App Framework Software Development Kit. You use the Extensions Management tool to install extensions.
- App
An app is content that is created when you use the GUI App Framework Software Development Kit. The app extends or creates new functions in QRadar.
- Content extension
A content extension is typically used to update QRadar security template information or add new content such as rules, reports, searches, logos, reference sets, and custom properties. Content extensions are not created by using the GUI Application Framework Software Development Kit.
You download content packs from IBM Fix Central in RPM format.
Typically, content extensions differ from content packs because you download content packs (RPM files) from IBM Fix Central (www.ibm.com/support/fixcentral).