SIRP provides point integrations with a number of cybersecurity, IT, and OT products. Each product’s integration is supported by its own app. Each app is individually configured and has its own set of actions. Currently, SIRP integrates with more than 120 technologies supporting 600+ actions.

Ingestion Sources

An ingestion source is used to populate the data into SIRP instances in various forms. For instance, a phishing playbook might be applied to an email-based ingestion source while an incident playbook might be applied to a SIEM-alert ingestion source.

To manage the ingestion sources and logs, go to the Main Menu and select Administration.

Once the Administration section is displayed, select the Applications tab at the top of the page, and then Ingestion Sources under that.

Main Menu > Administration > Automation> Ingestion Sources

This page displays the list of Ingestion Sources.

To create Ingestion Source, click Add Source. This will display a pop-up.

Fill the fields in the popup form as shown in the image above.

Example: For QRadar specific ingestion source.

  • Name: QRadar (This can be any name to distinguish this ingestion source)

  • Ingestion Method: API

  • Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)

  • Widget Name: Leave blank

  • Frequency: Every 5 min (SIRP will call QRadar API every 5 minutes to check for new offenses)

  • Opened By: Select a user from the dropdown

  • Applications: Select the QRadar application

  • Actions: Select get_offences

  • Format: JSON

Click Create button to create the new ingestion source.

The last step after creating an ingestion source is mapping the data fields ingested from QRadar with the fields available in SIRP.

Field Mapping

After you create the ingestion source, you will get a new configuration icon under the Actions column. Click on the icon to configure the fields.

Configure the field mapping as shown in the following screenshot and click Save.

After enabling the ingestion source, SIRP will start to call IBM QRadar’s API every 5 minutes to check for any new offenses. If SIRP finds any offenses, it will start ingesting the records within its database.

The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.

Did this answer your question?