IBM Support

QRadar: Recommended practices for running vulnerability scans to QRadar SIEM

Question & Answer


Question

What needs to be considered for running vulnerability scans against QRadar?

Answer

In QRadar, a security bulletin is published when a vulnerability is found. The security bulletins contain the CVE (Common Vulnerabilities and Exposures) ID, the category assessment, X-Force Database details and which version of the product is vulnerable.
When a vulnerability is confirmed, it is patched through Fix Packs or interim fixes.
Requirements
Administrators that want to perform vulnerability scans to QRadar must consider the following requirements:
  1. Have the root user credentials of the Console.
  2. Ensure the vulnerability scanner can connect to the Console by using SSH and port 22.
  3. Configure the scanner tests to use the previously gathered credentials.
    1. Administrators that use QRadar Vulnerability Manager can refer to the product documentation to configure the scanner tests.
    2. Administrators that use third-party scanners must refer to the specific vendor product documentation to configure the connection and the scanner tests.
      Note: Third-party scanners are integrated with QRadar and include HCL BigFix®, Guardium®, AppScan®, Nessus, nCircle, and Rapid 7.
Considerations on managed hosts
Usually, scanning managed hosts is not required. In QRadar deployments, all hosts must have the same patch version (including interim fixes) and RHEL OS version. When a scan to the Console reports a vulnerability, the patch that fixes the security vulnerability is applied on all managed hosts.
Administrators that require scanning managed hosts because of internal or compliance policies must consider the following requirements:
  1. Gather the root user credentials of each managed host in the deployment.
  2. Configure iptables on each managed host to allow connections from the scanner. See How to edit iptables rules in QRadar for examples.
  3. Ensure the vulnerability scanner can connect to each managed host by using SSH and port 22.
  4. Configure the scanner tests to use the previously gathered credentials.
    1. Administrators that use QRadar Vulnerability Manager can refer to the product documentation to configure the scanner tests.
    2. Administrators that use third-party scanners must refer to the specific vendor product documentation to configure the connection and the scanner tests.
      Note: Third-party scanners are integrated with QRadar and include HCL BigFix®, Guardium®, AppScan®, Nessus, nCircle, and Rapid 7.


Document Information

Modified date:
04 May 2022

UID

ibm16578529