QRadar platform setup process

There are several applications and connectors that an administrator must set up to ingest the data sources that you need for successful security threat investigations. Complete the application and connector setup before you begin ingesting data sources.

Before you begin

Read QRadar platform setup overview for a full description of the available applications and data source connectors.

Procedure

  1. Optional: If you have at least one data source for federated search or an asset import that is inaccessible from the internet, install and configure an Edge Gateway. Otherwise, go to step 2.
    You install an Edge Gateway on a VM or bare metal machine so that QRadar platform can connect to those data sources. See Setting up Edge Gateway.
  2. Set up Threat Intelligence Insights to prioritize your threat feed and configure external data sources. See Setting up Threat Intelligence Insights.
  3. On a VM or bare metal machine, install and register a Data Collector to send alerts from a private network, or from within your cloud environment, to QRadar platform. See Setting up Data Collector.
  4. Optional: If you have QRadar® in your environment, complete the following tasks. Otherwise, go to step 5.
    1. On a QRadar console, install and configure the QRadar Offenses Forwarder app so that QRadar can send offense alerts to QRadar platform. See QRadar Offenses Forwarder app.
    2. Optional: If you have QRadar on Cloud in your environment, configure QRadar Proxy to connect to it so that you can view your QRadar detection rules in IBM® Detection and Response Center (Beta). QRadar rules are applied to events, flows, or offenses to search for or detect anomalies in QRadar. See Setting up QRadar Proxy.
  5. Enable federated search, case investigation, and analytics across your security products by configuring the Universal Data Insights service. See Universal Data Insights connectors.
  6. Configure your data sources by completing the following tasks.
    Tip: The platform can ingest data sources from various third-party devices. To see which sources you can use to fully augment your automated or analyst investigations, see Supported third-party data sources.
    1. To enable federated search and analytics across your security products, configure the Universal Data Insights service. See Universal Data Insights connectors.
    2. To import asset and risk data, configure the Connected Assets and Risk service. See Connected Assets and Risk connectors.
    3. To ingest alerts from third-party devices, complete configuration tasks on the third-party device and add a data source in QRadar platform. See Ingesting logs and alerts.
  7. Configure Threat Investigator to run automatic investigations and exclude any data sources that you don't want queried for automatic investigations. See Configuring Threat Investigator.