About Client

CrowdSec is a fast-growing cybersecurity company with more than 300k installations. According to G2 it is a market leader in more than 8 categories.

Problem Statement

CrowdSec offers CTI data through its API. Many of its enterprise customers want to consume this data from their own security tooling, and IBM QRadar is one of the most common SIEMs used by enterprises.

QRadar Architecture

(Figure: QRadar architecture diagram)

QRadar is a complex tool that performs the full range of SIEM tasks. We had to find a way to integrate CrowdSec CTI data into QRadar that would fit most existing analyst workflows. This was to be the first iteration of the app; CrowdSec wanted to add more features later based on feedback from its customers.

Solution

After extensive research into how teams use QRadar, we decided to build a QRadar app for CrowdSec. The app lets users query CrowdSec CTI data for a particular IP by right-clicking that IP anywhere in the QRadar UI. The app then queries the CrowdSec CTI API and returns the data for that IP in a popup.

To carry the "IBM Validated" badge, a QRadar app's publisher must be an IBM technology partner. This matters for enterprise users because the badge adds credibility. So the first step was helping CrowdSec become an IBM technology partner, with help from our IBM contacts.

Implementation

QRadar apps are essentially Docker containers running a web service. The official SDK for QRadar apps is in Python and its syntax is very similar to Flask. We used this SDK to implement the app. The popup is designed to resemble the UI of CrowdSec's Console.
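The lookup behind the right-click action, as an added example written for this page rather than code from CrowdSec's QRadar app: it validates the IP string handed over by the QRadar UI before it touches a URL, sends the API key in a header (never in the URL or the logs), and maps the API's 200/404/401/429 answers to something the popup can show. The endpoint shape (https://cti.api.crowdsec.net/v2/smoke/<ip> with an x-api-key header) and the response fields are assumptions to be checked against CrowdSec's CTI API documentation; the responses in FAKE_RESPONSES are constructed so the module runs offline.

```python
"""Added example of the CTI lookup a QRadar right-click action would perform.

Not CrowdSec's code. Assumptions, also flagged in comments: the CTI endpoint
shape, the x-api-key header and the response fields read in summarise().
"""
import ipaddress
import json
import urllib.error
import urllib.request
from urllib.parse import quote, unquote

# Assumed endpoint shape; a real app would take this from its saved configuration.
CTI_BASE = "https://cti.api.crowdsec.net/v2/smoke/"


class CtiLookupError(Exception):
    """API-side failure; the message is safe to display in the popup."""


def normalise_ip(raw: str) -> str:
    """Return the canonical form of exactly one IPv4/IPv6 literal, else raise ValueError.

    Parsing with ipaddress rejects anything that is not a single address, so values
    such as "203.0.113.7/../other" never reach the request URL.
    """
    return str(ipaddress.ip_address(raw.strip()))


def is_valid_ip(raw: str) -> bool:
    try:
        normalise_ip(raw)
        return True
    except ValueError:
        return False


def build_request(ip: str, api_key: str) -> urllib.request.Request:
    """Authenticated GET for one IP; the key travels only in a header."""
    url = CTI_BASE + quote(normalise_ip(ip), safe="")
    return urllib.request.Request(url, headers={"x-api-key": api_key, "Accept": "application/json"})


def summarise(payload: dict) -> dict:
    """Pick the fields the popup shows (field names assumed from the smoke response)."""
    return {
        "ip": payload.get("ip"),
        "reputation": payload.get("reputation") or "unknown",
        "as_name": payload.get("as_name"),
        "country": (payload.get("location") or {}).get("country"),
        "behaviors": [b.get("name") for b in payload.get("behaviors") or []],
    }


def http_transport(req: urllib.request.Request, timeout: float):
    """Real transport: (status, body), with HTTP error codes returned rather than raised."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def lookup(ip: str, api_key: str, transport=http_transport, timeout: float = 5) -> dict:
    req = build_request(ip, api_key)  # ValueError on bad input, before any network call
    status, body = transport(req, timeout)
    if status == 200:
        return summarise(json.loads(body))
    if status == 404:
        # Not in CrowdSec's data: show "unknown" instead of failing the popup.
        return summarise({"ip": normalise_ip(ip)})
    if status in (401, 403):
        raise CtiLookupError("CrowdSec CTI API rejected the configured API key")
    if status == 429:
        raise CtiLookupError("CrowdSec CTI API quota exceeded; retry later")
    raise CtiLookupError(f"unexpected HTTP {status} from CrowdSec CTI API")


# Constructed responses standing in for the CTI API so the module runs offline.
FAKE_RESPONSES = {
    "203.0.113.7": (200, {"ip": "203.0.113.7", "reputation": "malicious", "as_name": "EXAMPLE-AS",
                          "location": {"country": "ZZ"},
                          "behaviors": [{"name": "http:scan"}, {"name": "ssh:bruteforce"}]}),
    "198.51.100.2": (404, {"message": "IP address not found"}),
    "192.0.2.9": (429, {"message": "quota exceeded"}),
}


def fake_transport(req: urllib.request.Request, timeout: float):
    ip = unquote(req.full_url.rsplit("/", 1)[-1])
    status, payload = FAKE_RESPONSES.get(ip, (500, {}))
    return status, json.dumps(payload).encode()


if __name__ == "__main__":
    for candidate in ("203.0.113.7", "198.51.100.2", "192.0.2.9", "2001:db8::1", "203.0.113.7/../x"):
        try:
            print(candidate, "->", lookup(candidate, "dummy-key", transport=fake_transport))
        except (ValueError, CtiLookupError) as exc:
            print(candidate, "->", type(exc).__name__, exc)
```

In the app itself the route handler bound to the context-menu action would read the API key from the saved configuration and call lookup() with the default transport; keeping the transport injectable is what lets the lookup logic be tested without the CrowdSec API, and the error messages are worded so they can be shown to the analyst without leaking the key.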

We designed an interface for users to securely configure the app with their CrowdSec credentials. The app then uses this configuration to query the CrowdSec API. This is what the configuration UI looks like:

(Figure: QRadar app configuration screen)

This is what the app's right-click menu looks like:

(Figure: right-click menu)

This is what the popup looks like:

(Figure: popup, screenshot 1)

(Figure: popup, screenshot 2)

QRadar apps must be signed with certificates issued by IBM. We completed the process to obtain these for CrowdSec.

We also wrote a GitHub Action to automate the build process: it builds the app and signs it.

Challenges

Setting up the development environment for QRadar apps was challenging. The documentation is not very clear and is scattered across several places. We have documented the process here.

Results

The app passed IBM QRadar's security and QA review. It is available in the X-Force Exchange.

Source code is available at CrowdSec's GitHub.

Documentation is available at CrowdSec's documentation site.