Threat Response - Integration with QRadar

The QRadar SIEM platform serves as a log repository and allows administrators to build correlation rules that generate alerts when suspicious activity is detected in the logs. These alerts can be forwarded to Threat Response and managed through the Threat Response incident management workflow. This document covers all aspects of Threat Response integration with IBM’s QRadar Security Intelligence Platform.

Forwarding Alerts to Threat Response

QRadar can forward alerts to the Threat Response platform to be managed using Threat Response’s incident management workflow. The steps below detail the process of creating a QRadar alert source in Threat Response, and configuring QRadar to send the alerts to Threat Response. With this configuration completed, QRadar will begin sending alerts to Threat Response via syslog to generate incidents in the Threat Response platform.

Note

In order for QRadar to send event data to Threat Response, port UDP/514 must be open on any firewalls between QRadar and Threat Response.

Creating an Alert Source in Threat Response

You must first create an event source in Threat Response to receive alerts from the QRadar system. The steps below outline the source creation process.

  1. Log in to Threat Response
  2. Navigate to the Sources page
  3. Click the blue Add (+) button next to Sources to bring up the New Source panel
  4. Set the following fields:
    • Type: IBM QRadar
    • Name: <alert_source_name>
    • Description: <description>
    • Link Events: <checked>
  5. Save changes.

Configuring QRadar to Log Alerts for Security Rules

QRadar routes alerts to Threat Response by way of its local syslog service. To forward alerts to Threat Response, you must edit your security rules in QRadar, and configure them to log to the local syslog when triggered.

To enable logging for your existing QRadar rules:

  • Log in to QRadar’s web interface.
  • Navigate to the Offenses > Rules page.
  • Create or edit a rule that you would like to forward to Threat Response.
  • In the Rule Response section of the rule creation wizard, check the box to Send to Local SysLog.
  • Click Finish to save your rule settings.

Enabling Syslog Forwarding in QRadar

With QRadar logging alerts to its local syslog, we can configure syslog-ng to forward the alerts to Threat Response. The following steps outline the process for updating the syslog-ng configuration file to watch for the relevant alerts and forward them to Threat Response.

Note

The steps below must be performed on all QRadar consoles and collectors in your environment.

To enable syslog forwarding in QRadar:

  • SSH into QRadar as a user with elevated permissions (Example: root)
  • Use a text editor to modify /etc/syslog-ng/syslog-ng.conf.default.
# vi /etc/syslog-ng/syslog-ng.conf.default
  • Create a new section at the end of the configuration file for Threat Response and input the following:
# Threat Response Alert Forwarding

# Select only local1.info messages whose text matches the rule name pattern
filter threatresponse { facility(local1) and level(info) and match("<pattern>" value("MESSAGE")); };

# Threat Response appliance, reached over plain UDP syslog on port 514
destination PTR_appliance { udp("ptr.example.com" port(514)); };

log { source(local); filter(threatresponse); destination(PTR_appliance); };

Note

Replace <pattern> with a regular expression that matches the QRadar rule name(s), and ptr.example.com with the IP address or hostname of Threat Response.

  • Save the configuration changes.
  • Restart syslog-ng.
# /etc/init.d/syslog-ng restart

Upon completion of the configuration, QRadar will begin forwarding alerts to Threat Response. It is recommended to test the configuration by triggering one of the rules, and confirming that the alert is routed to Threat Response.
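As an added example (not part of the original documentation, and not Proofpoint or IBM code), the Python script below reproduces the three conditions of the syslog-ng filter above (facility local1, level info, regular expression on the message text) so you can check offline which syslog lines would be forwarded, and it adds a minimal UDP sender and receiver for exercising the path to port 514 before relying on a real rule firing. The sample syslog lines, the hostname, and the rule name used as the pattern are constructed placeholders; the regex is applied to everything after the PRI header, which is a simplification of syslog-ng's MESSAGE macro.

```python
import re
import socket

# Numeric syslog facility and severity codes (RFC 5424, section 6.2.1) that
# correspond to the facility(local1) and level(info) tests in the filter.
FACILITY_LOCAL1 = 17
SEVERITY_INFO = 6

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Split a '<PRI>text' syslog datagram into (facility, severity, text).

    Returns None when there is no valid PRI prefix. PRI values above 191
    cannot be produced by any facility/severity pair and are rejected.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, m.group(2)


def would_forward(line, pattern):
    """Apply the same three conditions as the syslog-ng filter on the page.

    Simplification: the regex runs over all text after the PRI, a superset of
    what syslog-ng exposes as the MESSAGE macro.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return False
    facility, severity, text = parsed
    return (
        facility == FACILITY_LOCAL1
        and severity == SEVERITY_INFO
        and re.search(pattern, text) is not None
    )


def build_syslog_datagram(text, facility=FACILITY_LOCAL1, severity=SEVERITY_INFO):
    """Encode text as a minimal '<PRI>text' datagram (local1.info by default)."""
    return f"<{facility * 8 + severity}>{text}".encode("utf-8")


def send_test_message(host, text, port=514):
    """Send one constructed local1.info datagram to host:port over UDP."""
    payload = build_syslog_datagram(text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return payload


def receive_one(bind_addr="0.0.0.0", port=514, timeout=5.0):
    """Wait for one UDP datagram (binding to 514 needs root) and return (sender_ip, text)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        data, peer = sock.recvfrom(65535)
    return peer[0], data.decode("utf-8", errors="replace")


# Constructed sample datagrams (not real QRadar output). "Suspicious Login" is a
# placeholder standing in for the name of a real QRadar rule.
SAMPLE_PATTERN = r"Suspicious Login"
SAMPLE_LINES = [
    "<142>qradar-console: rule 'Suspicious Login' fired",   # local1.info and pattern match: forwarded
    "<141>qradar-console: rule 'Suspicious Login' fired",   # local1.notice: level mismatch
    "<134>qradar-console: rule 'Suspicious Login' fired",   # local0.info: facility mismatch
    "<142>qradar-console: rule 'Outbound Port Scan' fired",  # pattern mismatch
    "not a syslog line at all",                              # no PRI header
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict = "forward" if would_forward(line, SAMPLE_PATTERN) else "drop"
        print(f"{verdict:8s} {line}")
```

To exercise the network path, run receive_one() as root on a test host listening on 514 (the port the Note above says must be open), then call send_test_message() against it from the QRadar console. UDP carries no acknowledgement, so if nothing arrives the failure can be either a firewall in between or a filter that did not match; running the candidate line through would_forward() first separates the two cases.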