Before you start with IBM QRadar SOAR

Review this information about requirements and dependencies before installing EclecticIQ Intelligence Center Integration for IBM QRadar SOAR.

Requirements

  • IBM QRadar SOAR platform version 47 or later.

  • EclecticIQ Intelligence Center version 3.0 or later.

  • The IBM QRadar SOAR and EclecticIQ Intelligence Center instances can communicate through HTTPS.

    By default, the communication protocol is TCP, and the corresponding port is 443.

  • You can access the IBM QRadar SOAR command line terminal, and you can run commands.

  • You can create integration users and groups in the EclecticIQ Intelligence Center instance.

Dependencies

The following additional components must be installed on the IBM Resilient instance:

To install the additional components:

  1. Open a terminal session.

  2. Run pip install:

    # IBM QRadar SOAR dependencies
    sudo pip install resilient_circuits
    sudo pip install rc-cts
    sudo pip install rc-webserver
    
    # Keyring password manager
    sudo pip install keyring
    
    # Alternate keyring backend implementations
    sudo pip install keyrings.alt
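
A preflight check for the requirements and dependencies above, as an added example that is not part of the original page or the integration's own code. It verifies that the SOAR host can complete a certificate-validated TLS handshake with the Intelligence Center on port 443 and reports which of the listed packages are missing; the hostname `eiq.example.internal` is a hypothetical placeholder.

```python
import socket
import ssl
from importlib import metadata

# Distribution names taken from the pip commands on this page.
REQUIRED = ["resilient_circuits", "rc-cts", "rc-webserver", "keyring", "keyrings.alt"]


def missing_packages(required=REQUIRED):
    """Return the required distributions that are not installed for this interpreter."""
    missing = []
    for name in required:
        try:
            metadata.version(name)
        except metadata.PackageNotFoundError:
            missing.append(name)
    return missing


def check_https(host, port=443, timeout=5.0, cafile=None):
    """Open a TLS connection with certificate and hostname verification.

    Returns (ok, detail). cafile may point at a private CA bundle when the
    Intelligence Center certificate is not signed by a public CA.
    """
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Checked first: it is a subclass of SSLError, which subclasses OSError.
        return False, "certificate verification failed: %s" % exc.verify_message
    except ssl.SSLError as exc:
        return False, "TLS handshake failed: %s" % exc
    except OSError as exc:
        return False, "TCP connection failed: %s" % exc


if __name__ == "__main__":
    # Hypothetical hostname; replace with your Intelligence Center address.
    ok, detail = check_https("eiq.example.internal")
    print("HTTPS to Intelligence Center:", "OK " + detail if ok else detail)
    for name in missing_packages():
        print("missing dependency:", name)
```

Run it with the same Python interpreter that the pip commands above install into, so the package check reflects the environment the integration will use.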
    

Integration user

Optionally, you can assign the integration a dedicated automation user.

For the integration to work as expected, the user must have administrator-level access rights.

When you configure the integration and edit the IBM QRadar SOAR app.config file, specify the email address, password, and organization details for this user.

To create a new IBM QRadar SOAR user:

  1. Open a terminal session in the IBM QRadar SOAR instance.

  2. Run the following command:

    # Replace the "user@example.com", "firstname", "lastname", and "orgname" placeholders with
    # actual values that apply to the user you are creating:
    # - A valid email address for the integration user.
    # - The integration user's name.
    # - The integration user's family name.
    # - The organization the integration user belongs to.
    
    sudo resutil newuser -createorg -email "user@example.com" -first "firstname" -last "lastname" -org "orgname"