IBM QRadar Integration

Integration of AIR with IBM QRadar is possible via a feature called "Custom Actions".

  • When QRadar generates an alert for an incident, it runs a script provided in Custom Actions,

  • The properties of the alert alongside some fixed properties are then sent to the trigger URL provided in the bash script,

  • Upon receiving the URL request, AIR extracts the IP address or Hostname from the URL and automatically assigns an acquisition task to the endpoint in question. The acquisition profile that will be used for this task is provided when you create a trigger.

Steps to Integrate

Step 1: Create a Script File

Create a script file with the contents below and save it as "air-trigger.sh"

#!/bin/bash

# Define external variables
air_address=$1
trigger_name=$2
trigger_token=$3
endpoint=$4

# Make a GET request to AIR console API 
output=$(curl -k http://$air_address/api/webhook/$trigger_name/$endpoint?token=$trigger_token)

# Print out the output
echo $output

Step 2: Create a Trigger for QRadar

  • Visit the Triggers page in Binalyze AIR

  • Click the "+ New Trigger" button on the upper right corner

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, and etc.)

  • Select "QRadar Read Endpoint Name or IP Address from URL Path" as the parser for this trigger

  • Select an Acquisition Profile that will be used when this trigger is activated by QRadar

  • Select the Ignore option or leave it with its default value (defaults to 24 hours for recurrent alerts for a single endpoint)

  • Provide other settings such as Compression, Encryption, Evidence Repository to use or let AIR configure them automatically based on the matching policy

  • Click the "Save" button

  • Hover your mouse over the link below the Trigger name and click to copy

Step 3: Create a Custom Action in QRadar

  • Go to QRadar Admin > Define Action > Add > Custom Action Define

  • In the "Edit Custom Action" dialog, upload the script file created in the step above

  • Select "Bash" as the Interpreter value

  • In the "Script Parameters" section

    • Leave "Parameter Name" empty

    • Select the "Fixed Property" radio button and leave the "Value" field empty

    • Do *not* check the "Encrypt Value" option

    • Click the "Add" button and add the parameters listed in the below table

  • Click Save

Name

Type

Value

air_address

Fixed Property

TYPE-AIR-ADDRESS

trigger_name

Fixed Property

TYPE-TRIGGER-NAME

trigger_token

Fixed Property

TYPE-TRIGGER-TOKEN

endpoint

Network Event Property

sourceip

Please provide the values in the order they are listed above.

Fixed Property values can be retrieved from the Trigger URL (read more).

Network Event Property values are provided by the QRadar for each alert.

Last updated