Minimum system requirements

Before you install the IBM QRadar SOAR Plug-in 5.x app, ensure that your deployment meets the following requirements.
System requirement Description

QRadar

You must have QRadar 7.5.0 UP7 installed to use the IBM QRadar SOAR Plug-in 5.x app.

If you are using earlier versions of QRadar, search the IBM Security App Exchange to find a compatible version of the IBM QRadar SOAR Plug-in.

Earlier versions of the app are not available in IBM QRadar Assistant. You must download them from the IBM Security App Exchange.

SOAR Platform

You must have SOAR Platform v46 or later installed.

QRadar SOAR Plug-in 5.x does not support multi-tenant configurations. If your deployment is configured for multi-tenancy, do not upgrade the app.

Content pack

New in 5.0

The IBM QRadar SOAR Plug-in 5.x content pack contains the rules that are used to send events to SOAR inbound destinations.

Download the content pack from IBM Security App Exchange and use the Extension Management tool to install it.

Port access

QRadar must have access to the following ports:
  • SOAR Platform: 443, 65000, 65001
  • Cloud Pak for Security: 443
  • Port 443

    Allows QRadar to connect to the SOAR platform by using the REST API. The connection is inbound-only from QRadar to the SOAR Platform.

    Allows for communication with the Cloud Pak for Security by using ActiveMQ OpenWire. The connection is bidirectional.

  • Port 65000

    Allows for communication with the SOAR Platform by using ActiveMQ OpenWire. The connection is bidirectional.

QRadar memory

Ensure that QRadar has at least 800 MB of memory available to run the app.

Restriction: The combined memory requirements of all apps that are installed on a QRadar Console cannot exceed 10 percent of the total available memory. If you exceed the 10 percent memory allocation, the apps do not run.

If your QRadar Console does not have enough memory available to install the app, you can install it on an App Host. For more information, see App Hosts in the QRadar Administration Guide.

For more information about how to calculate the amount of memory that is used by apps that are installed on the QRadar Console, see the Apps and Resource Limitation technote (https://www.ibm.com/support/pages/qradar-apps-and-memory-resource-limitation).
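The port and memory requirements above can be checked before installation with a short script; this is an added example, not IBM code or part of the plug-in. The hostname `soar.example.com`, the memory figures, and the function names are assumptions made for illustration, and the installed-app memory total must be supplied by you (see the technote above for how to calculate it).

```python
"""Pre-install check for the port and memory requirements (added example)."""
import socket

# Ports QRadar must be able to reach, as listed on this page.
REQUIRED_PORTS = {
    "soar": (443, 65000, 65001),   # SOAR Platform
    "cp4s": (443,),                # Cloud Pak for Security
}
APP_MEMORY_MB = 800        # memory the app needs, per this page
APP_MEMORY_SHARE = 0.10    # all Console apps combined: at most 10 percent


def check_ports(host, target, timeout=5.0, connect=socket.create_connection):
    """Return {port: reachable} for every port required by `target`.

    `connect` is injectable so the check can be exercised without a network.
    """
    results = {}
    for port in REQUIRED_PORTS[target]:
        try:
            conn = connect((host, port), timeout)
        except OSError:            # refused, filtered, timed out, DNS failure
            results[port] = False
        else:
            conn.close()
            results[port] = True
    return results


def memory_headroom_mb(total_mb, installed_apps_mb):
    """MB left in the 10 percent app budget after adding this app.

    A negative result means the Console budget would be exceeded, which is
    the case where the page directs you to an App Host instead.
    """
    budget = total_mb * APP_MEMORY_SHARE
    return budget - (installed_apps_mb + APP_MEMORY_MB)


if __name__ == "__main__":
    # Constructed values: placeholder hostname and memory figures.
    for port, ok in check_ports("soar.example.com", "soar").items():
        print(f"tcp/{port}: {'reachable' if ok else 'BLOCKED'}")
    left = memory_headroom_mb(total_mb=65536, installed_apps_mb=5000)
    print("Console install OK" if left >= 0 else "Use an App Host", f"({left:.0f} MB)")
```

Run it from the QRadar host that will run the app, because a TCP connect only proves reachability from the machine where the script executes.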

SOAR Platform User Account

You must have a dedicated SOAR Platform account. You must know the account username and password.

The account must have permissions to create cases, and view and modify administrator and customization settings.

If you are using the MSSP add-on, the account must also have permissions to access the configuration, global dashboard, and all child organizations.

Tip: If you change your SOAR Platform account, make sure that the new account has the same permissions.

If you are using SOAR for IBM Cloud Pak® for Security, click Case Management > Permissions and Access > API Keys to create the API key.

SOAR API key account

You must have a dedicated SOAR API key account.

The account must have the following permissions:
  • Incidents: Read, Create
  • Edit Incidents: Fields, Owner, Members, Status, Notes, Workspace
  • Simulation Permissions: Create Simulations
  • Administration Permissions: Manage API Keys
  • Org Data: Read, Edit
  • Other Permissions: Read Incident Action Invocations
  • Artifacts: Read, Create

API key accounts in an MSSP configuration

If SOAR is configured for Managed Security Service Providers (MSSP), the API key account must have access to ALL of the child organizations. If you change the API key permissions, you must push the configuration to all child organizations.

You can push the API key permissions to the child organizations from the SOAR product interface.

  1. Go to the configuration organization, which is identified by the icon.
  2. Select Administrator Settings > Configuration Push and click Push Configuration.

    Wait a few minutes for the configuration push to complete. You can view the status of the configuration push in the table. Clicking the Status column provides details about the state of the push for each organization.
