You must configure the connection between IBM®
QRadar® and SOAR.
Before you begin
Ensure that you copied the CA certificates to the QRadar Console to allow access to the inbound
destinations for your SOAR
environment. For more information, see Configuring access to the inbound destinations.
You must create an authorized service token to authenticate the API
calls made by IBM Security SOAR. For more
information, see Creating an authorized service token.
Procedure
Log in to the QRadar Console as an
administrator.
On the Admin tab, in the IBM QRadar SOAR Plugin
section, click Configuration.
On the Access tab, provide the configuration information.
Configure the QRadar
destination name, service token, and SOAR URL.
Configuration setting
Description
QRadar Destination Name
A unique name for the destination location for this IBM
QRadar SOAR Plug-in integration.
As of QRadar SOAR Plug-in4.0, this field supports synchronization
of multiple QRadar instances
with a single SOAR platform. The
destination name must be unique for each QRadar instance.
Important: If you change the destination name, all existing open cases are updated to
store the new value.
Authorized Service Token
The authorized service token that is used to authenticate the API calls that are made by QRadar SOAR Plug-in.
Important: The
token must have full administrative permissions to configure the app with QRadar.
The URL string must start with http:// or https://.
If applicable, configure the connection parameters for SOAR for IBM Cloud Pak® for
Security.
When you select the CP4S mode checkbox, more fields are displayed to
configure the connection to SOAR for IBM Cloud Pak for
Security.
Configuration setting
Description
CP4S mode
Select this checkbox when you want to escalate QRadar offenses to SOAR for IBM Cloud Pak for
Security cases.
REST URL
The URL that is used to access the SOAR API.
The URL string must start with https:// and includes the
cases-rest affix. For example,
https:// CUSTOMER-INSTANCE .cases-rest.xdr.security.ibm.com.
STOMP Host
The hostname that is used to access the STOMP messaging protocol, including
cases-stomp affix. For example,
CUSTOMER-INSTANCE .cases-stomp.xdr.security.ibm.com.
STOMP Port
The port to use with the STOMP URL to access the SOAR for IBM Cloud Pak for
Security STOMP protocol.
OpenWire Host
The hostname that is used to access the OpenWire protocol, including the
cases-openwire affix.
QRadar uses the OpenWire protocol to promote offenses to SOAR for IBM Cloud Pak for
Security.
For example,
CUSTOMER-INSTANCE .cases-openwire.xdr.security.ibm.com
OpenWire Port
The port to use with the OpenWire
hostname.
Configure the SOAR API
key credentials to be used for authentication.
Configuration setting
Description
API Key ID
The ID of the SOAR API key
account that is used for authentication.
API Key Secret
The secret of the SOAR API key
account.
To create API keys in SOAR for IBM Cloud Pak for
Security, your global role must have
the API Keys permission. Make sure that the API key is created in the Application Settings > Case Management > Permissions and access > API Keys setting. Do not create the API key in General Settings > API keys.
If you are using SOAR with an MSSP configuration, make
sure that the API key is pushed to the child organizations and has appropriate access. For more
information, see Minimum system requirements.
If your deployment is configured for Managed Security Service Providers (MSSP), configure
the SOAR organization
settings.
Configuration setting
Description
Multiple Organization Support
Select this checkbox to support mapping between QRadar domains and multiple SOAR organizations.
This option is required in a SOAR for Managed Security Service
Providers deployment.
Organization Name
The name of your SOAR
organization.
If you are connecting to a SOAR Platform that is configured for Managed
Security Service Providers (MSSP), the Organization Name is the name of the
configuration organization. You can identify the configuration organization by the icon.
If you are connecting to SOAR for IBM Cloud Pak for
Security (CP4S), the
Organization Name might be different depending on which version you have
installed.
For SOAR for IBM Cloud Pak for
Security 1.10 or later,
you can set the Organization Name to use either the account ID or the account
name.
Using the account name can make it easier when you are mapping organizations to QRadar domains.
For earlier versions of CP4S, use the account ID.
Configure the app to use secure connections.
Configuration setting
Description
Connect Securely
Select this checkbox to verify CA-signed certificates.
For on-premises deployments that use self-signed SSL certificates, or deployments that have SSL
certificate problems, you might need to deselect Connect Securely to allow
the integration to make a successful but unverified connection.
Upload the trusted certificate into the persistent storage of the app.
The persistent storage
is located in
/store/docker/volumes/qapp-<app-id>/<cert_name.cer>.
To
find the app ID, type /opt/qradar/support/qappmanager and locate the IBM
QRadar SOAR Plug-in in the App
Definitions section.
In the app.config under the [resilient] section ,
set the cafile option to the absolute path to the certificate:
cafile=/opt/app-root/store/<cafile name here>.
Restart the QRadar SOAR Plug-in app by
using the QRadar API.
The
following example shows curl commands to restart the service by using API 19.0.
Depending
on your QRadar installation,
you might have a different API version. For more information about using API calls in other
versions, see the QRadar API
documentation.
Configure the remaining configuration settings.
Configuration setting
Description
SOAR Timeout (seconds)
The length of time that the QRadar SOAR Plug-in app tries to connect to SOAR before it times out.
The default value is 30 seconds.
Execution Threads
Defines the number of threads that can run simultaneously.
Increasing the number of execution threads can reduce the time that it takes for offenses to be
escalated from QRadar to SOAR. The default value is 25. If you
increase the number of execution threads, use increments of 25 and review the impact on your system
before you move to a higher thread count.
Enable loglevel DEBUG
Select this checkbox to enable DEBUG level logging for both the QRadar SOAR Plug-in app and
resilient-circuits.
Enable Configuring SOAR
Select this checkbox to enable the QRadar SOAR Plug-inapp to create the fields,
actions, and message destinations in SOAR.
These settings are required for the bidirectional communication between QRadar and the SOAR platform.
Proxy configuration
Select this checkbox when your configuration requires a connection through a proxy server.
When this checkbox is selected, more proxy settings are shown.
In the Host field, type the hostname as a URL address.
If the scheme
is not provided for the proxy host, https:// is used by default.
In the Port field, type the port that is to be used with hostname
URL.
If the proxy connection requires authentication, enter the username and password. The proxy
feature uses the basic authentication method to support authentication.
Click Verify and Configure.
The verification process checks the following settings:
A connection can be made to the SOAR Server URL.
A QRadar ID field is present in SOAR.
The authorized service token is valid.
The proxy connection, if configured, is valid.
When the verification process is finished, the following message appears at the end of the
configuration page. Connection and Configuration Verified Successfully
If Multiple Organization Support is enabled, configure the
mapping.
Click on the Mapping tab.
Map the QRadar
domains and SOAR child
organizations.
Click Configuration Push to push the configuration changes to the child
organizations.
In SOAR, you can go to the
Configuration Organization page to verify that the configuration push completed
successfully.
In QRadar, on the
Access tab of the QRadar SOAR Plug-in app configuration window,
click Save.
Results
The following objects are created to support the QRadar SOAR Plug-in app. The QRadar destination, appearing in
angle brackets, is determined by the value of the QRadar Destination Name
that you provided when you configured the app.
This destination is the unified message queue for all of the actions that are processed by the
QRadar SOAR Plug-in app.
Inbound destination
qrp_inbound_<QRadar_Destination>
The inbound destination is a queue for each organization that reads and writes messages from QRadar.
Rules
The following rules are created.
close_offense for <QRadar_Destination>
When
synchronization is enabled, this automated rule closes the related QRadar offense or SOAR case when either is
closed.
qradar_note for <QRadar_Destination>
When
synchronization is enabled, this automated rule synchronizes notes between the case and the
offense.
Add to QRadar reference set for
<QRadar_Destination>
This rule does not apply to MSSP deployments.
When custom actions are enabled, you can use this manual rule to send case artifacts to the
QRadar reference sets of the
QRadar instance that is
defined by the QRadar Destination Name field.
QRadar Ariel Query for <QRadar_Destination>
When custom
actions are enabled, you can use this manual rule to run Ariel queries on the case artifacts in the
QRadar instance that is
defined by the QRadar Destination Name field.