Skip to main content

Cyware Threat Intelligence eXchange

QRadar

Connector Category: API Feed Source

About Integration

IBM QRadar is a Security Information and Event Management (SIEM) application that provides real-time visibility into your IT infrastructure and helps you accelerate threat detection and prioritization. This integration enables CTIX to receive Offence data from QRadar.

Using this integration, the CTIX application can constantly receive real-time threat intelligence feeds. Once you have the data in CTIX, you can use the many features of the CTIX application to enhance, share, or define relationships for the IOCs received from QRadar.

QRadar is available as an out-of-the-box integration in the CTIX application.

To configure QRadar as an integration tool, do the following:

  1. Configure Rules in QRadar

  2. Configure QRadar as an Integration Tool

  3. Configure Feed Channels for QRadar Integration

  4. Poll Offense Data Manually

Configure Rules in QRadar

Configure rules in the QRadar application to create offenses.

Steps:

  1. Sign in to the QRadar application as an administrator.

  2. Click Offenses and select Rules.

  3. Click Actions and select New Offense Rule.

  4. Select the conditions for offenses and click Finish to complete building the rule.

Configure QRadar as an Integration Tool

Use the following steps to configure the app in the CTIX application and get started:

Before you Start

You must have the URL, username, and password or authentication token of your QRadar account to configure the QRadar app in CTIX. The user configuring the integration should have View & Update Tool Integration permission.

Steps

  1. Sign in to the CTIX application.

  2. Navigate to the Integration Management module and select the APIs section. This section displays the list of all available apps.

  3. Click Add API source.

  4. Use the search bar to locate QRadar and click on the app to open the configuration page.

  5. Click Add Instance to add a QRadar instance.

  6. Enter the base URL.

  7. Choose from the following authentication types:

    • Username/Password: Enter the associated username and password.

    • Authentication Token: Enter the associated token.

  8. To secure the connection between CTIX and QRadar server, select Verify SSL.

  9. Click Save.

Configure Feed Channels for QRadar Integration

After configuring your QRadar app, you have to configure and enable the feed available for this integration.

For QRadar integration, you can configure the Retrieve Offenses feed channel.

Steps:

  1. From Administration, open Integration Management and select APIs under FEED SOURCES.

  2. Use the search bar to locate QRadar and click on the app.

  3. Click the ellipses on the top right corner of the screen and select Manage.

  4. On the Manage Instance page, click Manage Feed Channel(s).

  5. Select Retrieve Offenses feed channel.

  6. Enable the feed channel and enter a name for a collection that will have the feed data. The system creates this collection and puts all the QRadar offenses data into this collection.

  7. Enter the last polled date. You can choose the start date only within the last 15 days.

  8. Select the Polling Cron Schedule to specify the poll type your QRadar account for data.

    • Select Manual if you want to manually poll for threat data from QRadar.

    • Select Auto to automatically pool for the feeds. Enter a frequency in seconds for the automatic polling.

  9. Select a default TLP that you want to assign for the feeds.

  10. Set a default confidence score for the data.

  11. Select any tags that you may want to associate with the data from QRadar.

  12. Enable Broken connection Retry Policy to allow the CTIX application to re-attempt any failed connection attempts to your QRadar account.

    1. You can enter the retry interval units in minutes, days, or weeks and also specify the retry interval and the retry count.

    2. Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses.

      Note

      You need to have View and Update Tool Integrations permissions to receive failed connection notifications.

  13. Click Save.

You can configure multiple instances of this integration by clicking Manage and Add More on the Manage Instance screen.

Poll Offense Data Manually

If you enable Auto polling while configuring feed channels, the polling will be done automatically. However, if you want to poll for offenses manually, use the following process.

Steps:

  1. Sign in to the CTIX application.

  2. Navigate to the Integration Management module and select the APIs section.

  3. Select QRadar.

  4. Select Retrieve Offense feed channel.

  5. Click the vertical ellipsis and choose Poll Now.