The TruSTAR - QRadar App allows users to use the context of TruSTAR's IOCs and incidents within their QRadar workflow. This user guide provides the overall app specification for the QRadar app: it contains the details of the app specification and the functionality supported as part of this integration.
The following bundles are required for a successful install of the TruSTAR app.
- TrustarAppForQradar-R-1.0.0-1.zip - trustar.xml: this XML file contains all the actions required to support TruSTAR actions for QRadar.
- TrustarAppForQradar-R-1.0.0-1.zip - manifest.txt
- TruSTAR App Bundle
- QRadar version: 7.2.8 +
- TruSTAR API Endpoint
- TruSTAR API Secret Key
- QRadar User Roles with Admin, TruSTAR Application, and IP Right Click Menu Extension Capabilities
- QRadar Authorization Token (Admin -> Authorized Services)
- Navigate to Admin -> Authorized Services
- Click Add Authorized Service
- Enter service name
- Select “Admin” as User Role and “Admin” as security profile, check No Expiry.
- Click on Create Service.
- Click on “Deploy Change” on Admin Page toolbar.
The table below depicts the capabilities required for the user's role to access a particular feature.
- Auto Submit Offense
- Hunt IP (GUI Action)
- IP Right Click Menu Extension
To manually install the TruSTAR app for QRadar:
- Navigate to Admin Tab
- Select Extension Management
- Click on Add and navigate to the TruSTAR App bundle
- Click on “Install Immediately”
- Select OK to install.
Once the app is successfully installed, TruSTAR App Settings becomes visible on the Admin page, along with additional GUI action buttons.
Installing from the IBM App Exchange
TruSTAR has not yet published the QRadar app on the IBM X-Force App Exchange. Upon acceptance into the App Exchange, users will be able to download the app installation bundle from the exchange for easy install.
Users need to configure the TruSTAR app before they can use its features fully. Below is a list of the parameters that need to be configured.
- Authorized Service Token: after generating the token, copy it into the Authorized Service Token field in the configuration.
- TruSTAR Server URL: the user needs to configure the TruSTAR API Endpoint.
- Access Key: the user needs to insert the TruSTAR Access Key.
- Secret Key: the user needs to insert the TruSTAR Secret Key.
- Enclave IDs: the user needs to insert TruSTAR Enclave IDs (comma separated). IDs entered here are only for the enclaves into which you want QRadar offenses and events to be submitted.
- Max Events per Offense: the user can configure the maximum number of events to process per offense.
- Enable Auto Submission: the user needs to enable this feature to start auto-submission of offenses.
- Poll Interval: the user needs to configure the number of minutes or hours to use as the poll interval.
- Max Offense to Process: the user needs to configure the maximum number of offenses to process per poll interval.
- IOC Feed: the user needs to enable this feature to start collecting TruSTAR IOCs as QRadar reference sets.
- Poll Interval: the user needs to configure the number of minutes or hours to use as the poll interval.
Incident Enrichment Workflow
TruSTAR’s QRadar app provides the end-user the ability to troubleshoot security offenses and improve the overall security posture of the organization. The actions below allow users to send QRadar offenses into TruSTAR and receive additional enrichment from the TruSTAR platform.
Send Offense to TruSTAR (GUI Manual Action)
Using this functionality, a QRadar user can send an IBM QRadar offense to TruSTAR as a report. Below are the steps to perform this action.
- Navigate to the Offense tab
- Double-click the offense to submit
- Click on Send to TruSTAR
Send Event to TruSTAR (Manual Action)
Using this functionality, a QRadar user can send an event to TruSTAR as a report.
- Navigate to the Log Activity tab
- Double-click the event you want to submit to TruSTAR
- Click on Send to TruSTAR
Hunt IP in TruSTAR (Manual Action)
Using this functionality, a QRadar user can hunt an IP in TruSTAR for correlated indicators.
- Navigate to the Log Activity tab or the Offense tab
- Right-click the IP address field you want to hunt in TruSTAR and select TruSTAR Lookup.
- A pop-up will open with deep links to the correlated indicators.
Auto Submit Offenses
The auto-submission functionality submits newly created offenses to TruSTAR automatically, based on the configuration parameters. A user needs to configure the auto-submission of offenses on the config page to activate this feature. Refer to the configuration page screenshots for Send Offense to TruSTAR.
Populate QRadar Reference Sets
This feature populates a QRadar reference set with TruSTAR indicators. There is one reference set for each type of indicator.
Users need to configure the Auto IOC Feed feature on the config page to activate this feature.
- Manual actions do not return a result if the response time is over a minute: if the underlying API call to TruSTAR takes more than a minute, the manual action does not respond. Workaround: refresh the page and retry if the TruSTAR report was not submitted.
- TruSTAR report creation for a particular offense can fail. This often happens when the event contains special characters. In such instances, the server logs can be checked to troubleshoot further, and users can reach out to the TruSTAR support team for additional help.
- To control which TruSTAR enclaves indicators are ingested from into the QRadar reference sets, make sure the API keys being used belong to a user that has access only to the enclaves/data sources you want to ingest from.
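To make the reference-set population and the enclave scoping concrete, here is an added example (not the TruSTAR app's own code) that groups a constructed batch of indicators into one QRadar reference set per indicator type and builds the QRadar REST bulk-load request authenticated with the authorized service token. The indicator field names, the `TruSTAR_` set-name prefix and the client-side enclave allowlist are assumptions; the guide's own control for enclave scope is the API key's access.

```python
import json
from collections import defaultdict
from urllib.parse import quote

# Constructed sample of TruSTAR-style indicators; the field names are an
# assumption for this example, not the TruSTAR API schema.
SAMPLE_INDICATORS = [
    {"type": "IP", "value": "198.51.100.7", "enclaveId": "enc-prod"},
    {"type": "IP", "value": "203.0.113.9", "enclaveId": "enc-prod"},
    {"type": "IP", "value": "198.51.100.7", "enclaveId": "enc-prod"},  # duplicate
    {"type": "MD5", "value": "d41d8cd98f00b204e9800998ecf8427e", "enclaveId": "enc-prod"},
    {"type": "URL", "value": "http://example.invalid/x", "enclaveId": "enc-shared"},  # out of scope
]

SET_PREFIX = "TruSTAR_"  # assumed naming convention for the per-type reference sets


def group_by_type(indicators, allowed_enclaves):
    """Return {reference_set_name: sorted unique values}, one set per indicator type.

    Indicators from enclaves outside allowed_enclaves are dropped here as a
    defence-in-depth check; the primary control is the scope of the API key.
    """
    sets = defaultdict(set)
    for ind in indicators:
        if ind["enclaveId"] not in allowed_enclaves:
            continue
        sets[SET_PREFIX + ind["type"]].add(ind["value"])
    return {name: sorted(values) for name, values in sets.items()}


def bulk_load_request(base_url, sec_token, set_name, values):
    """Build (url, headers, body) for QRadar's reference-set bulk load; nothing is sent.

    QRadar's REST API exposes POST /api/reference_data/sets/bulk_load/{name}
    taking a JSON array of values; the authorized service token goes in the SEC header.
    """
    url = f"{base_url.rstrip('/')}/api/reference_data/sets/bulk_load/{quote(set_name, safe='')}"
    headers = {
        "SEC": sec_token,  # token created under Admin -> Authorized Services
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return url, headers, json.dumps(values)


if __name__ == "__main__":
    plan = group_by_type(SAMPLE_INDICATORS, allowed_enclaves={"enc-prod"})
    for name, values in plan.items():
        url, headers, body = bulk_load_request("https://qradar.example", "<SEC_TOKEN>", name, values)
        print(name, url, body)
```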