Sending Findings to QRadar

IBM QRadar is an enterprise Security Information and Event Management (SIEM) system. It collects log data from an enterprise and its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors.

Configuring QRadar

  1. From IBM App Exchange, download and install the Dome9 QRadar application on a QRadar console or app host.

  2. In the QRadar admin console, create a new QRadar role that only specifies access to the Dome9 application.

  3. Create a new QRadar-authorized service that uses the role created in the previous step. Copy the Authentication Token for future use.

  4. Under System Settings, in the Advanced menu, set the Max TCP Syslog Payload Length value to 16,384.

    If necessary, deploy the changes.

  5. Create a new integration through the Dome9 Settings:

    • Copy the Notifications HTTP Endpoint value for future use.

    • (Optional) Provide the CloudGuard API credentials for the integration. With these credentials, you can acknowledge findings or create exclusions directly in QRadar.

Configuring CloudGuard

  1. In the CloudGuard portal, from the left menu, click Integration Hub.

  2. In the Events and Logging section, click QRadar.

    The QRadar sliding menu opens.

  3. Create the integration.

Testing the Integration

  1. In QRadar, make sure that Dome9 notifications appear in the QRadar events database.

  2. Make sure that custom properties are populated as expected in a sample event.

  3. Browse events in the viewer in the Dome9 QRadar application.
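The payload-length setting in the QRadar configuration steps and the custom-property check in the testing steps are related: an event longer than the configured Max TCP Syslog Payload Length is truncated, and truncated JSON leaves custom properties empty. The following script is an added example, not part of this page or of the Dome9 QRadar application. It builds a constructed sample finding (the field names are illustrative assumptions, not the product's schema), wraps it as a syslog line, measures it in UTF-8 bytes against the 16,384 limit, and reports which fields would be clipped and which expected properties are missing.

```python
import json

# "Max TCP Syslog Payload Length" as set in the QRadar configuration steps above.
MAX_TCP_SYSLOG_PAYLOAD = 16384

# Constructed sample finding. Field names are illustrative assumptions,
# not the actual CloudGuard notification schema.
SAMPLE_FINDING = {
    "id": "finding-0001",
    "severity": "High",
    "ruleName": "S3 bucket allows public read",
    "cloudAccountId": "123456789012",
    "entityType": "S3Bucket",
    "region": "us-east-1",
    "description": "Bucket policy grants s3:GetObject to everyone.",
    "remediation": "Restrict the bucket policy to known principals.",
}

# Properties we expect the QRadar app to map into custom event properties
# (assumed list for the example).
REQUIRED_PROPERTIES = ("id", "severity", "ruleName", "cloudAccountId", "entityType")


def syslog_line(finding, hostname="cloudguard"):
    """Wrap a finding as one RFC 5424-style syslog line with a compact JSON body."""
    body = json.dumps(finding, separators=(",", ":"), ensure_ascii=False)
    return f"<13>1 2024-01-01T00:00:00Z {hostname} Dome9 - - - {body}"


def payload_size(finding):
    """Size in bytes, not characters: the syslog limit is applied to the wire bytes,
    so non-ASCII text in a finding counts for more than its character length."""
    return len(syslog_line(finding).encode("utf-8"))


def check_payload(finding, limit=MAX_TCP_SYSLOG_PAYLOAD):
    """Report whether an event survives the syslog limit intact and whether the
    properties the QRadar app needs are populated."""
    size = payload_size(finding)
    missing = [k for k in REQUIRED_PROPERTIES if not finding.get(k)]
    # Largest fields first: these are what truncation would clip.
    largest = sorted(
        ((k, len(str(v).encode("utf-8"))) for k, v in finding.items()),
        key=lambda kv: kv[1],
        reverse=True,
    )[:3]
    return {
        "size": size,
        "fits": size <= limit,
        "over_by": max(0, size - limit),
        "missing_properties": missing,
        "largest_fields": largest,
    }


if __name__ == "__main__":
    # A normal finding fits comfortably.
    print(check_payload(SAMPLE_FINDING))
    # A finding with a very long description (constructed) exceeds the limit;
    # QRadar would truncate it and the JSON body would no longer parse.
    oversized = dict(SAMPLE_FINDING, description="x" * 20000)
    print(check_payload(oversized))
    # A finding missing a mapped property shows up as an empty custom property.
    print(check_payload(dict(SAMPLE_FINDING, severity="")))
```

Run it before and after changing the payload length setting: a report with `fits` false on real notifications points at the setting, while `missing_properties` points at the event itself rather than at QRadar.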