IBM QRadar SIEM helps your business by detecting anomalies, uncovering advanced threats and removing false positives. It consolidates log events and network flow data from thousands of devices, endpoints, and applications distributed throughout a network.
This document provides information about the IBM QRadar connector, which facilitates automated interactions with a QRadar server using FortiSOAR™ playbooks. Add the IBM QRadar connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about offenses and their details from QRadar, and querying a QRadar device.
Connector Version: 1.5.0d
FortiSOAR™ Version Tested on: 5.1.0-464
IBM QRadar Version Tested on: 7.2.8
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the IBM QRadar connector in version 1.5.0:
Support for the Fetch Data Sample screen in the FortiSOAR™ Data Ingestion Wizard. For information about data ingestion, see the Ingesting IBM QRadar data using the Data Ingestion Wizard section that is present later in this article and the "Data Ingestion" chapter in the FortiSOAR™ product documentation.
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-qradar
The IBM QRadar connector uses the /api/ariel/* and /api/siem/* APIs; therefore, ensure that you have the appropriate access as required by these APIs.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the IBM QRadar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Address | IP address of the QRadar server from where the connector gets offenses information and to which you connect and perform automated operations. |
API Token | API token to access the QRadar server to which you connect and perform automated operations. |
API Version | Version of the QRadar API to be used for performing automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True. |
If you want to forward offenses to FortiSOAR™ from the QRadar UI directly, then you must install the CyberSponse Application on the QRadar server. The extension zip file (CyberSponse_1.1.0.zip) is attached with this document. Upload and install the extension on the QRadar console following the steps described in the following IBM document: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/t_cmt_importing_extensions.html.
After the installation, the CyberSponse Integration icon appears in the Plug-ins section of the Admin tab. Click the CyberSponse Integration icon to open the Server Configuration dialog. Enter the details of the CyberSponse server to which you want to forward the offenses and then click Save.
Ensure that the QRadar server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443. Now, you can forward offenses to FortiSOAR™ by using the Create CyOPs alert button in the Offense Summary Toolbar, as shown in the following image:
Clicking the Create CyOPs alert button sends a POST trigger to the https://<CyOPs>/api/triggers/1/qradar URL with the payload {"Offense_ID": <id>}.
The API - Push Offense From QRadar included playbook listens to this API trigger, fetches all the data related to the offense specified by the offense ID, and creates a FortiSOAR™ alert. You can verify the integration with the help of this playbook, or make a copy of the playbook and update it as per your requirement. If you make a copy, deactivate the included playbook to avoid two playbooks acting on the same API trigger.
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Offenses from QRadar | Retrieves a list of offenses from the QRadar server based on the filter string that you have specified. | get_offenses Investigation |
Get Events Related to an Offense | Retrieves details of events associated with a QRadar offense, from the QRadar server, based on the QRadar offense ID that you have specified. | get_events Investigation |
Make an Ariel Query to QRadar | Executes an Ariel query on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters. | run_query Investigation |
Get Offense Closing Reasons | Retrieves a list of closing reasons associated with all offenses from the QRadar server. | get_offense_closing_reasons Remediation |
Close Offense | Closes an offense on the QRadar server based on the offense ID that you have specified. | close_offense Remediation |
Get Source IP Addresses | Retrieves IP address details associated with source address IDs from the QRadar server, based on the source address IDs that you have specified. | ip_details Investigation |
Get Destination IP Addresses | Retrieves IP address details associated with destination address IDs from the QRadar server, based on the destination address IDs that you have specified. | ip_details Investigation |
Invoke QRadar REST API | Invokes a function to Get or Post an API endpoint on the QRadar server. | api_call Miscellaneous |
Get Offense Types | Retrieves a list containing IDs of all the offense types from the QRadar server. | get_offense_type Investigation |
Manipulate Reference Set Content | Adds or deletes the content that you have specified from a specified reference set on QRadar. | handle_reference_set_value Investigation |
Get Offense Notes | Retrieves a list of notes associated with a specified offense in QRadar based on the offense ID you have specified. | get_notes Remediation |
Create Note | Creates a note for a specified offense in QRadar based on the offense ID you have specified. | add_notes Remediation |
Operation: Get Offenses from QRadar
Parameter | Description |
---|---|
Filter String | Filter string based on which you want to retrieve the list of offenses from QRadar. For example, assigned_to="admin". |
The JSON output contains a list of offenses retrieved from the QRadar server, based on the filter string that you have specified.
The output contains the following populated JSON schema:
{
"source_count": "",
"credibility": "",
"status": "",
"categories": [
""
],
"protected": "",
"offense_source": "",
"event_count": "",
"closing_user": "",
"closing_reason_id": "",
"policy_category_count": "",
"last_updated_time": 1501624285172,
"severity": "",
"username_count": "",
"description": "",
"assigned_to": "",
"destination_networks": [
""
],
"security_category_count": "",
"start_time": 1501624284334,
"id": "",
"offense_type": "",
"relevance": "",
"device_count": "",
"magnitude": "",
"domain_id": "",
"local_destination_address_ids": [
""
],
"inactive": "",
"source_address_ids": [
""
],
"category_count": "",
"source_network": "",
"local_destination_count": "",
"flow_count": "",
"follow_up": "",
"close_time": "",
"remote_destination_count": ""
}
Operation: Get Events Related to an Offense
Parameter | Description |
---|---|
QRadar Offense ID | Offense ID based on which you want to retrieve events from QRadar. |
Offense Start Time | Number of milliseconds since epoch at which the offense was started. |
Offense Last Update Time | Number of milliseconds since epoch at which the offense was last modified. |
Max Events to return | (Optional) Maximum number of events that this operation should return. |
The JSON output contains details of events associated with a QRadar offense, retrieved from the QRadar server, based on the QRadar offense ID that you have specified.
The output contains the following populated JSON schema:
{
"events": [
{
"starttime": "",
"category": "",
"username": "",
"logsourceid": "",
"eventcount": "",
"protocolid": "",
"identityip": "",
"sourceip": "",
"qid": "",
"destinationip": "",
"magnitude": "",
"sourceport": "",
"destinationport": ""
}
]
}
Operation: Make an Ariel Query to QRadar
Parameter | Description |
---|---|
Ariel Search String | Ariel query that you want to be run on the QRadar server. |
The JSON output contains details of offenses or events depending on the query that you run on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters.
The output contains a non-dictionary value.
Operation: Get Offense Closing Reasons
Parameters: None
The JSON output contains a list of closing reasons associated with all offenses retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"is_reserved": "",
"id": "",
"text": "",
"is_deleted": ""
}
Operation: Close Offense
Parameter | Description |
---|---|
Offense ID | ID of the offense that you want to close on the QRadar server. |
Offense Closing Reason - ID | ID of the offense closing reason using which you want to close the offense on the QRadar server. |
Closure Note | (Optional) Note that you want to associate with the offense that you want to close on the QRadar server. |
The JSON output contains the updated offense details, including the status (should be closed) of the specified offense retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"source_count": "",
"credibility": "",
"status": "",
"categories": [],
"protected": "",
"offense_source": "",
"event_count": "",
"closing_user": "",
"closing_reason_id": "",
"policy_category_count": "",
"last_updated_time": "",
"severity": "",
"username_count": "",
"description": "",
"assigned_to": "",
"destination_networks": [],
"security_category_count": "",
"start_time": "",
"id": "",
"offense_type": "",
"relevance": "",
"device_count": "",
"magnitude": "",
"domain_id": "",
"local_destination_address_ids": [],
"inactive": "",
"source_address_ids": [],
"category_count": "",
"source_network": "",
"local_destination_count": "",
"flow_count": "",
"follow_up": "",
"close_time": "",
"remote_destination_count": ""
}
Operation: Get Source IP Addresses
The offense data provided by QRadar contains the IDs of the source addresses. Use this operation to fetch the IP address details for the specified source address IDs.
Parameter | Description |
---|---|
Source Address Ids | IDs of source addresses based on which you want to retrieve IP address details from the QRadar server. For example, [3,4,5]. |
The JSON output contains the IP address details associated with the specified source address IDs, retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"id": "",
"magnitude": "",
"source_ip": "",
"network": ""
}
Operation: Get Destination IP Addresses
The offense data provided by QRadar contains the IDs of the destination addresses. Use this operation to fetch the IP address details for the specified destination address IDs.
Parameter | Description |
---|---|
Destination Address Ids | IDs of destination addresses based on which you want to retrieve IP address details from the QRadar server. For example, [3,4,5]. |
The JSON output contains the IP address details associated with the specified destination address IDs, retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"local_destination_ip": "",
"id": "",
"magnitude": "",
"network": ""
}
Operation: Invoke QRadar REST API
If you need to invoke a QRadar API apart from the functions that we provide, you can use this function to directly invoke the QRadar API. Refer to IBM documentation for more information on the QRadar REST APIs: https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_adm_restapi_using.html.
Parameter | Description |
---|---|
Endpoint | Specifies the REST endpoint. For example, siem or offenses. |
Request Method | Select the request method. You can choose between GET or POST. |
Headers in json format | (Optional) Additional JSON formatted headers. The following headers are already added by the connector: 'Accept': 'application/JSON', 'Content-Type': 'application/JSON', 'SEC': <token>, 'Version': <api_version>. |
The JSON output contains the JSON response of the API invoked.
The output contains a non-dictionary value.
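The request conventions documented above (the SEC token and Version headers, JSON Accept/Content-Type, the Verify SSL setting, and the /api/siem/* and /api/ariel/* endpoints), shown in an added Python example that is not the connector's own code. The Ariel create-search/poll/results sequence and the `id in (...)` filter syntax are QRadar REST API behaviour assumed here rather than documented on this page; FakeQRadar, its sample responses and the host qradar.example are constructed so the code runs offline.

```python
"""Minimal QRadar REST client following the connector's documented conventions.
Added example, not the connector's code; FakeQRadar is a constructed stand-in."""
import json
import ssl
import time
import urllib.parse
import urllib.request


class QRadarClient:
    def __init__(self, address, token, api_version, verify_ssl=True, transport=None):
        self.base = f"https://{address}/api"
        # Same headers the connector adds to every request (see the table above).
        self.headers = {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "SEC": token,
            "Version": api_version,
        }
        self.verify_ssl = verify_ssl          # keep True outside a lab, as the connector defaults
        self._send = transport or self._http  # transport(method, url, body) -> parsed JSON

    def _http(self, method, url, body):
        ctx = ssl.create_default_context()
        if not self.verify_ssl:  # mirrors Verify SSL = False: certificate checks are disabled
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, method, endpoint, params=None, body=None):
        """Generic call, like the connector's Invoke QRadar REST API operation."""
        url = f"{self.base}/{endpoint.strip('/')}"
        if params:
            url += "?" + urllib.parse.urlencode(params)  # encodes quotes, spaces, parentheses
        return self._send(method, url, body)

    def get_offenses(self, filter_string):
        return self.call("GET", "siem/offenses", {"filter": filter_string})

    def get_source_addresses(self, address_ids):
        ids = [int(i) for i in address_ids]  # ids come from offense data; accept integers only
        id_list = ",".join(str(i) for i in ids)
        return self.call("GET", "siem/source_addresses", {"filter": f"id in ({id_list})"})

    def run_ariel_query(self, aql, poll_interval=1.0, max_polls=60):
        """Ariel searches are asynchronous: create, poll until COMPLETED, then fetch results."""
        search = self.call("POST", "ariel/searches", {"query_expression": aql})
        search_id = search["search_id"]
        for _ in range(max_polls):
            status = search["status"]
            if status == "COMPLETED":
                return self.call("GET", f"ariel/searches/{search_id}/results")
            if status in ("CANCELED", "ERROR"):
                raise RuntimeError(f"Ariel search {search_id} ended with status {status}")
            time.sleep(poll_interval)
            search = self.call("GET", f"ariel/searches/{search_id}")
        raise TimeoutError(f"Ariel search {search_id} did not complete after {max_polls} polls")


class FakeQRadar:
    """Constructed offline stand-in for a QRadar server; the data is sample data,
    not real QRadar output. Records (method, path, query params) of each request."""

    def __init__(self):
        self.calls = []
        self.polls = 0

    def __call__(self, method, url, body):
        parts = urllib.parse.urlparse(url)
        self.calls.append((method, parts.path, dict(urllib.parse.parse_qsl(parts.query))))
        if parts.path == "/api/siem/offenses":
            return [{"id": 42, "status": "OPEN", "source_address_ids": [3, 4]}]
        if parts.path == "/api/siem/source_addresses":
            return [{"id": 3, "source_ip": "10.0.0.5"}, {"id": 4, "source_ip": "10.0.0.6"}]
        if parts.path == "/api/ariel/searches" and method == "POST":
            return {"search_id": "s1", "status": "WAIT"}
        if parts.path == "/api/ariel/searches/s1":
            self.polls += 1  # the second poll reports completion
            return {"search_id": "s1", "status": "COMPLETED" if self.polls >= 2 else "EXECUTE"}
        if parts.path == "/api/ariel/searches/s1/results":
            return {"events": [{"sourceip": "10.0.0.5", "qid": 5000001}]}
        raise ValueError(f"unexpected request {method} {url}")


def demo(transport=None):
    """Offense -> source addresses -> events: the chain the connector's operations cover."""
    client = QRadarClient("qradar.example", "TOKEN", "9.0", transport=transport or FakeQRadar())
    offense = client.get_offenses('status="OPEN"')[0]
    addresses = client.get_source_addresses(offense["source_address_ids"])
    events = client.run_ariel_query("SELECT sourceip, qid FROM events LIMIT 10", poll_interval=0)
    return offense, addresses, events


if __name__ == "__main__":
    print(demo())
```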
Operation: Get Offense Types
Parameters: None
The JSON output contains a list containing IDs of all the offense types retrieved from the QRadar server. You can use the offense type IDs as a filter criterion in the Get Offenses operation.
The output contains the following populated JSON schema:
{
"id": "",
"property_name": "",
"database_type": "",
"name": "",
"custom": ""
}
Operation: Manipulate Reference Set Content
Parameter | Description |
---|---|
Request Method | Select the request method option of the operation that you want to perform on the specified reference set in QRadar. You can choose from Retrieves Value, Add Value, or Delete Value. |
Reference Set Name | Name of the reference set in which you want to perform the operation based on the option you have specified in the Request Method. |
Value | Value that you want to add or remove from the specified reference set. You must specify the value in this field if you have chosen Add Value or Delete Value as the Request Method. |
The output is conditional and based on the request method that you choose.
For example, if you choose Retrieves Value as the Request Method, then the output contains the following populated JSON schema:
{
"data": [
{
"first_seen": "",
"last_seen": "",
"source": "",
"value": ""
}
],
"message": "",
"element_type": "",
"timeout_type": "",
"name": "",
"number_of_elements": "",
"creation_time": ""
}
Or for example, if you choose Add Value or Delete Value as the Request Method, then the output contains the following populated JSON schema:
{
"message": "",
"element_type": "",
"timeout_type": "",
"name": "",
"number_of_elements": "",
"creation_time": ""
}
Operation: Get Offense Notes
Parameter | Description |
---|---|
Offense ID | ID of the offense whose associated notes you want to retrieve from the QRadar server. |
The output contains the following populated JSON schema:
{
"username": "",
"id": "",
"create_time": "",
"note_text": ""
}
Operation: Create Note
Parameter | Description |
---|---|
Offense ID | ID of the offense for which you want to create a note on the QRadar server. |
Closure Note | Text of the closure note that you want to create for the specified offense on the QRadar server. |
The output contains the following populated JSON schema:
{
"username": "",
"id": "",
"create_time": "",
"note_text": ""
}
The Sample - IBM QRadar - 1.5.0 playbook collection comes bundled with the IBM QRadar connector. This playbook collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the IBM QRadar connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during the connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling offenses from IBM QRadar. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
Process of ingesting offenses from IBM QRadar using the Data Ingestion Wizard
On the Connectors page, you will see the list of installed connectors, either in the card view or the grid/list view.
In the Connector Configuration pane, click Configure Data Ingestion to display the Data Ingestion Wizard.
On the Fetch Sample Data screen, specify the offenses to pull, for example status="Open" in the Search Query field, and the timezone, for example UTC.
The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of a Key-Value pair. For example, {{vars.sourcedata["severity"]}} is added in the Severity field.
On the Scheduling screen, you can specify the schedule for data ingestion from the connector into FortiSOAR™, i.e., you can specify the polling frequency to IBM QRadar, so that the content gets pulled from IBM QRadar into FortiSOAR™. By default, scheduling is set to pull data every 5 minutes.
The Summary screen displays a brief summary of the mapping done and it also contains links to the modified playbooks.
If you want to ingest data into a module other than Alerts, then in the IBM QRadar > Post Create Alert > Fetch Events playbook, in the Start step (Post-Create trigger), in the Resource field, update the resource from Alerts to the module based on which you want to fetch the data.
In the > QRadar > Create Alert playbook, in the Add a note of offense update step, in the "Correlations" section, you will see an Alerts field that is being set. If you are using a module other than "Alert", then you will see a field with that name and you will need to set that field. For example, if you are using the "Incidents" module, then you will see the Incidents field and you will need to set that to ["{{vars.steps.Create_Record['@id']}}"].
To fetch additional event fields, in the IBM QRadar > Post Create Alert > Fetch Events playbook, in the Set Variable step, add custom fields to the event_query_params variable. By default, this is set as: starttime,sourceip,destinationip,username,QIDNAME(qid) as 'Event_Name',CATEGORYNAME(category) AS 'Category_Name',LOGSOURCENAME(logsourceid) as 'Log_Source'
The IBM QRadar > Post Create Alert > Fetch Events playbook is located at: Settings > System Fixtures > Data Ingestion Playbooks.
Issue: Using the Data Ingestion Wizard, in the Fetch Data screen, you specify the timezone to fetch events from IBM QRadar. This, in turn, creates a global variable named QRadarTimeZone. The value of this global variable does not get populated with the time zone you have specified. Due to this, the events that are fetched for the offense are not based on the specified timezone.
Resolution: To resolve this issue, open the >> IBM QRadar > Init playbook in the playbook designer and click Options > Edit Parameters. In the Parameters dialog, click Add Parameter, enter qradar_timezone, and click Submit. Then, open the > IBM QRadar > Fetch playbook in the playbook designer and open the Environment Setup step. You will see the qradar_timezone parameter in this step, in which you should enter {{vars.qradar_timezone}}. This, in turn, passes the timezone value that you have specified in the Ingestion Wizard to the QRadarTimeZone global variable. Thereby, events will be fetched for the offense based on the specified timezone.
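The Fetch Events playbook above builds an AQL query from the offense ID, the offense start and last-update times, the optional maximum event count and the event_query_params field list, and the offense ID may originate in the {"Offense_ID": <id>} trigger payload described earlier. This added Python example (not the playbook's own code) validates each of those inputs before it is interpolated into AQL; the INOFFENSE() function and the LIMIT/START/STOP clauses are standard AQL assumed here rather than documented on this page, and the trigger payload in the demo is constructed.

```python
"""Build the events-for-an-offense AQL from the Fetch Events parameters, validating
every interpolated value first. Added example, not the playbook's own code."""
import re

# Default field list of the event_query_params variable, as documented above.
DEFAULT_EVENT_QUERY_PARAMS = (
    "starttime,sourceip,destinationip,username,"
    "QIDNAME(qid) as 'Event_Name',CATEGORYNAME(category) AS 'Category_Name',"
    "LOGSOURCENAME(logsourceid) as 'Log_Source'"
)


def checked_int(value, name):
    """Accept an int or a digit-only string; reject bools, floats, blanks, negatives and
    anything that could carry AQL syntax (for example '17 OR 1=1')."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{name} must be an integer, got {type(value).__name__}")
    text = str(value).strip()
    if not re.fullmatch(r"[1-9]\d*|0", text):
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return int(text)


def offense_id_from_trigger(payload):
    """Validate the {"Offense_ID": <id>} body sent by the Create CyOPs alert button."""
    if not isinstance(payload, dict) or "Offense_ID" not in payload:
        raise ValueError("trigger payload must be a JSON object with an Offense_ID key")
    return checked_int(payload["Offense_ID"], "Offense_ID")


def offense_events_aql(offense_id, start_time, last_updated_time, max_events=None,
                       fields=DEFAULT_EVENT_QUERY_PARAMS):
    """Events belonging to one offense, bounded by the offense's own time window
    (epoch milliseconds, as QRadar reports start_time and last_updated_time)."""
    oid = checked_int(offense_id, "offense_id")
    start = checked_int(start_time, "start_time")
    stop = checked_int(last_updated_time, "last_updated_time")
    if stop < start:
        raise ValueError("last_updated_time is earlier than start_time")
    aql = f"SELECT {fields} FROM events WHERE INOFFENSE({oid})"
    if max_events is not None:
        aql += f" LIMIT {checked_int(max_events, 'max_events')}"
    return aql + f" START {start} STOP {stop}"


if __name__ == "__main__":
    # Constructed trigger payload; the timestamps are the sample values shown in the
    # offense schema above.
    oid = offense_id_from_trigger({"Offense_ID": "17"})
    print(offense_events_aql(oid, 1501624284334, 1501624285172, max_events=100))
```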
IBM QRadar SIEM helps your business by detecting anomalies, uncovering advanced threats and removing false positives. It consolidates log events and network flow data from thousands of devices, endpoints, and applications distributed throughout a network.
This document provides information about the IBM QRadar connector, which facilitates automated interactions, with a QRadar server using FortiSOAR™ playbooks. Add the IBM QRadar connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about the offenses and details of the offenses from QRadar and also querying a QRadar device.
Connector Version: 1.5.0d
FortiSOAR™ Version Tested on: 5.1.0-464
IBM QRadar Version Tested on: 7.2.8
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the IBM QRadar connector in version 1.5.0:
Fetch Data Sample
screen in the FortiSOAR™ Data Ingestion Wizard. For information about data ingestion, see the Ingesting IBM QRadar data using the Data Ingestion Wizard section that is present later in this article and the "Data Ingestion" chapter in the FortiSOAR™ product documentation.From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-qradar
/api/ariel/*
and /api/siem/*
APIs, therefore ensure that you have the appropriate access as required by these APIs.For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the IBM QRadar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Address | IP address of the QRadar server from where the connector gets offenses information and to which you connect and perform automated operations. |
API Token | API token to access the QRadar server to which you connect and perform automated operations. |
API Version | Version of the QRadar API to be used for performing automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True. |
If you want to forward offenses to FortiSOAR™ from the QRadar UI directly, then you require to install the CyberSponse Application on the QRadar server. The extension zip file (CyberSponse_1.1.0.zip) is attached with this document. Upload and install the extension on the QRadar console following the steps described in the following IBM document: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/t_cmt_importing_extensions.html.
After the installation, the CyberSponse Integration icon appears in the Plug-ins
section of the Admin tab.
Click the CyberSponse Integration icon to open the Server Configuration
dialog. Enter the details of the CyberSponse server to which you want to forward the offenses and then click Save.
Ensure that the QRadar server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443. Now, you can forward offenses to FortiSOAR™ by using the Create CyOPs alert button in the Offense Summary Toolbar
as shown in the following image:
Clicking the Create CyOPs alert button sends a POST trigger to the https://<CyOPs>/api/triggers/1/qradar with the payload {“Offense_ID”: <id>}
URL.
The API - Push Offense From QRadar included playbook listens to this API trigger and fetches all the data related to the offense specified in the offense id and creates a FortiSOAR™ alert. You can verify the integration with the help of this playbook or make a copy of the playbook and update it as per your requirement. If you make a copy, deactivate the included playbook, to avoid two playbooks acting on the same API trigger.
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Offenses from QRadar | Retrieves a list of offenses from the QRadar server based on the filter string that you have specified. | get_offenses Investigation |
Get Events Related to an Offense | Retrieves details of events associated with a QRadar offense, from the QRadar server, based on the QRadar offense ID that you have specified. | get_events Investigation |
Make an Ariel Query to QRadar | Executes an Ariel query on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters. | run_query Investigation |
Get Offense Closing Reasons | Retrieves a list of closing reasons associated with all offenses from the QRadar server. | get_offense_closing_reasons Remediation |
Close Offense | Closes an offense on the QRadar server based on the offense ID that you have specified. | close_offense Remediation |
Get Source IP Addresses | Retrieves IP address details associated with source address IDs from the QRadar server, based on the source address IDs that you have specified | ip_details Investigation |
Get Destination IP Addresses | Retrieves IP address details associated with a destination address IDs from the QRadar server, based on the destination address IDs that you have specified | ip_details Investigation |
Invoke QRadar REST API | Invokes a function to Get or Post an API endpoint on the QRadar server. | api_call Miscellaneous |
Get Offense Types | Retrieves a list containing IDs of all the offense types from the QRadar server. | get_offense_type Investigation |
Manipulate Reference Set Content | Adds or deletes the content that you have specified from a specified reference set on QRadar. | handle_reference_set_value Investigation |
Get Offense Notes | Retrieves a list of notes associated with a specified offense in QRadar based on the offense ID you have specified. | get_notes Remediation |
Create Note | Creates a note for a specified offense in QRadar based on the offense ID you have specified. | add_notes Remediation |
Parameter | Description |
---|---|
Filter String | Filter string based on which you want to retrieve the list of offenses from QRadar. For example, assigned_to="admin" . |
The JSON output contains a list of offenses retrieved from the QRadar server, based on the filter string that you have specified.
The output contains the following populated JSON schema:
{
"source_count": "",
"credibility": "",
"status": "",
"categories": [
""
],
"protected": "",
"offense_source": "",
"event_count": "",
"closing_user": "",
"closing_reason_id": "",
"policy_category_count": "",
"last_updated_time": 1501624285172,
"severity": "",
"username_count": "",
"description": "",
"assigned_to": "",
"destination_networks": [
""
],
"security_category_count": "",
"start_time": 1501624284334,
"id": "",
"offense_type": "",
"relevance": "",
"device_count": "",
"magnitude": "",
"domain_id": "",
"local_destination_address_ids": [
""
],
"inactive": "",
"source_address_ids": [
""
],
"category_count": "",
"source_network": "",
"local_destination_count": "",
"flow_count": "",
"follow_up": "",
"close_time": "",
"remote_destination_count": ""
}
Parameter | Description |
---|---|
QRadar Offense ID | Offense ID based on which you want to retrieve events from QRadar. |
Offense Start Time | Number of milliseconds since epoch from the offense was started. |
Offense Last Update Time | Number of milliseconds since epoch from the offense was last modified. |
Max Events to return | (Optional) Maximum number of events that this operation should return. |
A JSON output contains details of events associated with a QRadar offense, retrieved from the QRadar server, based on the QRadar offense ID that you have specified.
The output contains the following populated JSON schema:
{
"events": [
{
"starttime": "",
"category": "",
"username": "",
"logsourceid": "",
"eventcount": "",
"protocolid": "",
"identityip": "",
"sourceip": "",
"qid": "",
"destinationip": "",
"magnitude": "",
"sourceport": "",
"destinationport": ""
}
]
}
Parameter | Description |
---|---|
Ariel Search String | Ariel query that you want to be run on the QRadar server. |
The JSON output contains details of offenses or events depending on the query that you run on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters.
The output contains a non-dictionary value.
None
The JSON output contains a list of closing reasons associated with all offenses retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"is_reserved": "",
"id": "",
"text": "",
"is_deleted": ""
}
Parameter | Description |
---|---|
Offense ID | ID of the offense that you want to close on the QRadar server. |
Offense Closing Reason - ID | ID of the offense closing reason using which you want to close the offense on the QRadar server. |
Closure Note | (Optional) Note that you want to associate with the offense that you want to close on the QRadar server. |
The JSON output contains the updated offense details, including the status (should be closed) of the specified offense retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"source_count": "",
"credibility": "",
"status": "",
"categories": [],
"protected": "",
"offense_source": "",
"event_count": "",
"closing_user": "",
"closing_reason_id": "",
"policy_category_count": "",
"last_updated_time": "",
"severity": "",
"username_count": "",
"description": "",
"assigned_to": "",
"destination_networks": [],
"security_category_count": "",
"start_time": "",
"id": "",
"offense_type": "",
"relevance": "",
"device_count": "",
"magnitude": "",
"domain_id": "",
"local_destination_address_ids": [],
"inactive": "",
"source_address_ids": [],
"category_count": "",
"source_network": "",
"local_destination_count": "",
"flow_count": "",
"follow_up": "",
"close_time": "",
"remote_destination_count": ""
}
The offense data provided by QRadar contains the IDs of the source addresses. Use this operation to fetch the IP address details for the specified source address IDs.
Parameter | Description |
---|---|
Source Address Ids | IDs of source addresses based on which you want to retrieve IP address details from the QRadar server. For example, [3,4,5] . |
The JSON output contains the IP address details associated with the specified source address IDs, retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"id": "",
"magnitude": "",
"source_ip": "",
"network": ""
}
The offense data provided by QRadar contains the IDs of the destination addresses. Use this operation to fetch the IP address details for the specified destination address IDs.
Parameter | Description |
---|---|
Destination Address Ids | IDs of destination addresses based on which you want to retrieve IP address details from the QRadar server. For example, [3,4,5] . |
The JSON output contains the IP address details associated with the specified destination address IDs, retrieved from the QRadar server.
The output contains the following populated JSON schema:
{
"local_destination_ip": "",
"id": "",
"magnitude": "",
"network": ""
}
If you require to invoke a QRadar API apart from the functions that we provide, you can use this function to directly invoke the QRadar API. Refer to IBM documentation for more information on the QRadar REST APIs: https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_adm_restapi_using.html.
Parameter | Description |
---|---|
Endpoint | Specifies the REST endpoint. For example, siem or offenses. |
Request Method | Select the request method. You can choose between GET or POST.
|
Headers in json format | (Optional) Additional JSON formatted headers. Following headers are already added by the connector: 'Accept': 'application/JSON', 'Content-Type': 'application/JSON', 'SEC': <token> ,'Version': <api_version>, |
The JSON output contains the JSON response of the API invoked.
The output contains a non-dictionary value.
None
The JSON output contains a list containing IDs of all the offense types retrieved from the QRadar server. You can use the offense type IDs as a filter criterion in the Get Offenses operation.
The output contains the following populated JSON schema:
{
"id": "",
"property_name": "",
"database_type": "",
"name": "",
"custom": ""
}
Parameter | Description |
---|---|
Request Method | Select the request method option of the operation that you want to perform on the specified reference set in QRadar. You can choose from Retrieves Value, Add Value, or Delete Value. |
Reference Set Name | Name of the reference set in which you want to perform the operation based on the option you have specified in the Request Method.
|
Value | Value that you want to add or remove from the specified reference set. You must specify the value in this field if you have chosen Add Value or Delete Value as the Request Method. |
The output is conditional and based on the request method that you choose.
For example, if you choose Retrieves Value as the Request Method, then the output contains the following populated JSON schema:
{
"data": [
{
"first_seen": "",
"last_seen": "",
"source": "",
"value": ""
}
],
"message": "",
"element_type": "",
"timeout_type": "",
"name": "",
"number_of_elements": "",
"creation_time": ""
}
Or for example, if you choose Add Value or Delete Value as the Request Method, then the output contains the following populated JSON schema:
{
"message": "",
"element_type": "",
"timeout_type": "",
"name": "",
"number_of_elements": "",
"creation_time": ""
}
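The Invoke QRadar API and Manage Reference Set operations above both reduce to building an authenticated HTTPS call against the QRadar REST API. The following Python is an added example, not the connector's own code, showing how such a call is prepared: the four connector headers are set, a user-supplied "Headers in json format" value is merged without being allowed to override the SEC token, plain-HTTP addresses are rejected because the token travels in a header, and the three reference-set options are mapped onto QRadar's reference_data/sets endpoints (that endpoint layout and the `filter` query parameter come from IBM's REST API documentation, not from this page; the host, token and sample response are constructed).

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, urlencode, urlsplit

# The connector always sends Accept, Content-Type, SEC and Version (listed on this page).
# SEC carries the authorized-service token, so it is the one header a caller must not be
# able to override through the optional "Headers in json format" field.
RESERVED_HEADERS = {"SEC"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}  # GET/POST for Invoke API, DELETE for Delete Value


@dataclass
class PreparedRequest:
    """Everything needed to send the call; built offline so it can be inspected and tested."""
    method: str
    url: str
    headers: dict
    body: Optional[bytes] = None


def qradar_headers(token: str, api_version: str, extra_headers_json: Optional[str] = None) -> dict:
    """Connector-style header set, merged with optional user-supplied JSON headers."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "SEC": token,
        "Version": api_version,
    }
    if extra_headers_json:
        extra = json.loads(extra_headers_json)
        if not isinstance(extra, dict):
            raise ValueError("Headers in json format must be a JSON object")
        for name, value in extra.items():
            if name.upper() in RESERVED_HEADERS:
                raise ValueError(f"refusing to override reserved header {name!r}")
            headers[name] = str(value)
    return headers


def build_request(base_url, endpoint, method, token, api_version,
                  params=None, body=None, extra_headers_json=None) -> PreparedRequest:
    """Prepare a call to <base_url>/api/<endpoint>, e.g. endpoint='siem/offenses'."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method {method}")
    if urlsplit(base_url).scheme != "https":
        # The SEC token is sent in a header; over plain HTTP it would be exposed on the wire.
        raise ValueError("QRadar API address must use https")
    url = base_url.rstrip("/") + "/api/" + endpoint.strip("/")
    if params:
        url += "?" + urlencode(params)  # percent-encodes '=' and '/' inside parameter values
    data = json.dumps(body).encode() if body is not None else None
    return PreparedRequest(method, url, qradar_headers(token, api_version, extra_headers_json), data)


def reference_set_request(base_url, token, api_version, action, set_name, value=None) -> PreparedRequest:
    """Map the three Manage Reference Set options onto QRadar's reference_data/sets API
    (endpoint layout assumed from IBM's REST API docs, not taken from this page)."""
    path = "reference_data/sets/" + quote(set_name, safe="")
    if action == "Retrieves Value":
        return build_request(base_url, path, "GET", token, api_version)
    if not value:
        raise ValueError(f"{action} requires a value")
    if action == "Add Value":
        return build_request(base_url, path, "POST", token, api_version, params={"value": value})
    if action == "Delete Value":
        # The value becomes a path segment here: quote(safe="") keeps a '/' inside e.g. a
        # CIDR from splitting the path into extra segments.
        return build_request(base_url, path + "/" + quote(value, safe=""), "DELETE", token, api_version)
    raise ValueError(f"unknown action {action!r}")


def values_in_set(response: dict) -> set:
    """Element values from a Retrieves Value response; Add/Delete responses carry no 'data'."""
    return {entry["value"] for entry in response.get("data", [])}


# Constructed sample of a Retrieves Value response, shaped like the schema on this page.
SAMPLE_RETRIEVE_RESPONSE = {
    "data": [
        {"first_seen": 1577854800000, "last_seen": 1577858400000,
         "source": "reference data api", "value": "203.0.113.7"},
        {"first_seen": 1577854800000, "last_seen": 1577854800000,
         "source": "reference data api", "value": "10.0.0.0/8"},
    ],
    "message": "",
    "element_type": "ALNIC",
    "timeout_type": "FIRST_SEEN",
    "name": "Blocked CIDRs",
    "number_of_elements": 2,
    "creation_time": 1577836800000,
}


if __name__ == "__main__":
    req = reference_set_request("https://qradar.example", "token", "9.0",
                                "Delete Value", "Blocked CIDRs", "10.0.0.0/8")
    print(req.method, req.url)
    print(sorted(values_in_set(SAMPLE_RETRIEVE_RESPONSE)))
```

The `filter` query parameter in the test below is how the offense type IDs from Get Offense Types would be applied when listing offenses; the example only prepares requests and never contacts a server.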
Parameter | Description |
---|---|
Offense ID | ID of the offense whose associated notes you want to retrieve from the QRadar server. |
The output contains the following populated JSON schema:
{
"username": "",
"id": "",
"create_time": "",
"note_text": ""
}
Parameter | Description |
---|---|
Offense ID | ID of the offense for which you want to create a note on the QRadar server. |
Closure Note | Text of the closure note that you want to create for the specified offense on the QRadar server. |
The output contains the following populated JSON schema:
{
"username": "",
"id": "",
"create_time": "",
"note_text": ""
}
The Sample - IBM QRadar - 1.5.0 playbook collection comes bundled with the IBM QRadar connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the IBM QRadar connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling offenses from IBM QRadar. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
Process of ingesting offenses from IBM QRadar using the Data Ingestion Wizard

1. On the Connectors page, you will see the list of installed connectors, either in the card view or the grid/list view. Select the IBM QRadar connector.
2. In the Connector Configuration pane, click Configure Data Ingestion to display the Data Ingestion Wizard.
3. On the Fetch Sample Data screen, enter the query that selects the offenses to pull, for example status="Open" in the Search Query field, and the timezone in which QRadar timestamps are to be interpreted, for example UTC.
4. The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of Key-Value pairs; map them to FortiSOAR™ fields. For example, {{vars.sourcedata["severity"]}} is added in the Severity field.
5. On the Scheduling screen, you can specify the schedule for data ingestion from the connector into FortiSOAR™, i.e., the polling frequency at which content is pulled from IBM QRadar into FortiSOAR™. By default, scheduling is set to pull data every 5 minutes.
6. The Summary screen displays a brief summary of the mapping done and also contains links to the modified playbooks.

If you want to ingest offenses into a module other than Alerts, update the generated playbooks as follows:

- In the IBM QRadar > Post Create Alert > Fetch Events playbook, in the Start step (Post-Create trigger), in the Resource field, update the resource from Alerts to the module into which you want to fetch the data.
- In the > QRadar > Create Alert playbook, in the Add a note of offense update step, in the "Correlations" section, you will see an Alerts field being set. If you are using a module other than "Alert", a field with that module's name is shown instead and you must set it. For example, if you are using the "Incidents" module, you will see the Incidents field and you need to set it to ["{{vars.steps.Create_Record['@id']}}"].

To fetch additional event fields, in the IBM QRadar > Post Create Alert > Fetch Events playbook, in the Set Variable step, add custom fields to the event_query_params variable. By default, this is set to starttime,sourceip,destinationip,username,QIDNAME(qid) as 'Event_Name',CATEGORYNAME(category) AS 'Category_Name',LOGSOURCENAME(logsourceid) as 'Log_Source'. The IBM QRadar > Post Create Alert > Fetch Events playbook is located at Settings > System Fixtures > Data Ingestion Playbooks.

Issue: Using the Data Ingestion Wizard, in the Fetch Data screen, you specify the timezone to fetch events from IBM QRadar. This, in turn, creates a global variable named QRadarTimeZone. The value of this global variable does not get populated with the time zone you have specified. Due to this, the events that are fetched for the offense are not based on the specified timezone.
Resolution: To resolve this issue, open the >> IBM QRadar > Init playbook in the playbook designer and click Options > Edit Parameters. In the Parameters dialog, click Add Parameter, enter qradar_timezone, and click Submit. Then, open the > IBM QRadar > Fetch playbook in the playbook designer and open the Environment Setup step. In this step you will see the qradar_timezone parameter; set it to {{vars.qradar_timezone}}. This passes the timezone value that you specified in the Ingestion Wizard to the QRadarTimeZone global variable, so events are fetched for the offense based on the specified timezone.
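The event_query_params field list and the QRadarTimeZone issue above both feed the same artefact: the AQL query the Fetch Events playbook runs against the offense's time window. The following Python is an added example, not the playbook's or connector's code, showing how a window given as local time in the wizard's timezone is turned into the epoch-millisecond START/STOP bounds AQL expects, how custom fields are appended to the default list with a sanity check, and how a five-hour error appears if the timezone is silently treated as UTC. The `INOFFENSE(<id>)` predicate and epoch-ms START/STOP are standard AQL, but the exact query the playbook builds is not shown on this page, so that template, the field-name regex, the fixed-offset zone used for the demo and the offense ID are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable

try:
    from zoneinfo import ZoneInfo  # Python 3.9+; lets callers pass an IANA name such as "UTC"
except ImportError:  # pragma: no cover
    ZoneInfo = None

# Default field list of the event_query_params variable, exactly as given on this page.
DEFAULT_EVENT_QUERY_PARAMS = (
    "starttime,sourceip,destinationip,username,QIDNAME(qid) as 'Event_Name',"
    "CATEGORYNAME(category) AS 'Category_Name',LOGSOURCENAME(logsourceid) as 'Log_Source'"
)

# Fixed-offset zones used by the demo so it runs without a tz database (assumption: UTC-5
# stands in for a console in US Eastern winter time). In a playbook you would pass the
# IANA name chosen in the wizard instead.
UTC = timezone.utc
UTC_MINUS_5 = timezone(timedelta(hours=-5))

# Accept a bare AQL column/alias name or a double-quoted custom event property name;
# anything else (separators, comments, nested clauses) is rejected. Own heuristic.
FIELD_RE = re.compile(r'[A-Za-z_]\w*|"[^"\n;]+"')


def local_to_epoch_ms(text: str, tz) -> int:
    """Interpret a naive 'YYYY-MM-DD HH:MM' string in the given zone; return epoch milliseconds."""
    if isinstance(tz, str):
        if ZoneInfo is None:
            raise RuntimeError("zoneinfo unavailable; pass a tzinfo object instead of a name")
        tz = ZoneInfo(tz)
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M")
    return int(naive.replace(tzinfo=tz).timestamp() * 1000)


def add_custom_fields(base: str, extra: Iterable[str]) -> str:
    """Append custom fields to an event_query_params list, refusing malformed entries."""
    fields = [f.strip() for f in extra]
    for f in fields:
        if not FIELD_RE.fullmatch(f):
            raise ValueError(f"rejected field {f!r}")
    return ",".join([base, *fields]) if fields else base


def build_event_aql(offense_id: int, start_ms: int, stop_ms: int,
                    fields: str = DEFAULT_EVENT_QUERY_PARAMS) -> str:
    """AQL selecting the events of one offense inside [start_ms, stop_ms] (assumed template)."""
    if not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    if stop_ms <= start_ms:
        raise ValueError("stop must be after start")
    return f"SELECT {fields} FROM events WHERE INOFFENSE({offense_id}) START {start_ms} STOP {stop_ms}"


def offense_event_query(offense_id: int, start_text: str, stop_text: str, tz,
                        extra_fields: Iterable[str] = ()) -> str:
    """Wizard-style inputs (local window text plus timezone) to the final AQL string."""
    start = local_to_epoch_ms(start_text, tz)
    stop = local_to_epoch_ms(stop_text, tz)
    return build_event_aql(offense_id, start, stop,
                           add_custom_fields(DEFAULT_EVENT_QUERY_PARAMS, extra_fields))


if __name__ == "__main__":
    window = ("2020-01-01 00:00", "2020-01-01 01:00")
    # Same window text, two interpretations: this is the shift the QRadarTimeZone bug causes.
    print(offense_event_query(42, *window, UTC_MINUS_5, ['"Custom Field"']))
    print(offense_event_query(42, *window, UTC))
```

Running the script prints two queries whose START/STOP values differ by 18000000 ms (five hours): with the global variable left empty, the playbook would query the wrong hour of events for every offense.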