IBM QRadar Integration

Integration of AIR with IBM QRadar is possible via a feature called "".

When QRadar generates an alert for an incident, it runs a script provided in Custom Actions,
The properties of the alert alongside some fixed properties are then sent to the trigger URL provided in the bash script,
Upon receiving the URL request, AIR extracts the IP address or Hostname from the URL and automatically assigns an acquisition task to the endpoint in question. The acquisition profile that will be used for this task is provided when you create a trigger.

Steps to Integrate

Step 1: Create a Script File

Create a script file with the contents below and save it as "air-trigger.sh"

#!/bin/bash

# Define external variables
air_address=$1
trigger_name=$2
trigger_token=$3
endpoint=$4

# Make a GET request to AIR console API 
output=$(curl -k http://$air_address/api/webhook/$trigger_name/$endpoint?token=$trigger_token)

# Print out the output
echo $output

Step 2: Create a Trigger for QRadar

Visit the Triggers page in Binalyze AIR
Click the "+ New Trigger" button on the upper right corner
Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, and etc.)
Select "QRadar Read Endpoint Name or IP Address from URL Path" as the parser for this trigger
Select an Acquisition Profile that will be used when this trigger is activated by QRadar
Select the Ignore option or leave it with its default value (defaults to 24 hours for recurrent alerts for a single endpoint)
Provide other settings such as Compression, Encryption, Evidence Repository to use or let AIR configure them automatically based on the matching policy
Click the "Save" button
Hover your mouse over the link below the Trigger name and click to copy

Step 3: Create a Custom Action in QRadar

Go to QRadar Admin > Define Action > Add > Custom Action Define
In the "Edit Custom Action" dialog, upload the script file created in the step above
Select "Bash" as the Interpreter value
In the "Script Parameters" section
- Leave "Parameter Name" empty
- Select the "Fixed Property" radio button and leave the "Value" field empty
- Do *not* check the "Encrypt Value" option
- Click the "Add" button and add the parameters listed in the below table
Click Save

Name

Type

Value

air_address

Fixed Property

TYPE-AIR-ADDRESS

trigger_name

Fixed Property

TYPE-TRIGGER-NAME

trigger_token

Fixed Property

TYPE-TRIGGER-TOKEN

endpoint

Network Event Property

sourceip

Please provide the values in the order they are listed above.

Fixed Property values can be retrieved from the Trigger URL.

Network Event Property values are provided by QRadar for each alert.

PreviousSplunk Integration NextWazuh Integration

Last updated 5 days ago

Was this helpful?

#!/bin/bash # Define external variables air_address=$1 trigger_name=$2 trigger_token=$3 endpoint=$4 # Make a GET request to AIR console API output=$(curl -k http://$air_address/api/webhook/$trigger_name/$endpoint?token=$trigger_token) # Print out the output echo $output