IBM QRadar

by Elvis Hovor

Introduction

The TruSTAR - QRadar App allows users to use the context of TruSTAR’s IOCs and incidents within their QRadar workflow. This user guide provides the overall app specification for the QRadar app: it contains details of the app specification and the functionality supported as part of this integration.

TruSTAR - QRadar Workflow

App Installation

The following bundles are required for a successful install of the TruSTAR app.

You can directly download all of the app files required from here.

#   Bundle Name                                         Description
1   TrustarAppForQradar-R-1.0.0-1.zip - trustar.xml     This XML file contains all the actions required to support TruSTAR actions for QRadar.
2   TrustarAppForQradar-R-1.0.0-1.zip - manifest.txt


System Requirements

Below is a list of the requirements needed to run the TruSTAR app:
  • TruSTAR App Bundle
  • QRadar version: 7.2.8 +
  • TruSTAR  API Endpoint
  • TruSTAR API Secret Key
  • QRadar User Roles with Admin, TruSTAR Application, and IP Right Click Menu Extension Capabilities
  • QRadar Authorization Token (Admin-> Authorized Services)
To retrieve the authorization token, follow the steps below in QRadar:
  1. Navigate to Admin-> Authorized Services
  2. Click Add Authorized Service
  3. Enter service name
  4. Select “Admin” as User Role and “Admin” as security profile, check No Expiry.
  5. Click on Create Service.
  6. Click on “Deploy Change” on Admin Page toolbar.
Role Matrix:

The table depicts the capabilities required for the role of the user to access a particular feature.

Feature                      Capabilities
Configuration Page           Admin, TruSTAR Application
Auto Submit Offense          TruSTAR Application
IOC Feed                     Admin, TruSTAR Application
Submit Offense (GUI Action)  TruSTAR Application
Submit Event (GUI Action)    TruSTAR Application
Hunt IP (GUI Action)         TruSTAR Application, IP Right Click Menu Extension

Manual Installation

To manually install the TruSTAR app for QRadar:

  1. Navigate to Admin Tab
  2. Select Extension Management
  3. Click on Add and navigate to the TruSTAR App bundle
  4. Click on “Install Immediately”
  5. Select OK to install.

Once the app is successfully installed, TruSTAR App Settings becomes visible on the Admin page, and the additional GUI action buttons are shown.

Installing from the IBM App Exchange

TruSTAR has yet to get the QRadar app accepted into the IBM X-Force App Exchange. Upon acceptance into the App Exchange, a user can download the app installation bundle from the exchange for easy installation.

Configuration

Users need to configure the TruSTAR app to start using its features fully. Below is a list of the parameters which need to be configured.

Users need admin privileges to configure the TruSTAR integration.
Users can create the QRadar Authorized Service token from Admin -> Authorized Services, then click “Deploy Change” on the Admin tab.
    1. Authorized Service Token: After generating the token, copy it into the Authorized Service Token field in the configuration.
    2. TruSTAR Server URL: The TruSTAR API endpoint.
    3. Access Key: The TruSTAR Access Key.
    4. Secret Key: The TruSTAR Secret Key.
    5. Enclave IDs: The TruSTAR Enclave IDs (comma separated).
    6. Max Events per Offense: The maximum number of events to process per offense.
    7. Enable Auto Submission: Enable this feature to start auto-submission of offenses.
      • Poll Interval: The number of minutes or hours to use as the poll interval.
      • Max Offense to Process: The maximum number of offenses to process per poll interval.
    8. IOC Feed: Enable this feature to start collecting TruSTAR IOCs as QRadar reference sets.
      • Poll Interval: The number of minutes or hours to use as the poll interval.
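A small pre-flight check for the settings listed above helps catch the usual mistakes (an http:// endpoint, an empty enclave list, a zero poll interval) before they are saved. This is an added example, not code from the TruSTAR app or from QRadar. The field names, the "N minutes" / "N hours" poll-interval syntax and the checks themselves are assumptions made for the example; the app's own validation rules are not described on this page.

```python
"""Validate TruSTAR app settings before entering them on the QRadar config page.

Added example (not the TruSTAR app's code). Field names and the poll-interval
syntax are assumptions chosen to mirror the configuration list above.
"""
import re
from urllib.parse import urlparse

# Assumed syntax for a poll interval: "<number> minutes" or "<number> hours".
_INTERVAL_RE = re.compile(r"^\s*(\d+)\s*(minutes?|hours?)\s*$", re.IGNORECASE)


def parse_poll_interval(text):
    """Return the poll interval in minutes, or raise ValueError."""
    match = _INTERVAL_RE.match(text or "")
    if not match:
        raise ValueError(
            f"poll interval must look like '15 minutes' or '2 hours': {text!r}")
    number, unit = int(match.group(1)), match.group(2).lower()
    minutes = number * 60 if unit.startswith("hour") else number
    if minutes <= 0:
        raise ValueError("poll interval must be greater than zero")
    return minutes


def parse_enclave_ids(text):
    """Split the comma-separated Enclave IDs field, dropping blanks."""
    ids = [part.strip() for part in (text or "").split(",")]
    ids = [enclave_id for enclave_id in ids if enclave_id]
    if not ids:
        raise ValueError("at least one Enclave ID is required")
    return ids


def _positive_int(value):
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False


def _check_interval(text, feature, problems):
    try:
        parse_poll_interval(text)
    except ValueError as exc:
        problems.append(f"{feature}: {exc}")


def validate_settings(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    url = urlparse(cfg.get("server_url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("TruSTAR Server URL must be an https:// endpoint")
    for key in ("authorized_service_token", "access_key", "secret_key"):
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{key} is empty")
    try:
        parse_enclave_ids(cfg.get("enclave_ids", ""))
    except ValueError as exc:
        problems.append(str(exc))
    if not _positive_int(cfg.get("max_events_per_offense")):
        problems.append("Max Events per Offense must be a positive integer")
    if cfg.get("enable_auto_submission"):
        _check_interval(cfg.get("auto_submission_poll_interval"), "Auto Submission", problems)
        if not _positive_int(cfg.get("max_offenses_to_process")):
            problems.append("Max Offense to Process must be a positive integer")
    if cfg.get("enable_ioc_feed"):
        _check_interval(cfg.get("ioc_feed_poll_interval"), "IOC Feed", problems)
    return problems


# Constructed sample settings; every credential and host name is a placeholder.
SAMPLE_SETTINGS = {
    "authorized_service_token": "00000000-0000-0000-0000-000000000000",
    "server_url": "https://trustar.example.com",
    "access_key": "ACCESS-KEY-PLACEHOLDER",
    "secret_key": "SECRET-KEY-PLACEHOLDER",
    "enclave_ids": "enclave-one, enclave-two",
    "max_events_per_offense": "50",
    "enable_auto_submission": True,
    "auto_submission_poll_interval": "30 minutes",
    "max_offenses_to_process": "20",
    "enable_ioc_feed": True,
    "ioc_feed_poll_interval": "1 hour",
}

if __name__ == "__main__":
    print(validate_settings(SAMPLE_SETTINGS))  # [] for the sample above
    print(validate_settings({**SAMPLE_SETTINGS, "server_url": "http://trustar.example.com"}))
```

The https check is the one worth keeping even if the rest is adapted: the TruSTAR API keys and the QRadar authorized service token are both long-lived secrets, so an http:// endpoint typed by mistake would send them in clear text.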
Incident Enrichment Workflow

TruSTAR’s QRadar app gives the end user the ability to troubleshoot security offenses and improve the overall security posture of the organization. The actions below allow users to send QRadar offenses into TruSTAR and receive additional enrichment from the TruSTAR platform.

Send Offense to TruSTAR (GUI Manual Action)

Using this functionality, a QRadar user can send an IBM QRadar offense as a TruSTAR report. Below are the steps to perform this action.

  1. Navigate to the Offense tab
  2. Double-click on the offense to submit
  3. Click on Send to TruSTAR


Send Event to TruSTAR (Manual Action)

Using this functionality, a QRadar user can send an event as a TruSTAR report.

  1. Navigate to the Log Activity tab
  2. Double-click on the event which you want to submit to TruSTAR
  3. Click on Send to TruSTAR


Hunt IP in TruSTAR (Manual Action)

Using this functionality, a QRadar user can hunt an IP in TruSTAR for correlated indicators.

  1. Navigate to the Log Activity tab or the Offense tab
  2. Right-click on the IP address field which you want to hunt in TruSTAR and select TruSTAR Lookup.
  3. A pop-up will open with deep links to the correlated indicators.

Auto Submit Offenses

The auto submission of offenses functionality submits newly created offenses to TruSTAR, based on the configured parameters. A user needs to configure the auto submission of offenses feature on the config page to activate it. Please refer to the configuration page screenshots for Send Offense to TruSTAR.

Populate QRadar Reference Sets

This feature populates a QRadar reference set for each TruSTAR indicator type. There is a reference set for each type of indicator.

Users need to configure the Auto IOC Feed feature on the config page to activate this feature.


Troubleshooting

  1. Manual actions will not return a result if the response time is over a minute. If the underlying API calls to TruSTAR take more than a minute, the manual actions will not respond. Workaround: refresh the page and retry if the TruSTAR report was not submitted.
  2. TruSTAR report creation for a particular offense fails. This often happens when the event contains special characters. In such instances, the server logs can be checked to troubleshoot further, and users can reach out to the TruSTAR support team for additional support.
Please reach out to support@trustar.co for any additional questions.
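When a report fails for an offense, the first question is which field of the event carried the offending character. The helper below is an added example, not code from the TruSTAR app, and it makes one assumption the page does not spell out: that "special characters" means control characters (ANSI escapes, NUL bytes and the like) and byte sequences that are not valid UTF-8. It reports the offset and Unicode category of each suspect so the field can be matched against the server log entry, and offers a replacement-based sanitizer for a manual re-submission.

```python
"""Find characters in an event payload that are likely to break report creation.

Added example (not the TruSTAR app's code). Assumes the failure is caused by
control characters or invalid UTF-8; the page only says "special characters".
"""
import unicodedata

# Whitespace controls that are harmless inside a log line.
ALLOWED_CONTROL = {"\t", "\n", "\r"}


def _is_suspect(char):
    # Category "C*" covers control (Cc), format (Cf), surrogate (Cs),
    # private-use (Co) and unassigned (Cn) code points.
    return unicodedata.category(char).startswith("C") and char not in ALLOWED_CONTROL


def find_problem_characters(payload):
    """Return (offset, repr(char), category) for each suspect character.

    A bytes payload that is not valid UTF-8 yields a single entry pointing at
    the first undecodable byte, tagged "invalid-utf8"."""
    if isinstance(payload, bytes):
        try:
            text = payload.decode("utf-8")
        except UnicodeDecodeError as exc:
            return [(exc.start, repr(payload[exc.start:exc.end]), "invalid-utf8")]
    else:
        text = payload
    return [(i, repr(ch), unicodedata.category(ch))
            for i, ch in enumerate(text) if _is_suspect(ch)]


def sanitize_payload(payload, replacement="?"):
    """Replace every suspect character so the event text can be re-submitted."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    return "".join(replacement if _is_suspect(ch) else ch for ch in payload)


# Constructed sample event: a NUL byte and two ANSI colour escapes.
SAMPLE_EVENT = "user=alice\x00 src=203.0.113.9 msg=login\x1b[31mFAILED\x1b[0m"

if __name__ == "__main__":
    for offset, char, category in find_problem_characters(SAMPLE_EVENT):
        print(f"offset {offset}: {char} ({category})")
    print(sanitize_payload(SAMPLE_EVENT))
```

The offsets refer to the decoded text, so when comparing with a server log that prints raw bytes, multi-byte characters earlier in the line will shift the byte position; the repr() of the character is the stable thing to search for.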
