QRadar platform setup overview

Before security analysts can start investigating cases and security threats, an administrator must set up various applications and connections. These connections provide the capability to ingest alerts, add asset data, and enable federated search. You must also configure Threat Intelligence Insights to prepare data for the security analyst to review, and configure Threat Investigator to enable automatic investigations.

Edge Gateway

If you are connecting to data sources in a private network that is unreachable from the internet (either on-prem or a private cloud infrastructure), set up an Edge Gateway to provide connections for federated search data sources and for asset data sources. The Edge Gateway can deploy the Universal Data Insights and Connected Assets and Risk services to reach on-prem data sources, and is deployed on a dedicated VM or bare metal machine. Install as many Edge Gateways as you need in your deployment. For example, if your data centers are located around the world, you can install an Edge Gateway in each data center and connect to QRadar platform. Then, connect your data sources to that Edge Gateway.

Threat Intelligence Insights

IBM® Threat Intelligence Insights identifies and prioritizes threats based on your organization's profile and relevant threat feeds. Prioritize threat intelligence data that is relevant to you by monitoring the latest threats from your choice of industries and locations. Configure threat intelligence feeds from external sources (requires premium license keys from each vendor).

Threat Investigator

IBM® Threat Investigator automatically analyzes and investigates cases to help you make more informed decisions. Threat Investigator shows potential threats and the assets that are impacted, helping you determine the criticality of exposure, how many systems are at risk, and the level of remediation effort required. By viewing the timeline of threats within your organization, you can better understand dwell times and the stage of the threat. Configure Threat Investigator to enable automatic investigations.

Data Collector

Use a Data Collector to send alerts from a private network or within your Cloud environment to IBM Security QRadar® SOAR. The Data Collector is an agent that you install on a Red Hat® Enterprise Linux® (RHEL) or CentOS system.

The Data Collector buffers incoming alerts during times when it is disconnected from IBM Security QRadar SOAR and sends them when the connection is restored. Install and register as many Data Collectors throughout your deployment as you need to collect the data you want. Then, configure your data sources to send events to the Data Collector you choose.
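The buffering behaviour described above, shown as an added illustrative example (this is not IBM's Data Collector code, and the page does not state the real collector's queue size or persistence policy; the in-memory queue, the `FlakyUplink` stand-in for the SOAR endpoint and the sample alerts are all constructed here). It shows the two properties a practitioner cares about in a store-and-forward agent: nothing is dequeued until the send is confirmed, and arrival order is preserved across the outage.

```python
from collections import deque
from typing import Callable, Deque, Dict, List

# Illustrative store-and-forward buffer; the real Data Collector's internals
# are not described on the page and may differ.
class AlertBuffer:
    def __init__(self, max_size: int = 10_000) -> None:
        self._queue: Deque[Dict] = deque()
        self.max_size = max_size
        self.dropped = 0  # alerts discarded because the buffer was full

    def enqueue(self, alert: Dict) -> bool:
        """Queue an alert; refuse (and count) it if the buffer is full."""
        if len(self._queue) >= self.max_size:
            self.dropped += 1
            return False
        self._queue.append(alert)
        return True

    def pending(self) -> int:
        return len(self._queue)

    def flush(self, send: Callable[[Dict], bool]) -> int:
        """Send queued alerts in order; stop at the first failure.

        The head of the queue is only removed after `send` confirms delivery,
        so a link that drops mid-flush loses nothing and keeps the order.
        Returns the number of alerts delivered in this attempt.
        """
        delivered = 0
        while self._queue:
            alert = self._queue[0]
            if not send(alert):      # uplink still down: keep it, try later
                break
            self._queue.popleft()    # dequeue only after a confirmed send
            delivered += 1
        return delivered


class FlakyUplink:
    """Constructed stand-in for the SOAR endpoint; `up` toggles connectivity."""
    def __init__(self) -> None:
        self.up = False
        self.received: List[Dict] = []

    def send(self, alert: Dict) -> bool:
        if not self.up:
            return False
        self.received.append(alert)
        return True


def simulate_outage() -> Dict:
    """Queue alerts while the uplink is down, then restore it and flush."""
    buf = AlertBuffer()
    link = FlakyUplink()
    # Constructed sample alerts (shape is illustrative, not a real feed format).
    for i in range(1, 6):
        buf.enqueue({"id": i, "rule": "Excessive Firewall Denies", "severity": 5 + i % 3})
    sent_while_down = buf.flush(link.send)      # link is down: 0 delivered
    link.up = True                              # connection restored
    sent_after_restore = buf.flush(link.send)   # backlog drains in order
    return {
        "sent_while_down": sent_while_down,
        "sent_after_restore": sent_after_restore,
        "pending": buf.pending(),
        "order": [a["id"] for a in link.received],
    }


if __name__ == "__main__":
    print(simulate_outage())
```

When sizing a real collector, the `dropped` counter is the value to alert on: a buffer that silently discards alerts during a long outage is a detection gap, so monitor the backlog and drop count rather than assuming reconnection will replay everything.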

QRadar Offenses Forwarder app

If you have QRadar in your environment, you must install the QRadar Offenses Forwarder app to collect QRadar offense alerts. The platform collects QRadar offense alerts from the IBM QRadar Offenses Forwarder via a Data Collector. Along with other alert data sources, these offense alerts contribute to the cases that your security analysts investigate to protect your organization from security threats.

QRadar Offenses Forwarder forwards offense alerts from a QRadar instance over Universal Cloud REST API or the TLS Syslog protocol. It queries the QRadar API to fetch the event and flow data for each offense. The query includes a list of custom event properties that are useful to analyze the offense alert. The application can dynamically choose the custom event properties that are present in the QRadar instance and return the offense alert.
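To make the "dynamically choose the custom event properties that are present" step concrete, here is an added example that is not the Offenses Forwarder app's own code. It assumes two inputs a forwarder would obtain from the QRadar REST API (custom property names from `GET /api/config/event_sources/custom_properties/regex_properties` and offense records from `GET /api/siem/offenses`, both real QRadar endpoints); how the app itself queries and filters is not described on the page beyond the paragraph above. The HTTP calls are left out so the example runs offline on constructed sample data, and it builds the per-offense AQL query with `INOFFENSE()` and the offense's own time window. Property names are validated before they are spliced into the query so a misconfigured or hostile name cannot alter the AQL.

```python
from typing import Dict, Iterable, List

# Base event columns every forwarded offense query asks for (constructed choice).
BASE_COLUMNS = ["starttime", "sourceip", "destinationip", "username",
                "eventname", "magnitude"]


def present_custom_properties(wanted: Iterable[str], available: Iterable[str]) -> List[str]:
    """Keep only the wanted custom properties that this QRadar instance defines.

    Caller order is preserved so the generated query is stable across runs;
    properties that do not exist on the instance are simply skipped.
    """
    avail = set(available)
    return [name for name in wanted if name in avail]


def aql_identifier(name: str) -> str:
    """Quote a custom property name for AQL (names may contain spaces).

    Double quotes and control characters are rejected rather than escaped:
    a property name is configuration, not a place to tolerate odd input.
    """
    if not name or '"' in name or any(ord(ch) < 32 for ch in name):
        raise ValueError(f"unsafe custom property name: {name!r}")
    return f'"{name}"'


def build_offense_query(offense: Dict, custom_props: List[str], limit: int = 1000) -> str:
    """Build the AQL that fetches an offense's events plus selected custom properties.

    `offense` uses the field names returned by /api/siem/offenses
    (id, start_time, last_updated_time; times are epoch milliseconds).
    """
    offense_id = offense["id"]
    start, stop = offense["start_time"], offense["last_updated_time"]
    for v in (offense_id, start, stop):
        if not isinstance(v, int) or v < 0:
            raise ValueError("offense id and timestamps must be non-negative integers")
    columns = BASE_COLUMNS + [aql_identifier(p) for p in custom_props]
    return (
        f"SELECT {', '.join(columns)} FROM events "
        f"WHERE INOFFENSE({offense_id}) "
        f"LIMIT {int(limit)} START {start} STOP {stop}"
    )


def forward_query_for(offense: Dict, wanted: List[str], available: List[str]) -> str:
    """Full flow: intersect desired properties with the instance's, then build AQL."""
    return build_offense_query(offense, present_custom_properties(wanted, available))


# Constructed sample data (not from a real instance).
SAMPLE_AVAILABLE = ["Account Security ID", "Process Name", "Target Username", "File Hash"]
SAMPLE_WANTED = ["Process Name", "Command Line", "Account Security ID", "Parent Process"]
SAMPLE_OFFENSE = {"id": 42, "start_time": 1700000000000,
                  "last_updated_time": 1700003600000,
                  "description": "Excessive Firewall Denies"}

if __name__ == "__main__":
    print(forward_query_for(SAMPLE_OFFENSE, SAMPLE_WANTED, SAMPLE_AVAILABLE))
```

In a live forwarder the query string would be submitted with `POST /api/ariel/searches` and polled until complete; the value of computing the property list from the instance rather than hard-coding it is that the same app configuration works across QRadar deployments with different custom property sets.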

QRadar Proxy app

If you have QRadar on Cloud in your environment, you can configure the IBM QRadar Proxy to provide communication between QRadar platform and QRadar or QRadar on Cloud. This communication uses APIs to pull QRadar data into the QRadar dashboards and other dashboards.

QRadar on Cloud must be visible on the network from QRadar platform. Only one QRadar on Cloud deployment can be used per platform account. For example, if you are a managed service provider that manages several customer accounts, use a different platform account to access each QRadar on Cloud deployment.

You must use the QRadar on Cloud Self-Serve app to allow the public IP address for the platform to access QRadar on Cloud.

Universal Data Insights connectors

Use the Universal Data Insights service to enable your applications and dashboards to enrich and augment alert data as it is ingested, without moving your data. Query and combine security data from any data source, either in the cloud or on premises, by using a query language and syntax that complies with either STIX 2 or AQL standards. Access data and insights across all data lakes and ponds by using a simple STIX 2 or AQL API.
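The federated-search idea above (one STIX 2 query, translated to each data source's native query language so the data never moves) can be seen in miniature with an added example; this is not the Universal Data Insights service's code or its connectors' mappings. It translates a single STIX 2 observation expression into a QRadar AQL `WHERE` clause using a small constructed property-to-column mapping, supporting only comparisons joined by `AND`/`OR` with no parentheses or qualifiers. Note how a STIX `ipv4-addr:value` fans out to both `sourceip` and `destinationip`, and how unmapped properties fail loudly instead of silently returning an empty result.

```python
import re
from typing import Dict, List

# Constructed STIX 2 object-path -> AQL column mapping (illustrative only).
STIX_TO_AQL: Dict[str, List[str]] = {
    "ipv4-addr:value": ["sourceip", "destinationip"],
    "network-traffic:dst_port": ["destinationport"],
    "network-traffic:src_port": ["sourceport"],
    "user-account:user_id": ["username"],
}

# One comparison: <object-type>:<property> <op> <'string' | integer>
_COMP_RE = r"[a-z0-9\-]+:[a-z0-9_\.]+\s*(?:!=|>=|<=|=|>|<|LIKE)\s*(?:'[^']*'|-?\d+)"
COMPARISON = re.compile(
    r"^(?P<path>[a-z0-9\-]+:[a-z0-9_\.]+)\s*(?P<op>!=|>=|<=|=|>|<|LIKE)\s*"
    r"(?P<value>'[^']*'|-?\d+)$"
)
# Tokenizer: a comparison or a boolean operator, skipping leading whitespace.
TOKEN = re.compile(r"\s*(?:(?P<comp>" + _COMP_RE + r")|(?P<bool>AND|OR))")


def translate_comparison(comp: str) -> str:
    """Translate one STIX comparison into an AQL condition."""
    m = COMPARISON.match(comp.strip())
    if not m:
        raise ValueError(f"unsupported comparison: {comp!r}")
    path, op, value = m.group("path"), m.group("op"), m.group("value")
    columns = STIX_TO_AQL.get(path)
    if columns is None:
        raise ValueError(f"no AQL mapping for STIX property {path!r}")
    # A property backed by several columns matches if any column matches;
    # for '!=' it must hold on every column.
    joiner = " AND " if op == "!=" else " OR "
    clause = joiner.join(f"{col} {op} {value}" for col in columns)
    return f"({clause})" if len(columns) > 1 else clause


def translate_pattern(pattern: str, limit: int = 1000) -> str:
    """Translate '[ comparison (AND|OR comparison)* ]' into an AQL SELECT."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single observation expression in [...]")
    body = body[1:-1].strip()
    where: List[str] = []
    pos, expect_comp = 0, True
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m or m.end() == pos:
            raise ValueError(f"cannot parse pattern at: {body[pos:]!r}")
        if expect_comp and m.group("comp"):
            where.append(translate_comparison(m.group("comp")))
        elif not expect_comp and m.group("bool"):
            where.append(m.group("bool"))
        else:
            raise ValueError(f"unexpected token at: {body[pos:]!r}")
        expect_comp = not expect_comp
        pos = m.end()
    if expect_comp:   # pattern ended after AND/OR, or was empty
        raise ValueError("pattern ends without a comparison")
    return f"SELECT * FROM events WHERE {' '.join(where)} LIMIT {int(limit)}"


if __name__ == "__main__":
    # Constructed sample STIX 2 pattern.
    print(translate_pattern("[ipv4-addr:value = '10.0.0.5' AND network-traffic:dst_port = 443]"))
```

A production translator (the open-source STIX-shifter project is the reference point for this approach) also handles parentheses, `FOLLOWEDBY`, `START`/`STOP` qualifiers and per-source quoting rules; the point here is only that the analyst writes STIX once and each connector owns the mapping to its own query dialect.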

Connected Assets and Risk connectors

The Connected Assets and Risk service collects information about assets, users, and their risk profile. The service is used to share asset and risk information across the platform. The Connected Assets and Risk service can store any asset-related information, such as details about an asset, hostname, user, IP address, or application. Each asset is represented as an entity, and shows how the asset is related to other assets and the risk that is associated with them. The service uses the Connected Assets and Risk API to push the data to the platform graph database.

By linking all tenant asset and user information in a common database, the insights can be shared and used with other applications to provide a better understanding of the environment and the overall risk posture. For example, you can run queries against the connected asset and risk data in Data Explorer. The data is also used by Threat Investigator during a case investigation to show the assets that might be affected by a potential threat.

Alert ingestion connectors

Ingestion connectors collect alert data by using various connection options. A connection either actively pulls data or passively receives it into the platform's event pipeline. The corresponding data source type then parses and normalizes the data.

A data source type, such as QRadar, ReaQta, or CrowdStrike, is used to classify data that comes from common hardware or has the same data format and operates under the same processing rules. It is a code module that parses received events from multiple data sources and converts them to a standard taxonomy format that can be displayed. Each type of alert data source has a corresponding data source type.