Configure the QRadar app for Fusion Center

This topic describes how to configure the Threat Intelligence EclecticIQ Platform App for IBM QRadar for the EclecticIQ Fusion Center Essentials CSV feed.

Prerequisites

  • EclecticIQ Fusion Center Essentials CSV feed.

  • QRadar version 7.2.8 or later.

Install Threat Intelligence EclecticIQ Platform App for IBM QRadar

Download the integration

To download the Threat Intelligence EclecticIQ Platform App for IBM QRadar:

Generate Authorized Service Token

To allow the Threat Intelligence EclecticIQ Platform App for IBM QRadar to communicate with IBM QRadar, we need to create an Authorized Service:

  1. Open IBM QRadar.

  2. In the navigation menu (☰), click Admin.

  3. In the User Management section, click Authorized Services > Add Authorized Service.

  4. Fill out the following fields:

    | Field name | Value |
    |---|---|
    | Service Name | Set this to: EclecticIQ-Platform |
    | User Role | Select an appropriate User Role to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar. |
    | Security Profile | Select an appropriate Security Profile to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar. Your security profile determines the networks and log sources the app can access on IBM QRadar. |
    | Expiry Date | Set an expiry date for the Authorized Service, or select No Expiry. |

  5. Click Create Service.

  6. Note the generated Authorized Service Token.

    This is used when you Configure the integration.

Add Threat Intelligence EclecticIQ Platform App for IBM QRadar

  1. In IBM QRadar, click the menu (☰) in the top-left corner.

  2. Click Admin.

  3. In the left navigation bar, click System Configuration, then click Extensions Management.

  4. On the top-right, click Add.

  5. Locate the Threat Intelligence EclecticIQ Platform App for IBM QRadar downloaded in Download the integration.

  6. Select the Install immediately checkbox.

  7. Click Add.

Configure Threat Intelligence EclecticIQ Platform App for IBM QRadar

  1. Open IBM QRadar.

  2. In the navigation menu (☰), click Admin.

  3. In the left navigation bar, click Apps.

  4. Click the EclecticIQ Threat Intelligence application.

  5. In the EclecticIQ Threat Intelligence Platform Configuration Page, fill out the following fields:

    | Field name | Description |
    |---|---|
    | QRadar Security Token | Set this to the Authorized Service Token generated in Generate Authorized Service Token. |
    | EclecticIQ Platform URL | Set this to: https://cti.eclecticiq.com |
    | EclecticIQ Platform Login | Set this to your Fusion Center user name. |
    | EclecticIQ Platform Password | Set this to your Fusion Center user password. |
    | (Optional) Proxy URL | Set this to the IP address or URL of the proxy server to connect to. |
    | (Optional) Proxy Login | Set this to the user name used to authenticate with the proxy server. |
    | (Optional) Proxy Password | Set this to the password used to authenticate with the proxy server. |
    | EclecticIQ Platform Feed ID# | Set this to the feed ID(s) provided by Fusion Center. To view available feeds go to: https://cti.eclecticiq.com/feeds/downloads/ For example, the essentials.blacklist.csv.daily feed is ID 77. |
    | EclecticIQ Platform Version | Set this to: FC |
    | EclecticIQ User Group Name | Leave empty. |
    | EclecticIQ Feeds Ingestion schedule. Download data every, min | Set this to: 120 |
    | Validate Threat Intelligence Platform SSL certs | Select to validate the EclecticIQ Platform SSL certificates. |
    | Pull Outgoing Feeds Immediately | Select this to ingest data from the specified feed ID immediately after you click Save. |

  6. Click Save.
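
A pre-flight check for the values entered in the configuration page above, written as an added example; it is not part of the EclecticIQ app or QRadar. The dictionary keys are hypothetical names for the form fields, and the comma-separated feed ID format is an assumption.

```python
from urllib.parse import urlparse

# Constructed sample settings; keys are hypothetical names for the form fields.
SAMPLE = {
    "platform_url": "http://cti.eclecticiq.com",   # wrong scheme on purpose
    "feed_ids": "77, abc",
    "schedule_min": "120",
    "verify_ssl": False,
    "proxy_url": "http://user:secret@10.0.0.5:3128",
    "token_expiry": None,                          # None models "No Expiry"
}

def lint_config(cfg):
    """Return findings for settings that weaken or break the integration."""
    findings = []
    url = urlparse(cfg.get("platform_url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("platform_url: must be an https:// URL")
    if not cfg.get("verify_ssl"):
        findings.append("verify_ssl: certificate validation is off, so the "
                        "platform credentials can be intercepted in transit")
    # Assumption: several feed IDs are entered comma-separated.
    ids = [p.strip() for p in str(cfg.get("feed_ids", "")).split(",")]
    bad = [p for p in ids if not p.isdecimal()]
    if bad:
        findings.append("feed_ids: not numeric: " + ", ".join(map(repr, bad)))
    sched = str(cfg.get("schedule_min", ""))
    if not sched.isdecimal() or int(sched) <= 0:
        findings.append("schedule_min: must be a positive number of minutes")
    proxy = cfg.get("proxy_url")
    if proxy:
        # Accept both "host:port" and full URLs, as the field allows either.
        parsed = urlparse(proxy if "://" in proxy else "//" + proxy)
        if parsed.username or parsed.password:
            findings.append("proxy_url: credentials embedded in the URL; "
                            "use the Proxy Login and Proxy Password fields")
    if cfg.get("token_expiry") is None:
        findings.append("token_expiry: Authorized Service token never expires")
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```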