IBM Security Randori REST API protocol configuration options

To receive events from IBM Security Randori, configure a log source to communicate with the IBM Security Randori REST API protocol.

The IBM Security Randori REST API protocol is an active outbound protocol that provides alerts about changes in an organization's attack surface, for example newly discovered targets or existing targets whose temptation value changed.

Important: Before you can configure a log source for Randori, you must obtain your API Key from the Randori web portal.

For more information about obtaining this value, see How to Add an API token (https://www.ibm.com/docs/en/SSD5I5K/intapi_api_AddAPIToken.html).

The following table describes the protocol-specific parameters for the IBM Security Randori REST API protocol:

Table 1. IBM Security Randori REST API protocol parameters
Parameter / Description

Protocol Configuration

IBM Security Randori REST API

Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured IBM Security Randori log source, ensure that you give each one a unique name.

Instance

The Instance value is the host name that you use to access Randori, such as app2.randori.io. The structure for the Instance value is:

app[#].randori.io

where [#] is a number that might be required to access your Randori instance.

API Key

The API key that is used to access the IBM Security Randori REST API.

For more information about obtaining this value, see How to Add an API token (https://www.ibm.com/docs/en/SSD5I5K/intapi_api_AddAPIToken.html).

Minimum Priority Score

Filters new targets by using the priority score that you select:
  • Low - All new targets
  • Medium - New targets with a priority score greater than 20
  • High - New targets with a priority score of 30 or greater

Note that the two boundaries differ: a score of 30 passes the High filter, but a score of 20 does not pass the Medium filter.

Minimum Temptation

Filters existing targets whose temptation value was modified, by using the temptation value that you select:
  • Low - All targets with a modified temptation value
  • Medium - Targets with a temptation value greater than 14
  • High - Targets with a temptation value greater than 29
  • Critical - Targets with a temptation value greater than 39

Use Proxy

If the API is accessed by using a proxy, select this checkbox.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence

Specify how often the log source collects data. The value can be in Minutes (M), Hours (H), or Days (D). The default is 1 minute.

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Enable Advanced Options

Select this checkbox to enable the following configuration options: Allow Untrusted and Override Workflow.

These parameters are only visible if you select this checkbox.

Initial Days of Historical Data

Enter the number of days before the current date for which to collect historical data. When you configure a new log source, IBM QRadar generates New Target events for existing targets that have a first-seen date within the number of days that you enter. This value is used only before the log source runs for the first time.

Allow Untrusted

If you enable this parameter, the protocol can accept self-signed and otherwise untrusted certificates that are located in the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the protocol trusts only certificates that are signed by a trusted signer.

The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file.

If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, then your selection in the UI is used.

Override Workflow

Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters fields appear.

Workflow

The XML document that defines how the protocol instance collects events from the target API.

For more information about the default workflow, see IBM Security Randori REST API protocol workflow.

Workflow Parameters

The XML document that contains the parameter values used directly by the workflow.

For more information about the default workflow parameters, see IBM Security Randori REST API protocol workflow.
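The following Python script is an added illustration, not QRadar's own workflow code and not part of the IBM documentation, of how the Minimum Priority Score, Minimum Temptation and Initial Days of Historical Data settings combine to decide which events one poll produces. The thresholds are the ones listed in the table above. The Target record shape, the sample target names and dates, and the rule that a target is reported either as new or as modified but never both are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds exactly as listed in the parameter table. The boundaries are
# not uniform: Medium priority is "greater than 20" but High priority is
# "30 or greater", so a score of 30 passes High while 20 fails Medium.
PRIORITY_MIN = {"Low": None, "Medium": (">", 20), "High": (">=", 30)}
TEMPTATION_MIN = {"Low": None, "Medium": (">", 14),
                  "High": (">", 29), "Critical": (">", 39)}


def passes(score: int, rule) -> bool:
    """Apply one documented threshold; None means no filtering."""
    if rule is None:
        return True
    op, bound = rule
    return score > bound if op == ">" else score >= bound


@dataclass
class Target:
    # Constructed record shape for this example; Randori's real target
    # schema is richer and not reproduced here.
    name: str
    priority: int
    temptation: int
    first_seen: date
    seen_before: bool = False          # already reported by an earlier poll
    temptation_modified: bool = False  # temptation changed since last poll


def select_events(targets, min_priority, min_temptation, today, initial_days, first_run):
    """Return (event type, target name) pairs produced by one poll.

    first_run=True models the very first poll: every target whose first-seen
    date lies within initial_days of today counts as new (Initial Days of
    Historical Data), and no Modified Temptation events are produced.
    Later polls treat only unseen targets as new and apply the temptation
    filter to existing targets whose temptation changed.
    """
    events = []
    cutoff = today - timedelta(days=initial_days)
    for t in targets:
        is_new = (t.first_seen >= cutoff) if first_run else (not t.seen_before)
        if is_new:
            if passes(t.priority, PRIORITY_MIN[min_priority]):
                events.append(("New Target", t.name))
            continue  # assumption: a target is reported as new or modified, never both
        if (not first_run and t.temptation_modified
                and passes(t.temptation, TEMPTATION_MIN[min_temptation])):
            events.append(("Modified Temptation", t.name))
    return events


TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible


def sample_targets(first_run: bool):
    """Constructed sample inventory, not Randori output."""
    def days_ago(n):
        return TODAY - timedelta(days=n)

    base = [
        Target("edge-vpn.example.com", 35, 45, days_ago(2)),
        Target("legacy-ftp.example.com", 25, 30, days_ago(10)),
        Target("www.example.com", 12, 20, days_ago(1)),
        Target("mail.example.com", 30, 29, days_ago(5)),
        Target("dev.example.com", 20, 14, days_ago(3)),
    ]
    if first_run:
        return base
    for t in base:
        t.seen_before = True
    for t in (base[0], base[1], base[3]):  # edge-vpn, legacy-ftp, mail changed
        t.temptation_modified = True
    base.append(Target("api.example.com", 22, 10, TODAY))  # appeared since last poll
    return base


if __name__ == "__main__":
    print("first poll, Medium priority, 7 days of history:")
    for ev in select_events(sample_targets(True), "Medium", "Low", TODAY, 7, True):
        print("  ", ev)
    print("later poll, Medium priority, High temptation:")
    for ev in select_events(sample_targets(False), "Medium", "High", TODAY, 7, False):
        print("  ", ev)
```

Running the script shows why the boundary wording matters when tuning: mail.example.com (priority 30) is reported under High, dev.example.com (priority 20) is dropped under Medium, and on the later poll mail.example.com (temptation 29) produces no Modified Temptation event under High even though its temptation changed.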
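For the Allow Untrusted row above, the following added Python helper (not part of QRadar or of this documentation) checks that a certificate file is PEM or DER encoded, converts DER to PEM with the standard library, and validates the .crt or .cert file name before the file is copied into /opt/qradar/conf/trusted_certificates/. The byte string CONSTRUCTED_DER is a placeholder ASN.1 SEQUENCE built for the example, not a real certificate, and the function names are the example's own.

```python
import ssl
from pathlib import PurePosixPath

# Directory named on this page for certificates the protocol may trust when
# Allow Untrusted is enabled, and the file suffixes it loads from there.
TRUSTED_CERT_DIR = PurePosixPath("/opt/qradar/conf/trusted_certificates")
ALLOWED_SUFFIXES = (".crt", ".cert")
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"

# Placeholder DER bytes (an ASN.1 SEQUENCE containing INTEGER 1), constructed
# for this example only; it is NOT a certificate. Use the Randori instance's
# actual CA or server certificate in practice.
CONSTRUCTED_DER = b"\x30\x03\x02\x01\x01"


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'pem' or 'der'; anything else is rejected."""
    if data.lstrip().startswith(PEM_BEGIN):
        return "pem"
    if data[:1] == b"\x30":  # a DER-encoded X.509 certificate starts with a SEQUENCE tag
        return "der"
    raise ValueError("file is neither PEM nor DER encoded")


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text; DER input is base64-wrapped by the stdlib."""
    if detect_format(data) == "pem":
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def has_allowed_suffix(filename: str) -> bool:
    """True when the name ends in .crt or .cert, the only suffixes that are loaded."""
    return PurePosixPath(filename).suffix in ALLOWED_SUFFIXES


def stage_certificate(data: bytes, filename: str) -> tuple:
    """Return (destination path, PEM text) for a certificate to be installed.

    The caller writes the file (as root on the QRadar console); this function
    only validates and normalises, so a wrong format or suffix is caught
    before anything lands in the trust directory.
    """
    if not has_allowed_suffix(filename):
        raise ValueError(f"{filename}: must end in .crt or .cert to be picked up")
    return TRUSTED_CERT_DIR / filename, to_pem(data)


if __name__ == "__main__":
    path, pem = stage_certificate(CONSTRUCTED_DER, "randori-ca.crt")
    print(f"would write {path}:\n{pem}")
```

Keep Allow Untrusted disabled unless the Randori instance really presents a certificate that is not signed by a trusted signer; enabling it widens what the protocol accepts, so stage only the specific certificate you have verified out of band.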