To run investigations in your on-prem IBM QRadar instance, you need to do the following:
Configure a Data Plane integration with your IBM QRadar instance on the SOC Prime Platform
Set up an Authorized Service in IBM QRadar for Attack Detective
Install the SOC Prime Attack Detective App for IBM QRadar that connects your on-prem IBM QRadar instance to Attack Detective
Configure a Data Plane on the SOC Prime Platform
To use Attack Detective with IBM QRadar, first set up an integration profile (Data Plane) on the SOC Prime Platform.
Log in to your SOC Prime Platform account and go to Account icon > Platform Settings > Data Planes.
Click the Add Data Plane button.
Give your Data Plane profile a meaningful name.
Select IBM QRadar as your platform. Note that the On Prem switch is turned on automatically.
Select if you want to share the profile across your team.
Set the URL of your IBM QRadar web console.
Generate an Attack Detective API key by clicking the icon with arrows. You'll need to specify it in the .env file when installing the connector app. Please save the API key in a safe and accessible place. For security reasons, you won't be able to view it again. If you lose this secret key, you'll need to generate a new one.
Optionally, link a Custom Field Mapping profile. Custom Field Mapping profiles will be applied automatically to queries with matching log sources. Note that Share to Company and Make Default settings have to be enabled in the linked profiles.
Click Save Changes.
Set up an Authorized Service in IBM QRadar
To allow the Attack Detective connector app to access your IBM QRadar, set up an Authorized Service in IBM QRadar.
Go to Admin > Authorized Services.
Click Add.
Configure the following settings and click Save:
Meaningful Authorized Service Label
Security Profile. Attack Detective searches will run regardless of the permission level, but will only return data from the Networks, Log Sources, and Domains assigned to the selected Security Profile. If you need to create a new profile, go to Admin > User Management > Security Profiles, create a profile, and deploy changes.
User Role. Select a user role with at least these permissions: "Log Activity" for event searches and "Network Activity" for flow searches. If you need to create a new role, go to Admin > User Management > User Roles, create a role, and deploy changes.
Expiration date and time
An authorized service token is created. Copy it to a secure location, since you won't be able to access it again after closing the dialog. You'll need to specify this token in the .env file when installing the connector app.
Install the SOC Prime Attack Detective App for IBM QRadar
Requirements
1. Download the Content Pack with the app from Threat Detection Marketplace.
2. Unpack the downloaded archive.
3. In the folder where the archive has been unpacked, create a .env file.
4. In the .env file, specify the values for the following variables:
Variable | Description | Required |
ATTACK_DETECTIVE_API_KEY | Attack Detective API key generated when configuring an IBM QRadar Data Plane on the SOC Prime Platform. See the instructions in the Configure a Data Plane on the SOC Prime Platform section of this guide. | Required |
QRADAR_HOST | The hostname of your IBM QRadar web console | Required |
QRADAR_PORT | The port number of your IBM QRadar | Required |
QRADAR_SCHEME | The connection scheme of your IBM QRadar. Possible values: | Required |
QRADAR_API_TOKEN | The token of the Authorized Service created in IBM QRadar. See the instructions in the Set up an Authorized Service in IBM QRadar section of this guide. | Required |
QRADAR_API_VERSION | IBM QRadar API version Default: | Optional |
PROXY_FOR_ATTACK_DETECTIVE | Proxy URL for API access Default: | Optional |
PROXY_FOR_QRADAR | Proxy URL for IBM QRadar access Default: | Optional |
SEND_RESULTS_IMMEDIATELY | Sends results as soon as they are available Default: | Optional |
QRADAR_VERIFY_CERTS | Verifies SSL certificates Default: | Optional |
MAX_CONCURRENT_REQUESTS | Maximum number of parallel requests Default: | Optional |
RETRY_COUNT | Maximum retry attempts if connection fails Default: | Optional |
RETRY_DELAY | Seconds between retries Default: | Optional |
QRADAR_POLLING_INTERVAL | Seconds between AQL status checks Default: | Optional |
QRADAR_MAX_POLLING_ATTEMPTS | Maximum attempts for polling AQL results Default: | Optional |
LOG_LEVEL | Defines the logging level Possible values: Default: | Optional |
DEBUG_MODE | Enables detailed debug logging Default: | Optional |
LOGS_TO_STDOUT_ONLY | Logs only to stdout, typically used in Docker environments Default: | Optional |
ATTACK_DETECTIVE_BATCH_SIZE | Batch query size per one request Default: | Optional |
The contents of the file will look like this:
# Attack Detective API Settings
ATTACK_DETECTIVE_API_URL=https://attacko.socprime.com/
ATTACK_DETECTIVE_API_KEY=your_api_key_here
PROXY_FOR_ATTACK_DETECTIVE=http://proxy.example.com:8080
SEND_RESULTS_IMMEDIATELY=False
ATTACK_DETECTIVE_BATCH_SIZE=20
# QRadar Settings
QRADAR_HOST=qradar.example.com
QRADAR_PORT=443
QRADAR_SCHEME=https
QRADAR_API_TOKEN=your_qradar_api_token_here
QRADAR_API_VERSION=18.0
QRADAR_VERIFY_CERTS=True
QRADAR_TIMEOUT=60
QRADAR_POLLING_INTERVAL=1
# Performance Settings
MAX_CONCURRENT_REQUESTS=3
RETRY_COUNT=3
RETRY_DELAY=5
# Logging Settings
LOG_LEVEL=INFO
DEBUG_MODE=False
5. In the same folder, run the following command:
docker-compose up -d --build
This command launches a Docker container in the background that keeps running until it is stopped manually.
All dependencies will be installed from the requirements.txt file.
The successful response will contain a line that looks like this:
Container attack_detective_onpremise_app_qradar Started
6. To verify that the installation was successful, check the Docker container logs. On success, you'll see log lines like these:
QRadar connection is OK
Attack Detective API connection is OK
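The .env file in step 4 carries both secrets the connector needs, and the app only reports a bad value once the container is up. The following pre-flight script is an added example (not SOC Prime's code) that checks a .env file against the Required column of the table above, rejects placeholder secrets left over from the sample, validates QRADAR_SCHEME and QRADAR_PORT, refuses a world-readable file, and warns when certificate verification is off. The two sample .env files it builds are constructed here for demonstration and contain no real credentials; the function and file names are the example's own.

```shell
#!/bin/sh
# check_env: pre-flight checks for the connector's .env file before docker-compose is run.
# Added example, not SOC Prime's code. Returns 0 when the file passes, 1 otherwise
# (each finding is printed to stderr). Values are read with grep, so one KEY=value per line.
env_value() { grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

check_env() {
  env_file="$1"; errors=0
  [ -f "$env_file" ] || { echo "$env_file: not found" >&2; return 1; }
  # The five variables the table above marks as Required must all be set
  for var in ATTACK_DETECTIVE_API_KEY QRADAR_HOST QRADAR_PORT QRADAR_SCHEME QRADAR_API_TOKEN; do
    [ -n "$(env_value "$env_file" "$var")" ] || { echo "$var is required but empty" >&2; errors=$((errors + 1)); }
  done
  # Placeholder secrets copied from the sample file must have been replaced
  for var in ATTACK_DETECTIVE_API_KEY QRADAR_API_TOKEN; do
    case "$(env_value "$env_file" "$var")" in
      your_*) echo "$var still holds the sample placeholder" >&2; errors=$((errors + 1)) ;;
    esac
  done
  case "$(env_value "$env_file" QRADAR_SCHEME)" in
    http|https) ;;
    *) echo "QRADAR_SCHEME must be http or https" >&2; errors=$((errors + 1)) ;;
  esac
  case "$(env_value "$env_file" QRADAR_PORT)" in
    ''|*[!0-9]*) echo "QRADAR_PORT must be a number" >&2; errors=$((errors + 1)) ;;
  esac
  # The file holds two secrets: refuse to proceed if other users on the host can read it
  case "$(ls -ld "$env_file")" in
    ???????r*) echo "$env_file is readable by other users; run chmod 600 on it" >&2; errors=$((errors + 1)) ;;
  esac
  # Disabling certificate verification is a valid setting, but worth an explicit warning
  case "$(env_value "$env_file" QRADAR_VERIFY_CERTS)" in
    [Ff]alse) echo "warning: QRADAR_VERIFY_CERTS=False disables TLS certificate checks" >&2 ;;
  esac
  [ "$errors" -eq 0 ]
}

# Constructed sample files for demonstration (not real credentials)
WORKDIR=$(mktemp -d)
BAD_ENV="$WORKDIR/sample.env"     # the sample from the guide with its placeholders untouched
GOOD_ENV="$WORKDIR/filled.env"    # the same layout with the placeholders replaced
printf '%s\n' 'ATTACK_DETECTIVE_API_KEY=your_api_key_here' 'QRADAR_HOST=qradar.example.com' \
  'QRADAR_PORT=443' 'QRADAR_SCHEME=https' 'QRADAR_API_TOKEN=your_qradar_api_token_here' > "$BAD_ENV"
printf '%s\n' 'ATTACK_DETECTIVE_API_KEY=ad-key-constructed-0001' 'QRADAR_HOST=qradar.example.com' \
  'QRADAR_PORT=443' 'QRADAR_SCHEME=https' 'QRADAR_API_TOKEN=qr-token-constructed-0001' \
  'QRADAR_VERIFY_CERTS=True' > "$GOOD_ENV"
chmod 600 "$GOOD_ENV"
check_env "$GOOD_ENV" && echo "filled.env passes"
check_env "$BAD_ENV" || echo "sample.env rejected: replace the placeholders before step 5"
```

Run it against your real .env in the unpacked folder before step 5; a zero exit status means the required values are present and the secrets are not the sample placeholders.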
