IBM Security QRadar EDR REST API protocol configuration options
To receive events from IBM Security QRadar EDR, configure a log source to communicate with the IBM Security QRadar EDR REST API protocol.
The IBM Security QRadar EDR REST API protocol is an active outbound protocol that provides alerts about confirmed incidents of malware that are actively communicating or exfiltrating information.
- Log in to your IBM Security QRadar EDR console.
- On the Administration tab, select API Applications, and then click Create Application.
- In the Application Name field, type a unique name for the application. Then, click Create.
- Copy and save the App ID and Secret Key values. You must have these values to add a log source for IBM Security QRadar EDR.
The following table describes the protocol-specific parameters for the IBM Security QRadar EDR REST API protocol:
Parameter | Description |
---|---|
Protocol Configuration | IBM Security QRadar EDR REST API |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured IBM Security QRadar EDR log source, ensure that you give each one a unique name. |
Server Address | The IP address or hostname of the IBM Security QRadar EDR server. |
App ID | The App ID value that you copied and saved from the IBM Security QRadar EDR application configuration. |
Secret Key | The Secret Key value that you copied and saved from the IBM Security QRadar EDR application configuration. |
Use Proxy | If the API is accessed through a proxy, select this checkbox. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank. |
Recurrence | Specify how often the log source collects data. The value can be in Minutes (M), Hours (H), or Days (D). The default is 1 minute. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
Enable Advanced Options | Select this checkbox to enable the following configuration options: Allow Untrusted, Override Workflow, Workflow, and Workflow Parameters. These parameters are visible only if you select this checkbox. |
Allow Untrusted | If you enable this parameter, the protocol can accept self-signed and otherwise untrusted certificates that are located in the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the protocol trusts only certificates that are signed by a trusted signer. The certificates must be in PEM or DER-encoded binary format and saved as a .crt or .cert file. If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, your selection in the UI is used. |
Override Workflow | Enable this option to customize the workflow. When you enable this option, the Workflow and Workflow Parameters parameters appear. |
Workflow | The XML document that defines how the protocol instance collects events from the target API. For more information about the default workflow, see IBM Security QRadar EDR REST API protocol workflow. |
Workflow Parameters | The XML document that contains the parameter values used directly by the workflow. For more information about the default workflow parameters, see IBM Security QRadar EDR REST API protocol workflow. |
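A common reason the Allow Untrusted option does not take effect is that the certificate dropped into /opt/qradar/conf/trusted_certificates/ is not in the form the table requires: wrong suffix, a PEM block that was pasted incompletely, or a DER file that was truncated in transfer. The following pre-flight check is an added example, not IBM code; the directory path, the PEM/DER requirement and the .crt/.cert suffix rule come from the table above, while the checking logic and the sample files are constructed here. It verifies only the outer framing (PEM armour that decodes to one well-formed DER SEQUENCE, or a raw DER SEQUENCE that spans the whole file) and does not parse X.509 fields, so a test run of the log source remains the final confirmation.

```python
"""Pre-flight check of the QRadar trusted_certificates directory.

Added example (not IBM code). The directory path and the PEM/DER, .crt/.cert
rule come from the documentation; the checking logic and the sample files
are constructed here. Only the outer framing is verified, not X.509 content.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

TRUSTED_DIR = Path("/opt/qradar/conf/trusted_certificates")  # from the docs
ACCEPTED_SUFFIXES = {".crt", ".cert"}                          # from the docs
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes):
    """Length in bytes of a top-level DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:      # 0x80 (indefinite) is not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'INVALID' for the raw bytes of one file."""
    match = PEM_BLOCK.search(data)
    if match:
        try:
            der = base64.b64decode(match.group(1))   # newlines are discarded
        except (binascii.Error, ValueError):
            return "INVALID"
        return "PEM" if der_sequence_length(der) == len(der) else "INVALID"
    return "DER" if der_sequence_length(data) == len(data) else "INVALID"


def check_directory(directory=TRUSTED_DIR) -> dict:
    """Map each file name to 'ok-PEM', 'ok-DER', 'invalid' or 'skipped-suffix'.

    Files without a .crt/.cert suffix are reported as skipped, because only
    those suffixes are documented as being picked up.
    """
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        if path.suffix.lower() not in ACCEPTED_SUFFIXES:
            report[path.name] = "skipped-suffix"
            continue
        kind = classify(path.read_bytes())
        report[path.name] = f"ok-{kind}" if kind != "INVALID" else "invalid"
    return report


# Constructed sample data: placeholder DER SEQUENCEs, not real certificates,
# which is enough to exercise the framing check above.
SHORT_DER = b"\x30\x03\x02\x01\x05"                # SEQUENCE { INTEGER 5 }
LONG_DER = b"\x30\x81\x80" + b"\x05" * 128          # long-form length of 128


def write_samples(directory: Path) -> None:
    """Write constructed good and bad files into the given directory."""
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(SHORT_DER)
           + b"-----END CERTIFICATE-----\n")
    (directory / "self-signed.crt").write_bytes(pem)
    (directory / "internal-ca.cert").write_bytes(LONG_DER)
    (directory / "truncated.crt").write_bytes(LONG_DER[:-1])   # length overruns file
    (directory / "wrong-name.pem").write_bytes(pem)           # good content, wrong suffix
    (directory / "notes.crt").write_bytes(b"paste cert here\n")


def demo() -> dict:
    """Run the check against a temporary directory of constructed samples."""
    tmp = Path(tempfile.mkdtemp())
    write_samples(tmp)
    return check_directory(tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:15} {name}")
```

On a Console the call would be `check_directory()` with no argument, which reads the real /opt/qradar/conf/trusted_certificates/ directory; `demo()` exists only so the check can be exercised offline against the constructed files.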