
QRadar: How to integrate Cloudflare by using HTTP Receiver protocol

How To


Summary

This article provides the preparation steps to integrate QRadar® with the Cloudflare® service through the HTTP Receiver protocol.

Objective

QRadar administrators can integrate QRadar with the Cloudflare service through the HTTP Receiver protocol.

Before you begin
  • This article is applicable only to QRadar SIEM (on-premises) or QRadar on Cloud (Data Gateway appliance).
  • The HTTP Receiver protocol shares its certificate with the default TLS Syslog listener and the WinCollect config server, so the administrator must validate the design carefully before replacing that certificate.

Environment

The integration of Cloudflare with QRadar can be explained by the four steps shown in the example. Use the numbered steps to follow the Cloudflare process:
  1. Registration
  2. Verification
  3. Response
  4. Completion
Figure 1 (Cloudflare-QRadar-Integration): The integration process for Cloudflare events includes four steps, starting with registration (step 1) and ending with completion (step 4).
  1. Registration: register a LogPush from the administrator's workstation by running a curl command with the necessary parameters, as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol. (The QRadar Console or a managed host can be used instead.)
    The most important registration parameter is "destination_conf": "<QRadar_URL:LogSource_Port>", the HTTP Receiver endpoint that Cloudflare validates in the next step.
  2. Verification: Cloudflare checks that the IP address and port are accessible, then validates the certificate of the HTTP Receiver log source.
  3. Response: If the endpoint is not accessible, the following error is returned:
    • Context deadline exceeded
      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": context deadline exceeded"}],"messages":[],"result":null,"success":false}

      If the endpoint is accessible, Cloudflare then checks the certificate of the HTTP Receiver log source. If the default TLS Syslog certificate is used, the following error is returned:

    • Cannot validate certificate
      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: cannot validate certificate for a.b.c.d because it doesn't contain any IP SANs"}],"messages":[],"result":null,"success":false}

      Even if the administrator has a self-signed certificate with the proper public IP address in the "Subject Alternative Name" field, Cloudflare still rejects it because the certificate must be signed by a commercial (publicly trusted) CA:

    • Certificate signed by unknown authority
      {"errors":[{"code":1002,"message":"error validating destination: error writing object: Post \"https://a.b.c.d:12469\": x509: certificate signed by unknown authority"}],"messages":[],"result":null,"success":false}

      However, many CA providers do not support a public IP address in the CN. Therefore, the recommended approach is to use an FQDN in the CN; any IP address that must be included goes in the SAN field.

  4. Completion: If all parameters are valid, the LogPush is created and starts to send events to the HTTP Receiver log source.

Steps

The following steps are recommended to ensure a successful integration of QRadar with Cloudflare:

  1. In the company's public DNS server, configure a DNS record that points to the public IP address used to receive events from Cloudflare. Note the FQDN.
  2. Create a private key and a Certificate Signing Request (CSR) with the FQDN in the CN, as described in Creating SSL certificate signing request. If a public IP address must be included as well, create a multi-domain (SAN) CSR as described in Creating a multi-domain (SAN) SSL certificate signing request.
  3. Provide the CSR to the CA provider and obtain a signed certificate.
  4. Replace the default TLS Syslog certificate with the new certificate, as described in QRadar: How to replace a TLS Syslog certificate.
  5. Create an HTTP Receiver protocol log source.
  6. Configure the firewall so that the HTTP Receiver port is reachable from Cloudflare.
  7. Register a LogPush with Cloudflare, as described in Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol.
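
The checks Cloudflare performs in the Verification step can be rehearsed before step 7. The following Python script is an added example, not part of this article or of the QRadar or Cloudflare tooling: it connects to the HTTP Receiver endpoint using the system's public CA store, the way Cloudflare does, and maps the outcome onto the three errors listed under Response. The host, port and certificate data it uses are placeholders.

```python
"""Added pre-flight check for the HTTP Receiver endpoint (example, not IBM or Cloudflare code)."""
import socket
import ssl
import sys
from ipaddress import ip_address


def is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def san_covers(cert: dict, host: str) -> bool:
    """True if the SAN entries of a getpeercert()-style dict cover 'host'.

    An IP destination must match an 'IP Address' SAN; the CN is never consulted,
    which is why a certificate with the IP only in the CN fails with
    "doesn't contain any IP SANs".
    """
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        return any(k == "IP Address" and ip_address(v) == ip_address(host) for k, v in sans)
    return any(k == "DNS" and v.lower() == host.lower() for k, v in sans)


def check_destination(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify the endpoint the way Cloudflare's validation would:
    'not_accessible', 'untrusted_ca', 'san_mismatch' or 'ok'."""
    ctx = ssl.create_default_context()   # public CA roots only, like Cloudflare
    ctx.check_hostname = False           # SAN is checked separately below so it is reported on its own
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sni = None if is_ip(host) else host
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted_ca"      # x509: certificate signed by unknown authority
    except OSError:
        return "not_accessible"    # context deadline exceeded / connection refused
    return "ok" if san_covers(cert, host) else "san_mismatch"


if __name__ == "__main__":
    # Placeholder destination (constructed); pass the values used in destination_conf instead.
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("203.0.113.10", 12469)
    print(f"{host}:{port} -> {check_destination(host, port)}")
```

Run it from a host that reaches the endpoint over the public internet, as a Cloudflare-side check from inside the firewall proves nothing about step 6.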

The results

If the registration succeeded, the administrator can see events coming in to QRadar.


Document Information

Modified date:
16 November 2022

UID

ibm16831663