The purpose of this project is to provide a mechanism for ingesting IBM Cloud Security and Compliance Network Insights into QRadar using the Universal Cloud REST API protocol.
IBM Cloud account(s) with the following privileges:
- A user account to create and configure Network Insights
- A user or service account for accessing the Findings API
IBM Cloud Security and Compliance Center Network Insights: Follow the guide to set up at least one Virtual Private Cloud (VPC) network interface flow log so that suspicious activity can be detected by using learned patterns and threat intelligence. See Enabling Network Insights.
- The Universal Cloud REST API protocol is supported on QRadar 7.3.2 or later, and you must have the QRadar Log Source Management app installed. For information on how to install the app, see Installing the QRadar Log Source Management app. For Universal Cloud REST API protocol examples, see GitHub samples.
- IBM QRadar user account with privileges to create/modify log sources and create/modify DSMs.
- See the Universal Cloud REST API documentation for additional information.
The parameters needed to configure the Universal Cloud REST API protocol require information specific to your instance of IBM Cloud Security Insights. The following values must be entered as Workflow Parameters:
- api_key: Create an API key; it is used to generate the access token for the Findings API.
- endpoint_url: The endpoint URL for the desired location. Use only the FQDN, not the full URL. For example, use "us-south.secadvisor.cloud.ibm.com". Do NOT use the full URL "https://us-south.secadvisor.cloud.ibm.com/findings".
  - You can find the right endpoint_url under Findings Endpoints, based on your Location setting.
  - An incorrect location setting results in an HTTP 406 error.
- account_id: Go to the Account settings page in the console to view your account ID and account type.
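As an added pre-flight check (not part of this project's code), the following script validates a set of Workflow Parameters before they are entered in QRadar: it catches the endpoint_url mistake described above by reducing a pasted full URL to the bare FQDN, and it reports missing values without echoing the api_key. The sample values are constructed from the examples in this README.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed samples: the two endpoint_url forms this README contrasts.
GOOD_ENDPOINT = "us-south.secadvisor.cloud.ibm.com"
BAD_ENDPOINT = "https://us-south.secadvisor.cloud.ibm.com/findings"

REQUIRED_PARAMETERS = ("api_key", "endpoint_url", "account_id")


def normalize_endpoint_url(value: str) -> str:
    """Return the bare FQDN that the endpoint_url workflow parameter expects.

    Accepts either an FQDN or a full URL pasted by mistake, and strips the
    scheme, port, path and trailing slash. Raises ValueError when nothing
    host-like remains.
    """
    value = value.strip()
    # urlparse only recognises a host when the string starts with a scheme
    # or with "//", so prepend "//" to a bare FQDN.
    parsed = urlparse(value if "://" in value else "//" + value)
    host = parsed.hostname or ""  # .hostname is lower-cased and port-free
    if not host or "." not in host:
        raise ValueError(f"endpoint_url {value!r} is not an FQDN")
    return host


def validate_workflow_parameters(params: Dict[str, str]) -> List[str]:
    """Return a list of problems with the Workflow Parameters ([] if OK).

    Only parameter names and the endpoint value appear in messages; the
    api_key value itself is never included.
    """
    problems = []
    for key in REQUIRED_PARAMETERS:
        if not (params.get(key) or "").strip():
            problems.append(f"{key} is missing")
    raw = (params.get("endpoint_url") or "").strip()
    if raw:
        try:
            fqdn = normalize_endpoint_url(raw)
            if fqdn != raw:
                problems.append(
                    f"endpoint_url must be the FQDN {fqdn!r}, not {raw!r}"
                )
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```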
- Log in to QRadar.
- Click the Admin tab.
- To open the app, click the QRadar Log Source Management app icon.
- Click New Log Source > Single Log Source.
- On the Select a Log Source Type page, select the log source type (Universal DSM) and click Select Protocol Type (Universal REST API).
- On the Select a Protocol Type page, select a protocol and click Configure Log Source Parameters.
- On the Configure the Log Source parameters page, configure the log source parameters and click Configure Protocol Parameters.
- On the Configure the Protocol Parameters page, configure the protocol-specific parameters (Workflow and Workflow Parameter Values).
- In the Test protocol parameters window, click Start Test.
- To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.
- Click Finish.
If you have any questions or issues you can create a new issue here.
Pull requests are very welcome! Make sure your patches are well tested. Ideally, create a topic branch for every separate change you make. For example:
- Fork the repo
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
All source files must include a Copyright and License header.
If you would like to see the detailed LICENSE, click here.
#
# Copyright 2020- IBM Inc. All rights reserved
# SPDX-License-Identifier: Apache2.0
#