IBM QRadar Integration
Integration of AIR with IBM QRadar is possible via a feature called "Custom Actions".
When QRadar generates an alert for an incident, it runs a script provided in Custom Actions,
The properties of the alert alongside some fixed properties are then sent to the trigger URL provided in the bash script,
Upon receiving the URL request, AIR extracts the IP address or Hostname from the URL and automatically assigns an acquisition task to the endpoint in question. The acquisition profile that will be used for this task is provided when you create a trigger.
Steps to Integrate
Step 1: Create a Script File
Create a script file with the contents below and save it as "air-trigger.sh"
Step 2: Create a Trigger for QRadar
Visit the Triggers page in Binalyze AIR
Click the "+ New Trigger" button on the upper right corner
Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, and etc.)
Select "QRadar Read Endpoint Name or IP Address from URL Path" as the parser for this trigger
Select an Acquisition Profile that will be used when this trigger is activated by QRadar
Select the Ignore option or leave it with its default value (defaults to 24 hours for recurrent alerts for a single endpoint)
Provide other settings such as Compression, Encryption, Evidence Repository to use or let AIR configure them automatically based on the matching policy
Click the "Save" button
Hover your mouse over the link below the Trigger name and click to copy
Step 3: Create a Custom Action in QRadar
Go to QRadar Admin > Define Action > Add > Custom Action Define
In the "Edit Custom Action" dialog, upload the script file created in the step above
Select "Bash" as the Interpreter value
In the "Script Parameters" section
Leave "Parameter Name" empty
Select the "Fixed Property" radio button and leave the "Value" field empty
Do *not* check the "Encrypt Value" option
Click the "Add" button and add the parameters listed in the below table
Click Save
Name
Type
Value
air_address
Fixed Property
TYPE-AIR-ADDRESS
trigger_name
Fixed Property
TYPE-TRIGGER-NAME
trigger_token
Fixed Property
TYPE-TRIGGER-TOKEN
endpoint
Network Event Property
sourceip
Please provide the values in the order they are listed above.
Fixed Property values can be retrieved from the Trigger URL (read more).
Network Event Property values are provided by the QRadar for each alert.
Last updated