Integrating with IBM Concert

You can integrate with IBM Concert to ingest application and environment data that Concert uses to build your topology and assess common vulnerabilities and exposures (CVEs) and other non-CVE vulnerabilities. After you integrate, you can review the Concert CVE assessment results from the Instana user interface (UI).

The CVE sensor polls the Concert APIs every 10 minutes to collect the vulnerability findings. These vulnerability findings are converted into CVE detections for each container, based on the associated container image.

See the following sections to learn how to integrate Concert with Instana:

Before you begin

  • Instana release 294 or later:
    • In the Instana Applications perspective, select an application from the list and confirm that you can see the Vulnerabilities tab.
    • An Instana host agent must be installed to collect data in your environment. For the purposes of this integration, the host agent does not require root privileges and the best practice is to install it as a non-root user.
  • Concert version 1.1.0 or later:
    • You can verify your version in the Concert UI by clicking Profile > About.
    • A vulnerability scan must be uploaded to Concert in a supported format. For more information, see Uploading a vulnerability scan in the Concert documentation.
    • Concert ingests vulnerability scan data from your third-party vulnerability scanning tools, such as Prisma Cloud, Aqua Security, Sysdig, and others. Generate a vulnerability scan file in one of the Concert-supported formats, then upload the file to Concert to assess and prioritize CVEs and non-CVE exposures that affect your applications and environments.
    • After you upload the scan, set Prioritized CVEs to on in the Concert Arena view and confirm that you can see the CVE vulnerabilities.

About this task

The Concert and Instana integration simplifies the management of application vulnerabilities. When you integrate, Concert automatically pulls in your Instana application components, Kubernetes clusters, namespaces, container image names, and their relationships. You can bypass the manual process of generating and uploading Concert-defined (ConcertDef) SBOM files, which can be time-consuming and error prone.

Concert uses these configurations to assess CVEs within the context of your application and environment topology, assigning scores based on their potential impact on your application delivery lifecycle. For example, a CVE in a testing tool in your test environment receives a lower risk score than one that affects multiple application images in your production environment.

To set up the integration, create a connection and an ingestion job for Instana from the Concert UI. Concert uses these configurations to pull in Instana-managed applications, environments, clusters, and namespaces for CVE assessments and to create visualizations in the Concert Arena view and Inventory. Then, configure the CVE sensor in Instana to view Concert CVE assessment data in the Instana UI.

Concert fetches data from Instana only about applications that specify kubernetes.cluster.name and kubernetes.namespace.name in their Instana application perspective definition. You can review this definition in Instana on the Configuration tab of the application dashboard. Also, Concert fetches data from Instana within a seven-day time frame. Therefore, only applications with live traffic over the past seven days are included in the data that Concert retrieves.

Step 1: Generate an Instana API token

  1. From the navigation menu in the Instana UI, click Settings > Security & Access > API Tokens.

  2. Click New API Token.

  3. Enter a unique name for your API token, such as Concert.

    For the Instana-Concert integration, the default token permissions are sufficient as Concert uses read-only APIs.

  4. Click Create.

  5. After the API token generates, copy it to a secure location. You need it when you create the connection in Concert.

Step 2: Establish a connection with Instana

In the Concert UI, establish a connection with Instana by completing the following steps:

  1. From the Concert navigation menu, go to Administration > Integrations.

  2. On the Connections tab, click Create connection.

  3. Select IBM Instana Observability. Use the search bar or scroll to find it.

  4. On the Create IBM Instana Observability connection screen, enter a name and description for the connection.

  5. In the Endpoint field, enter the host URL of the Instana application endpoint in one of the following formats.

    • For SaaS instances of Instana: https://myname-instana.instana.io
    • For self-hosted instances of Instana: https://<unit-name>-<tenant-name>.<instance-url>. For example, https://unit0-tenant0.instana.cp4i-instance-xxx-xxx.containers.appdomain.cloud. To find the unit and tenant names for your self-hosted Instana instance, click the profile menu icon in the Instana UI.

  6. Enter the Instana API token that you generated in step 1.

  7. Click Validate connection.

  8. After the connection validates, click Create.

Step 3: Create a data ingestion job in Concert

To create an ingestion job to pull application and environment data from Instana to Concert, complete the following steps:

  1. In the Concert UI, click Administration > Integrations.

  2. On the Ingestion jobs tab, click Create ingestion job.

  3. Enter a name and description for the ingestion job.

  4. For Connection type, select Instana.

  5. For Connection, select the name of the connection that you created in the previous step.

  6. Select the Target environment that is defined in your Concert inventory.

  7. Click Create. The new ingestion job appears in the list.

  8. Click the overflow menu for the ingestion job you created and select Run now to start ingesting data from Instana.

When the ingestion job completes, you can see your Instana-managed applications, environments, clusters, and namespaces in the Concert Arena view and Inventory.

Step 4: Generate a Concert API key

  1. In the Concert UI, click Profile > API key.

  2. Click Generate API key.

  3. After the API key generates, copy it to a secure location. You need it when you configure the CVE sensor in Instana.

Step 5: Configure the CVE sensor in Instana

The Instana CVE sensor collects vulnerability data from Concert so you can view it in Instana.

Enable the CVE sensor by updating the agent configuration file (instana-agent-dir/etc/instana/configuration.yaml), as shown in the following example:

# CVE sensor
com.instana.plugin.cve:
 enabled: true
 concert:
  base_url: '<URL of your Concert instance in https://your.instance.com:1234 format>'
  instance_id: '<string in your base URL that follows the domain, for example 1234>'
  api_key: '<Concert API key that you generated in the previous step>'
  poll_rate: 10
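
Because configuration.yaml holds the Concert API key in plain text, it is worth checking the file before you restart the agent. The following Python lint is an added example, not IBM's or this page's own code. Its checks (owner-only file mode, an https base_url, no leftover placeholders), its sample values, and its line-based reader that handles only the simple block shown above are assumptions made for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed sample: the page's block with an http URL and one placeholder left in.
SAMPLE = """\
# CVE sensor
com.instana.plugin.cve:
 enabled: true
 concert:
  base_url: 'http://concert.example.com:12443'
  instance_id: '<string in your base URL that follows the domain>'
  api_key: 'constructed-not-a-real-key'
  poll_rate: 10
"""

def read_cve_block(path):
    """Flatten key: value pairs under com.instana.plugin.cve (no inline comments assumed)."""
    values, inside = {}, False
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if not line[0].isspace():  # a top-level key opens or closes the block
                inside = line.startswith("com.instana.plugin.cve:")
            elif inside and ":" in line:
                key, _, val = line.strip().partition(":")
                values[key] = val.strip().strip("'\"")
    return values

def lint_cve_sensor(path):
    """Return a list of findings; an empty list means the block passed every check."""
    cfg, findings = read_cve_block(path), []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o066:  # any group/other read or write bit
        findings.append(f"mode {mode:o}: api_key readable or writable beyond the owner")
    if cfg.get("enabled") != "true":
        findings.append("enabled is not true")
    url = urlparse(cfg.get("base_url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("base_url is not an https:// URL")
    for key in ("instance_id", "api_key"):
        if not cfg.get(key) or cfg[key].startswith("<"):
            findings.append(f"{key} is empty or still a placeholder")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as tmp:
        tmp.write(SAMPLE)
    print("\n".join(lint_cve_sensor(tmp.name)) or "ok")
    os.unlink(tmp.name)
```

To check a real agent, call lint_cve_sensor with the path to its configuration.yaml and treat any returned finding as a reason to fix the file before restarting.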

Results

Your Instana and Concert instances are now integrated. Concert can assess CVEs and other vulnerabilities for Instana-managed entities in your environment. You can also view and interact with the CVE assessment data from Concert in your Instana Container or Applications dashboards.

What to do next

  • For more information about how you can view vulnerability data from Concert in the Instana UI, see Viewing IBM Concert data.
  • You can also use the data that Concert ingests from Instana to configure a Concert workflow that assesses your application resilience. For more information, see Importing resilience data from Instana in the Concert documentation.