Configuring the connection to QRadar on prem

Users with an Administrator role for IBM® QRadar Proxy can connect to an IBM QRadar on prem deployment so that the platform can connect to QRadar® APIs and supported versions of QRadar apps from that deployment. After you enter the connection settings, you and your users can add your own authentication token, QRadar username and password, or both. Then, view QRadar SIEM dashboards and other dashboards with QRadar data, or access supported QRadar apps such as QRadar User Behavior Analytics.

Before you begin

To connect to QRadar from QRadar Proxy, you need the following information:

  • A public-facing management IP address or host name. To determine or change the QRadar hostname, use the qchange_netsetup command in Network settings management (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_siem_ntw_man_set.html).
  • Host port. For more information, see QRadar port usage (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_common_ports.html).
  • QRadar SSL certificate (optional). For more information, see SSL certificates (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_ssl.html).
  • Authentication token (required to populate dashboards). For more information, see Managing authorized services (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qradar_adm_man_auth_service.html).
  • QRadar username and password (required to access supported apps). For more information, see Creating a user account (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/t_qradar_adm_create_user_acct.html).

About this task

The minimum supported version of QRadar is 7.4.3.

Important: The QRadar deployment and the platform deployment must be able to directly access each other on the network; make sure that any firewalls don't block one deployment from the other.

Only one QRadar or QRadar on Cloud deployment can be used per platform account. For example, if you're a managed service provider that manages several customer accounts, use a different platform account to access each QRadar deployment.

Procedure

  1. Go to Menu > Connections > QRadar Proxy, and select the IBM QRadar option.
  2. Add the connection details for the deployment.
    1. To access QRadar apps and APIs, specify a connection name and description for the connection.
    2. Specify the QRadar Management IP address or hostname and port for the data source or a supported QRadar app.
    3. To enable background services, such as the connection between IBM Detection and Response Center and QRadar, enter a Service Authentication Token. This token is also referred to as the SEC token. You create the token from the Authorized Services window in QRadar. For more information, see Adding an authorized service (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/t_qradar_adm_add_auth_serv.html).
  3. Add the QRadar authentication credentials for the deployment.
    1. Enter a user authentication token to use the QRadar APIs. If you are a QRadar Proxy Administrator, you can select the checkbox to use the Service Authentication Token that you entered in the Connection Details section instead of entering your own user token.
      Important: Your users must enter their own authentication token.
    2. If you want to access supported QRadar apps, such as QRadar User Behavior Analytics, provide your own QRadar username and password, regardless of the authentication token you entered in step 3a. (Your users must enter their own username and password.)
      Tip:
      • If QRadar uses SAML for authentication, you don't need to enter a username and password because you log in to QRadar through your SAML identity provider when you access the supported apps.
      • If you make too many login attempts with incorrect credentials, your account is locked out according to QRadar settings. Try logging in again later. For more information, see Preventing lockout from QRadar on prem.
  4. If the login message on the QRadar Console requires users to provide consent before they can log in, select the terms and conditions checkbox so that your users can log in to QRadar from the platform.
  5. If the connection is using a certificate that is signed by a trusted certificate authority, you do not need to add a certificate.
    Tip: A trusted certificate authority can be internal or public.
  6. To determine whether your certificate is self-signed, see Determining whether your certificate is internally signed or custom signed.
    Tip: If the decoded certificate shows the Common Name as localhost.localdomain or your local domain, then it is a self-signed certificate.
  7. To add a certificate, complete the following steps:
    1. In QRadar 7.4.3, download the certificate chain from http://<qradar_host_ip>:9381/intermediate-qradar-ca_ca.crt. Copy and paste all of the certificate content from the file into the certificate section.
    2. In earlier versions of QRadar that are supported by the QRadar Proxy app, download the root CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca.pem. Download the intermediate CA certificate from http://<qradar_host_ip>:9381/vault-qrd_ca_int.pem. Copy and paste all of the certificate content from both files into the certificate section.
  8. If your hostname or IP address does not match the common name, you must supply a Server Name Indicator (SNI).
    The SNI is used to provide a separate hostname to the TLS handshake of the resource connection.
  9. Click Save, and then verify that the connection is successful by checking the status in the navigation panel.
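
Steps 5 to 8 depend on three facts about the certificate: its Common Name, whether it is self-signed, and whether it covers the address that you entered in step 2. The following shell functions are an added example, not IBM tooling or part of the original procedure. They assume the openssl CLI (1.1.1 or later), the function names are hypothetical, and the certificate is a throwaway one constructed inline to stand in for the file that you download in step 7.

```shell
#!/bin/sh
# Added example: function names are hypothetical; requires the openssl CLI (1.1.1+).
# For a chain file, openssl x509 reads only the first certificate in it.

# Subject Common Name, the value that the step 6 tip tells you to look at.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# SHA-256 fingerprint, for comparison with one taken on the QRadar host itself.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when the subject and issuer names are identical (name check only).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate does not cover the host name or IP address ($2)
# that you plan to enter in step 2, which is the case where step 8 asks for an SNI.
needs_sni() {
  case $2 in
    *:*)       flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) flag=-checkhost ;;  # contains a letter: treat as a host name
    *)         flag=-checkip ;;    # IPv4 literal
  esac
  ! openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}

# Constructed sample: a throwaway self-signed certificate, not a real QRadar one.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE=$WORK/sample.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/key.pem" \
  -out "$SAMPLE" -subj "/CN=localhost.localdomain" \
  -addext "subjectAltName=DNS:localhost.localdomain" 2>/dev/null

echo "Common Name: $(cert_cn "$SAMPLE")"
echo "SHA-256:     $(cert_fingerprint "$SAMPLE")"
is_self_signed "$SAMPLE" && echo "Subject equals issuer: self-signed"
needs_sni "$SAMPLE" qradar.example.test && echo "Name mismatch: supply an SNI"
```

Because the step 7 download URLs use http, compare the printed fingerprint with one taken from the same file on the QRadar host before you paste the certificate.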

Results

If you no longer need the proxy connection, you can remove it on the QRadar Proxy page. Users cannot connect with the proxy until a new connection is configured.

If you encounter integration issues, see QRadar general health checklist (https://www.ibm.com/support/pages/node/876874).

What to do next

Adding a QRadar Proxy authentication token to access QRadar dashboards and Adding a QRadar username and password to access QRadar apps