About IBM QRadar
IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise, its network devices, host assets, operating systems, applications, vulnerabilities, and user activities.
Combining QRadar with SIRP provides a powerful integration of real-time data ingestion, enabling security analysts to quickly detect threats and provide risk-based prioritization.
Supported Actions
SIRP’s QRadar integration app allows you to execute the following actions:
1 | Get Offences | Pulls Offenses from Qradar |
2 | Push Domain To Refset | Pushes Domain in SIRP-dedicated reference set in Qradar |
3 | Push Ip To Refset | Pushes IP in SIRP-dedicated reference set in Qradar |
4 | Get Log Sources | Pulls log sources information from Qradar |
5 | Get Offense Status | Queries offense status from Qradar |
6 | Close Qradar Offense | Closes offense on Qradar |
7 | Get Events For Query | Pulls events for an AQL query from Qradar |
8 | Push Email To Refset | Pushes Email to SIRP-dedicated reference set in Qradar |
9 | Push Hash To Refset | Pushes hash to SIRP-Dedicated reference set in Qradar |
10 | Push Url To Refset | Pushes URL to SIRP-Dedicated reference set in Qradar |
11 | Add Offense Note | Adds not to Offense in Qradar |
12 | Get Offences With Events | Pulls Offenses with its events from Qradar |
13 | Assign User To Offense | Assigns offense to user in Qradar |
14 | Remove Domain From Refset | Removes Domain from SIRP-dedicated reference set in Qradar |
15 | Remove Ip From Refset | Removes IP from SIRP-dedicated reference set in Qradar |
16 | Remove Email From Refset | Removes email from SIRP-dedicated reference set in Qradar |
17 | Remove Hash From Refset | Removes hash from SIRP-dedicated reference set in Qradar |
18 | Remove Url From Refset | Removes URl from SIRP-dedicated reference set in Qradar |
19 | Push Username To Refset | Pushes username to SIRP-dedicated reference set in Qradar |
20 | Remove Username From Refset | Removes username from SIRP-dedicated reference set in Qradar |
21 | Get Log Source Stats By Status | Pulls log source integration stats for widget in SIRP |
22 | Get Log Source Stats By Group | Pulls log source group stats for widget in SIRP |
23 | Push Domain To Custom Refset | Pushes Domain to a custom reference set in Qradar |
24 | Push Ip To Custom Refset | Pushes IP to a custom reference set in Qradar |
25 | Push Email To Custom Refset | Pushes Email to a custom reference set in Qradar |
26 | Push Hash To Custom Refset | Pushes hash to a custom reference set in Qradar |
27 | Push Url To Custom Refset | Pushes URL to a custom reference set in Qradar |
28 | Remove Domain From Custom Refset | Removes domain from custom reference set in Qradar |
29 | Remove Ip From Custom Refset | Removes IP from custom reference set in Qradar |
30 | Remove Email From Custom Refset | Removes email from custom reference set in Qradar |
31 | Remove Hash From Custom Refset | Removes hash from custom reference set in Qradar |
32 | Remove Url From Custom Refset | Removes URL from custom reference set in Qradar |
33 | Push Username To Custom Refset | Pushes username to custom reference set in Qradar |
34 | Remove Username From Custom Refset | Removes username from custom reference set in Qradar |
35 | Get Offences & Query Events | Gets Offenses and with query-specific events |
36 | Get Users Against Url | Queries Users against custom AQL queries that uses URL artefact. |
Enable and Configure QRadar App
1. Login to the QRadar web console and go to the Admin tab from the left navigation bar.
2. Click on the “Authorized services” icon.
3. Copy “Authentication Token”
1. Next, login to SIRP, then go to Apps from the left navigation bar
2. Locate the app named QRadar
3. Enable the QRadar app by clicking on the toggle button under the Status column. Make sure the token is set to never expire.
4. As soon as you enable the App, you will get an option to add the configuration details.
Add the following details:
Configuration Name: <Name of Configuration>
Host: <IP address of QRadar>
Auth Token: <Authentication token copied from QRadar>
Update QRadar Reference Set from SIRP
In order to update QRadar Reference Set from SIRP, follow the steps given in the next section.
1. In the System Configuration section, click Reference Set Management.
2. Select the reference set that you want to add the elements to, and click View Contents.
3. Click the Content tab.
4. Next, create the Reference Set with SIRP_IP, SIRP_Domain in the top navigation from within QRadar for automatic ingestion.
Create and Configure QRadar Ingestion
There are two ways to ingest alerts and offenses from QRadar into SIRP.
1. API-based ingestion: In this method SIRP connects with QRadar through its API and fetches the newly triggered offenses. This method is simple and quick to implement.
2. Email-based ingestion: In this method, offenses and alerts are configured to be sent to a particular email address, whereas SIRP is configured to read that email inbox, fetch the alerts and then ingest within its database.
Enablement of QRadar API-based Offense Ingestion
In order to start ingesting offenses from QRadar through API, you need to create a new ingestion source and enable it.
1. Go to Administration section from the left-hand navigation bar
2. Go to Apps > Ingestion Sources
3. Click on Add Source
4 . Fill the fields in the popup form as shown in the image above:
Name: QRadar (This can be any name to distinguish this ingestion source)
Ingestion Method: API
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Widget Name: Leave blank
Frequency: Every 5 min (SIRP will call QRadar API every 5 minutes to check for new offenses)
Opened By: Not Mandatory
Applications: Select QRadar application
Configuration: Select configuration name
Actions: Select get_offences_with_events
Format: JSON
9. Click Create button to create the new ingestion source
10. The last step after creating an ingestion source is mapping the data fields ingested from QRadar with the fields available in SIRP. After you create the ingestion source, you will get a new configuration icon under the Actions column. Click on the icon to configure the fields.
11. Configure the field mapping as shown in the following screenshot and click Save.
After enabling the ingestion source, SIRP will start to call IBM QRadar’s API every 5 minutes to check for any new and offenses. If SIRP finds any offenses, it will start ingesting the records within its database.
The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.
Another way to ingest alerts and offenses from QRadar into SIRP is mentioned below:
Customise QRadar Email Templates
You can create templates for email notifications that are triggered for custom alerts. Customize the content that is included in the email notification by editing the alert-config.xml file.
Note: You must create a temporary directory where you can safely edit your copy of the files, without the risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area. You must deploy the full configuration to rebuild the configuration files for all appliances
Step 1: Using SSH, log in to the QRadar Console as the rootuser.
Step 2: Create a new temporary directory to use to safely edit copies of the default files.
Step 3: To copy the files that are stored in the custom_alerts directory to the temporary directory, type the following command: The <directory_name> option is the name of the temporary directory that you created.
Confirm that the files were copied successfully:
To list the files in the directory, type the following command:
ls -lah
Verify the following file is listed:
alert-config.xml
Step 4: Open the alert-config.xml file for editing and paste the attached document. Step 5: Save and close the file.
Step 6: To validate your changes, type the following command
/opt/qradar/bin/runCustAlertValidator.sh <directory_name>
If the script validates the changes successfully, the following message is displayed:
File alert-config.xml was deployed successfully to staging!
Step 7: Log in to QRadar.
Step 8: Click the Admin tab.
Step 9: Select Advanced > Deploy Full Configuration.
When you deploy the full configuration, QRadar restarts all services. Data collection for events and flows stops until the deployment completes.
Your custom email notifications are now complete. Rules that have an email notification set as the rule response will generate emails using the custom parameters you specified. Using custom parameters, you can customize your email notifications.
Enable Microsoft Exchange in SIRP
1. Go to Apps from the left navigation bar.
2. Locate the app named Microsoft Exchange.
3. Enable the Microsoft Exchange app by clicking on the toggle button under the Status column.
4. As soon as you enable the App, you will get an option to add the configuration details.
Add the following details:
Host: <IP address of Microsoft Exchange>
Port: <port number>
Email: <Insert a designated email address of SIRP account>
Password: <Insert password of SIRP Account>
Username: <Insert username>
Enablement of QRadar Email-based Alerts Ingestion
In order to start ingesting custom alerts from QRadar through Email, you need to create a new ingestion source and enable it.
1. Go to Administration section from the left-hand navigation bar.
2. Go to Apps > Ingestion Sources
3. Click on Add Source
4. Fill the fields in the popup form as shown in the image above:
Name: QRadar (This can be any name to distinguish this ingestion source)
Ingestion Method: Email
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Frequency: Every 5 min (SIRP will call Microsoft Exchange Email every 5 minutes to check for new custom alerts)
Opened By: Select a user from the dropdown
Applications: Select the Microsoft Exchange application
Actions: Select parse_json_format_emails
Format: JSON
5. Click the Create button to create the new ingestion source.
6. The last step after creating an ingestion source is mapping the data fields ingested from Microsoft Exchange with the fields available in SIRP.
7. After you create the ingestion source, you will get a new configuration icon
under the Actions column. Click on the icon to configure the fields
1. Configure the field mapping as shown in the following screenshot and click Save.
After enabling the ingestion source, SIRP will start to call Microsoft Exchange Email every 5 minutes to check for any new and custom alerts. If SIRP finds any custom alerts, it will start ingesting the records within its database.
The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.