Install and Configure the app on QRadar#
Caution
This application is no longer supported.
From 3 August 2022, use the new EclecticIQ Intelligence Center App instead. (Documentation)
This topic describes how to integrate the EclecticIQ Platform with IBM QRadar.
Prerequisites#
EclecticIQ Platform version 2.1 or later
QRadar version 7.2.8 or later
Set up EclecticIQ Platform to send data to IBM QRadar#
(Optional) Create source group#
Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App for IBM QRadar.
When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the Threat Intelligence EclecticIQ Platform App for IBM QRadar.
Source groups for IBM QRadar:
are case-sensitive;
must not contain spaces.
Set up outgoing feed#
In order to allow your IBM QRadar instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:
In the left navigation bar, click Data Configuration > Outgoing feeds > +.
Set the following fields in your new outgoing feed:
Field name
Description
Feed name*
Enter a descriptive name for the outgoing feed.
Example: Outgoing feed for <vendor system>
Transport type*
Set this to HTTP download.
Content type*
Set this to EclecticIQ Observables CSV.
Feed content
Datasets*: Select one or more datasets to include in this outgoing feed.
Update strategy*: Select an update strategy.
The Threat Intelligence EclecticIQ Platform App for IBM QRadar supports these update strategies:
REPLACE: Select this option to purge the reference tables and then update it each time the feed runs.
Caution
Not recommended for feeds with large datasets, or feeds with frequent execution schedules.
DIFF: Select this option to send incremental updates through the feed.
Transport configuration
Public: Do not select.
Unauthenticated feeds are not supported by the Threat Intelligence EclecticIQ Platform App for IBM QRadar.
Authorized groups: Select one or more groups to make this feed available to.
If you created a source group earlier, add that here.
Execution schedule
Set to None by default.
To have your IBM QRadar instance receive the latest data available for this feed, set this to a schedule that is more frequent than the EclecticIQ Feeds Ingestion field when configuring the app
Observable and Enrichment Observable types
Set this to:
ipv4
,uri
,domain
,email
, and one or more of thehash
observable typesTip
For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.
Save and run the outgoing feed.
Get feed ID#
We need the ID of the outgoing feed that you’ve just created.
To get the feed ID:
In the left navigation bar, click Data Configuration > Outgoing feeds.
In the Outgoing feeds overview, click on the outgoing feed you’ve just created.
In the panel that appears, click on the Created packages tab.
Locate and note the feed ID shown in this tab.
The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:
You can download the latest package from: https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
the feed ID is 8.
Install Threat Intelligence EclecticIQ Platform App for IBM QRadar#
Download the integration#
To download the Threat Intelligence EclecticIQ Platform App for IBM QRadar:
Go to the IBM App Exchange and download the application to your machine.
Or, contact EclecticIQ Support and request the application.
Add Threat Intelligence EclecticIQ Platform App for IBM QRadar#
In IBM QRadar, click the menu (☰) in the top-left corner.
Click Admin
In the left navigation bar, click System Configuration, then click Extensions Management.
On the top-right, click Add.
Locate the Threat Intelligence EclecticIQ Platform App for IBM QRadar downloaded in Download the integration.
Select the Install immediately checkbox.
Click Add.
Configure Threat Intelligence EclecticIQ Platform App for IBM QRadar#
Open IBM QRadar.
In the navigation menu (☰), click Admin.
In the left navigation bar, click Apps.
Click the EclecticIQ Threat Intelligence application.
In the EclecticIQ Threat Intelligence Platform Configuration Page, fill out the following fields:
Field name
Description
QRadar Security Token
Set this to the Authorized Service Token generated in Generate Authorized Service Token.
EclecticIQ Platform URL
Set this to the URL to access your EclecticIQ Platform instance.
EclecticIQ Platform Login
Set this to your user name.
If you set up a new source group earlier, this user must belong to it.
EclecticIQ Platform Password
Set this to your user password or API token.
(Optional) Proxy URL
Set this to the IP address or URL of the proxy server to connect to.
(Optional) Proxy Login
Set this to the user name used to authenticate with the proxy server.
(Optional) Proxy Password
Set this to the password used to authenticate with the proxy server.
EclecticIQ Platform Feed ID#
Set this to one or more feed IDs from Get feed ID.
You can enter multiple feed IDs as comma-separated values. For example:
12, 13
EclecticIQ Platform Version
Set this to your EclecticIQ Platform version.
For example:
2.9
EclecticIQ User Group Name
Set this to a source group name.
This must be at least one of the Authorized Groups set for your outgoing feed.
For the Threat Intelligence EclecticIQ Platform App for IBM QRadar to send sightings to your EclecticIQ Platform instance, your user must have
modify entities
permissions for the source groups set here.Source groups for IBM QRadar:
are case-sensitive;
must not contain spaces.
EclecticIQ Feeds Ingestion schedule. Download data every, min
Set this to an appropriate ingestion schedule, in minutes.
For example, setting this to
120
would download data from the specified feed ID every 2 hours.Validate Threat Intelligence Platform SSL certs
Select to validate the EclecticIQ Platform ssl certificates.
Pull Outgoing Feeds Immediately
Select this to ingest data from the specified feed ID immediately after you click Save.
Click Save.