Topic: 3 replies. Latest post 2015-11-10T01:13:11Z by cloudminer.

cloudminer (4 Posts)

Pinned topic QRadar / External System Integration

2015-11-06T17:51:31Z

I need to have certain events in QRadar trigger the creation of a ticket in an external ticketing system.  What is the cleanest way to do this?

  • thloeber (11 Posts), ACCEPTED ANSWER

    Re: QRadar / External System Integration

    2015-11-09T13:02:45Z

    One option is that you can use a rule response to send an SNMP trap to another system, like your ticketing system, when certain conditions are met. See this section in the administration guide:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/c_qradar_adm_snmp_config.html

    Another option is to use a rule response to forward an event to a forwarding destination when certain conditions are met. See this section in the administration guide:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/c_qradar_adm_frwd_event_data.html

    We used the second option to forward an event to our ticketing system, which listens on a certain port for forwarded events. The events contain the information required to open a ticket on our system.

    In either option you need a QRadar incoming event to trigger a response based on event or anomaly tests.

    A great enhancement for QRadar would be a rule response which would provide an exit to execute a user-supplied script to do additional processing not available in the QRadar functionality.
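The second option thloeber describes (a listener on the ticketing side that receives forwarded events and opens tickets from them) as an added example; this is not code from the thread or from IBM. It assumes the forwarding destination delivers one syslog-framed line per event and that the rule response puts key=value data in the message; the sample lines, the key names (rule, offense_id, magnitude, src, dst), the port and the ticket field names are all constructed for illustration. The part worth copying is the deduplication: a rule that keeps firing must not open a ticket per event.

```python
import json
import re
import socketserver
import time

# Constructed sample of what a forwarding destination might deliver: syslog
# framing around key=value data emitted by a rule response. The exact payload
# depends on how the rule response is configured; the key names below are
# assumptions for this example, not QRadar's fixed schema.
SAMPLE_LINES = [
    '<13>Nov 09 13:02:45 qradar-console QRadarRule: rule="Multiple Login Failures" '
    'offense_id=42 magnitude=7 src=192.0.2.10 dst=198.51.100.5 user=jdoe',
    # the same event again: a rule can fire repeatedly and must not open a second ticket
    '<13>Nov 09 13:02:46 qradar-console QRadarRule: rule="Multiple Login Failures" '
    'offense_id=42 magnitude=7 src=192.0.2.10 dst=198.51.100.5 user=jdoe',
    '<13>Nov 09 13:03:10 qradar-console QRadarRule: rule="Outbound Connection to Watched Host" '
    'offense_id=43 magnitude=5 src=192.0.2.77 dst=203.0.113.9',
    'not a syslog line at all',
]

SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$'
)
# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_forwarded_event(line):
    """Return a dict of fields for a forwarded rule event, or None if the line is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("msg")):
        fields[key] = quoted if raw.startswith('"') else raw
    if "rule" not in fields:  # only rule-response events become tickets
        return None
    fields["host"] = m.group("host")
    fields["timestamp"] = m.group("ts")
    return fields


class TicketDeduper:
    """Suppress repeat tickets for the same (rule, offense, source) inside a time window."""

    def __init__(self, window_seconds=600):
        self.window = window_seconds
        self._last_seen = {}

    def is_new(self, key, now):
        last = self._last_seen.get(key)
        if last is not None and now - last < self.window:
            return False
        self._last_seen[key] = now
        return True


def make_ticket(event):
    """Map the forwarded fields onto a generic ticket payload (field names are illustrative)."""
    magnitude = int(event.get("magnitude", 0))
    priority = "high" if magnitude >= 7 else "medium" if magnitude >= 4 else "low"
    return {
        "title": f'QRadar: {event["rule"]} (offense {event.get("offense_id", "?")})',
        "priority": priority,
        "source_ip": event.get("src"),
        "destination_ip": event.get("dst"),
        "reported_by": event["host"],
        "fields": event,
    }


def events_to_tickets(lines, deduper, now):
    """Parse forwarded lines and return ticket payloads for the events that are new."""
    tickets = []
    for line in lines:
        event = parse_forwarded_event(line)
        if event is None:
            continue
        key = (event["rule"], event.get("offense_id"), event.get("src"))
        if deduper.is_new(key, now):
            tickets.append(make_ticket(event))
    return tickets


class ForwardHandler(socketserver.StreamRequestHandler):
    """One connection from the forwarding destination; one forwarded event per line."""
    deduper = TicketDeduper()

    def handle(self):
        for raw in self.rfile:
            line = raw.decode("utf-8", errors="replace")
            for ticket in events_to_tickets([line], self.deduper, time.time()):
                print(json.dumps(ticket))  # replace with the ticketing system's create call


if __name__ == "__main__":
    # Listen only where QRadar can reach it and restrict the source to the console/EP addresses.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 5514), ForwardHandler) as server:
        server.serve_forever()
```

Run it with no arguments to start the listener, or call `events_to_tickets(SAMPLE_LINES, TicketDeduper(), time.time())` to see the two tickets the sample produces. The listener is plain TCP; in production put it behind a TLS-terminating syslog receiver or firewall it to the QRadar addresses, since anyone who can reach the port can otherwise create tickets.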

  • DietgerBahn (2 Posts), ACCEPTED ANSWER

    Re: QRadar / External System Integration

    2015-11-09T22:37:05Z

    There's an additional integration option (usually called 'northbound' integration) via QRadar's RESTful API. For example, search results, events, and Offenses can be accessed via this API. Most clients integrate and forward generated Offenses to their Incident Management solution, generating Incidents based on forwarded Offenses. You'd require a component triggering the RESTful API via an HTTPS GET request after authenticating against QRadar and gathering Offense details. The Offense Magnitude, for example, would be a good value for mapping with the Incident Severity. You can even HTTPS POST updates from the Incident Management solution back to the Offense.

    One component providing such a northbound integration option would be, for example, the so-called SDI (Security Directory Integrator), aka TDI (Tivoli Directory Integrator). It provides multiple integration capabilities: QRadar <=> SDI <=> Service Management solution.

    Regards,

    Dietger Bahn
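The northbound flow Dietger describes (authenticate, GET open offenses, map magnitude to incident severity, POST an update back to the offense) as an added example in Python; it is not code from the thread, from IBM or from SDI/TDI. The endpoint paths `/api/siem/offenses` and `/api/siem/offenses/{id}/notes`, the `SEC` and `Version` headers, the `filter`/`fields` parameters and the offense field names are what I know of the QRadar REST API and should be checked against your console's interactive API documentation for your version; the base URL, the environment variable names, the magnitude thresholds, the sample offense records and the `OfflineOpener` stub are assumptions constructed for this example.

```python
import io
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "5.0"  # assumption: set to an API version your console actually serves

# Constructed offense records shaped like the siem/offenses response (field names as I
# know them from the QRadar API; verify against your console's API documentation).
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Multiple Login Failures followed by Success\n",
     "magnitude": 8, "severity": 7, "status": "OPEN",
     "start_time": 1447074165000, "offense_source": "192.0.2.10"},
    {"id": 102, "description": "Outbound Connection to Watched Host\n",
     "magnitude": 4, "severity": 3, "status": "OPEN",
     "start_time": 1447074190000, "offense_source": "192.0.2.77"},
]


def api_headers(token):
    # SEC carries the authorized-service token; Version pins the API contract.
    return {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}


def build_offense_list_request(base_url, token):
    # assumption: QRadar's filter/fields query parameters as documented for siem/offenses
    query = urllib.parse.urlencode({
        "filter": 'status="OPEN"',
        "fields": "id,description,magnitude,severity,status,start_time,offense_source",
    })
    return urllib.request.Request(f"{base_url}/api/siem/offenses?{query}",
                                  headers=api_headers(token))


def build_offense_note_request(base_url, token, offense_id, note_text):
    # assumption: POST siem/offenses/{id}/notes with note_text, used to write the ticket id back
    query = urllib.parse.urlencode({"note_text": note_text})
    return urllib.request.Request(f"{base_url}/api/siem/offenses/{int(offense_id)}/notes?{query}",
                                  method="POST", headers=api_headers(token))


def magnitude_to_severity(magnitude):
    """Thresholds are an assumption; QRadar magnitude runs 0-10."""
    if magnitude >= 8:
        return "P1"
    if magnitude >= 6:
        return "P2"
    if magnitude >= 3:
        return "P3"
    return "P4"


def offense_to_incident(offense):
    """Incident payload for a generic ticketing system (field names are illustrative)."""
    return {
        "external_id": f"qradar-offense-{offense['id']}",
        "title": offense.get("description", "").strip(),
        "severity": magnitude_to_severity(int(offense.get("magnitude", 0))),
        "opened_at_ms": offense.get("start_time"),
        "offense_source": offense.get("offense_source"),
    }


def sync_offenses(base_url, token, seen_ids, opener=urllib.request.urlopen, create_ticket=None):
    """One polling pass: fetch open offenses, open an incident for each unseen one, then
    note the ticket id back on the offense. Returns (offense_id, ticket_id, severity) tuples."""
    with opener(build_offense_list_request(base_url, token), timeout=30) as resp:
        offenses = json.loads(resp.read().decode("utf-8"))
    created = []
    for offense in offenses:
        if offense["id"] in seen_ids:
            continue
        incident = offense_to_incident(offense)
        ticket_id = create_ticket(incident) if create_ticket else f"TICKET-{offense['id']}"
        note = build_offense_note_request(base_url, token, offense["id"], f"Ticket {ticket_id} opened")
        with opener(note, timeout=30) as resp:
            resp.read()
        seen_ids.add(offense["id"])
        created.append((offense["id"], ticket_id, incident["severity"]))
    return created


class OfflineOpener:
    """Stand-in for urllib.request.urlopen so the pass can run with no console (for testing)."""

    def __init__(self):
        self.requests = []

    def __call__(self, request, timeout=None):
        self.requests.append((request.get_method(), request.full_url))
        body = SAMPLE_OFFENSES if request.get_method() == "GET" else {}
        return io.BytesIO(json.dumps(body).encode("utf-8"))


if __name__ == "__main__":
    # Real run: token from the environment, never in the script; TLS verification stays on.
    base = os.environ.get("QRADAR_BASE_URL", "https://qradar.example.invalid")
    token = os.environ["QRADAR_SEC_TOKEN"]
    print(sync_offenses(base, token, set()))
```

`create_ticket` is where the incident-management system's own create call goes; it must return the ticket id so the note written back to the offense links the two records. Persist `seen_ids` between runs (a file or small table) so a restart does not reopen tickets, and give the authorized-service token only the offense read and note-write permissions this pass needs.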

  • cloudminer (4 Posts)

    Re: QRadar / External System Integration

    2015-11-10T01:13:11Z

    Quoting thloeber (2015-11-09T13:02:45Z):

    One option is that you can use a rule response to send an SNMP trap to another system, like your ticketing system, when certain conditions are met. See this section in the administration guide:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/c_qradar_adm_snmp_config.html

    Another option is to use a rule response to forward an event to a forwarding destination when certain conditions are met. See this section in the administration guide:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.qradar.doc_7.2.5/c_qradar_adm_frwd_event_data.html

    We used the second option to forward an event to our ticketing system, which listens on a certain port for forwarded events. The events contain the information required to open a ticket on our system.

    In either option you need a QRadar incoming event to trigger a response based on event or anomaly tests.

    A great enhancement for QRadar would be a rule response which would provide an exit to execute a user-supplied script to do additional processing not available in the QRadar functionality.

    Great info, thanks to both of you.