Configuring the Cyber Adversary Framework Mapping Application

You must create an authorized service token to authenticate the background services that the app uses to request data from your local instance of IBM® QRadar®.

Before you begin

With 2.6.0, the QRadar Use Case Manager is installed with QRadar Advisor with Watson™ and the QRadar Use Case Manager version is updated to 2.3.1. The QRadar Use Case Manager includes MITRE ATT&CK mapping and visualization. You should follow the instructions for the QRadar Use Case Manager. For more information, see QRadar Use Case Manager.
Attention: If you are using QRadar Advisor with Watson 2.5.3 or earlier, then you can use the Cyber Adversary Framework Mapping Application app that is included with QRadar Advisor with Watson. Do not use both the QRadar Use Case Manager and the Cyber Adversary Framework Mapping Application at the same time, or you will encounter out-of-sync issues.

You must have QRadar administrator privileges to create authorized service tokens.

The following instructions apply to the Cyber Adversary Framework Mapping Application and not the QRadar Use Case Manager.

About this task

You must create an authorized service token for the Cyber Adversary Framework Mapping Application to get the latest Cyber Adversary Framework Mapping Application content.
Note: The QRadar Advisor with Watson app automatically maps MITRE ATT&CK tactics to CRE rules. With the Cyber Adversary Framework Mapping Application, you can map your custom rules to specific tactics.

Procedure

  1. On the navigation menu (Navigation menu icon), click Admin.
  2. In QRadar 7.3.3 or later, click Apps > Cyber Adversary Framework Mapping Application > Configuration.
    [Screenshot: Tactics app]
  3. Click the Settings icon.
  4. On the Authorization Token tab, click the Manage Authorized Services link.
  5. On the Manage Authorized Services window, click Add Authorized Service.
  6. Add the relevant information in the following fields and click Create Service.
    1. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
    2. From the User Role list, select the appropriate role for the user type.
    3. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
    4. In the Expiry Date list, type or select a date that you want this service to expire. If an expiry date is not necessary, select No Expiry.
  7. Click the row that contains the service you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.
  8. Paste the Admin token string into the Admin Token field.
  9. Click Save Token.
  10. If you have a proxy, click the Proxy settings tab and select the Use proxy checkbox.
  11. Select the type of secure protocol you want to use for your proxy:
    • HTTPS
    • SOCKS5
  12. If your proxy server does not require a username and password, select the Disable Authentication checkbox.
    • In the Proxy server field, type the URL for the proxy server. The proxy server is required if the application server uses a proxy server to connect to the internet.
    • In the Proxy port field, type the port number for the proxy server.
    • In the Proxy username field, type the username for the proxy server. A username is required if you are using an authenticated proxy.
    • In the Proxy password field, type the password for the proxy server. A password is required if you are using an authenticated proxy.
  13. If you have a custom SSL certificate for proxy communication between your QRadar instance and the X-Force® Exchange, select the Enable Custom SSL Certificate Validation checkbox.
  14. Click the file upload icon (Custom SSL Certificate file upload icon) and select your custom SSL certificate. Only .pem files are supported.
  15. Click Save Configuration.
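
Because only .pem files are supported in step 14, it can help to check the certificate file's encoding before you upload it. The following Python check is an added example, not part of the product or of the original procedure. It assumes that the upload should contain only CERTIFICATE blocks and no private key. The function name and the sample data are constructed for illustration, and the check covers encoding only, not trust chain or expiry.

```python
import base64
import re

# Matches any PEM block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed stand-in: DER-shaped bytes (SEQUENCE header + filler), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def check_pem_upload(data: bytes) -> list:
    """Return a list of problems; an empty list means the file looks uploadable."""
    # Binary DER certificates longer than 255 bytes start with 0x30 0x82.
    if data[:2] == b"\x30\x82":
        return ["file is DER (binary) encoded, not PEM; convert it first"]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["file is not ASCII text, so it cannot be PEM"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM BEGIN/END block found"]
    problems = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Assumption: a key must never travel with the uploaded certificate.
            problems.append("contains a private key block (%s); remove it" % label)
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected PEM block type: %s" % label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("CERTIFICATE block is not valid base64")
            continue
        if der[:1] != b"\x30":
            problems.append("CERTIFICATE block does not decode to an ASN.1 SEQUENCE")
    return problems

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(check_pem_upload(fh.read()) or "looks like a PEM certificate file")
```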

Example

[Screenshot: Proxy Configuration screen]