IBM Security Randori REST API protocol configuration options
To receive events from IBM Security Randori, configure a log source to communicate with the IBM Security Randori REST API protocol.
The IBM Security Randori REST API protocol is an active outbound protocol that provides alerts about changes in an organizations attack surface. For example, new targets that are discovered.
For more information about obtaining this value, see How to Add an API token (https://www.ibm.com/docs/en/SSD5I5K/intapi_api_AddAPIToken.html).
The following table describes the protocol-specific parameters for the IBM Security Randori REST API protocol:
Parameter | Description |
---|---|
Protocol Configuration | IBM Security Randori REST API |
Log Source Identifier |
Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured IBM Security Randori log source, ensure that you give each one a unique name. |
Instance |
The Instance value is the URL that you use to access Randori, such as app2.randori.io. The structure for the Instance value is: app[#].randori.io where [#] is a number that might be required to access your Randori instance. |
API Key | The API key that is used to access the IBM Security
Randori REST API. For more information about obtaining this value, see How to Add an API token (https://www.ibm.com/docs/en/SSD5I5K/intapi_api_AddAPIToken.html). |
Minimum Priority Score | Filters new targets by using the priority score that you select.
|
Minimum Temptation | Filters existing targets that have a modified temptation value. This filter is
based on the temptation value that you select.
|
Use Proxy | If the API is accessed by using a proxy, select this checkbox.
Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank. |
Recurrence | Specify how often the log collects data. The value can be in Minutes (M), Hours (H), or Days (D). The default is 1 minute. |
EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
Enable Advanced Options |
Select this checkbox to enable the following configuration options: Allow Untrusted and Override Workflow. These parameters are only visible if you select this checkbox. |
Initial Days of Historical Data | Enter the number of days before the current date to collect historical data. When you configure a new log source, IBM QRadar generates New Target events for existing targets that have a first-seen date within the number of days that you enter. This value is used only before the log source runs for the first time. |
Allow Untrusted | If you enable this parameter, the protocol can accept self-signed and
otherwise untrusted certificates that are located within the
/opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter,
the scanner trusts only certificates that are signed by a trusted signer. The certificates must be in PEM or RED-encoded binary format and saved as a .crt or .cert file. If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, then your selection in the UI is used. |
Override Workflow | Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters parameters appear. |
Workflow |
The XML document that defines how the protocol instance collects events from the target API. For more information about the default workflow, see IBM Security Randori REST API protocol workflow. |
Workflow Parameters |
The XML document that contains the parameter values used directly by the workflow. For more information about the default workflow parameters, see IBM Security Randori REST API protocol workflow. |