Configure Intelligence Center Integration#

Configure EclecticIQ Intelligence Center Integration for IBM QRadar SOAR.

After installing the app, you can proceed to set it up.

The app setup consists of the following steps:

  1. Create the configuration file for the app.

  2. Set the passwords for the IBM QRadar SOAR and EclecticIQ Intelligence Center users that consume the integration.

  3. Create a message destination to store data and to make it available programmatically to external scripts.

Create the configuration file#

The app.config file holds the app configuration parameters that define the integration behavior in IBM QRadar SOAR.

  1. To create an app.config configuration file, run the following command:

    resilient-circuits config -c
    

    By default, app.config is stored in /home/resadmin/.resilient.

    If the file already exists, you are prompted to replace it. To keep your existing configuration, press N to cancel the operation.

  2. Open app.config in a text editor such as Vim or Nano:

    vi /home/resadmin/.resilient/app.config
    

In the app.config file, edit the [resilient] stanza to set up the integration for the IBM QRadar SOAR service, and edit the [eclecticiq] stanza to define EclecticIQ Intelligence Center-specific parameters.

  1. Edit the [resilient] stanza to specify the correct settings for your configuration:

    Each entry below gives the field name, what it holds, and an example value.

    host
      Enter the IP address of the host the IBM QRadar SOAR instance runs on, and where incidents are processed.
      If your IBM QRadar SOAR is deployed on a single machine, and it is not part of a distributed installation, set the host to 127.0.0.1.
      Example: 127.0.0.1

    port
      Enter the TCP port on which the IBM QRadar SOAR instance accepts connections. The resilient-circuits integration module connects to this port.
      The default port is 443.
      Example: 443

    email
      Enter the email address associated with the integration user you previously defined in IBM QRadar SOAR.
      Example: firstname-lastname@orgname.com

    password
      Enter the res-keyring alias corresponding to the password of the integration user you previously defined in IBM QRadar SOAR.
      The configuration file stores content in plain text, so do not write the password itself here. We recommend storing passwords with IBM QRadar SOAR res-keyring and referring to them by alias; res-keyring aliases must begin with a caret (^), for example ^my_very_secret_password.
      Example: ^res_password

    org
      Enter the organization name associated with the integration user you previously defined in IBM QRadar SOAR.
      Example: OrgName

    cafile
      To validate the IBM QRadar SOAR server certificate, including a self-signed one, see the comment right above this field in the app.config file.
      To disable certificate validation, set it to false. With validation disabled the integration accepts any certificate, so the integration user's credentials can be intercepted by anyone able to redirect the connection. Use false only in a test environment; on a production system, point cafile at the CA certificate that signed the server certificate, as the comment describes.
      Example: false

    Example:

    [resilient]
    
    # Basic service connection
    host=127.0.0.1
    port=443
    email=firstname-lastname@orgname.com
    password=^res_password
    org=Empire
    
    ...
    
    cafile=false
    
  2. Edit the [eclecticiq] stanza to specify the correct settings for your configuration:

    Each entry below gives the field name, what it holds, and an example value.

    eclecticiq_url
      Enter the URL of the EclecticIQ Intelligence Center instance you want to integrate with IBM QRadar SOAR.
      The host running the resilient-circuits integration module must be able to reach this URL; by default, the connection uses port 443.
      Example: https://eclecticiq-instance.local.com

    eclecticiq_user
      Enter the user name of the Intelligence Center account the integration signs in with.
      Prefer a dedicated integration account that holds only the permissions the integration needs over a shared administrator account.
      Example: admin

    eclecticiq_password
      Enter the res-keyring alias corresponding to the password of your Intelligence Center user.
      The configuration file stores content in plain text, so do not write the password itself here. We recommend storing passwords with IBM QRadar SOAR res-keyring and referring to them by alias; res-keyring aliases must begin with a caret (^), for example ^my_very_secret_password.
      Note: with EclecticIQ Intelligence Center Integration for IBM QRadar SOAR version 1.1.5 and newer, you can use an Intelligence Center user's API token instead of a password; store it with res-keyring in the same way. For more information on creating API tokens, see Create an API token.
      Example: ^eclecticiq_password

    eclecticiq_ssl_check
      Enter a True or False Boolean value to enable or disable SSL certificate validation:

      • To validate the EclecticIQ Intelligence Center certificate, set it to True.

      • To accept self-signed platform certificates without validation, set it to False.

      Setting it to False makes the integration accept any certificate, so the Intelligence Center password or API token can be intercepted by anyone able to redirect the connection. Use False only in a test environment; in production, keep it set to True and have the Intelligence Center present a certificate the integration host trusts.
      Example: False

    sightings_auto_creation
      Enter a True or False Boolean value to enable or disable automatic sighting creation:

      • To have IBM QRadar SOAR automatically create sightings in your Intelligence Center when it detects hits, set it to True.

      • To disable this feature, set it to False.

      Example: True

    sightings_group_name
      Enter a valid Intelligence Center user group name.
      This group is recorded as the data source of the sightings IBM QRadar SOAR creates in your Intelligence Center.
      Example: Testing Group

    Example:

    [eclecticiq]
    
    # API credentials
    eclecticiq_url=https://eclecticiq-instance.local.com
    eclecticiq_user=admin
    eclecticiq_password=^eclecticiq_password
    eclecticiq_ssl_check=False
    
    # Sightings parameters
    sightings_auto_creation=True
    sightings_group_name=Testing Group
    

Note

Every time you edit app.config and you save your changes, you must:

  1. Reinstall the app.

  2. Stop, and then start the resilient-circuits integration module.

# Go to the '/home/resadmin' directory.
cd /home/resadmin

# Reinstall the app.
# 'x.x.x' is a placeholder representing the app release.
# Example: 1.1.2
sudo pip install -e rc-cts-eclecticiq-x.x.x

# After manually stopping the integration module, start it again.
resilient-circuits run

# Successful response.
resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting

Set the passwords#

The configuration file stores content in plain text.

We recommend using IBM QRadar SOAR res-keyring to store passwords, and to represent them in plain text with aliases.

res-keyring aliases must begin with a caret (^).

Example: ^my_very_secret_password

res-keyring relies on a keyring password manager already installed on the system.

res-keyring prompts you to enter a password for each alias it finds; the input is hidden while you type, and the value is stored as a secret in the keyring.

This is a one-time operation: after setting up the alias/password pairs, you do not need to repeat this task, unless you want to change the password values.

By default:

  • res-keyring scans /home/resadmin/.resilient/app.config for values beginning with a caret (^).

  • Secrets are stored through the keyrings.alt file backend. That backend keeps the secrets in a file under the resadmin user's home directory, so they are only as well protected as that file's permissions: make sure it is readable by the resadmin user only.

To set password aliases for the IBM QRadar SOAR and the EclecticIQ Intelligence Center users that consume the integration:

  1. Run the following command to launch res-keyring:

    res-keyring
    
  2. res-keyring searches the app.config file for values beginning with a caret, and then it prompts users to assign each alias a password:

    [resilient] password: ^res_password
      Enter new value (or <ENTER> to leave unchanged):
    
    [eclecticiq] eclecticiq_password: ^eclecticiq_password
      Enter new value (or <ENTER> to leave unchanged):
    
    Done.
    

    Note

    Make sure you enter the correct passwords associated with the IBM QRadar SOAR and EclecticIQ Intelligence Center users specified in the app.config file in the email and the eclecticiq_user fields, respectively.
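The check below is added here as an example; it is not part of the EclecticIQ app or of resilient-circuits. It applies the rules from the [resilient] and [eclecticiq] field descriptions and from this res-keyring section to an app.config before you run res-keyring and start the integration module: it lists the ^aliases res-keyring will prompt for, and it flags a password written in plain text, an eclecticiq_url that is not https, an invalid port, and certificate validation left disabled (cafile=false or eclecticiq_ssl_check=False). The two sample configurations are constructed from the page's examples; the cafile path in the hardened variant is an assumed placeholder, not a path the page specifies.

```python
"""Pre-flight lint for the [resilient] and [eclecticiq] stanzas of app.config.

Added example, not code from the EclecticIQ app or from resilient-circuits.
It reproduces the two checks a reviewer makes before `res-keyring` and
`resilient-circuits run`: every secret field holds a ^alias rather than a
plain-text value, and certificate validation has not been left disabled.
"""
import configparser
from urllib.parse import urlparse

# Secret-bearing fields per stanza, as documented above. A value here must be a
# res-keyring alias (begins with '^'); anything else is a plain-text secret.
SECRET_FIELDS = {
    "resilient": ("password",),
    "eclecticiq": ("eclecticiq_password",),
}


def parse_app_config(text):
    """Parse app.config text; interpolation is off so '%' in values stays literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def keyring_aliases(text):
    """Return (stanza, field, alias) for every value res-keyring would prompt for."""
    cfg = parse_app_config(text)
    return [
        (section, key, value)
        for section in cfg.sections()
        for key, value in cfg.items(section)
        if value.startswith("^")
    ]


def lint_app_config(text):
    """Return a list of findings; an empty list means the stanzas look sound."""
    cfg = parse_app_config(text)
    findings = []

    for section, fields in SECRET_FIELDS.items():
        if not cfg.has_section(section):
            findings.append(f"missing [{section}] stanza")
            continue
        for field in fields:
            value = cfg.get(section, field, fallback="").strip()
            if not value:
                findings.append(f"[{section}] {field} is not set")
            elif not value.startswith("^"):
                findings.append(
                    f"[{section}] {field} holds a plain-text secret; "
                    "replace it with a ^alias and set the value with res-keyring"
                )

    if cfg.has_section("resilient"):
        if cfg.get("resilient", "cafile", fallback="").strip().lower() == "false":
            findings.append("[resilient] cafile=false disables certificate validation "
                            "for the IBM QRadar SOAR connection")
        port = cfg.get("resilient", "port", fallback="443").strip()
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"[resilient] port={port!r} is not a valid TCP port")

    if cfg.has_section("eclecticiq"):
        url = cfg.get("eclecticiq", "eclecticiq_url", fallback="").strip()
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"[eclecticiq] eclecticiq_url={url!r} must be an https:// URL")
        # getboolean accepts True/False in any letter case, as the page's examples use.
        if not cfg.getboolean("eclecticiq", "eclecticiq_ssl_check", fallback=True):
            findings.append("[eclecticiq] eclecticiq_ssl_check=False disables certificate "
                            "validation for the Intelligence Center connection")

    return findings


# Constructed sample that mirrors the page's lab example; not a real deployment.
LAB_CONFIG = """\
[resilient]
host=127.0.0.1
port=443
email=firstname-lastname@orgname.com
password=^res_password
org=Empire
cafile=false

[eclecticiq]
eclecticiq_url=https://eclecticiq-instance.local.com
eclecticiq_user=admin
eclecticiq_password=^eclecticiq_password
eclecticiq_ssl_check=False
sightings_auto_creation=True
sightings_group_name=Testing Group
"""

# Constructed hardened variant: same aliases, certificate validation enabled.
# The cafile path is an assumed placeholder, not a path the page specifies.
HARDENED_CONFIG = LAB_CONFIG.replace(
    "cafile=false", "cafile=/home/resadmin/.resilient/soar-ca.pem"
).replace("eclecticiq_ssl_check=False", "eclecticiq_ssl_check=True")

if __name__ == "__main__":
    for name, text in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: aliases={[alias for _, _, alias in keyring_aliases(text)]}")
        for finding in lint_app_config(text) or ["no findings"]:
            print(f"  {finding}")
```

To check your own file, pass its contents to lint_app_config, for example `lint_app_config(open("/home/resadmin/.resilient/app.config").read())`. The lab configuration taken from the page's examples produces exactly the two certificate-validation findings; treat those as acceptable only on a test system.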

Create a message destination#

A message destination stores the data the sighting creation action generates and requires to work correctly, and it makes the data available programmatically to external scripts.

Set up a subscription to the eclecticiq_sighting message destination for the integration to work correctly:

  1. Open a web browser, and log in to IBM QRadar SOAR through the GUI.

  2. Click the user menu.

  3. From the drop-down menu select Customization Settings.

  4. Under Customization Settings, click the Message Destinations tab.

  5. In the Message Destinations tab, click the Add Message Destination button.

  6. In the Create Message Destination dialog window, populate the configuration fields:

    1. From the Type drop-down menu, select Queue.

    2. In the Name field, enter a short and descriptive name for the message destination rule you are creating.

      Example: Manual EclecticIQ sightings

    3. In the Programmatic Name field, enter eclecticiq_sighting.

      The manual sighting creation setup works only if you specify exactly this value.

    4. From the Expect Acknowledgement drop-down menu, select Yes.

    5. In the Users field, start typing one or more IBM QRadar SOAR user names that can access and use the manual sighting creation feature.

      The field supports autocomplete.

    6. Click Create to add the new message destination, or Cancel to discard your changes.

  7. The new message destination is available as a new entry in the Message Destinations tab.

    To edit or to remove a message destination, click the corresponding entry in the Message Destinations tab.

Note

After creating a message destination and after starting the resilient-circuits integration module, IBM QRadar SOAR may return Java error messages, and it may fail to work correctly.

If this occurs, restart the IBM QRadar SOAR instance to solve the problem.