
Cyware Threat Intelligence eXchange

QRadar

Connector Category: Security Information and Event Management (SIEM)

About Integration

IBM QRadar is a Security Information and Event Management (SIEM) application that provides real-time visibility into your IT infrastructure and helps you accelerate threat detection and prioritization. This integration enables CTIX to update the Reference Sets in the QRadar application with CTIX data (as an internal application).

The QRadar internal application in Intel Exchange supports the following actions:

Action Name: Update Reference Set

Description: This action updates the reference sets of the IBM QRadar application with the data retrieved from Intel Exchange.

To configure QRadar as an internal application, do the following:

Configure QRadar as Internal Application

Before you Start

  • You must have the base URL of your QRadar instance and either a username and password or an authentication token for it to configure the QRadar app in CTIX.

  • You must have the view and update tool integration permissions.

Steps

  1. Sign in to the CTIX application.

  2. From Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  3. Select Security Information and Event Management System.

  4. Look for QRadar and click on the app.

  5. Click Add Instance.

  6. Enter the instance name and base URL.

  7. Choose from the following authentication types:

    • Choose Username/Password and enter the User Name and Password.

    • Choose Authentication Token and enter the token value to connect to the QRadar instance.

  8. To have CTIX validate the QRadar server's certificate and secure the connection between CTIX and QRadar, select Verify SSL.

  9. Click Save.

Enable Update Reference Set

After configuring the QRadar application on CTIX, enable the action that updates QRadar reference sets.

  1. From Administration, open Integration Management, and select Internal Applications under Tool Integrations.

  2. Select Security Information and Event Management System.

  3. Select QRadar and click the vertical ellipsis on the top right corner of the screen, and click Manage.

  4. Click Manage Action(s).

  5. Select the action to enable.

  6. Enable the toggle to update the reference sets.

  7. Click Save.

Create a Rule in CTIX to Update Reference Set in QRadar

  1. From the Main Menu, select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. Add any tags to easily identify and categorize components in the CTIX application.

  5. Click Submit.

Set the following optional global conditions for a rule from Basic Details:

  1. Allow All Conditions: Applies all available conditions to the selected threat data object. When selected, the system notifies you that the previously selected conditions will be removed, and the Conditions entry under Components on the left side of the screen is removed.

  2. Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

  3. Triggers on Manual Update: Runs the rule for any manual update an analyst makes to an existing threat data object. It does not run the rule for new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm that all sources and collections are allowed for the trigger that updates the threat data object.

  4. Exclude False Positive: Excludes the identified false positives from the data. This option is selected by default, so no false positives are included. It overrides any conditions configured in the rule in order to remove false positive threat data objects.

  5. Exclude Indicators Allowed: Excludes the identified allowed indicators from the data. This option is selected by default, so no allowed indicators are included. It overrides any conditions configured in the rule in order to remove the allowed threat data objects.

Define the Sources and collections, Conditions, and Actions for this rule.

In Actions, choose the following:

  1. Actions - Update Reference Set

  2. Application - QRadar

  3. Account - Choose the QRadar account.

  4. Choose the reference data set from QRadar. The list shows at most 10,000 reference sets at any given moment.

  5. Select Add or Remove as the Operation to add the IOC to the reference set or remove it from the reference set.

Click Save.
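The configuration steps above (base URL, Username/Password or Authentication Token, Verify SSL) and the rule's Add/Remove operation map onto a small number of QRadar REST API calls. The following is an added example written for this page; it is not Cyware's or IBM's code. It assumes the public QRadar REST API endpoints as documented by IBM (POST /api/reference_data/sets/{name}?value=… to add a value, DELETE /api/reference_data/sets/{name}/{value} to remove one, a token in the SEC header, user/password as HTTP Basic auth); the Version header value, the host name and the credentials are constructed placeholders, and the endpoints should be checked against the API documentation of your QRadar release.

```python
"""Added example (not Cyware's or IBM's code): the two reference-set operations
this page describes, "Add" and "Remove", expressed as QRadar REST API requests,
driven by the same settings CTIX asks for when you add a QRadar instance.

Assumptions, labelled as such:
  * endpoints follow IBM's public QRadar REST API:
      POST   /api/reference_data/sets/{set_name}?value={value}   -> add
      DELETE /api/reference_data/sets/{set_name}/{value}         -> remove
  * a token goes in the SEC header, user/password in HTTP Basic auth;
  * the Version header value is a placeholder, use the one your QRadar exposes.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class QRadarConfig:
    base_url: str                    # e.g. https://qradar.example.internal (constructed)
    username: Optional[str] = None   # Username/Password authentication type
    password: Optional[str] = None
    token: Optional[str] = None      # Authentication Token type (sent as SEC header)
    verify_ssl: bool = True          # the "Verify SSL" option on the CTIX instance


def auth_headers(cfg: QRadarConfig) -> dict:
    """Translate the chosen authentication type into QRadar request headers."""
    headers = {"Accept": "application/json", "Version": "12.0"}  # Version: assumed placeholder
    if cfg.token:
        headers["SEC"] = cfg.token
    elif cfg.username and cfg.password:
        raw = f"{cfg.username}:{cfg.password}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        raise ValueError("configure either a token or a username and password")
    return headers


def build_request(cfg: QRadarConfig, operation: str, set_name: str, ioc: str) -> urllib.request.Request:
    """Map the rule's Operation (Add / Remove) onto the reference-set endpoints.
    Set name and IOC are percent-encoded with no safe characters, so a value
    containing '/' or '?' cannot change the path or query of the request."""
    base = cfg.base_url.rstrip("/")
    quoted_set = urllib.parse.quote(set_name, safe="")
    quoted_ioc = urllib.parse.quote(ioc, safe="")
    if operation == "Add":
        url = f"{base}/api/reference_data/sets/{quoted_set}?value={quoted_ioc}"
        method = "POST"
    elif operation == "Remove":
        url = f"{base}/api/reference_data/sets/{quoted_set}/{quoted_ioc}"
        method = "DELETE"
    else:
        raise ValueError(f"unsupported operation: {operation}")
    return urllib.request.Request(url, method=method, headers=auth_headers(cfg))


def ssl_context(cfg: QRadarConfig) -> ssl.SSLContext:
    """Verify SSL on: the default context validates the certificate chain and hostname.
    Verify SSL off: nothing is checked, so the IOC feed and the credentials could be
    read or altered by anyone on the path; only acceptable on an isolated lab box."""
    ctx = ssl.create_default_context()
    if not cfg.verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def update_reference_set(cfg: QRadarConfig, operation: str, set_name: str, ioc: str,
                         send: Optional[Callable[[urllib.request.Request], dict]] = None) -> dict:
    """Perform one Add/Remove. `send` lets a caller substitute the transport (dry runs,
    tests); by default the request goes over HTTPS with the configured SSL policy."""
    req = build_request(cfg, operation, set_name, ioc)
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req, context=ssl_context(cfg), timeout=30) as resp:
        body = resp.read().decode()
        return json.loads(body) if body else {}


if __name__ == "__main__":
    # Dry run with a constructed instance: print the request instead of sending it.
    cfg = QRadarConfig(base_url="https://qradar.example.internal", token="PLACEHOLDER-TOKEN")
    for op, value in (("Add", "203.0.113.7"), ("Remove", "203.0.113.7")):
        result = update_reference_set(cfg, op, "CTIX Malicious IPs", value,
                                      send=lambda r: {"method": r.get_method(), "url": r.full_url})
        print(result)
```

Run it as-is for a dry run that only prints the requests; pass a real base URL and token (or username/password) and drop the `send` argument to make the calls. Keeping Verify SSL on is the setting that makes the token or password safe in transit; the context returned with it off is shown only so the difference is visible in code.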