IBM QRadar Integration


Integration of AIR with IBM QRadar is possible via a feature called "Custom Actions".

  • When QRadar generates an alert for an incident, it runs a script provided in Custom Actions,

  • The properties of the alert alongside some fixed properties are then sent to the trigger URL provided in the bash script,

  • Upon receiving the URL request, AIR extracts the IP address or hostname from the URL path and automatically assigns an acquisition task to the endpoint in question. The acquisition profile used for this task is the one selected when you create the trigger.


Steps to Integrate

Step 1: Create a Script File

Create a script file with the contents below and save it as "air-trigger.sh".

#!/bin/bash

# Positional parameters, in the order QRadar passes them (see the table in Step 3)
air_address=$1
trigger_name=$2
trigger_token=$3
endpoint=$4

# Make a GET request to the AIR console trigger API.
# The URL is quoted so that the "?" and the expanded values are passed to curl
# as a single argument instead of being subject to globbing and word splitting;
# --silent/--show-error suppress the progress meter but still report errors.
output=$(curl --silent --show-error "http://$air_address/api/trigger/$trigger_name/$endpoint?token=$trigger_token")

# Print out the response body
echo "$output"

Step 2: Create a Trigger for QRadar

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button on the upper right corner,

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

  • Select "QRadar: Read Endpoint Name or IP Address from URL Path" as the parser for this webhook,

  • Select an Acquisition Profile that will be used when this trigger is activated by QRadar,

  • Select the Ignore option or leave it at its default value (defaults to 24 hours, so repeated alerts for the same endpoint within that window do not start a new acquisition),

  • Provide other settings such as Evidence Repository, CPU Limit, and Compression & Encryption, or let AIR configure them automatically based on the matching policy,

  • Click the "Save" button,

  • Hover your mouse over the webhook link and double-click to copy it (see below).

[Screenshot: Webhook URL to use for providing the QRadar URI parameter]

Step 3: Create a Custom Action in QRadar

  • Go to QRadar Admin > Define Action > Add > Custom Action Define

  • In the "Edit Custom Action" dialog, upload the script file created in Step 1

  • Select "Bash" as the Interpreter value

  • In the "Script Parameters" section

    • Leave "Parameter Name" empty

    • Select the "Fixed Property" radio button and leave the "Value" field empty

    • Do *not* check the "Encrypt Value" option

    • Click the "Add" button and add the parameters listed in the table below

  • Click Save

Name           Type                     Value
air_address    Fixed Property           TYPE-AIR-ADDRESS
trigger_name   Fixed Property           TYPE-TRIGGER-NAME
trigger_token  Fixed Property           TYPE-TRIGGER-TOKEN
endpoint       Network Event Property   sourceip


Please provide the values in the order they are listed above; the script reads them positionally as $1 to $4.

Fixed Property values can be retrieved from the Trigger URL copied in Step 2.

Network Event Property values are provided by QRadar for each alert.
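The endpoint value is taken from the QRadar event (sourceip), so the script places alert-controlled data into a URL path. The following is an added example, not the script from this page or Binalyze's own code, showing how the custom-action script can validate the four parameters before building the trigger URL and let curl encode the token as a query parameter. The parameter names and URL layout follow the page; the console address and sample values in the comments are constructed.

```bash
#!/bin/bash
# Added example (not from the Binalyze documentation): validate the values
# QRadar hands to the custom action before they are placed in the trigger URL.

# Endpoint must be an IPv4 address or a DNS hostname (the parser selected in
# Step 2 reads either from the URL path).
is_valid_endpoint() {
  local ep="$1"
  [ "${#ep}" -le 253 ] || return 1
  printf '%s\n' "$ep" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 0
  printf '%s\n' "$ep" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Build http://AIR_ADDRESS/api/trigger/TRIGGER_NAME/ENDPOINT, rejecting any
# value that could alter the path (slashes, "..", spaces, query characters).
# The token is deliberately not part of this string; fire_trigger passes it
# to curl, which URL-encodes it.
build_trigger_url() {
  local air_address="$1" trigger_name="$2" endpoint="$3"
  printf '%s\n' "$air_address" | grep -Eq '^[A-Za-z0-9.-]+(:[0-9]{1,5})?$' ||
    { echo "invalid air_address: $air_address" >&2; return 1; }
  printf '%s\n' "$trigger_name" | grep -Eq '^[A-Za-z0-9._-]+$' ||
    { echo "invalid trigger_name: $trigger_name" >&2; return 1; }
  is_valid_endpoint "$endpoint" ||
    { echo "invalid endpoint: $endpoint" >&2; return 1; }
  # Plain http as on the page; prefer https if the AIR console offers TLS.
  printf 'http://%s/api/trigger/%s/%s\n' "$air_address" "$trigger_name" "$endpoint"
}

# Send the request. --fail turns an HTTP 4xx/5xx from AIR into a non-zero exit
# code that QRadar records, and --max-time keeps a hung console from blocking
# the custom action indefinitely. Arguments: AIR_ADDRESS TRIGGER_NAME TOKEN ENDPOINT
fire_trigger() {
  local url
  url=$(build_trigger_url "$1" "$2" "$4") || return 1
  curl --silent --show-error --fail --max-time 15 \
       --get --data-urlencode "token=$3" "$url"
}

# QRadar invokes the script with exactly four parameters, in the table's order.
if [ "$#" -eq 4 ]; then
  fire_trigger "$@"
fi
```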
