In this Code Pattern, we integrate the IBM Resilient Incident Response Platform (IRP) with IBM QRadar Security Information and Event Management (SIEM) using their REST APIs. Today's SIEMs operate with a more extensive knowledge base than their predecessors and are better at detecting and logging data than ever before, but they are never more powerful than when they are paired with an incident response (IR) platform. By integrating the Resilient Incident Response Platform (IRP) with IBM QRadar, security teams can simplify and streamline the process of escalating and managing incidents.
In this Code Pattern, we show a methodology in which speed related and location related offences are created on IBM QRadar and then sent by our QRadar-Resilient Integration Application to the abc and xyz organizations on the Resilient platform respectively.
When the readers have completed this Code Pattern, they will understand how to:
- Access offences from IBM QRadar using its REST API.
- Create incidents on IBM Resilient using its REST API.
- Send offences from QRadar to their respective organizations on Resilient.
The application works in three steps:
- Get all the offences from IBM QRadar.
- Convert these offences into the Resilient incident format.
- Send these incidents to their respective organizations.
- IBM QRadar Community Edition: IBM is bringing free QRadar to a wider audience with Community Edition. Community Edition is a fully featured version of QRadar that is low memory, low EPS, and includes a perpetual license.
- IBM Resilient: the IBM Resilient Incident Response Platform (IRP) is the leading platform for orchestrating and automating incident response processes.
- Maven: needed to build the client. Maven is a build automation tool used primarily for Java projects. Maven addresses two aspects of building software: first, it describes how the software is built, and second, it describes its dependencies.
Please follow the steps below to set up and run this code pattern.
- Clone the repo
- Create organizations on Resilient
- Create rules to detect offences on QRadar
- Build the Applications using Maven
- Deploy and Run the Application
Clone the Integrating Resilient IRP with IBM QRadar SIEM using REST APIs repo locally. In a terminal, run:
    $ git clone https://github.com/IBM/managing-security-incidents
We'll be using the folder Java/.
- SSH to your Resilient host as root (or as a user with sudo).
- Create two organizations, abc and xyz, on Resilient using the following commands:
    sudo resutil newuser -createorg -email "username@company.com" -first "Rxxxx" -last "Rxxxx" -org "abc"
    sudo resutil newuser -createorg -email "username@company.com" -first "Rxxxx" -last "Rxxxx" -org "xyz"
In this pattern, all speed related offences are sent to the abc organization and all location related offences to the xyz organization.
Setup QRadar for detecting speed and location related offences
- Open the QRadar Console from a browser. From the menu, select Admin to go to the Admin view.
- Scroll down to the Data sources section and select Log Sources.
- Click on Add to add a new log source.
- Configure the log source with the values shown. Click on Save.
- In the Admin view, click on Deploy changes to add the newly configured log source.
- Go to the Log Activity view.
- Go to the Rules view by clicking on the Rules menu.
- Select Actions and then New Common Rule.
- The rule wizard opens. Click Next.
- Select Events or flows. Click Next.
- On the Rule Test Stack Editor, enter the filter keyword payload.
- Select the rule test When the Flow Source or Destination Payload contains this string. Enter the rule name as speed violation for the rule that detects the speed offence, and wrong location for the rule that detects the location offence. Click on the hyperlink this string as shown.
- Enter the string as SPEEDING for the speed rule and LOCATION for the location rule. This is the string that we will send in the event payload. Click Submit.
- Select the group as Policy.
- Click Next.
- On the Rule Response page, enter the values as shown for the speed rule, and likewise for the location rule. Click Next.
- Click Finish on the Rule summary page.
- The newly created rule has been added to the list of rules.
Repeat the rule steps once for each of the two rules (speed violation and wrong location). You have now created rules to detect speed and location related offences and are ready to send events and offences to QRadar.
NOTE: Please refer to Monitor device events using QRadar for more information on rules and offences.
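As an added example (not code from the IBM pattern; offences.jar, below, is the pattern's own sender), here is a small Python script that emits a test event whose payload carries the marker string one of the rules above tests for. It assumes the log source created in the console is a generic syslog source on UDP port 514 and that QRadar's address is passed on the command line; the hostname telematics-gw, the tag vehicle-monitor and the device ids are made up for the example.

```python
"""Added example (not the code pattern's own offences.jar): emit one test event
whose payload carries the marker string that a QRadar rule above tests for."""
import socket
import sys
import time
from typing import Optional

# The two marker strings configured in the rules above, keyed by event kind.
MARKERS = {"speed": "SPEEDING", "location": "LOCATION"}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Assumption: the log source added in the console is a generic syslog source
# on UDP 514. The page does not show the log source type it used.
SYSLOG_PORT = 514
PRI_USER_INFO = 14  # facility user (1) * 8 + severity informational (6)


def build_event(kind: str, device_id: str, detail: str,
                hostname: str = "telematics-gw", now: Optional[float] = None) -> str:
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    The marker leads the message so a 'payload contains this string' test
    matches no matter what detail text follows it."""
    if kind not in MARKERS:
        raise ValueError(f"unknown event kind {kind!r}; expected one of {sorted(MARKERS)}")
    t = time.gmtime(time.time() if now is None else now)
    # RFC 3164 pads a single-digit day with a space, not a zero, and the month
    # abbreviation is English regardless of locale.
    stamp = f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} {t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}"
    return f"<{PRI_USER_INFO}>{stamp} {hostname} vehicle-monitor: {MARKERS[kind]} device={device_id} {detail}"


def send_event(qradar_host: str, line: str, port: int = SYSLOG_PORT) -> int:
    """Send the line to QRadar over UDP; returns the number of bytes sent.
    UDP syslog is unacknowledged, so confirm arrival in the Log Activity view."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (qradar_host, port))


if __name__ == "__main__":
    # usage: python send_test_event.py <qradar-host> speed|location
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"   # assumed address
    kind = sys.argv[2] if len(sys.argv) > 2 else "speed"
    detail = "speed=132kmph limit=100kmph" if kind == "speed" else "zone=restricted-7"
    event = build_event(kind, "VH-1042", detail)
    print(event)
    print(f"sent {send_event(host, event)} bytes to {host}:{SYSLOG_PORT}")
```

If the event shows up in Log Activity but no offence is raised, check that the deployed rule's string exactly matches the marker in the payload and that the rule response is configured to create an offence.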
QRadar-Resilient Integration Application
- The QRadar-Resilient Integration Application sources are in the folder Java/integrate of the repo.
- Check your environment before executing the next step. Make sure you are able to run mvn commands; if mvn fails, refer to the Pre-requisites to install Maven.
To work with the QRadar-Resilient Integration Application, perform the following steps.
- Open a command terminal and navigate to the Java/integrate directory in the repo. Run the command mvn install:
    cd Java/integrate
    mvn install
- A jar file QRadar-Resilient-0.0.1-SNAPSHOT-jar-with-dependencies.jar is built and can be found under the target folder. This jar can be renamed to QRadar-Resilient.jar to keep the name short:
    cd target
    cp QRadar-Resilient-0.0.1-SNAPSHOT-jar-with-dependencies.jar QRadar-Resilient.jar
Offences Application
- The Offences Application sources are in the folder Java/offences of the repo.
- Check your environment before executing the next step. Make sure you are able to run mvn commands; if mvn fails, refer to the Pre-requisites to install Maven.
To work with the Offences Application, perform the following steps.
- Open a command terminal and navigate to the Java/offences directory in the repo. Run the command mvn install:
    cd Java/offences
    mvn install
- A jar file offences-0.0.1-SNAPSHOT-jar-with-dependencies.jar is built and can be found under the target folder. This jar can be renamed to offences.jar to keep the name short:
    cd target
    cp offences-0.0.1-SNAPSHOT-jar-with-dependencies.jar offences.jar
- First let us create a speed related offence on QRadar by executing the following command from the target directory (the directory where offences.jar is located):
    java -cp offences.jar org.example.offences.SendOffences
  Fill in your QRadar hostname/IP address and enter 1 to send a speed related offence. Output:
    >>>Enter the QRadar Hostname/IP Address
    192.168.xxx.xxx
    >>>Enter 1 to send SPEED related offence.
    >>>Enter 2 to send LOCATION related offence.
    1
    Offence successfully sent
  Go to the Offenses tab on QRadar to check that the offence has been created.
- To deploy and run the QRadar-Resilient Integration Application, execute the following command from the target directory (the directory where QRadar-Resilient.jar is located):
    java -cp QRadar-Resilient.jar org.example.integrate.Task
  The application prompts for the QRadar and Resilient credentials on the terminal; it does not read them from a file. Output on terminal:
    >>>Enter your QRadar username: admin
    >>>Enter your QRadar password: xxxxxxxxx
    >>>Enter your QRadar hostname/IP Address: 192.168.xxx.xxx
    >>>Enter your Resilient email: username@company.com
    >>>Enter your Resilient password: xxxxxxxxxx
    >>>Enter your Resilient hostname/IP Address: 192.168.xxx.xxx
    PREPARING TO SEND THE OFFENCE : {"security_category_count":1,"source_count":1,"event_count":1,"description":"The vechile has exceeded the speed limit of 100kmph\n","offense_type":2,"local_destination_count":1,"follow_up":false,"domain_id":0,"inactive":true,"protected":false,"closing_user":null,"offense_source":"speeding violation","source_address_ids":[2],"credibility":3,"magnitude":3,"source_network":"Net-xx-xxx-xxx.Net_192_168_0_0","id":5,"categories":["Unknown"],"closing_reason_id":null,"device_count":1,"assigned_to":null,"severity":5,"local_destination_address_ids":[2],"close_time":null,"policy_category_count":0,"relevance":5,"destination_networks":["Net-xx-xxx-xxx.Net_192_168_0_0"],"remote_destination_count":0,"start_time":1542863188789,"flow_count":0,"last_updated_time":1542863188789,"category_count":1,"username_count":0,"status":"OPEN"}
    Response Code : 200
    Incident Response Code : 200
    SENT THE OFFENCE WITH ID : 1 TO RESILIENT
    INCIDENT CREATED IN ORG : abc ( ORG ID : 206) WITH ID : 2230
    Successfully sent offence id 1 to resilient
    Offence ID's that are sent to resilient : [1]
    Waiting for new offences
    Waiting for new offences
    Waiting for new offences
  Output on Resilient:
Similarly, let's send a location based offence using offences.jar (enter 2 at the prompt) and check that the QRadar-Resilient Integration Application picks it up dynamically. After the location based offence is detected in QRadar, the output looks like:
Output on terminal:
>>>Enter your QRadar username:
admin
>>>Enter your QRadar password:
xxxxxxxxxx
>>>Enter your QRadar hostname/IP Address:
192.168.xxx.xxx
>>>Enter your Resilient email:
username@company.com
>>>Enter your Resilient password:
xxxxxxxxx
>>>Enter your Resilient hostname/IP Address:
192.168.xxx.xxx
PREPARING TO SEND THE OFFENCE : {"security_category_count":1,"source_count":1,"event_count":1,"description":"The vechile has exceeded the speed limit of 100kmph\n","offense_type":2,"local_destination_count":1,"follow_up":false,"domain_id":0,"inactive":true,"protected":false,"closing_user":null,"offense_source":"speeding violation","source_address_ids":[2],"credibility":3,"magnitude":3,"source_network":"Net-xx-xxx-xxx.Net_192_168_0_0","id":5,"categories":["Unknown"],"closing_reason_id":null,"device_count":1,"assigned_to":null,"severity":5,"local_destination_address_ids":[2],"close_time":null,"policy_category_count":0,"relevance":5,"destination_networks":["Net-xx-xxx-xxx.Net_192_168_0_0"],"remote_destination_count":0,"start_time":1542863188789,"flow_count":0,"last_updated_time":1542863188789,"category_count":1,"username_count":0,"status":"OPEN"}
Response Code : 200
Incident Response Code : 200
SENT THE OFFENCE WITH ID : 1 TO RESILIENT
INCIDENT CREATED IN ORG : abc ( ORG ID : 206) WITH ID : 2230
Successfully sent offence id 1 to resilient
Offence ID's that are sent to resilient : [1]
Waiting for new offences
Waiting for new offences
Waiting for new offences
PREPARING TO SEND THE OFFENCE : {"security_category_count":1,"source_count":1,"event_count":3,"description":"The device has been moved into a restricted area\n","offense_type":2,"local_destination_count":1,"follow_up":false,"domain_id":0,"inactive":true,"protected":false,"closing_user":null,"offense_source":"wrong location","source_address_ids":[1],"credibility":3,"magnitude":2,"source_network":"Net-xx-xxx-xxx.Net_192_168_0_0","id":2,"categories":["Unknown"],"closing_reason_id":null,"device_count":1,"assigned_to":null,"severity":5,"local_destination_address_ids":[1],"close_time":null,"policy_category_count":0,"relevance":5,"destination_networks":["Net-xx-xxx-xxx.Net_192_168_0_0"],"remote_destination_count":0,"start_time":1542348416722,"flow_count":0,"last_updated_time":1542602582339,"category_count":1,"username_count":0,"status":"OPEN"}
Response Code : 200
Incident Response Code : 200
SENT THE OFFENCE WITH ID : 2 TO RESILIENT
INCIDENT CREATED IN ORG : xyz ( ORG ID : 207) WITH ID : 2231
Successfully sent offence id 2 to resilient
Offence ID's that are sent to resilient : [2,1]
Waiting for new offences
Click on the dropdown in the right corner of the Resilient console and change the organization to xyz to view the location related incident that has been created.
Output on Resilient:
This application works dynamically: it polls QRadar for new offences at regular intervals and, when a new offence is detected, sends it to its respective Resilient organization.
To add a new offence source and its respective Resilient organization, check Java/integrate/src/main/java/org/example/integrate/Resilient.java and Java/integrate/src/main/java/org/app/integrate/QRadar.java.
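The core of that loop (fetch open offences, route each one by its offense_source, convert it to a Resilient incident, and remember what was already sent so polling does not create duplicates) is shown below as an added example in Python. It is not the pattern's Java implementation; it is written so the REST calls and the routing decision can be read without the Java sources. Assumptions: the org ids 206 and 207 printed in the output above are stable for this deployment; QRadar is called with an authorized-service token in the SEC header and Resilient with an API key over basic auth (both avoid putting a user's password into the integration, unlike the interactive prompts above); the hosts qradar.example and resilient.example and the sample offences are constructed; Resilient's default severity names Low/Medium/High are unchanged.

```python
"""Added example, not the code pattern's Java implementation: the core of a
QRadar -> Resilient forwarder. It (1) builds the QRadar REST request for open
offences, (2) routes each offence to a Resilient organization by its
offense_source, (3) converts it to the Resilient incident format, and (4)
remembers what was already sent so polling does not create duplicates."""
import base64
import json
from typing import Dict, List, Set, Tuple
from urllib.parse import quote
from urllib.request import Request

# offense_source -> Resilient org name. The two entries mirror the pattern
# above; adding a new offence source is a one-line change here.
ORG_FOR_SOURCE: Dict[str, str] = {"speeding violation": "abc", "wrong location": "xyz"}
# Org ids as printed in the output above (assumed stable for this deployment).
ORG_IDS: Dict[str, int] = {"abc": 206, "xyz": 207}


def qradar_offences_request(host: str, sec_token: str, after_id: int = 0) -> Request:
    """GET /api/siem/offenses filtered to open offences with id greater than
    the last id we handled. Authentication is an authorized-service token in
    the SEC header (QRadar's alternative to sending a user password)."""
    flt = quote(f"status=OPEN and id>{after_id}")
    return Request(
        f"https://{host}/api/siem/offenses?filter={flt}",
        headers={"SEC": sec_token, "Accept": "application/json"},
    )


def resilient_severity(qradar_severity: int) -> str:
    """Map QRadar's 0-10 severity onto the Low/Medium/High names that a
    default Resilient install provides (assumption: those names are unchanged)."""
    return "High" if qradar_severity >= 8 else "Medium" if qradar_severity >= 5 else "Low"


def to_incident(offence: dict) -> dict:
    """Resilient incident body; name, description and discovered_date are the
    minimum the incidents endpoint needs. Both products use epoch milliseconds."""
    return {
        "name": f"QRadar offence {offence['id']}: {offence['offense_source']}",
        "description": f"{offence.get('description', '').strip()} (QRadar offence id {offence['id']})",
        "discovered_date": offence["start_time"],
        "severity_code": resilient_severity(offence.get("severity", 0)),
    }


def resilient_incident_request(host: str, org_id: int, api_key_id: str,
                               api_key_secret: str, incident: dict) -> Request:
    """POST /rest/orgs/{org_id}/incidents using a Resilient API key (assumed to
    be enabled on the target version; the page's app logs in with email and
    password instead)."""
    cred = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode()).decode()
    return Request(
        f"https://{host}/rest/orgs/{org_id}/incidents",
        data=json.dumps(incident).encode(),
        headers={"Authorization": f"Basic {cred}", "Content-Type": "application/json"},
        method="POST",
    )


def route(offences: List[dict], already_sent: Set[int]) -> Tuple[List[Tuple[int, str, dict]], List[str]]:
    """Decide what to send. Returns (plan, skipped): plan entries are
    (offence_id, org_name, incident); skipped carries a reason per offence that
    was not forwarded (unknown source or duplicate). already_sent is updated."""
    plan, skipped = [], []
    for off in offences:
        oid = off["id"]
        if oid in already_sent:
            skipped.append(f"offence {oid}: already sent")
            continue
        org = ORG_FOR_SOURCE.get(off.get("offense_source", ""))
        if org is None:
            skipped.append(f"offence {oid}: no organization for source {off.get('offense_source')!r}")
            continue
        plan.append((oid, org, to_incident(off)))
        already_sent.add(oid)
    return plan, skipped


# Constructed sample, trimmed from the offence JSON printed above.
SAMPLE_OFFENCES = [
    {"id": 1, "offense_source": "speeding violation", "severity": 5, "start_time": 1542863188789,
     "description": "The vehicle has exceeded the speed limit of 100kmph\n", "status": "OPEN"},
    {"id": 2, "offense_source": "wrong location", "severity": 5, "start_time": 1542348416722,
     "description": "The device has been moved into a restricted area\n", "status": "OPEN"},
    {"id": 3, "offense_source": "brute force login", "severity": 9, "start_time": 1542900000000,
     "description": "Not covered by the routing table\n", "status": "OPEN"},
]

if __name__ == "__main__":
    sent: Set[int] = set()
    plan, skipped = route(SAMPLE_OFFENCES, sent)
    for oid, org, incident in plan:
        req = resilient_incident_request("resilient.example", ORG_IDS[org], "key-id", "key-secret", incident)
        print(f"offence {oid} -> org {org}: {req.get_method()} {req.full_url}")
    print("skipped:", skipped)
    # Second poll with the same data: everything is a duplicate, nothing is planned.
    print("second poll plans", len(route(SAMPLE_OFFENCES, sent)[0]), "incidents")
```

Two design points worth keeping when extending the Java code: an offence whose source has no entry in the routing table is reported and skipped rather than forced into a default organization, and the set of forwarded ids is the only thing that prevents a poll loop from filing the same offence twice, so it should be persisted if the process may restart.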
If you encounter any certificate related exceptions, see DEBUGGING.md. QRadar and Resilient typically run with self-signed certificates out of the box; the correct fix is to import the server certificate into the JVM truststore used by the application, not to disable certificate or hostname verification.