Connecting to an IBM Security QRadar data source

Connect the IBM Security QRadar data source to IBM Cloud Pak® for Security platform to enable your applications and dashboards to collect and analyze QRadar security data. Universal Data Insights connectors enable federated search across your security products.

Before you begin

Collaborate with a QRadar administrator who can install the software on the QRadar Console, obtain security token, IP address, and other required information.

The IBM Cloud Pak for Security platform connector for IBM QRadar is designed to work with the Ariel event and flow data from QRadar 7.3.3 or newer. Both event and flow data must be enabled on QRadar. The connector requires that the following content extensions are installed on your QRadar environment:

If you have the previous versions of these content extensions, you must install the new versions to update the extensions. If you have a firewall between your cluster and the data source target, use the IBM Security Edge Gateway to host the containers. The Edge Gateway must be V1.6 or later. For more information, see Setting up Edge Gateway.

To conduct a federated search for domain names, you must add the DNS Request Domain custom event property to the appropriate DSMs in QRadar. For more information, see Adding the DNS Request Domain custom event property to your DSMs.

About this task

Structured Threat Information eXpression (STIX) is a language and serialization format that organizations use to exchange cyberthreat intelligence. The connector uses STIX patterning to query QRadar data and returns results as STIX objects. For more information about how the QRadar data schema maps to STIX, see QRadar stix-shifter repository (https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/qradar).

Procedure

  1. Go to Menu > Connections > Data sources.
  2. On the Data Sources tab, click Connect a data source.
  3. Click IBM QRadar and QRadar On Cloud, then click Next.
  4. Configure the connection to the data source.
    1. In the Data source name field, assign a name to uniquely identify the data source connection.
      You can create multiple connection instances to a data source so it would be good to clearly set them apart by name. Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Data source description field, write a description to indicate the purpose of the data source connection.
      You can create multiple connection instances to a data source, so it is useful to clearly indicate the purpose of each connection by description. Only alphanumeric characters and the following special characters are allowed: - . _
    3. If you have a firewall between your cluster and the data source target, use the Edge Gateway to host the containers. In the Edge gateway (optional) field, specify which Edge Gateway to use.
      Select an Edge Gateway to host the connector. It can take up to five minutes for the status of newly deployed data source connections on the Edge Gateway to show as being connected.
    4. In the Management IP or hostname field, set the IP address of the data source so that IBM Cloud Pak for Security platform can communicate with it. This information is required and corresponds to the Management IP address value in the QRadar console.
    5. In the Host port field, set the port number that is associated with the data source host. The port is 443 by default.
  5. Set the query parameters to control the behavior of the search query on the data source.
    1. In the Concurrent search limit field, set the number of simultaneous connections that can be made to the data source. The default limit for the number of connections is 4. The value must not be less than 1 and must not be greater than 100.
    2. In the Query search timeout limit field, set the time limit in minutes for how long the query is run on the data source. The default time limit is 30. When the value is set to zero, there is no timeout. The value must not be less than 1 and must not be greater than 120.
    3. In the Result size limit field, set the maximum number of entries or objects that are returned by search query. The default result size limit is 10,000. The value must not be less than 1 and must not be greater than 500,000.
    4. In the Query time range field, set the time range in minutes for the search, represented as the last X minutes. The default is 5 minutes. The value must not be less than 1 and must not be greater than 10,000.
    Important: If you increase the concurrent search limit and the result size limit, a greater amount of data can be sent to the data source, which increases the strain on the data source. Increasing the query time range also increases the amount of data.
  6. Optional: If QRadar is configured with a privately signed Security Sockets Layer (SSL) certificate, add a connection certificate.
    1. To determine whether QRadar is configured with a privately signed SSL certificate, use ssh to connect to your QRadar Console as the root user, and type the following command:
      openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -issuer
      If the output if that command is issuer= /CN=QRadar Local CA, QRadar is configured with a privately signed SSL certificate.
    2. To determine whether the privately signed SSL certificate uses the same hostname or IP address that you use to access your QRadar Console, type the following command:
      openssl x509 -in /etc/httpd/conf/certs/cert.cert -noout -text | grep -A1 "X509v3 Subject Alternative Name"

      The following output is an example of the output from this command:

      X509v3 Subject Alternative Name: 
                      DNS:example.com, DNS:192.0.2.0, IP Address:192.0.2.0

      If the output includes a hostname or an IP address that you use to access your QRadar Console, don't enter anything in the Server name indicator (optional) field.

      If the output does not match the hostname or IP address that you use to access your QRadar Console, and the output includes a hostname, enter the hostname from the output in the Server name indicator (optional) field. Otherwise enter the IP address in the Server name indicator (optional) field.

    3. In the IBM QRadar Certificate (optional) field, enter your certificates.
      In QRadar 7.4.0 or later, your privately signed certificates are at:
      • /opt/qradar/ca/www/root-qradar-ca_ca.crt
      • /opt/qradar/ca/www/intermediate-qradar-ca_ca.crt
      In QRadar 7.4.0 or later, if you did not customize your http certificates, your default privately signed certificates are at:
      • http://<consoleip>:9381/root-qradar-ca_ca.crt
      • http://<consoleip>:9381/intermediate-qradar-ca_ca.crt

    If you changed your default QRadar certificates, you must specify the certificates that you imported. If you changed your QRadar SSL certificates, your new Root and Intermediate Certificates are typically at /etc/pki/ca-trust/source/anchors/<file_name>.crt.

    For more information about QRadar certificates, see Determining whether your certificate is internally signed or custom signed and SSL certificates (https://www.ibm.com/docs/en/qsip/7.5?topic=tasks-ssl-certificates).

  7. Optional: If you need to customize the STIX attributes mapping, click Customize attribute mapping and edit the JSON blob to map new or existing properties to their associated target data source fields.
  8. Configure identity and access.
    1. Click Add a Configuration.
    2. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    4. Click Edit access and choose which users can connect to the data source and the type of access.
    5. In the Authentication Token field, enter the unique identifier of the data source that you want to establish the connection with. The same authorized service token can be used for different connectors in IBM Cloud Pak for Security platform.
      To obtain an authentication token, complete the following steps:
      1. Open the Admin tab on the QRadar Console.
      2. Go to Authorized Services.
      3. Select Add new Authorized Service.
      4. Create a user role.

        The user role must have Event and Flow viewing permissions, specifically, Offenses, Log Activity, and Network Activity. If you want to use the same authentication token when you configure the QRadar Connected Assets and Risk connector, the token must also have the Assets permission.

      5. Copy and paste the authentication token after it is created.
      6. Deploy QRadar.
    6. Click Add.
    7. To save your configuration and establish the connection, click Done.
    You can see the data source connection configuration that you added under Connections on the data source settings page. A message on the card indicates connection with the data source.
    When you add a data source, it might take a few minutes before the data source shows as being connected.
    Tip: After you connect a data source, it might take up to 30 seconds to retrieve the data. Before the full data set is returned, the data source might display as unavailable. After the data is returned, the data source shows as being connected, and a polling mechanism occurs to validate the connection status. The connection status is valid for 60 seconds after every poll.

    You can add other connection configurations for this data source that have different users and different data access permissions.

  9. To edit your configurations, complete the following steps:
    1. On the Data Sources tab, select the data source connection that you want to edit.
    2. In the Configurations section, click Edit Configuration (Edit configuration icon).
    3. Edit the identity and access parameters and click Save.

What to do next