# Configure Intelligence Center Integration

Configure EclecticIQ Intelligence Center Integration for IBM QRadar SOAR.

After installing the app, you can proceed to set it up. The app setup consists of the following steps:

1. Create the configuration file for the app.
2. Set the passwords for the IBM QRadar SOAR and EclecticIQ Intelligence Center users that consume the integration.
3. Create a message destination to store data and to make it available programmatically to external scripts.
## Create the configuration file

The app.config file holds the app configuration parameters that define the integration behavior in IBM QRadar SOAR.

To create an app.config configuration file, run the following command:

```shell
resilient-circuits config -c
```

By default, app.config is stored in /home/resadmin/.resilient. If the file already exists, you are prompted to replace it. In this case, press N to cancel the operation.

Open app.config in a text editor such as Vim or Nano:

```shell
vi /home/resadmin/.resilient/app.config
```

In the app.config file, edit the [resilient] stanza to set up the integration for the IBM QRadar SOAR service, and edit the [eclecticiq] stanza to define EclecticIQ Intelligence Center-specific parameters.
Edit the [resilient] stanza to specify the correct settings for your configuration:

| Field | Description | Example |
|---|---|---|
| host | Enter the IP address of the host the IBM QRadar SOAR instance runs on, and where incidents are processed. If your IBM QRadar SOAR is deployed on a single machine, and if it is not part of a distributed installation, set the host to 127.0.0.1. | 127.0.0.1 |
| port | Enter the port number you want to assign to the integration. The resilient-circuits integration module listens on this port. The default port is 443. Data flow uses the TCP transmission protocol. | 443 |
| email | Enter the email address associated with the integration user you previously defined in IBM QRadar SOAR. | firstname-lastname@orgname.com |
| password | Enter the set-password alias corresponding to the password associated with the integration user you previously defined in IBM QRadar SOAR. The configuration file stores content in plain text. We recommend using IBM QRadar SOAR res-keyring to store passwords, and to represent them in plain text with aliases. res-keyring aliases must begin with a caret (^). Example: ^my_very_secret_password | ^res_password |
| org | Enter the organization name associated with the integration user you previously defined in IBM QRadar SOAR. | OrgName |
| cafile | To use the IBM QRadar SOAR server self-signed certificate, see the comment right above this field in the app.config file. To disable certificate validation, set it to false. | false |

Example:

```ini
[resilient]
# Basic service connection
host=127.0.0.1
port=443
email=firstname-lastname@orgname.com
password=^res_password
org=Empire
...
cafile=false
```
Edit the [eclecticiq] stanza to specify the correct settings for your configuration:

| Field | Description | Example |
|---|---|---|
| eclecticiq_url | Enter the URL pointing to the EclecticIQ Intelligence Center instance you want to integrate with IBM QRadar SOAR. The platform instance must be able to communicate with the IBM QRadar SOAR host through the resilient-circuits integration module. By default, the communication port is 443. | https://eclecticiq-instance.local.com |
| eclecticiq_user | Enter a valid user name to sign in to and to access the EclecticIQ Intelligence Center instance. | admin |
| eclecticiq_password | Enter the res-keyring alias corresponding to the password associated with your Intelligence Center user name. The configuration file stores content in plain text. We recommend using IBM QRadar SOAR res-keyring to store passwords, and to represent them in plain text with aliases. res-keyring aliases must begin with a caret (^). Example: ^my_very_secret_password. Note (EclecticIQ Intelligence Center Integration for IBM QRadar SOAR version 1.1.5 and newer): you can use an Intelligence Center user's API token in the eclecticiq_password field instead of a password. For more information on creating API tokens, see Create an API token. | ^eclecticiq_password |
| eclecticiq_ssl_check | Enter a True or False Boolean value to enable or disable SSL certificate validation: to check the EclecticIQ Intelligence Center certificate, set it to True; to allow self-signed platform certificates, set it to False. | False |
| sightings_auto_creation | Enter a True or False Boolean value to enable or disable automatic sighting creation: to enable IBM QRadar SOAR to automatically create sightings in your Intelligence Center when it detects hits, set it to True; to disable this feature, set the field value to False. | True |
| sightings_group_name | Enter a valid Intelligence Center user group name. This group corresponds to the data source of the sightings IBM QRadar SOAR creates in your Intelligence Center. | Testing Group |

Example:

```ini
[eclecticiq]
# API credentials
eclecticiq_url=https://eclecticiq-instance.local.com
eclecticiq_user=admin
eclecticiq_password=^eclecticiq_password
eclecticiq_ssl_check=False
# Sightings parameters
sightings_auto_creation=True
sightings_group_name=Testing Group
```
Note: Every time you edit app.config and you save your changes, you must:

1. Reinstall the app.
2. Stop, and then start the resilient-circuits integration module.

```shell
# Go to the '/home/resadmin' directory.
cd /home/resadmin
# Reinstall the app.
# 'x.x.x' is a placeholder representing the app release.
# Example: 1.1.2
sudo pip install -e rc-cts-eclecticiq-x.x.x
# After manually stopping the integration module, start it again.
resilient-circuits run
# Successful response.
resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting
```
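As an added example (not code from EclecticIQ, IBM, or the app itself), a small pre-flight check in Python for the app.config layout described above: it parses the [resilient] and [eclecticiq] stanzas with configparser, flags a secret stored as a literal instead of a res-keyring ^alias, and flags cafile=false or eclecticiq_ssl_check=False, the two settings that disable certificate validation. The sample configuration inside the block is constructed from this page's examples, with deliberately weak values.

```python
import configparser

# Constructed sample mirroring the two example stanzas above; the literal
# password and the disabled certificate checks are deliberate weak settings.
SAMPLE_CONFIG = """
[resilient]
host=127.0.0.1
port=443
email=firstname-lastname@orgname.com
password=hunter2
org=Empire
cafile=false

[eclecticiq]
eclecticiq_url=https://eclecticiq-instance.local.com
eclecticiq_user=admin
eclecticiq_password=^eclecticiq_password
eclecticiq_ssl_check=False
sightings_auto_creation=True
sightings_group_name=Testing Group
"""

# Keys that must hold a res-keyring alias rather than the secret itself.
SECRET_KEYS = {"resilient": ["password"], "eclecticiq": ["eclecticiq_password"]}
# Key/value pairs that turn certificate validation off for each service.
TLS_OFF = {"resilient": ("cafile", "false"), "eclecticiq": ("eclecticiq_ssl_check", "false")}

def is_keyring_alias(value: str) -> bool:
    """res-keyring only resolves values that begin with a caret."""
    return value.startswith("^") and len(value) > 1

def check_app_config(text: str) -> list:
    """Return (stanza, key, finding) tuples; an empty list means no findings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for stanza, keys in SECRET_KEYS.items():
        if not cfg.has_section(stanza):
            findings.append((stanza, "", "stanza missing"))
            continue
        for key in keys:
            if not is_keyring_alias(cfg.get(stanza, key, fallback="")):
                findings.append((stanza, key, "literal secret; use a ^alias and res-keyring"))
    for stanza, (key, off) in TLS_OFF.items():
        if cfg.has_section(stanza) and cfg.get(stanza, key, fallback="").lower() == off:
            findings.append((stanza, key, "certificate validation disabled"))
    return findings
```

Running check_app_config against a real /home/resadmin/.resilient/app.config before res-keyring and resilient-circuits run catches a plaintext password or a disabled TLS check before the integration goes live.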
## Set the passwords

The configuration file stores content in plain text. We recommend using IBM QRadar SOAR res-keyring to store passwords, and to represent them in plain text with aliases. res-keyring aliases must begin with a caret (^). Example: ^my_very_secret_password

res-keyring relies on an existing keyring password manager already installed on the system. res-keyring prompts users to assign a hidden password to a specified alias. After assigning the alias a password, the latter is stored as a secret. This is a one-time operation: after setting up the alias/password pairs, you do not need to repeat this task, unless you want to change the password values.

By default:

- res-keyring looks for values beginning with a caret (^) in the /home/resadmin/.resilient/app.config configuration file.
- Secrets are stored with the keyrings.alt file backend.

To set password aliases for the IBM QRadar SOAR and the EclecticIQ Intelligence Center users that consume the integration:

1. Run the following command to launch res-keyring:

   ```shell
   res-keyring
   ```

2. res-keyring searches the app.config file for values beginning with a caret, and then it prompts you to assign each alias a password:

   ```
   [resilient]
   password: ^res_password
   Enter new value (or <ENTER> to leave unchanged):
   [eclecticiq]
   eclecticiq_password: ^eclecticiq_password
   Enter new value (or <ENTER> to leave unchanged):
   Done.
   ```

Note: Make sure you enter the correct passwords associated with the IBM Resilient and EclecticIQ Intelligence Center users specified in the app.config file in the email and the eclecticiq_user fields, respectively.
## Create a message destination

A message destination stores the data that the sighting creation action generates and requires to work correctly, and it makes the data available programmatically to external scripts.

Set up a subscription to the eclecticiq_sighting message destination for the integration to work correctly:

1. Open a web browser, and log in to IBM QRadar SOAR through the GUI.
2. Click the user menu.
3. From the drop-down menu, select Customization Settings.
4. Under Customization Settings, click the Message Destinations tab.
5. In the Message Destinations tab, click the Add Message Destination button.
6. In the Create Message Destination dialog window, populate the configuration fields:
   - From the Type drop-down menu, select Queue.
   - In the Name field, enter a short and descriptive name for the message destination rule you are creating. Example: Manual EclecticIQ sightings
   - In the Programmatic Name field, enter eclecticiq_sighting. The manual sighting creation setup works only if you specify exactly this value.
   - From the Expect Acknowledgement drop-down menu, select Yes.
   - In the Users field, start typing one or more IBM QRadar SOAR user names that can access and use the manual sighting creation feature. The field supports autocomplete.
7. Click Create to add the new message destination, or Cancel to discard your changes.

The new message destination is available as a new entry in the Message Destinations tab. To edit or to remove a message destination, click the corresponding entry in the Message Destinations tab.

Note: After creating a message destination and after starting the resilient-circuits integration module, IBM QRadar SOAR may return Java error messages, and it may fail to work correctly. If this occurs, restart the IBM QRadar SOAR instance to solve the problem.