IBM Support

IBM Resilient SOAR and IBM QRadar integration

Question & Answer


Question

This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Its custom rules engine (CRE) correlates events and flows and generates offenses that require the attention of a security analyst.

For a more comprehensive investigation, you can escalate offenses to the Resilient platform as incidents, work them with Resilient playbooks, and, where needed, push changes back to QRadar. The integration also keeps the notes on an offense and its incident in sync on both products, and synchronizes the closing of offenses and incidents.

The integration is therefore bidirectional and, as the previous diagram shows, has two components:
  • The IBM Resilient QRadar Integration app
    The app is installed on QRadar. It sends the offense, its details, owner, and artifacts to Resilient, synchronizes notes, and synchronizes closure of the incident or the offense on both platforms.
  • The QRadar Functions for Resilient app
    The app is installed on the Resilient App Host. It searches QRadar data with Ariel Query Language (AQL) queries and makes QRadar REST API calls that update QRadar configuration, such as adding or removing entries in QRadar reference sets.

Some of the topics covered in the lab are:

  • Install QRadar app for Resilient
  • Configure QRadar app for Resilient
  • Customize the Resilient configuration
  • Customize the Jinja templates
  • Configure Custom Actions and synchronization
  • Install QRadar functions for Resilient
  • Create a table of artifacts by using the QRadar functions
  • Create an action to search QRadar for file hashes from a log source
  • Test the app integration and customization by using QRadar offenses
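The following is an added example, not code from the lab or from IBM, showing the two QRadar REST operations the QRadar Functions app relies on (an AQL search and a reference-set update) wired into the "search QRadar for file hashes from a log source" action listed above. Endpoint paths (/api/ariel/searches, /api/reference_data/sets) and the SEC and Version headers follow the public QRadar REST API; the host, token, log source name "EDR Sensor", reference set name "Suspicious Hashes", and the "File Hash" custom event property are placeholders. The HTTP transport is injectable, so demo() runs offline against constructed sample responses.

```python
"""Added example, not the lab's or IBM's code: AQL file-hash search plus a
reference-set update over the QRadar REST API. Host, token, log source name,
reference set name and the "File Hash" property are assumptions."""
import json
import re
import time
import urllib.parse
import urllib.request

# Accept MD5, SHA-1 and SHA-256 hex digests; anything else never reaches QRadar.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def build_hash_query(log_source_name, hours=24):
    """AQL listing distinct file hashes seen in one log source. Single quotes in
    the name are doubled so a hostile name cannot break out of the literal."""
    safe = log_source_name.replace("'", "''")
    return (
        'SELECT "File Hash" AS file_hash, COUNT(*) AS hits FROM events '
        f"WHERE LOGSOURCENAME(logsourceid) = '{safe}' "
        'AND "File Hash" IS NOT NULL '
        f'GROUP BY "File Hash" LAST {int(hours)} HOURS'
    )


class QRadarClient:
    """Thin client; transport(method, path, params) -> (status, json) is
    injectable so the whole flow can be exercised offline."""

    def __init__(self, host, token, transport=None, poll_seconds=2.0):
        self.base = f"https://{host}/api"
        # SEC carries the authorized-service token; Version pins the API release.
        self.headers = {"SEC": token, "Version": "12.0", "Accept": "application/json"}
        self.transport = transport or self._http
        self.poll_seconds = poll_seconds

    def _http(self, method, path, params):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")

    def run_aql(self, query, max_polls=60):
        """POST the search, poll until COMPLETED, then fetch the result rows."""
        status, body = self.transport("POST", "/ariel/searches", {"query_expression": query})
        if status not in (200, 201):
            raise RuntimeError(f"search submit failed: HTTP {status} {body}")
        search_id = body["search_id"]
        for _ in range(max_polls):
            _, body = self.transport("GET", f"/ariel/searches/{search_id}", None)
            if body["status"] == "COMPLETED":
                break
            if body["status"] in ("CANCELED", "ERROR"):
                raise RuntimeError(f"search {search_id} ended in {body['status']}")
            time.sleep(self.poll_seconds)
        else:
            raise TimeoutError(f"search {search_id} did not complete in time")
        _, body = self.transport("GET", f"/ariel/searches/{search_id}/results", None)
        return body.get("events", [])

    def add_to_reference_set(self, set_name, value):
        """POST /reference_data/sets/{name}?value=... adds one element."""
        path = "/reference_data/sets/" + urllib.parse.quote(set_name, safe="")
        status, body = self.transport("POST", path, {"value": value})
        if status != 200:
            raise RuntimeError(f"reference set update failed: HTTP {status} {body}")
        return body


def push_hashes_from_log_source(client, log_source_name, set_name, hours=24):
    """Search one log source for file hashes and add only well-formed ones
    to the reference set. Returns (added, skipped)."""
    added, skipped = [], []
    for row in client.run_aql(build_hash_query(log_source_name, hours)):
        value = (row.get("file_hash") or "").strip().lower()
        if HASH_RE.match(value):
            client.add_to_reference_set(set_name, value)
            added.append(value)
        else:
            skipped.append(value)
    return added, skipped


def demo():
    """Offline run against a constructed fake of the QRadar API responses."""
    polls, store = {"n": 0}, []

    def fake_transport(method, path, params):
        if (method, path) == ("POST", "/ariel/searches"):
            return 201, {"search_id": "s1", "status": "WAIT"}
        if (method, path) == ("GET", "/ariel/searches/s1"):
            polls["n"] += 1  # first poll still running, second completed
            return 200, {"status": "COMPLETED" if polls["n"] > 1 else "EXECUTE"}
        if (method, path) == ("GET", "/ariel/searches/s1/results"):
            return 200, {"events": [  # constructed sample rows
                {"file_hash": "D41D8CD98F00B204E9800998ECF8427E", "hits": 3},
                {"file_hash": "not-a-hash", "hits": 1},
                {"file_hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "hits": 2}]}
        if method == "POST" and path.startswith("/reference_data/sets/"):
            store.append(params["value"])
            return 200, {"name": "Suspicious Hashes", "number_of_elements": len(store)}
        return 404, {"message": "unexpected call"}

    client = QRadarClient("qradar.example.com", "placeholder-token", fake_transport, poll_seconds=0)
    added, skipped = push_hashes_from_log_source(client, "EDR Sensor", "Suspicious Hashes", hours=1)
    return {"added": added, "skipped": skipped, "set_size": len(store)}


if __name__ == "__main__": print(json.dumps(demo(), indent=2))
```

Two points carry over to a real Resilient function: the log source name comes from the incident or a Resilient artifact, so it is escaped before it is placed in the AQL literal, and values are validated against the expected hash shapes before they are written, so a malformed artifact cannot pollute the reference set that QRadar rules key on.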

Duration: 1 Hour 30 Minutes
Follow the link in Related information to view the course on the IBM Security Learning Academy.

Product: IBM Resilient Security Orchestration, Automation and Response Platform (all versions); Line of Business: Automation Platform; Business Unit: IBM Software

This document is the abstract of a technical article; the full article is available to authorized users after logging in.

Document Information

Modified date:
25 July 2022

UID

ibm16460225