Sending Findings to QRadar

IBM QRadar is an enterprise Security Information and Event Management (SIEM) system. It collects log data from an enterprise and its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors.

Configuring QRadar

From IBM App Exchange, download and install the Dome9 QRadar application on a QRadar console or app host.
In the QRadar admin console, create a new QRadar role that only specifies access to the Dome9 application.
Create a new QRadar-authorized service that uses the role created in the previous step. Copy the Authentication Token for future use.
Below the System Settings, in the Advanced menu, set the Max TCP Syslog Payload Length value to 16,384.

If necessary, deploy the changes.
Create a new integration through the Dome9 Settings:
- Copy the Notifications HTTP Endpoint value for future use.
- (Optional) Provide the CloudGuard API credentials for the integration. With these credentials, you can acknowledge findings or create exclusions directly in QRadar.

Configuring CloudGuard

In CloudGuard, navigate to Settings > Notifications and click Add Notification.
Enter the applicable options as described in Notifications.
In the Immediate Notification section, select Send to HTTP Endpoint. The section of endpoint parameters opens.
Set the endpoint parameters:
- Below the Endpoint URL, select QRadar and paste the endpoint value you copied in step 5 of the QRadar configuration.
- Enter the Authentication Token value created in step 3 of the QRadar configuration as the password.
- Click the Test button to check the integration connectivity. If it is correct, you see the message that the Webhook test succeeded.
Click Save.

Testing the Integration

In QRadar, make sure that Dome9 notifications show in the QRadar events database.
Make sure that custom properties are populated as expected in a sample event.
Browse events in the viewer in the Dome9 QRadar application.