QRadar
  • 14 Sep 2023
About this Article
This article provides information about QRadar installation and integration with VSP.


Prerequisite

  1. The QRadar app supports on-premise QRadar and QRadar on Cloud (QOC) version 7.3.3 (Patch 6) and above


Webhook Configuration on CMS

  1. Log in to CMS using valid credentials
  2. Navigate to Administration > Webhooks in the left navigation pane
  3. Using the ADD WEBHOOK link and the values provided in this section, create five new webhook configurations so that all the event types are covered
  4. Enable Webhook and provide relevant values for Name and Description
  5. The following values are the same for all five webhooks:
    1. Webhook URL – QRadar instance URL
      1. On-premise – https://<QRadarIPAddress>:<Port>
      2. On Cloud – https://<QRadarOn-premiseDataGatewayIPAddress>:<Port>
    2. Content Type – Application JSON
    3. Validate SSL/TLS Certificate – Enabled (Disabled if self-signed certificates are used on QRadar)
    4. Authentication – None
    5. HTTP Headers – None
  6. The values for Incident Type and Body for the five webhooks are provided in the following sections
    1. For Web Events:
      1. Incident Filter – Selected; Applied Filter – Web Attack
      2. Body
        {
            "severity": "${Severity}",
            "incident_type": "${Properties[Type]}",
            "host_ip": "${Host Ip}",
            "action_taken": "${Attributes[Action]}",
            "description": "${Properties[Incident Description]}",
            "session_id": "${Attributes[Session token id]}",
            "eventtime": "${Properties[eventTime]}",
            "http_host": "${Attributes[Http Host]}",
            "attacker_port": "${Attributes[Attacker Port]}",
            "hostname": "${Host Name}",
            "incident_id": "${Display Id}",
            "event_type": "${Properties[category]}",
            "incident_state": "${Incident State}",
            "attacker_ip": "${Attributes[Attacker IP]}",
            "http_request_url": "${Attributes[HTTP Request]}"
        }
    2. For Memory Integrity Events:
      1. Incident Filter – Selected; Applied Filter – Memory Integrity
      2. Body
        {
            "severity": "${Severity}",
            "incident_type": "${Type}",
            "host_ip": "${Host Ip}",
            "action_type": "${Attributes[Inline Action]}",
            "action_taken": "${Attributes[Action]}",
            "process_tid": "${Properties[TId]}",
            "description": "${Attributes[Description]}",
            "eventtime": "${Properties[eventTime]}",
            "process_pid": "${Properties[pid]}",
            "destination_module_name": "${Attributes[Destination Module Name]}",
            "hostname": "${Host Name}",
            "incident_id": "${Display Id}",
            "event_type": "${Type}",
            "application_name": "${Application Name}",
            "incident_state": "${Incident State}",
            "destination_memory_address": "${Attributes[Destination Memory Address]}"
        }
    3. For Host Events:
      1. Incident Filter – Selected; Applied Filters – Process Monitoring, Library Monitoring
      2. Body
        {
            "incident_type": "${Attributes[Incident Type]}",
            "severity": "${Severity}",
            "library_checksum": "${Attributes[Library Checksum]}",
            "host_ip": "${Host Ip}",
            "parent_process_name": "${Attributes[Parent Process Name]}",
            "action_taken": "${Attributes[Action]}",
            "description": "${Description}",
            "eventtime": "${Properties[eventTime]}",
            "process_pid": "${Attributes[Process Pid]}",
            "hostname": "${Host Name}",
            "incident_id": "${Display Id}",
            "event_type": "${Type}",
            "process_name": "${Attributes[Process Path]}",
            "library_name": "${Attributes[Library Name]}",
            "library_path": "${Attributes[Library Path]}",
            "process_checksum": "${Attributes[Process Checksum]}",
            "username": "${Attributes[Username]}"
        }
    4. For Buffer Error Events:
      1. Incident Filter – Selected; Applied Filter – Buffer Error
      2. Body
        {
            "severity": "${Severity}",
            "incident_type": "${Properties[Type]}",
            "host_ip": "${Host Ip}",
            "action_taken": "${Attributes[Action]}",
            "process_tid": "${Properties[pid]}",
            "description": "${Attributes[Description]}",
            "eventtime": "${Properties[eventTime]}",
            "process_pid": "${Properties[pid]}",
            "hostname": "${Host Name}",
            "incident_id": "${Display Id}",
            "event_type": "${Type}",
            "application_name": "${Application Name}"
        }
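The bodies above are templates: CMS replaces each ${...} placeholder with the value from the incident before posting the JSON to the QRadar listen port. The following is an added example, not Virsec's or IBM's code, showing how such a template is rendered from an incident record and checked before delivery. It assumes placeholder values are dropped into the already-quoted JSON fields, and that a description containing a double quote would therefore break the body unless it is escaped; how CMS itself escapes values is not described in this article. The incident record, the set of required fields and the names of the helper functions are all constructed for the example.

```python
import json
import re

# Web Events webhook body exactly as it is entered on CMS (from this article).
WEB_EVENT_TEMPLATE = """{
    "severity": "${Severity}",
    "incident_type": "${Properties[Type]}",
    "host_ip": "${Host Ip}",
    "action_taken": "${Attributes[Action]}",
    "description": "${Properties[Incident Description]}",
    "session_id": "${Attributes[Session token id]}",
    "eventtime": "${Properties[eventTime]}",
    "http_host": "${Attributes[Http Host]}",
    "attacker_port": "${Attributes[Attacker Port]}",
    "hostname": "${Host Name}",
    "incident_id": "${Display Id}",
    "event_type": "${Properties[category]}",
    "incident_state": "${Incident State}",
    "attacker_ip": "${Attributes[Attacker IP]}",
    "http_request_url": "${Attributes[HTTP Request]}"
}"""

# Matches ${Field} and ${Group[Key]} placeholders; a key never contains "}".
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Fields the log source needs to tie an event to a host and an incident.
# Assumption for this example, not a list taken from the article.
REQUIRED_FIELDS = {"severity", "incident_type", "host_ip",
                   "hostname", "incident_id", "eventtime"}

# Constructed sample incident, keyed by the placeholder names in the template.
SAMPLE_INCIDENT = {
    "Severity": "High",
    "Properties[Type]": "Web Attack",
    "Host Ip": "192.0.2.10",
    "Attributes[Action]": "Blocked",
    "Properties[Incident Description]": 'Request matched rule "web-attack-01"',
    "Attributes[Session token id]": "sess-0001",
    "Properties[eventTime]": "2023-09-14T10:15:00Z",
    "Attributes[Http Host]": "app.example.test",
    "Attributes[Attacker Port]": "51234",
    "Host Name": "web-01",
    "Display Id": "INC-1001",
    "Properties[category]": "Web Attack",
    "Incident State": "Open",
    "Attributes[Attacker IP]": "203.0.113.7",
    "Attributes[HTTP Request]": "/login?user=admin",
}


def render_template(template, incident, escape=True):
    """Substitute every ${...} placeholder from the incident record.

    With escape=True each value is JSON-string-escaped before it is placed
    inside the already-quoted template field, so quotes, backslashes or
    newlines in a description cannot yield a body the log source rejects.
    Unknown placeholders render as empty strings.
    """
    def substitute(match):
        value = str(incident.get(match.group(1), ""))
        if escape:
            # json.dumps wraps the value in quotes; the template supplies
            # its own quotes, so strip the outer pair.
            return json.dumps(value)[1:-1]
        return value
    return PLACEHOLDER.sub(substitute, template)


def is_valid_json(body):
    """True if the rendered body parses as a JSON object."""
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def missing_fields(body):
    """Required fields that are absent from the body or rendered empty."""
    payload = json.loads(body)
    return {name for name in REQUIRED_FIELDS if not payload.get(name)}


def validate_payload(body):
    """Parse a rendered body and raise if the log source could not use it."""
    if not is_valid_json(body):
        raise ValueError("webhook body is not a JSON object")
    missing = missing_fields(body)
    if missing:
        raise ValueError(f"webhook body missing required fields: {sorted(missing)}")
    return json.loads(body)


if __name__ == "__main__":
    rendered = render_template(WEB_EVENT_TEMPLATE, SAMPLE_INCIDENT)
    print(json.dumps(validate_payload(rendered), indent=2))
```

Running the module prints the rendered Web Events body. Rendering the same incident with escape=False produces a body that no longer parses, which is the failure to look for on the QRadar side when events from one host arrive for some incidents but not others: the description or request field contained a character that broke the JSON.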


Virsec App Installation in QRadar

  1. Download the QRadar Connector for VSP using the link: https://exchange.xforce.ibmcloud.com/hub/extension/1096c05fa58241ead5a6847220626695
  2. Log in to QRadar using valid credentials
  3. Open QRadar Extensions Management on the Admin tab to install the app on QRadar
  4. Navigate to the Admin tab
  5. Under the System Configuration section, click Extensions Management
  6. Click Add to add a new Extension Management item
  7. On the pop-up window
    1. Browse and select the installation kit from the local machine for upload
    2. Select the option Install immediately
    3. Click Add. Validation commences immediately
  8. Select the option Replace Existing Items. Click Install
  9. Click OK on the installation summary page
  10. Click Deploy Changes
  11. The installed app is listed in the Extensions Management window


Configure Log Source

  1. Navigate to the Admin tab
  2. Navigate to Data Sources > Events. Click Log Sources
  3. Double-click on the log source Virsec Security Platform
  4. Configure the log source as described below:
    1. If the QRadar Log Source Management app is NOT installed, configure the following parameters:
      1. Log Source Identifier – Provide the VSP CMS IP address OR the IP address from which QRadar receives the notifications
      2. Target Event Collector – For QRadar on Cloud, select the on-premise data gateway from the dropdown
      3. Parameters such as Listen Port and Communication Type can also be modified if required
      4. Click Save
    2. If the QRadar Log Source Management app is installed, a pop-up window is displayed. Click Launch
      1. Click Log Sources
      2. Search for Virsec Security Platform and press Enter. Select the listed entry
      3. Select the tab Protocol
      4. Click Edit
      5. Log Source Identifier – Provide the CMS IP address OR the IP address from which QRadar receives the notifications
      6. Parameters such as Listen Port and Communication Type can also be modified if required. It is recommended to change only the IP address and retain the default values for the other parameters
      7. Click Save
  5. On the Admin tab of the QRadar SIEM console, click Deploy Changes to activate the newly configured log source
  6. Depending on the environment, iptables modifications may be required on the QRadar instance OR the data collector to allow inbound traffic on the configured Listen Port


View Event Details on QRadar

The integration delivers the configured CMS events to QRadar in real time, where they can be investigated using customizable queries.

  1. Click on Log Activity to view all the configured CMS events
  2. For detailed information on a specific event, double-click on it
  3. Payload information is also available in Event Details


To filter all the logs coming from Virsec Security Platform, add a quick search. The installed application includes a saved search for this purpose; to add it to your Quick Searches, follow the steps below:

  1. Navigate to the Log Activity tab. Click Search > Edit Search
  2. Search for Virsec and select Virsec Security Platform Logs - Last 24 hours
  3. Select Include in my Quick Searches. Click Search
  4. This search is now listed in Quick Searches
