Contents x
      QRadar 3.2.0
      • 14 Dec 2022
      • 3 Minutes to read
      • Dark
        Light
      • PDF
      Contents

      QRadar 3.2.0

      • Updated on 14 Dec 2022
      • 3 Minutes to read
      • Dark
        Light
      • PDF
      Article summary

      tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment

      Description

      Integration with IBM QRadar supports CDC users by providing the extraction of logs and observables from the QRadar platform. This enables CDC users to make informed decisions regarding incident response.

      IBM QRadar Security Information and Event Management (SIEM) helps Security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, QRadar correlates this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

      IBM QRadar has provided CyberProof with a REST API, which is integrated with the CDC. The CDC receives new offenses as alerts from the QRadar offense service.

      All the read information is passed on to the CDC in the form of an alert, with information stored as raw information and observables.

      Integration Type:SIEM
      Information read:Logs from IBM QRadar based on defined criteria.
      API Supported:7.4
      Input:N/A
      Output:Detailed logs that lead to the creation of observables in the CDC.

      Customer Configuration

      1. Navigate to 'Admin' pane -> 'Authorized Services'.
      2. Click on 'Add Authorized Service'.
      3. Enter a meaningful service name; e.g., CDC_API,
        User Role: Admin,
        Security Profile: Admin
      4. Expiry date – Check the 'No Expiry' tab.
        Note: If an expiry date will be set for this API token, please make sure to document the date and create a new API token and send it to a CyberProof representative prior to the old key expiration date, as this can cause the API to expire and will break the QRadar - CDC integration.
      5. Click 'Create Service'.
      6. Highlight the new Authorized Services we've just created and copy the token from the top row.
      7. Provide the QRadar instance URL/IP, Port and API Token in a secure way with the CDC deployment team, for further configuration of the pack.
      ParameterRequired
      Base URL / IPTrue
      PortTrue
      API TokenTrue

      CDC Command Lines

      * **add_and_replace_custom_events_fields_cli**
      Replaces/adds custom events fields to Azure Blob. Custom fields take precedence over dynamic fields. Only unique custom fields will be stored. A dynamic field will be removed if it is added as a custom field.

      CLI Example: add_and_replace_custom_events_fields_cli --fields="API Path, CATEGORYNAME(category) AS 'Category name', URL". 
Aggregate Fields Examples: 
QIDDESCRIPTION(qid) as 'Event Description' 
QIDNAME(qid) as 'Event Name' 
ASSETPROPERTY('Location',sourceip) AS source_asset_location 
ASSETPROPERTY('Location',destinationip) AS destination_asset_location 
LOGSOURCENAME(logsourceid) as 'Log Source' 
DOMAINNAME(domainid) AS 'Domain name'
      OptionTypeDescriptionRequired
      fieldsstringCustom events fieldsTrue

      * **clear_custom_events_fields_cli**
      Clears custom events fields from Azure Blob.

      OptionTypeDescriptionRequired

      * **extend_custom_events_fields_cli**
      Extends custom events fields to Azure Blob. Only unique custom fields will be stored. Example: extend_custom_events_fields_cli --fields="qid,location"

      OptionTypeDescriptionRequired
      fieldsstringCustom events fields.True

      * **get_custom_events_fields_cli**
      Gets events fields from Azure Blob.

      OptionTypeDescriptionRequired

      Workflows

      * **add_update_replace_custom_events_fields**
      Replace/adds events fields to Azure Blob.

      * **clear_custom_events_fields**
      Clears custom events fields from Azure Blob.

      * **close_alert**
      Close the alert in QRadar.

      * **execute_query**
      Execute the AQL query in QRadar.

      * **get_custom_events_fields**
      Gets events fields from Azure Blob.

      * **inject_qradar_alert_to_cdc**
      Enrich QRadar alerts and push them to the CDC.

      * **push_qradar_alerts_to_redis**
      Enrich QRadar alerts and push them to the CDC.

      * **update_dynamic_events_fields**
      Fetch and update the non-empty fields of events tables.

      Rules

      * **new_offense**
      Triggered when a new offense is created.

      * **close_alert**
      Close alerts (i.e. offenses) in QRadar.

      * **update_dynamic_events_fields_trigger**
      Triggered at poll intervals to fetch and update the non-empty fields from the QRadar events table to Azure Storage/Redis.

      Sensors

      * **OffensesSensor**
      Sensor to pull all offenses details from QRadar and auto-update non-empty fields from the QRadar events table to Azure Storage/Redis.

      Poll interval - 30s

      Triggers

      * **update_dynamic_events_fields_trigger**
      Auto-updates non-empty fields from the QRadar events table to Azure Storage/Redis.

      Known Issues

      No known issues

      Was this article helpful?
      What's Next