Setting up QRadar Proxy
IBM® QRadar Proxy provides communication between the platform and QRadar® on prem or QRadar on Cloud. The QRadar deployment must be directly accessible on the network from the platform deployment.
This communication uses APIs to pull QRadar data into the QRadar dashboards and other dashboards with QRadar data.
Administrators use the QRadar Proxy configuration to enter connection settings that enable the communication. QRadar authorized service tokens are used for pulling QRadar data into widgets such as dashboards.
Only one QRadar or QRadar on Cloud deployment can be used per platform account. For example, if you're a managed service provider that manages several customer accounts, use a different platform account to access each QRadar deployment.
For QRadar on Cloud, you must use the QRadar on Cloud Self-Serve app to allow the public IP address for the platform to access QRadar on Cloud. For more information, see Allowing an IP address (https://www.ibm.com/docs/en/SSKMKU/com.ibm.qradar.doc/t_qrocss_addwhitelist.html).
Authorized service tokens
The authorization token that you use in QRadar Proxy must be associated in QRadar with the appropriate user role and permissions.
The user roles that are assigned to an authorized service in QRadar determine the functions that each user can access in QRadar. For more information about QRadar user roles, see User roles (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_role_mgmt.html).
The security profile in QRadar determines the networks and log sources that each user can access in QRadar. The security profile is associated with the domain, which determines tenant access. For more information about QRadar security profiles, see Security profiles (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_siem_ntw_man_set.html).
Communication process
- If you're connecting to QRadar on prem, an administrator must change the default configuration in QRadar before integrating the platform with QRadar. Otherwise, the QRadar Proxy app might be locked out for all platform users. See Preventing lockout from QRadar on prem.
- Administrators configure the connection to their QRadar deployment.
- Administrators and users add an authentication token so that they can access QRadar dashboards. See Adding a QRadar Proxy authentication token to access QRadar dashboards.
- For QRadar on prem only, administrators and users add their username and password so that they can access QRadar apps. See Adding a QRadar username and password to access QRadar apps.