IBM QRadar

Updated 1 year ago by Elvis Hovor

Introduction

The TruSTAR QRadar App lets users bring the context of TruSTAR's IOCs and incidents into their QRadar workflow. This user guide provides the overall specification for the QRadar app and describes the functionality supported as part of this integration.

Features

  • Submit QRadar offenses and events to your TruSTAR private enclave as reports. This can be performed as a manual or automated action.
  • Search TruSTAR for all indicators correlated to an indicator of interest in QRadar.
  • Populate QRadar reference lists with indicators from TruSTAR.
  • Age TruSTAR indicators in the QRadar reference lists to keep them relevant and actionable.

Requirements

The details below summarize the prerequisites and requirements for the TruSTAR QRadar app to work. Please make sure the components below are downloaded and available.

QRadar V7.2.8 and above (Required)

QRadar User Roles with Admin, TruSTAR Application, and IP Right Click Menu Extension Capabilities

QRadar Authorization Token ("Admin" -> "Authorized Services")

Retrieve the authorization token:

  1. Navigate to "Admin" -> "Authorized Services"
  2. Click "Add Authorized Service"
  3. Enter a service name
  4. Select "Admin" as the User Role and "Admin" as the Security Profile, and check "No Expiry".
  5. Click on "Create Service".
  6. Click on "Deploy Change" on the "Admin Page" toolbar.

Role Matrix

The table below lists the capabilities a user's role needs in order to access each feature.

Feature and required capabilities:

  • Configuration Page: Admin, TruSTAR Application
  • Auto Submit Offense: TruSTAR Application
  • IOC Feed: Admin, TruSTAR Application
  • Submit Offense (GUI Action): TruSTAR Application
  • Submit Event (GUI Action): TruSTAR Application
  • Hunt IP (GUI Action): TruSTAR Application, IP Right Click Menu Extension

HOW TO INSTALL

Manual Installation

Download Files

The following bundle is required for a successful install of the TruSTAR app.

You can download the required TruSTAR app file directly from here.

Bundle name and description:

  1. TrustarAppForQradar-R-1.0.1-90: This file contains all the actions required to support TruSTAR actions for QRadar. The current version is 1.0.1-9.

After successfully downloading and verifying the content, complete these steps:

  1. Navigate to Admin Tab
  2. Select Extension Management
  3. Click on Add and navigate to the TruSTAR App bundle
  4. Click on “Install Immediately”
  5. Select OK to install.

Once the app is successfully installed, TruSTAR App Settings becomes visible on the Admin page, and the additional GUI action buttons appear.

Installing from the IBM App Exchange

TruSTAR has not yet published the QRadar app on the IBM X-Force App Exchange. Once it is accepted into the App Exchange, users will be able to download the app installation bundle from the exchange for easy installation.

App Configuration & Setup

Users need to configure the TruSTAR app before they can use its features fully. Below is the list of parameters that need to be configured.

Users need QRadar Admin privileges to configure the TruSTAR application.
Users can create a QRadar authorized service token from Admin -> Authorized Services, then click "Deploy Change" on the Admin tab.
  1. Authorized Service Token: After generating the token, copy it into the Authorized Service Token field in the configuration.
  2. TruSTAR Server URL: The TruSTAR API endpoint to use (https://station.trustar.co).
  3. TruSTAR Access Key: Your TruSTAR API key (available here).
  4. TruSTAR Secret Key: Your TruSTAR secret key (available here).
  5. Enclave IDs: TruSTAR enclave IDs (comma separated). Enter only the enclaves into which you want QRadar offenses and events to be submitted.
  6. Max Events per Offense: The maximum number of events to process per offense.
  7. Enable Auto Submission: Enable this option to start auto-submission of offenses.
    • Poll Interval: The number of minutes or hours between polls.
    • Max Offense to Process: The maximum number of offenses to process per poll interval.
  8. IOC Feed: Enable this option to start collecting TruSTAR IOCs into QRadar reference sets.
    • Poll Interval: The number of minutes or hours between polls.
  9. Proxy: If your QRadar instance uses a proxy, enable this option and fill in your proxy details.

Usage & App Commands

TruSTAR’s QRadar app provides the end-user the ability to troubleshoot security offenses and improve the overall security posture of the organization. The actions below allow users to send QRadar offenses into TruSTAR and receive additional enrichment from the TruSTAR platform.

Send Offense to TruSTAR (GUI Manual Action)

Using this functionality, a QRadar user can send an IBM QRadar offense to TruSTAR as a report. Below are the steps to perform this action.

  1. Navigate to the Offense tab
  2. Double click on the offense to submit
  3. Click on Send to TruSTAR

Send Event to TruSTAR (Manual Action)

Using this functionality, a QRadar user can send an event to TruSTAR as a report.

  1. Navigate to the Log Activity tab
  2. Double click on the event you want to submit to TruSTAR
  3. Click on Send to TruSTAR

Hunt IOC in TruSTAR (Manual Action)

Using this functionality, users can hunt for correlated indicators in the TruSTAR platform directly from the app. The list of IOC types that TruSTAR supports can be found here.

  1. Navigate to the Log Activity tab or the Offense tab
  2. Right click on the IOC you want to hunt in TruSTAR and select TruSTAR Lookup.
  3. A pop-up will open with deep links to the correlated indicators.

Auto Submit Offenses

The auto-submission feature submits newly created offenses to TruSTAR according to the configured parameters. A user needs to configure the auto-submission feature on the configuration page to activate it. Please refer to the configuration page screenshots for Send Offense to TruSTAR.

Populate QRadar Reference Sets

This feature populates QRadar reference lists with TruSTAR indicators. There is a separate reference list for each indicator type.

Users need to configure the Auto IOC Feed feature on the configuration page to activate this feature.
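As an added illustration of the two reference-list features described above (one reference set per indicator type, plus ageing out stale entries), not code from the TruSTAR app itself: the indicator records, the `TruSTAR_<type>` set-name convention and the 30-day age-out window are constructed assumptions, not values from this page.

```python
from datetime import datetime, timedelta

# Constructed sample of an indicator feed (assumed shape: type, value,
# last-seen timestamp). Values are documentation/reserved examples,
# not real IOCs from TruSTAR.
SAMPLE_INDICATORS = [
    {"type": "IP", "value": "203.0.113.10", "last_seen": "2024-01-10T00:00:00Z"},
    {"type": "IP", "value": "198.51.100.7", "last_seen": "2024-03-01T00:00:00Z"},
    {"type": "URL", "value": "http://example.invalid/login", "last_seen": "2024-02-20T00:00:00Z"},
    {"type": "MD5", "value": "00000000000000000000000000000001", "last_seen": "2023-12-01T00:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reference_set_name(ioc_type: str) -> str:
    """Assumed naming convention: one reference set per indicator type."""
    return f"TruSTAR_{ioc_type}"


def build_reference_sets(indicators):
    """Group indicator values into per-type sets, keeping each last-seen time."""
    sets = {}
    for ioc in indicators:
        name = reference_set_name(ioc["type"])
        sets.setdefault(name, {})[ioc["value"]] = parse_ts(ioc["last_seen"])
    return sets


def age_reference_sets(sets, now_iso: str, max_age_days: int):
    """Remove entries not seen within max_age_days; return what was removed per set."""
    cutoff = parse_ts(now_iso) - timedelta(days=max_age_days)
    removed = {}
    for name, entries in sets.items():
        stale = sorted(v for v, seen in entries.items() if seen < cutoff)
        for value in stale:
            del entries[value]
        if stale:
            removed[name] = stale
    return removed


if __name__ == "__main__":
    sets = build_reference_sets(SAMPLE_INDICATORS)
    aged = age_reference_sets(sets, "2024-03-05T00:00:00Z", max_age_days=30)
    for name in sorted(sets):
        print(name, sorted(sets[name]))
    print("aged out:", aged)
```

Entries whose last-seen time is older than the window are dropped from their set, so a reference list used in rules only matches indicators TruSTAR has seen recently.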

Troubleshooting & FAQs

  1. The QRadar app needs network access to https://api.trustar.co to complete the configuration process. Please allow your firewalls and other security controls to reach this API endpoint.
  2. Manual actions will not return a result if the response time is over a minute. If the underlying API calls to TruSTAR take more than a minute, the manual actions will not respond. Workaround: refresh the page and retry if the TruSTAR report has not been submitted.
  3. TruSTAR report creation for a particular offense fails. This often happens when the event contains special characters. In such instances, check the server logs to troubleshoot further, and reach out to the TruSTAR support team for additional support.
  4. To control which TruSTAR enclaves indicators are ingested from into the QRadar reference set, make sure the API keys being used belong to a user with access to only the enclaves/data sources you want to ingest from.
  5. Log files can be found by:
    1. Click on System and License Management in the Admin panel.
    2. Select the host on which the TruSTAR App is installed.
    3. Click on Actions in the top panel and select Collect Log Files; a pop-up named Log File Collection will open.
    4. Click on Advanced Options.
    5. Select the checkboxes to include Debug Logs, Application Extension Logs and Setup Logs (Current Version).
    6. Select the number of days prior to the present for which you would like to download logs.
    7. Click on the Collect Log Files button.
    8. Click on "Click here to download files". This will download all the log files in a single zip to your local machine.

Please reach out to support@trustar.co for any additional questions.
