Install and Configure the app on QRadar

Caution

This app is no longer supported and this documentation will be removed on 1 December 2024.

Migrate to the new IBM QRadar App for continued support. (Documentation)

This topic describes how to integrate the EclecticIQ Platform with IBM QRadar.

Prerequisites

• EclecticIQ Platform version 2.1 or later

• QRadar version 7.2.8 or later

Set up EclecticIQ Platform to send data to IBM QRadar

(Optional) Create source group

Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App for IBM QRadar.

When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the Threat Intelligence EclecticIQ Platform App for IBM QRadar.

Source groups for IBM QRadar:

• are case-sensitive;

• must not contain spaces.

Set up outgoing feed

In order to allow your IBM QRadar instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:

1. In the left navigation bar, click Data Configuration > Outgoing feeds > +.

2. Set the following fields in your new outgoing feed:

   Field name	Description
   Feed name*	Enter a descriptive name for the outgoing feed. Example: Outgoing feed for <vendor system>
   Transport type*	Set this to HTTP download.
   Content type*	Set this to EclecticIQ Observables CSV.
   Feed content	Datasets*: Select one or more datasets to include in this outgoing feed. Update strategy*: Select an update strategy. The Threat Intelligence EclecticIQ Platform App for IBM QRadar supports these update strategies: REPLACE: Select this option to purge the reference tables and then update it each time the feed runs. Caution Not recommended for feeds with large datasets, or feeds with frequent execution schedules. DIFF: Select this option to send incremental updates through the feed.
   Transport configuration	Public: Do not select. Unauthenticated feeds are not supported by the Threat Intelligence EclecticIQ Platform App for IBM QRadar. Authorized groups: Select one or more groups to make this feed available to. If you created a source group earlier, add that here.
   Execution schedule	Set to None by default. To have your IBM QRadar instance receive the latest data available for this feed, set this to a schedule that is more frequent than the EclecticIQ Feeds Ingestion field when configuring the app
   Observable and Enrichment Observable types	Set this to: ipv4, uri, domain, email, and one or more of the hash observable types

   Tip

   For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.

3. Save and run the outgoing feed.

Get feed ID

We need the ID of the outgoing feed that you’ve just created.

To get the feed ID:

1. In the left navigation bar, click Data Configuration > Outgoing feeds.

2. In the Outgoing feeds overview, click on the outgoing feed you’ve just created.

3. In the panel that appears, click on the Created packages tab.

4. Locate and note the feed ID shown in this tab.

   The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:

   You can download the latest package from:
   https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
   

   the feed ID is 8.

Install Threat Intelligence EclecticIQ Platform App for IBM QRadar

Download the integration

To download the Threat Intelligence EclecticIQ Platform App for IBM QRadar:

• Go to the IBM App Exchange and download the application to your machine.

• Or, contact EclecticIQ Support and request the application.

Generate Authorized Service Token

To allow the Threat Intelligence EclecticIQ Platform App for IBM QRadar to communicate with IBM QRadar, we need to create an Authorized Service:

1. Open IBM QRadar.

2. In the navigation menu (☰), click Admin.

3. In the User Management section, click Authorized Services > Add Authorized Service.

4. Fill out the following fields:

   Field name	Value
   Service Name	Set this to: EclecticIQ-Platform
   User Role	Select an appropriate User Role to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar.
   Security Profile	Select an appropariate Security Profile to associate with the Threat Intelligence EclecticIQ Platform App for IBM QRadar. Your security profile determines the networks and log sources the app can access on IBM QRadar.
   Expirty Date	Set an expiry date for the Authorized Service, or select No Expiry.

5. Click Create Service.

6. Note the generated Authorized Service Token.

   This is used when you Configure the integration

Add Threat Intelligence EclecticIQ Platform App for IBM QRadar

1. In IBM QRadar, click the menu (☰) in the top-left corner.

2. Click Admin

3. In the left navigation bar, click System Configuration, then click Extensions Management.

4. On the top-right, click Add.

5. Locate the Threat Intelligence EclecticIQ Platform App for IBM QRadar downloaded in Download the integration.

6. Select the Install immediately checkbox.

7. Click Add.

Configure Threat Intelligence EclecticIQ Platform App for IBM QRadar

1. Open IBM QRadar.

2. In the navigation menu (☰), click Admin.

3. In the left navigation bar, click Apps.

4. Click the EclecticIQ Threat Intelligence application.

5. In the EclecticIQ Threat Intelligence Platform Configuration Page, fill out the following fields:

   Field name	Description
   QRadar Security Token	Set this to the Authorized Service Token generated in Generate Authorized Service Token.
   EclecticIQ Platform URL	Set this to the URL to access your EclecticIQ Platform instance.
   EclecticIQ Platform Login	Set this to your user name. If you set up a new source group earlier, this user must belong to it.
   EclecticIQ Platform Password	Set this to your user password or API token.
   (Optional) Proxy URL	Set this to the IP address or URL of the proxy server to connect to.
   (Optional) Proxy Login	Set this to the user name used to authenticate with the proxy server.
   (Optional) Proxy Password	Set this to the password used to authenticate with the proxy server.
   EclecticIQ Platform Feed ID#	Set this to one or more feed IDs from Get feed ID. You can enter multiple feed IDs as comma-separated values. For example: 12, 13
   EclecticIQ Platform Version	Set this to your EclecticIQ Platform version. For example: 2.9
   EclecticIQ User Group Name	Set this to a source group name. This must be at least one of the Authorized Groups set for your outgoing feed. For the Threat Intelligence EclecticIQ Platform App for IBM QRadar to send sightings to your EclecticIQ Platform instance, your user must have modify entities permissions for the source groups set here. Source groups for IBM QRadar: are case-sensitive; must not contain spaces.
   EclecticIQ Feeds Ingestion schedule. Download data every, min	Set this to an appropriate ingestion schedule, in minutes. For example, setting this to 120 would download data from the specified feed ID every 2 hours.
   Validate Threat Intelligence Platform SSL certs	Select to validate the EclecticIQ Platform ssl certificates.
   Pull Outgoing Feeds Immediately	Select this to ingest data from the specified feed ID immediately after you click Save.

6. Click Save.