IBM Support

QRadar Custom Action Script: Testing Scripts

Troubleshooting


Problem

In QRadar®, a Custom Action Script has been created and a Custom Rule has been configured to fire the Custom Action Script. When the Rule is triggered, however there is no indication that the Custom Action Script is running.

Resolving The Problem

Step 1. Create a test script

The purpose of the provided sample script is to write a file named test.txt each time all rule tests are matched in a sample rule.  
  1. Create a file with a .sh extension using the provided sample script:
      #!/bin/bash  
    datetime="$(date)"  echo "  Custom Action Script Test Time: $datetime" >> /home/customactionuser/test.txt  echo "Text written to /home/customactionuser/test.txt?"
  2. Click the Admin tab.
  3. Under Custom Action, click Define Custom Action.
  4. To upload your scripts, click Add.
  5. Type a descriptive name for the custom action.
  6. Scroll down to Script configuration and Select Interpreter: Bash.
  7. Click Browse and locate the .sh file.
  8. Scroll to the bottom of the Define Custom Action window > click Save.
  9. Click Deploy Changes.

Step 2. Edit or create a rule to trigger your custom action

  1. Log in to the QRadar user interface.
  2. Click Offense tab > Rules.
  3. Locate or create a Custom Rule in the Rule Wizard that can be triggered easily.
    Tip: An example rule to test a custom action might be to use an authentication event from your existing log sources or you could use a specific QID, such as the Offense Created QID (28250369) to test your custom action.
  4. Edit the Rule to add the Host IP and a criteria such as successful login.
    Example of a rule.
    image-20180713124028-1
  5.  Click Next to configure Rule Responses
  6. Check the box next to 'Execute Custom Action'
  7. Click the newly created Custom Action Script in the 'Custom Action to execute' drop down box.
    image-20180713124327-3

Step 3. Confirm your custom action script triggers

Either by using "Test Execution" in the Define Actions window, or by confirming the Custom Rule has been triggered, verify the test file is created or updated:


To test your custom action in the user interface

  1. Click the Admin tab.
  2. Scroll to down to Custom Actions.
  3. Click Define Actions.
  4. Highlight the test script.
  5. Click Test Execution > Execute.
    image-20180713125625-4

    Results
    The test results can confirm when the script runs successfully.

How to verify the test script in the command line

  1. Create an event to cause the custom rule to trigger. 
  2. Use SSH to log in to the Console as the root user.
  3. To enter the shell to see the folder customactionuser use the chroot command:
        chroot --userspec=customactionuser /opt/qradar/bin/ca_jail/
  4. Use the ls command to see if the file exists:
        ls -lh /home/customactionuser/
  5.  While in the chroot'ed shell, the file test.txt should be seen.
       chroot --userspec=customactionuser /opt/qradar/bin/ca_jail/  $ ls /home/customactionuser/  test.txt?
    Results
    The file test.txt should exist in the /home/customactionuser/ directory. The purpose of the sample script is to write test.txt each time the rule response is triggered by a rule.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
05 March 2024

UID

ibm10717233