Install and Configure the app on QRadar#

Caution

This app is no longer supported and this documentation will be removed on 1 December 2024.

Migrate to the new IBM QRadar App for continued support. (Documentation)

This topic describes how to integrate the EclecticIQ Platform with IBM QRadar.

Prerequisites#

  • EclecticIQ Platform version 2.1 or later

  • QRadar version 7.2.8 or later

Set up EclecticIQ Platform to send data to IBM QRadar#

(Optional) Create source group#

Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App for IBM QRadar.

When adding Allowed sources to the group, include every source whose data you want to send to the Threat Intelligence EclecticIQ Platform App for IBM QRadar; observables from sources outside the group are not exported through the feed.

Source groups for IBM QRadar:

  • are case-sensitive;

  • must not contain spaces.

Set up outgoing feed#

In order to allow your IBM QRadar instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:

  1. In the left navigation bar, click Data Configuration > Outgoing feeds > +.

  2. Set the following fields in your new outgoing feed:

    Field name

    Description

    Feed name*

    Enter a descriptive name for the outgoing feed.

    Example: Outgoing feed for <vendor system>

    Transport type*

    Set this to HTTP download.

    Content type*

    Set this to EclecticIQ Observables CSV.

    Feed content

    • Datasets*: Select one or more datasets to include in this outgoing feed.

    • Update strategy*: Select an update strategy.

      The Threat Intelligence EclecticIQ Platform App for IBM QRadar supports these update strategies:

      • REPLACE: Select this option to purge the reference tables and rebuild them from scratch each time the feed runs.

        Caution

        Not recommended for feeds with large datasets, or feeds with frequent execution schedules.

      • DIFF: Select this option to send incremental updates through the feed.

    Transport configuration

    • Public: Do not select.

      Unauthenticated feeds are not supported by the Threat Intelligence EclecticIQ Platform App for IBM QRadar.

    • Authorized groups: Select one or more groups to make this feed available to.

      If you created a source group earlier, add that here.

    Execution schedule

    Set to None by default, in which case the feed runs only when you run it manually.

    To have your IBM QRadar instance receive the latest data available for this feed, set a schedule that runs more frequently than the EclecticIQ Feeds Ingestion interval you set when configuring the app; otherwise some ingestion runs find no new package to pull.

    Observable and Enrichment Observable types

    Set this to:

    ipv4, uri, domain, email, and one or more of the hash observable types

    Tip

    For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.

  3. Save and run the outgoing feed.

Get feed ID#

The app configuration needs the ID of the outgoing feed that you have just created.

To get the feed ID:

  1. In the left navigation bar, click Data Configuration > Outgoing feeds.

  2. In the Outgoing feeds overview, click on the outgoing feed you’ve just created.

  3. In the panel that appears, click on the Created packages tab.

  4. Locate and note the feed ID shown in this tab.

    The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:

    You can download the latest package from:
    https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
    

    the feed ID is 8.
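Reading the feed ID off the package URL by eye is fine for one feed, but the app accepts several feed IDs and a pasted link from the wrong page is easy to mistake for a package URL. The following is an added example, not part of this documentation or of the app's own code: it parses package URLs of the shape shown above with Python and rejects anything that does not match. The first sample URL is the one quoted on this page; the second is constructed for the example and belongs to no real platform instance.

```python
import re
from urllib.parse import urlparse

# Path of the package URLs shown on the Created packages tab, for example
#   https://tip.example.com/private/open-outgoing-feed-download/8/runs/<run-uuid>/content-blocks/latest
# The integer after "open-outgoing-feed-download/" is the feed ID; the UUID
# identifies one run of the feed and the last element one content block.
_PACKAGE_PATH = re.compile(
    r"^/private/open-outgoing-feed-download/(?P<feed_id>[0-9]+)"
    r"/runs/(?P<run_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/content-blocks/(?P<block>[^/]+)$"
)


def parse_package_url(url: str) -> tuple:
    """Return (feed_id, run_id, block) from a package URL.

    Raises ValueError for anything that is not an https package URL of the
    shape above, so a pasted link to the wrong page is not silently accepted.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https platform URL: {url!r}")
    match = _PACKAGE_PATH.match(parts.path)
    if match is None:
        raise ValueError(f"not an outgoing feed package URL: {url!r}")
    return int(match["feed_id"]), match["run_id"], match["block"]


def feed_ids_from_urls(urls) -> list:
    """Distinct feed IDs from several package URLs, in first-seen order,
    ready to be joined with ', ' for the app's Feed ID field."""
    seen = []
    for url in urls:
        fid = parse_package_url(url)[0]
        if fid not in seen:
            seen.append(fid)
    return seen


# The first URL is the one quoted on this page; the second is constructed
# for the example and belongs to no real platform instance.
SAMPLE_URLS = [
    "https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest",
    "https://tip.example.com/private/open-outgoing-feed-download/12/runs/0b1e2f3a-4c5d-4e6f-8a9b-0c1d2e3f4a5b/content-blocks/latest",
]

if __name__ == "__main__":
    print(", ".join(str(i) for i in feed_ids_from_urls(SAMPLE_URLS)))  # 8, 12
```

The https check is deliberate: the package URL carries the path to authenticated feed content, and a plain-http copy of it would send the platform credentials in clear.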

Install Threat Intelligence EclecticIQ Platform App for IBM QRadar#

Download the integration#

To download the Threat Intelligence EclecticIQ Platform App for IBM QRadar:

Generate Authorized Service Token#

To allow the Threat Intelligence EclecticIQ Platform App for IBM QRadar to communicate with IBM QRadar, create an Authorized Service and note its token:

  1. Open IBM QRadar.

  2. In the navigation menu (☰), click Admin.

  3. In the User Management section, click Authorized Services > Add Authorized Service.

  4. Fill out the following fields:

    Field name

    Value

    Service Name

    Set this to: EclecticIQ-Platform

    User Role

    Select an appropriate User Role to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar. The token inherits this role's permissions, so choose the least privileged role that still lets the app do its work.

    Security Profile

    Select an appropriate Security Profile to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar.

    Your security profile determines the networks and log sources the app can access on IBM QRadar.

    Expiry Date

    Set an expiry date for the Authorized Service, or select No Expiry. A token with No Expiry stays valid until the Authorized Service is deleted, so prefer an expiry date and renew the token before it lapses.

  5. Click Create Service.

  6. Note the generated Authorized Service Token.

    You enter it when you Configure the integration. Treat it as a credential: whoever holds it has the selected User Role's permissions on IBM QRadar.

Add Threat Intelligence EclecticIQ Platform App for IBM QRadar#

  1. In IBM QRadar, click the menu (☰) in the top-left corner.

  2. Click Admin.

  3. In the left navigation bar, click System Configuration, then click Extensions Management.

  4. On the top-right, click Add.

  5. Locate the Threat Intelligence EclecticIQ Platform App for IBM QRadar downloaded in Download the integration.

  6. Select the Install immediately checkbox.

  7. Click Add.

Configure Threat Intelligence EclecticIQ Platform App for IBM QRadar#

  1. Open IBM QRadar.

  2. In the navigation menu (☰), click Admin.

  3. In the left navigation bar, click Apps.

  4. Click the EclecticIQ Threat Intelligence application.

  5. In the EclecticIQ Threat Intelligence Platform Configuration Page, fill out the following fields:

    Field name

    Description

    QRadar Security Token

    Set this to the Authorized Service Token generated in Generate Authorized Service Token.

    EclecticIQ Platform URL

    Set this to the URL of your EclecticIQ Platform instance, for example https://tip.example.com (the host shown in the package URLs under Get feed ID).

    EclecticIQ Platform Login

    Set this to the user name of the platform user the app authenticates as.

    If you set up a new source group earlier, this user must belong to it. A dedicated service user is preferable to a personal account.

    EclecticIQ Platform Password

    Set this to that user's password or API token.

    (Optional) Proxy URL

    Set this to the IP address or URL of the proxy server to connect to.

    (Optional) Proxy Login

    Set this to the user name used to authenticate with the proxy server.

    (Optional) Proxy Password

    Set this to the password used to authenticate with the proxy server.

    EclecticIQ Platform Feed ID

    Set this to one or more feed IDs from Get feed ID.

    You can enter multiple feed IDs as comma-separated values. For example: 12, 13

    EclecticIQ Platform Version

    Set this to your EclecticIQ Platform version.

    For example: 2.9

    EclecticIQ User Group Name

    Set this to a source group name.

    This must be one of the Authorized groups you set on the outgoing feed.

    For the Threat Intelligence EclecticIQ Platform App for IBM QRadar to send sightings to your EclecticIQ Platform instance, the user above must have the modify entities permission for the source group set here.

    Source groups for IBM QRadar:

    • are case-sensitive;

    • must not contain spaces.

    EclecticIQ Feeds Ingestion schedule. Download data every, min

    Set this to an appropriate ingestion schedule, in minutes.

    For example, setting this to 120 would download data from the specified feed ID every 2 hours.

    Validate Threat Intelligence Platform SSL certs

    Select this to validate the EclecticIQ Platform TLS certificate. Leave it selected: without validation the app accepts any certificate presented at the platform URL, so the platform credentials above would be sent to whoever answers there.

    Pull Outgoing Feeds Immediately

    Select this to ingest data from the specified feed ID immediately after you click Save.

  6. Click Save.
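Several of the settings above only work when both sides agree: the Authorized groups on the feed must contain the group name typed into the app (compared case-sensitively, with no spaces), the feed must not be Public, its execution schedule must be more frequent than the ingestion interval, and the observable types must include the four required ones plus a hash type. The following is an added example, not code from this documentation or from the app: a Python consistency check over a hypothetical model of the saved feed and the app form, with constructed sample data. The data classes, the `hash-` naming of the hash observable types and the 60-minute threshold for a "frequent" REPLACE schedule are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical models of the two halves of the setup: what was saved on the
# EclecticIQ outgoing feed, and what is typed into the QRadar app's form.
# Field names follow the documentation above; the classes themselves are an
# assumption for this example, not objects exposed by either product.

@dataclass
class OutgoingFeed:
    feed_id: int
    update_strategy: str              # "REPLACE" or "DIFF"
    public: bool                      # the "Public" checkbox
    authorized_groups: List[str]
    schedule_minutes: Optional[int]   # None when Execution schedule is "None"
    observable_types: List[str]       # e.g. "ipv4", "domain", "hash-sha256"

@dataclass
class AppConfig:
    feed_ids_raw: str                 # exactly as typed, e.g. "12, 13"
    user_group_name: str
    ingestion_minutes: int            # "Download data every, min"
    validate_ssl: bool

REQUIRED_TYPES = {"ipv4", "uri", "domain", "email"}
HASH_PREFIX = "hash-"      # assumed naming of the hash observable types
FREQUENT_MINUTES = 60      # assumed threshold for the REPLACE caution


def parse_feed_ids(raw: str) -> List[int]:
    """Parse the comma-separated feed ID field: '12, 13' -> [12, 13]."""
    ids = []
    for token in raw.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError(f"feed ID {token!r} is not a positive integer")
        ids.append(int(token))
    return ids


def check_config(app: AppConfig, feeds: List[OutgoingFeed]) -> List[str]:
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    if not app.user_group_name or re.search(r"\s", app.user_group_name):
        problems.append("source group name must be non-empty and contain no spaces")
    if not app.validate_ssl:
        problems.append("SSL certificate validation is disabled; the app will accept any certificate")

    by_id = {f.feed_id: f for f in feeds}
    for fid in parse_feed_ids(app.feed_ids_raw):
        f = by_id.get(fid)
        if f is None:
            problems.append(f"feed {fid}: no outgoing feed with this ID")
            continue
        if f.public:
            problems.append(f"feed {fid}: Public is selected; the app only uses authenticated feeds")
        # Exact, case-sensitive comparison, as the platform matches group names
        if app.user_group_name not in f.authorized_groups:
            problems.append(f"feed {fid}: {app.user_group_name!r} is not in its Authorized groups")
        if f.schedule_minutes is None:
            problems.append(f"feed {fid}: Execution schedule is None, so QRadar keeps pulling the same package")
        elif f.schedule_minutes >= app.ingestion_minutes:
            problems.append(f"feed {fid}: runs every {f.schedule_minutes} min but QRadar pulls every "
                            f"{app.ingestion_minutes} min; the feed should run more often")
        if f.update_strategy == "REPLACE" and f.schedule_minutes is not None \
                and f.schedule_minutes < FREQUENT_MINUTES:
            problems.append(f"feed {fid}: REPLACE on a frequent schedule purges and rebuilds the reference tables every run")
        missing = REQUIRED_TYPES - set(f.observable_types)
        if missing:
            problems.append(f"feed {fid}: missing observable types {sorted(missing)}")
        if not any(t.startswith(HASH_PREFIX) for t in f.observable_types):
            problems.append(f"feed {fid}: no hash observable type selected")
    return problems


# Constructed sample data: one feed set up as this page describes, and one
# that breaks several of the rules above (public, mis-cased group, REPLACE
# every 5 minutes, missing uri/email and hash types).
GOOD_FEED = OutgoingFeed(12, "DIFF", False, ["QRadar-Intel"], 60,
                         ["ipv4", "uri", "domain", "email", "hash-sha256"])
BAD_FEED = OutgoingFeed(13, "REPLACE", True, ["qradar-intel"], 5,
                        ["ipv4", "domain"])
GOOD_APP = AppConfig("12", "QRadar-Intel", 120, True)
BAD_APP = AppConfig("12, 13", "QRadar-Intel", 120, False)

if __name__ == "__main__":
    for line in check_config(BAD_APP, [GOOD_FEED, BAD_FEED]):
        print("-", line)
```

Run against the bad configuration it reports six problems; against the good one it reports none. The group comparison is kept case-sensitive on purpose, since "QRadar-Intel" and "qradar-intel" are different groups to the platform and a case-insensitive check would hide exactly the mismatch this page warns about.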