Adding multiple apps in an extension

Package and export multiple apps and other content in an extension so users can download related apps or content in one file.

About this task

You can include multiple apps or content types in an extension, which you export as a compressed (.zip) file.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. To get a list of the content types and search parameters, type the following command:

    /opt/qradar/bin/contentManagement.pl -h export

    In the following example, you search for apps that are represented by the content type ID of 100, and the regex .*, which matches everything.

    /opt/qradar/bin/contentManagement.pl --action search -c 100 -r .*

    You must specify the content type (-c) and a search regex (-r).


    In the following example, you search for the custom content type "dashboard" that is represented by the content type ID of 4, and the regex .*, which matches everything for dashboards content.

    /opt/qradar/bin/contentManagement.pl --action search -c 4 -r .*

    Use regex to narrow your search, for example, you use the following search to find dashboards content that includes 'Threat' in the name.

    /opt/qradar/bin/contentManagement.pl --action search -c 4 -r Threat

     
  3. Add the content type IDs or string and the IDs of the apps or content in a text file. The content type can be represented by the string or ID. Use the following format: 
    <content_type_ID_or_string>,<Content_or_app_ID>
<content_type_ID_or_string>,<Content_or_app_ID>
    Use the following rules to create the package text file:
    • Use a separate line for each content type.
    • Make sure that the first value that you enter on a line is the content type.
    • Make sure that the value that follows the content type is the ID of the app or the content.
    • Use commas to separate values.

    Here's an example of packaging an app that has a content type of 100 and a dashboard that has a content type of 4.

    4,22
100,1051

    Here's the same example where the string is used instead of the content type ID to represent the content type.

    dashboard,22
installed_application,1051
    In the following example, strings are used for the content type, which are followed by the content IDs.
    installed_application,1001
customrule,1274,1275
dashboard,10
  4. Save the text file as <my_package>.txt
  5. Type the following command to assemble and export your content in an extension file:

    /opt/qradar/bin/contentManagement.pl -a export -c package -f <mypackage>.txt.

     
    The extension is created as a .zip file in the /opt/qradar/bin folder. The file name has the following format:
    <file_name>-ContentExport-YYYYMMDDhhmmss.zip

What to do next

Download the compressed (.zip) file from the /opt/qradar/bin folder on your QRadar® Console. You can then use QRadar Extensions Management on the Admin tab to install your extension on your QRadar Console.

For more information about using the contentManagement.pl script to export content, and about Extensions Management, see the QRadar SIEM Administration Guide.