Contents x
      QRadar 3.0.0
      • 06 Apr 2025
      • 3 Minutes to read
      • Dark
        Light
      • PDF
      Contents

      QRadar 3.0.0

      • Updated on 06 Apr 2025
      • 3 Minutes to read
      • Dark
        Light
      • PDF
      Article summary

      QRadar - 3.0.0

      tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment

      Table of Contents

      Description

      Integration with IBM QRadar supports CDC users by providing the extraction of logs and observables from the QRadar platform. This enables CDC users to make informed decisions regarding incident response.

      IBM QRadar Security Information and Event Management (SIEM) helps Security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, QRadar correlates this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

      IBM QRadar has provided CyberProof with a REST API, which is integrated with CDC. CDC receives new offenses as alerts from the QRadar offense service.

      All the read information is passed on to CDC in the form of an alert, with information stored as raw information and observables.

      Integration Type:SIEM
      Information read:Logs from IBM QRadar based on Criteria defined
      API Supported:7.4
      Input:N/A
      Output:Detailed logs which lead to creation of Observables on CDC.

      Customer Configuration

      1. Navigate to 'Admin' pane -> 'Authorized Services'.
      2. Click on 'Add Authorized Service'.
      3. Enter a meaningful service name e.g. CDC_API,
        User Role: Admin,
        Security Profile: Admin
      4. Expiry date – Check the 'No Expiry' tab.
        Note: If an expiry date will be set for this API token, please make sure to document the date and create a new API token and send it to CyberProof representative prior the old key expiration date as this can cause the API to expire and it will break the QRadar - CDC integration.
      5. Click on 'Create Service'.
      6. Highlight the new Authorized Services we've just created and copy the token from the top row.
      7. Provide the QRadar instance URL/IP, Port and API Token in a secure way with CDC deployment team for the further configuration of the pack.
      ParameterRequired
      Base URL / IPTrue
      PortTrue
      API TokenTrue

      CDC Command Lines

      * **add_and_replace_custom_events_fields_cli**
      Replaces/adds custom events fields to azure blob. Custom fields takes precedence over dynamic fields. Only unique custom fields will be stored. A dynamic field will be removed if it is added as a custom fields.

      CLI Example: add_and_replace_custom_events_fields_cli --fields="API Path, CATEGORYNAME(category) AS 'Category name', URL". 
Aggregate Fields Examples: 
QIDDESCRIPTION(qid) as 'Event Description' 
QIDNAME(qid) as 'Event Name' 
ASSETPROPERTY('Location',sourceip) AS source_asset_location 
ASSETPROPERTY('Location',destinationip) AS destination_asset_location 
LOGSOURCENAME(logsourceid) as 'Log Source' 
DOMAINNAME(domainid) AS 'Domain name'
      OptionTypeDescriptionRequired
      fieldsstringCustom events fieldsTrue

      * **clear_custom_events_fields_cli**
      Clears custom events fields from azure blob.

      OptionTypeDescriptionRequired

      * **extend_custom_events_fields_cli**
      Extends custom events fields to azure blob. Only unique custom fields will be stored. Example: extend_custom_events_fields_cli --fields="qid,location"

      OptionTypeDescriptionRequired
      fieldsstringCustom events fieldsTrue

      * **get_custom_events_fields_cli**
      Gets events fields from azure blob.

      OptionTypeDescriptionRequired

      Workflows

      * **add_update_replace_custom_events_fields**
      Replace/adds events fields to azure blob.

      * **clear_custom_events_fields**
      Clears custom events fields from azure blob.

      * **close_alert**
      Close the alert in QRadar

      * **execute_query**
      Execute AQL query in QRadar.

      * **get_custom_events_fields**
      Gets events fields from azure blob.

      * **inject_qradar_alert_to_cdc**
      Enrich QRadar alerts and push them to the CDC

      * **push_qradar_alerts_to_redis**
      Enrich QRadar alerts and push them to the CDC

      * **update_dynamic_events_fields**
      Fetch and update the non empty fields of events tables

      Rules

      * **new_offense**
      Triggered when a new offense is created.

      * **close_alert**
      Close alerts (i.e. offenses) in QRadar

      * **update_dynamic_events_fields_trigger**
      Triggered at poll intervals to fetch and update the non-empty fields from qradar events table to azure storage/redis

      Sensors

      * **OffensesSensor**
      Sensor to pull all offenses details from QRadar and auto update non-empty fields from qradar events table to azure storage/redis

      Poll interval - 30s

      Triggers

      * **update_dynamic_events_fields_trigger**
      Auto updates non-empty fields from qradar events table to azure storage/redis

      Known Issues

      Was this article helpful?
      What's Next