QRadar uses Secure Shell (SSH) to access a remote server (SSH export server)
to retrieve and interpret the scan data from nCircle IP360 appliances. QRadar supports
VnE Manager version IP360-6.5.2 to 6.8.2.8.
Before you begin
This configuration requires the target settings that you recorded when you exported
the XML2 scan data to the remote server.
About this task
If the scanner is configured to use a password, the SSH scanner server to which
QRadar connects must support password authentication. If it does not, SSH authentication
for the scanner fails. Make sure that the following line is present in your
sshd_config file, which is typically found in the /etc/ssh directory on the SSH server:
PasswordAuthentication yes
If your scanner server does not use OpenSSH, the configuration can differ. For more
information, see the vendor documentation for your scanner.
Procedure
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- Configure the following nCircle IP360 parameters:
| Parameter | Description |
|---|---|
| Scanner Name | The name to identify your nCircle IP360 instance. |
| Managed Host | From the Managed Host list, select an option that is based on one of the following platforms: On the QRadar Console, select the managed host that is responsible for communicating with the scanner device. On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar® Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device. |
| Type | nCircle IP360 |
| SSH Server Host Name | The IP address or host name of the remote server that hosts the scan result files. |
| SSH Username | The username that is used to log in to the remote SSH server. |
| SSH Password | The password that is used to log in to the remote SSH server. It is not required when you use an SSH key. |
| SSH Port | The port number to connect to the remote server. |
| Remote Directory | The location of the scan result files. |
| File Max Age (days) | The maximum age of a report file to retrieve during bulk data imports. |
| File Pattern | The regular expression (regex) to filter the list of files that are specified in the Remote Directory field. To list all XML2 format files that end with XML, use the following entry: XML2.*\.xml |
| Enable Key Authentication | Specifies that QRadar authenticates with a key-based authentication file. |
| Private Key Path | The full path to the file that contains the private key. If a key file does not exist, you must create the vis.ssh.key file. Important: The vis.ssh.key file must be owned by user vis and group qradar. For example, # ls -al /opt/qradar/conf/vis.ssh.key returns: -rw------- 1 vis qradar 1679 Aug 7 06:24 /opt/qradar/conf/vis.ssh.key |
| Enable Strict Hostkey Checking | When enabled, the public key of the target host must match an entry in the Host Key list parameter. |
| Host Key | Provides Base64 encoded host keys to accept when connecting to the target host. The supported host key type is ssh-rsa. This key can be obtained by running the OpenSSH ssh-keyscan command in Linux® or ssh-keyscan.exe in Windows, or by getting the public key directly from the target system, from a location such as /root/.ssh/known_hosts or /etc/ssh/ssh_host_rsa_key.pub. Use only the Base64-encoded key string, not the host name or algorithm. |
- Configure the remaining parameters.
- To configure a CIDR range for your scanner:
  - Type the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
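
The Host Key parameter accepts only the Base64 field of an ssh-rsa entry, so the host name and algorithm columns of ssh-keyscan or known_hosts output must be removed before the value is entered. The following shell functions are an added example, not IBM code: they extract that field and check that a value is bare Base64. The function names are hypothetical, and the host names and key blobs are constructed samples.

```shell
#!/bin/sh
# Added example: derive the value for the QRadar "Host Key" field from
# ssh-keyscan output or known_hosts lines. All sample data is constructed.

# An ssh-rsa key blob (4-byte length 7, then the string "ssh-rsa") always
# Base64-encodes to this prefix; the rest must be Base64 characters only.
RSA_B64='^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$'

# Read "host keytype base64 [comment]" lines on stdin and print only the
# Base64 field of each ssh-rsa entry, one per line.
extract_rsa_hostkeys() {
    awk -v re="$RSA_B64" '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $1 ~ /^@/            { next }   # @revoked and @cert-authority lines
        $2 != "ssh-rsa"      { next }   # the page lists ssh-rsa as the supported type
        $3 ~ re              { print $3; next }
        { print "skipped malformed ssh-rsa entry on line " NR > "/dev/stderr" }
    '
}

# Return 0 only if the argument is a bare Base64 ssh-rsa blob, with no
# host name, algorithm name, comment or whitespace around it.
is_bare_rsa_hostkey() {
    printf '%s\n' "$1" |
        awk -v re="$RSA_B64" 'NR > 1 || $0 !~ re { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample input (not real keys) in ssh-keyscan/known_hosts layout.
SAMPLE_SCAN='# scanserver.example.com:22 SSH-2.0-OpenSSH_8.0
scanserver.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleBlob
scanserver.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleBlob
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsecondSampleBlob== root@scan
@revoked scanserver.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABrevokedSampleBlob
scanserver.example.com ssh-rsa not-a-key-blob'

# Prints the two usable ssh-rsa blobs; the malformed entry is reported on stderr.
printf '%s\n' "$SAMPLE_SCAN" | extract_rsa_hostkeys
```

The checks confirm only the format of the value. Whether the key really belongs to the scan server still has to be verified against the server itself, for example by comparing it with /etc/ssh/ssh_host_rsa_key.pub on that host.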