Interactions between IBM QRadar and HCL BigFix

Before you configure the integration between IBM QRadar and HCL BigFix, it's important to understand how they interact with each other.

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425). BigFix continues to show your existing QRadar Vulnerability Manager scanner data. In QRadar 7.5.0 Update Package 6 and later, you can continue to use third-party scanners with your QRadar Vulnerability Manager platform.

The following diagram shows a high-level overview of some interactions between QRadar and BigFix from the initial scan of assets, to remediation of vulnerabilities on the scanned assets.

Figure 1. QRadar Vulnerability Manager and BigFix interactions (an overview of QRadar Vulnerability Manager and BigFix working together).

The following list describes a broad outline of interactions between QRadar and BigFix from the initial scan for vulnerabilities to the remediation of those vulnerabilities:
  1. QRadar Vulnerability Manager scanner completes an authenticated scan of assets to discover vulnerabilities. Only the vulnerabilities from assets that are configured in scan profiles that use Full, Patch, or PCI scan policies are eligible for processing by BigFix.
  2. If a BigFix agent is installed on an asset, QRadar Vulnerability Manager retrieves the BES agent ID from the asset when it detects vulnerabilities on that asset. The BES agent ID is the unique identifier that BigFix uses to identify the asset and to remediate vulnerabilities on it. BigFix refers to QRadar assets as computers.
  3. The scan results are updated in the QRadar asset model, which includes the BES agent ID from any assets that have a BigFix agent. When the scan profile shows a scan status of progress=100%, the asset model is updated, and vulnerability data is sent to BigFix within 15 minutes by default.
  4. When the asset model is updated with the scan data, the BigFix adapter that is installed on the QRadar Console receives the updated vulnerability data with risk scores from the asset model. The data contains the BES agent ID. The BigFix adapter processes only vulnerability information from assets when a BES agent ID is included.
  5. The vulnerability data that is sent to BigFix is filtered on the risk-score parameters that are configured in the adapter properties file (/opt/qvm/adaptor/config/adaptor.properties) on the QRadar Console. The default risk score is 0.0, which means that all vulnerabilities are sent to BigFix.
  6. The BigFix adapter uses the BigFix REST API to send the vulnerability information to BigFix and it correlates vulnerability CVEs with Fixlets. By default, data is sent to BigFix in 15-minute intervals.
  7. The vulnerability information that is sent by the REST API is viewable on the BigFix Manage Vulnerable Computers dashboard. You can deploy Fixlets to the assets with high-risk vulnerabilities from the BigFix Manage Vulnerable Computers dashboard. BigFix uses the BES agent ID as the unique reference for the asset when it applies Fixlets directly to the asset.
  8. BigFix applies Fixlets to the assets that have vulnerabilities.
  9. The SOAP API (Web Reports) is used to get vulnerability patch status from BigFix. Use saved searches and filters from the Vulnerabilities tab to view this updated vulnerability information.

    You must rescan the patched assets to update the asset model with the revised vulnerability status of your assets.
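The following is an added illustrative model of the selection rules in steps 4 through 6 above; it is not IBM's adapter code. It assumes a constructed asset-model sample and a constructed CVE-to-Fixlet table (the real correlation comes from BigFix), and takes the minimum risk score as a parameter rather than reading adaptor.properties.

```python
"""Constructed model of the BigFix adapter's selection logic (not IBM code).

Rules modelled from the page: only assets with a BES agent ID are processed,
vulnerabilities below the configured minimum risk score (default 0.0) are
dropped, and each remaining CVE is correlated with Fixlets.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vulnerability:
    cve: str
    risk_score: float


@dataclass
class Asset:
    asset_id: int
    bes_agent_id: Optional[str]  # None when no BigFix agent is installed
    vulnerabilities: list = field(default_factory=list)


# Constructed CVE -> Fixlet table; placeholder IDs, not real Fixlets or CVEs.
FIXLET_INDEX = {
    "CVE-EXAMPLE-0001": ["FIXLET-100"],
    "CVE-EXAMPLE-0002": ["FIXLET-200", "FIXLET-201"],
}


def select_for_bigfix(assets, min_risk_score=0.0):
    """Return {bes_agent_id: {cve: [fixlet_ids]}} that the adapter would send.

    Assets without a BES agent ID are skipped; vulnerabilities whose risk
    score is below min_risk_score are dropped; CVEs with no matching Fixlet
    are kept with an empty list so they remain visible.
    """
    payload = {}
    for asset in assets:
        if not asset.bes_agent_id:
            continue
        selected = {
            v.cve: FIXLET_INDEX.get(v.cve, [])
            for v in asset.vulnerabilities
            if v.risk_score >= min_risk_score
        }
        if selected:
            payload[asset.bes_agent_id] = selected
    return payload


# Constructed sample asset-model records.
SAMPLE_ASSETS = [
    Asset(1, "bes-agent-aaaa", [Vulnerability("CVE-EXAMPLE-0001", 7.5),
                                Vulnerability("CVE-EXAMPLE-0003", 2.0)]),
    Asset(2, None, [Vulnerability("CVE-EXAMPLE-0002", 9.8)]),  # no agent: never sent
    Asset(3, "bes-agent-cccc", [Vulnerability("CVE-EXAMPLE-0002", 9.8)]),
]

if __name__ == "__main__":
    print(select_for_bigfix(SAMPLE_ASSETS))                      # default 0.0 sends all
    print(select_for_bigfix(SAMPLE_ASSETS, min_risk_score=5.0))  # drops the 2.0 finding
```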