QRadar app development overview

Use the IBM® QRadar® GUI Application Framework to develop new application modules that integrate with QRadar and provide new capabilities.

Applications or apps are small plug-in modules to the GUI Application Framework. Apps serve endpoints from within a secure container to inject the content directly into the QRadar web interface.

Each app has its own dedicated memory allocation and a defined amount of CPU resources that are allocated to it.

The main web language that is used to author an application is Python, and the Flask framework is integrated and available for use by the application.

Note: If an app runs in an IPv6 environment and sends log messages to the QRadar host's Syslog (for example, through the qpylib.log function), the app container must be configured to use Python 2.7 so that the Python SysLogHandler can send the messages successfully. For more information, see Use Python 2.7 in your app.

How an application runs and interacts with QRadar

QRadar applications run inside an isolated Python Flask environment that is independent of the QRadar user interface.

The application can also use static images, scripts, and HTML pages.

All interaction with the application is proxied through the QRadar user interface. No direct access to network ports or web services is usually permitted.

Figure 1. Application Framework
Note: The combined memory requirements of all the apps that are installed on a QRadar Console cannot exceed 10 per cent of the total available memory. If you install an app that causes the 10 per cent memory limit to be exceeded, the app does not work.

If your app requires a minimum memory allocation, you must provide information about it in your app's documentation.

Apps that require internet access

If the app that you develop requires internet access, you must implement proxy support in your app. Apps can't use the proxy support that is built into QRadar.
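
One way to implement the proxy support described above, as an added example that is not IBM's or the framework's own code. It assumes the Python 3 standard library, a hypothetical proxy.json settings file kept under /store (the directory this page recommends for app configuration), and hypothetical function names.

```python
import json
import os
import urllib.request
from urllib.parse import quote, urlsplit

STORE_DIR = "/store"          # persistent directory named on this page
CONFIG_NAME = "proxy.json"    # hypothetical file name, not a QRadar convention


def load_proxy_config(store_dir=STORE_DIR):
    """Return validated proxy settings from the store, or None if unset."""
    path = os.path.join(store_dir, CONFIG_NAME)
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    parts = urlsplit(cfg.get("url", ""))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("proxy url must look like http(s)://host:port")
    if parts.username or parts.password:
        raise ValueError("keep credentials in 'username'/'password' fields")
    return cfg


def proxy_url(cfg, redact=False):
    """Build the proxy URL; redact=True gives a form that is safe to log."""
    parts = urlsplit(cfg["url"])
    host = parts.hostname
    if ":" in host:                       # IPv6 literal needs its brackets back
        host = "[%s]" % host
    if parts.port:
        host = "%s:%d" % (host, parts.port)
    auth = ""
    if cfg.get("username"):
        secret = "***" if redact else quote(cfg.get("password", ""), safe="")
        auth = "%s:%s@" % (quote(cfg["username"], safe=""), secret)
    return "%s://%s%s" % (parts.scheme, auth, host)


def build_opener(cfg):
    """Opener that uses only the app's own proxy settings, never the environment's."""
    proxies = {}
    if cfg is not None:
        proxies = {"http": proxy_url(cfg), "https": proxy_url(cfg)}
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
```

Pass only the redacted form of the URL to log calls so that proxy credentials do not end up in the QRadar host's Syslog.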

Types of app

The QRadar GUI Application Framework supports the app types that are described in the following table.

Table 1. Types of app
| App Type | Description |
|---|---|
| Areas (or visualizations) | New screen that is presented in a new tab. |
| Right-click menus | New right click menu options available with the QRadar GUI. |
| Toolbar buttons | New toolbar buttons, with the enabling code that runs from the confines of the app. |
| Dashboard/Dashboard widgets | New dashboard widgets, with the HTML served from a particular app. |
| Administrative screens | New Admin tab, configuration, and setup screens. |
| Hover Over metadata | Injection of hover over metadata into existing hover over areas. |
| JavaScript page scripts | Injected browser JavaScript functionality specific to an existing QRadar GUI screen area. |
| Resource Bundles | Partial support of Java style key value pair properties files to provide some level of globalization support. |
| Custom fragments | Inject custom HTML fragments into the QRadar UI. |
| Custom columns | Add columns with custom content to tables in the QRadar |

The app type content is dynamically injected back into the GUI display.

Apps are packaged as compressed archives (.zip), within the extension archive. You can install and uninstall apps by using RESTful endpoints. More RESTful endpoints exist to control the lifecycle of an app within QRadar.

Note: As a best practice, store your app configuration and data in /store because data in this directory is protected during app upgrades.

For more information about QRadar application framework REST API endpoints, see GUI Application Framework REST API endpoints.