Before you start with IBM QRadar SOAR
Review this information about requirements and dependencies before installing EclecticIQ Intelligence Center Integration for IBM QRadar SOAR.
Requirements
IBM QRadar SOAR platform version 47 or later.
EclecticIQ Intelligence Center version 3.0 or later.
The IBM QRadar SOAR and EclecticIQ Intelligence Center instances can communicate through HTTPS.
By default, the communication protocol is TCP, and the corresponding port is 443.
You can access the IBM QRadar SOAR command line terminal, and you can run commands.
You can create integration users and groups in the EclecticIQ Intelligence Center instance.
Dependencies
The following additional components must be installed on the IBM Resilient instance:
resilient-circuits: Resilient Circuits Framework for Custom Integrations.
rc-cts: Resilient Circuits Custom Threat Service Component.
rc-webserver: Resilient Circuits Web Server Component.
keyring: library providing Python access to the system keyring service.
Note
About keyring and Python compatibility
Python 2.7 is compatible with keyring versions 18.0.1 and earlier.
Python 3 is compatible with keyring versions 19.0.0 and later.
To install the additional components:
Open a terminal session.
Run pip install:
    # IBM QRadar SOAR dependencies
    sudo pip install resilient_circuits
    sudo pip install rc-cts
    sudo pip install rc-webserver
    # Keyring password manager
    sudo pip install keyring
    # Alternate keyring backend implementations
    sudo pip install keyrings.alt
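A preflight check for the requirements and dependencies above, as an added example that is not part of the EclecticIQ or IBM documentation: it reports missing packages, applies the keyring and Python compatibility note, and attempts a certificate-verified HTTPS handshake on port 443. The function names and the hostname passed on the command line are assumptions, and the script itself needs Python 3.8 or later.

```python
import re
import socket
import ssl
import sys
from importlib import metadata  # Python 3.8+

# Distribution names from the Dependencies list on this page.
REQUIRED = ("resilient-circuits", "rc-cts", "rc-webserver", "keyring")

def normalize(name):
    """PEP 503 name normalization: resilient_circuits == resilient-circuits."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """'19.0.0' -> (19, 0, 0); only the first three numeric fields are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def keyring_ok(python_major, keyring_version):
    """Apply the compatibility note: Python 2.7 <= 18.0.1, Python 3 >= 19.0.0."""
    version = parse_version(keyring_version)
    if python_major == 2:
        return version <= (18, 0, 1)
    return version >= (19, 0, 0)

def find_problems(installed, python_major):
    """Return readable problems for a {package name: version} mapping."""
    have = {normalize(name): ver for name, ver in installed.items()}
    problems = ["missing package: " + pkg for pkg in REQUIRED if pkg not in have]
    if "keyring" in have and not keyring_ok(python_major, have["keyring"]):
        problems.append("keyring %s does not match Python %d" % (have["keyring"], python_major))
    return problems

def https_reachable(host, port=443, timeout=5.0):
    """True if a certificate-verified TLS handshake with host:port succeeds."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # refused, timed out, DNS failure, or TLS/certificate error
        return False

if __name__ == "__main__":
    installed = {d.metadata["Name"]: d.version
                 for d in metadata.distributions() if d.metadata["Name"]}
    for problem in find_problems(installed, sys.version_info[0]):
        print(problem)
    if len(sys.argv) > 1 and not https_reachable(sys.argv[1]):
        print("cannot complete an HTTPS handshake with %s:443" % sys.argv[1])
```

Run it on the IBM QRadar SOAR host with the EclecticIQ Intelligence Center hostname as the only argument. An instance whose certificate is not trusted by the system store is reported as unreachable.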
Integration user
Optionally, you can assign the integration a dedicated automation user.
For the integration to work as expected, the user must have administrator-level access rights.
When you configure the integration and edit the IBM QRadar SOAR app.config file, specify the email address, password, and organization details of this user.
To create a new IBM QRadar SOAR user:
Open a terminal session in the IBM QRadar SOAR instance.
Run the following command:
    # Replace the "[email protected]", "firstname", "lastname", and "orgname" placeholders with
    # actual values that apply to the user you are creating:
    # - A valid email address for the integration user.
    # - The integration user's name.
    # - The integration user's family name.
    # - The organization the integration user belongs to.
    sudo resutil newuser -createorg -email "[email protected]" -first "firstname" -last "lastname" -org "orgname"