IBM QRadar App Installation and Configuration

This section describes how to install and configure the IBM QRadar App for IntSights.

The following table shows the minimum version requirements:

ComponentVersion
IBM QRadar7.4.1 FP2 and later

Version updates

 
1
The following table shows version updates:
App versionChange description
1.2.0- Added a configurable option “Protocol” on the Account Config page to support TCP/UDP protocol for forwarding events.- Alignment to new TIP API routes.- Added a configurable option “Fetch Retired IOCs” on the Input Config page for each IOC type.
1.1.0- Migrated IntSights API endpoints to v2.- Added a configurable option “Fetch Retired IOCs” on the Input Config page for each IOC Type.
1.0.2- Fixed CEPs conflict for “IOC Value” and “IOC Type”.
1.01- Resolved the issue of Internal Server Error on configuration page in QRadar instances with version 7.4.3 FP3 or higher.

To integrate Threat Command data, you must have a valid Threat Command subscription to the TIP module.

Before you can use the external app with Rapid7 Threat Command you need to add the app.

Add external app

Before using an external app, you must add it. There are two parts to adding an app:

  • Your admin must enable the app for you to add.
  • After that, you add the external app.

To add an external app:

  1. From the main menu, select Automation > Integrations.
  2. From the Integrations page, click External.
    temporary placeholder
  1. Click Add new device.
  2. Select the Device type.
  • A default name is added. If the external device to add isn't displayed, ask your admin to enable it for you.
  1. Click Add.

The new device is added.

Installing the IntSights IBM QRadar App

The IBM QRadar app is installed from the IBM App Store. 

Prerequisites

  • You have the Threat Command account ID and API key, as described in API key and account ID.
  • This enables the IBM QRadar app to connect with your Threat Command instance.
  • You can access the IBM app store.
  • You must be able to authenticate with IBM QRadar as administrator.

To install the IntSights IBM QRadar App:

  1. From the IMB app store, download the IntSights App for QRadar from https://exchange.xforce.ibmcloud.com/hub/extension/f2f48af32f23ba6ee4e87dc97a29c690
  2. Log in to the IBM QRadar console at https://<QRadarconsole_IP_address>
  3. From the console menu, choose Admin > Extensions Management.
  4. Click Add, browse to the downloaded app file, then click Add.
  5. Click Install to confirm the QRadar list of changes to be made.
  6. Clear the browser cache and refresh the window.
  7. (Optional) To confirm installation, from the console menu, choose Admin > Extensions Management.
  • IntSights App for QRadar should show that it is installed.

The application is installed.

Configuring the IntSights App for IBM QRadar account and proxy

After installation, you must configure the account. You can also configure the proxy (optional).

Prerequisites

  • The IntSights App for IBM QRadar must be installed.
  • You need a QRadar authorized service token. 
  • You can get this from the Admin panel, in the Authorized Services section of the User Management section. The permissions for User Role and Security Profile must be set to Admin.

To configure the account, proxy, and logging:

  1. Log in to IBM QRadar.
  2. From the Apps section of the Admin panel, find IntSights App for QRadar.
    temporary placeholder
  1. Click IntSights App for QRadar Configuration Page.
  2. Configure the account:
    1. Click Account Config.
    2. Type the Threat Command Account ID and API Key and the QRadar Authorization Token.
    3. (Optional) By default, correlated IOCs are tagged for viewing in Threat Command. To disable tagging, clear Add IOC tags and comments.
    4. (Optional) To set up the proxy, proceed as follows:
      1. Click Enable Proxy.
      2. Type the proxy server IP address (or hostname) and port.
      3. To require proxy authentication select Require Authentication for Proxy.
    5. Click Save.
  3. Configure the inputs:
    1. Click Input Config.
    2. For each input type to collect, do the following:
  •  
    1
       | Field | Do this |
    2
       | --- | --- |
    3
       | Enable | Select this to enable the collection of this IOC type. |
    4
       | Interval | Enter the time (seconds) between collection intervals. The minimum is 1 hour (3,600 seconds) and the defaults are:- IP address - 2 weeks.- URL and email address - 2 months.- File hash and domains - 3 months. |
    5
       | Start Time | Set from when the first IOC should be imported. The time must be within the past six months. |
    6
       | Severity | Select the severity (High, medium, low, or all) of the IOCs to be collected. |
    7
       | Reporting Feeds | Select the Threat Command reporting feeds from which IOCs should be collected. |
    1. Click Save.

    After configuration is complete, IOC collection will begin. Data is saved in the Log activity and in the following Reference  sets:

The collected IOCs are presented in the Threat Command Dashboard IOC Overview page.

To configure correlation, see Configuring Correlation in the IBM QRadar App.