Connecting to an IBM Security Verify Analytics asset data source

The IBM Security Verify Analytics Connected Assets and Risk connector can be run in the IBM Security QRadar® Suite Software cluster. The connector incrementally synchronizes the contents of the IBM Security Verify Analytics asset databases with the data that is managed by the Connected Assets and Risk service.

Before you begin

To set up the IBM Security Verify Analytics Bridge and Security Verify Tenant for IAM data, complete the following steps.

  1. Create a tenant in IBM Security Verify Tenant with the Identity Analytics or CIA plan.
  2. Set up an IBM Security Verify Analytics bridge. For more information, see IBM Security Verify Analytics on dockerhub (https://hub.docker.com/r/ibmcom/ciabridge).
  3. To generate the data that is required for the Verify Connected Assets and Risk connector, when you set up ciabridge docker, pass the CLOUD_PAK_SECURITY="true" flag as an environment variable.
  4. Set tenant binding from the IBM Security Verify bridge to IBM Security Verify Tenant and enable replication.
  5. Configure the IBM Security and IDentity Manager, Identity Governance and Intelligence data source and run analysis.

    After analysis is complete, IBM Security Verify Tenant data is replicated in the Analytics tab dashboard of IBM Security Verify Tenant.

  6. to create an API ClientId and secret from IBM Security Verify tenant, go to Configuration > API Access under the Admin settings and select Manage API Clients.

    The ClientId and secret with the tenant URL are used to run the Verify Connected Assets and Risk connector.

About this task

The IBM Security QRadar Suite Software CAR connector for IBM Security Verify Analytics is designed to work with the /analytics-rp/api/v1.0 API endpoint.

The Security Verify Tenant uses analyzed data that is replicated from IBM Security Verify Analytics to bridge entities such as users, accounts, applications, and relationships like userAccount and accountApplication data.

For more information about the Security Verify Tenant, see IBM Security Verify Analytics Bridge (https://www.ibm.com/docs/en/SSCT62/com.ibm.iamservice.doc/concepts/cia_cpt_overview.html).

Procedure

  1. Log in to IBM Security QRadar Suite Software.
  2. From the menu, click Connections > Data sources.
  3. On the Assets tab, click Connect an asset.
  4. Click IBM Security Verify IAM, then click Next.
  5. Configure the connection to allow IBM Security QRadar Suite Software to connect to the data source.
    1. In the Connector name field, assign a name to uniquely identify the data source connection.
      Tip: Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Connector description field, write a description to indicate the purpose of the data source connection.
      Tip: Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Edge gateway (optional) field, specify which IBM Security Edge Gateway to use.

      To use the Edge Gateway to host the containers that are required for communication between the data sources and IBM Security QRadar Suite Software, select an Edge Gateway. The Edge Gateway must be version 1.6 or later. It can take up to 5 minutes to establish the connection to the Edge Gateway.

      Important: If you have a firewall between your IBM Security QRadar Suite Software cluster and the data source target, use the Edge Gateway to host the containers.

      For more information, see Edge Gateway.

    4. In the Frequency field, set how often the connector imports data from the data source, in minutes. The default is 15 minutes.
      The value must be an integer.
      For example, a value of 5 causes the connector to run every 5 minutes.
      If the data source doesn't have many assets, or you don't want to import data often, reduce the frequency.
    5. In the Management IP address or Hostname field, set the hostname or IP address of the data source so that IBM Security QRadar Suite Software can communicate with it.
  6. Click Add a Configuration.
  7. Configure identity and access.
    1. Click Edit access and choose which users can connect to the data source and the type of access.
    2. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    4. In the Client ID field, enter the client ID for your IBM Security Verify tenant (a UUID).
    5. In the Client Secret field, enter the client secret for your IBM Security Verify tenant.
    6. Is cloud, enable to activate the cloud setting.
    7. Click Add.
    8. To save your configuration and establish the connection, click Done.
  8. To edit your configurations, complete the following steps:
    1. On the Assets tab, select the data source connection that you want to edit.
    2. In the Configurations section, click Edit Configuration (Edit configuration icon).
    3. Edit the identity and access parameters and click Save.

Results

The connector imports data from the data source. The connector imports data again at the interval that you set in the Frequency field.

Tip: After the data source is connected, it takes some time for the initial data retrieval based on the frequency that is specified in the Frequency parameter. During this time, the data source appears as unavailable. After the data retrieval is complete, the data source shows as connected. To maintain the connection status, a polling mechanism is initiated to verify the connection periodically.

You can add other connection configurations for this data source that have different users and different data access permissions.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.

To use Data Explorer, you must have data sources that are connected so that the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on the data that is contained in your configured data sources. For more information about how to build a query in Data Explorer, see Build a query.