QRadar

[Mike Riforgiate]

In QRadar

1. Open the Admin settings:

• In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
• In IBM Security QRadar V7.3.1 and later, click the navigation menu (), and then click Admin to open the admin tab.

2. In the User Management section, click Authorized Services.
3. On the Manage Authorized Services window, click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service for each service (Admin and Limited) you want to create:

• In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length. Recommend using WitFoo
• From the User Role list, select the Admin role for the user type.
• From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
• In the Expiry Date list, type or select a date that you want this service to expire. If an expiry date is not necessary, select No Expiry.

5. Click the row that contains the service you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.
6. Deploy changes for the new authorized service tokens to take effect.

 

PRECINCT CONFIGURATION

• Go to Admin > SOAR > IBM QRadar > Config
• Click the checkbox for Enable the QRadar Integration
• Paste the API Server(Hostname or IP Address) and QRadar API Token
• Click the disk icon (Save)
• Click Jobs and go to Artifacts from QRadar.
• Select Triggers, expanding Manual Trigger and Interval Trigger. 
  • Toggle both to State: ENABLED
• The Interval Trigger is set to 2 hours by default, but you can update it to what best suits your organization. (Recommended: 10 minutes)
• Click the disk icon (Save)

[Author]

Posts