Configuring the connection to QRadar

Users with an Administrator role for IBM® QRadar® Proxy can connect to an IBM QRadar deployment so that IBM Security QRadar Suite Software can connect to QRadar APIs and supported versions of QRadar apps from that deployment. After you enter the connection settings, you and your users can add your own authentication token, QRadar username and password, or both. Then, view QRadar SIEM dashboards and other dashboards with QRadar data, or access supported QRadar apps such as QRadar User Behavior Analytics.

Before you begin

To connect to QRadar from QRadar Proxy, you need the following information:

Management IP address or host name. To determine or change the QRadar hostname, use the qchange_netsetup command in Network settings management.
Host port. For more information, see QRadar port usage.
QRadar SSL certificate (optional). For more information, see SSL certificates.
Authentication token (required to populate dashboards). For more information, see Managing authorized services.
QRadar username and password (required to access supported apps). For more information, see Creating a user account.

About this task

QRadar Proxy is supported on QRadar 7.4 or later.

In QRadar Suite Software 1.4 or later, only one QRadar deployment can be used per QRadar Suite Software account. For example, if you're a managed service provider that manages several customer accounts, use a different QRadar Suite Software account to access each QRadar deployment.

Procedure

From the home page, click Menu> Connections> QRadar Proxy, and select the deployment to which you want to connect.
Add the connection details for the deployment.
1. To access QRadar apps and APIs, specify a connection name and description for the connection.
2. Specify the QRadar Management IP address or hostname and port for the data source or a supported QRadar app.
3. To enable background services, such as the connection between IBM Detection and Response Center and QRadar, enter a Service Authentication Token. This token is also referred to as the SEC token. You create the token from the Authorized Services window in QRadar. For more information, see Adding an authorized service.
Add the QRadar authentication credentials for the deployment.
1. Enter a user authentication token to use the QRadar APIs. If you are a QRadar Proxy Administrator, you can select the checkbox to use the Service Authentication Token that you entered in the Connection Details section instead of entering your own user token.
  
  Important: Your users must enter their own authentication token.
2. If you want to access supported QRadar apps, such as QRadar User Behavior Analytics, provide your own QRadar username and password, regardless of the authentication token you entered in step 3a. (Your users must enter their own username and password.)
  Tip:
  - If QRadar uses SAML for authentication, you don't need to enter a username and password because you log in to QRadar through your SAML identity provider when you access the supported apps.
  - If you make too many login attempts with incorrect credentials, your account is locked out according to QRadar settings. Try logging in again later. For more information, see Preventing lockout from QRadar.
If the login message on the QRadar Console requires users to provide consent before they can log in, select the terms and conditions checkbox so that your users can log in to QRadar from QRadar Suite Software.
If the connection is using a certificate that is signed by a trusted certificate authority, you do not need to add a certificate.

Tip: A trusted certificate authority can be internal or public.
To determine whether your certificate is self-signed, see Determining whether your certificate is internally signed or custom signed.

Tip: If the decoded certificate shows the Common Name as localhost.localdomain or your local domain, then it is a self-signed certificate.
To add a certificate, complete the following steps:
- In QRadar 7.5 or later, download the root CA certificate from http://<qradar_host_ip>:9381/root-qradar-ca_ca.crt. Then download the intermediate CA certificate from http://<qradar_host_ip>:9381/intermediate-qradar-ca_ca.crt. Copy and paste the certificate content from both files into the certificate section on this page.
  Note: The certificate content is the content between and including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- In QRadar 7.4.3, download the certificate chain from http://<qradar_host_ip>:9381/intermediate-qradar-ca_ca.crt. Copy and paste the certificate content from the file into the certificate section.
- In earlier versions of QRadar that are supported by the QRadar Proxy app, download the root CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca.pem. Download the intermediate CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca_int.pem. Copy and paste the certificate content from the certificate content from both files into the certificate section.
Click Save, and then verify that the connection is successful by checking the status in the navigation panel.

Results

If you no longer need the proxy connection, you can remove it on the QRadar Proxy page. Users cannot connect with the proxy until a new connection is configured.

If you encounter integration issues, see QRadar general health checklist.

What to do next

Adding a QRadar Proxy authentication token to access QRadar dashboards and Adding a QRadar username and password to access QRadar apps