Fortinet Document Library

About the connector

IBM QRadar SIEM helps your business by detecting anomalies, uncovering advanced threats and removing false positives. It consolidates log events and network flow data from thousands of devices, endpoints, and applications distributed throughout a network.

This document provides information about the IBM QRadar connector, which facilitates automated interactions with a QRadar server using FortiSOAR™ playbooks. Add the IBM QRadar connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving offenses and offense details from QRadar and querying a QRadar device.

Version information

Connector Version: 1.3.0

FortiSOAR™ Version Tested on: 5.0.1-098

IBM QRadar Version Tested on: 7.2.8

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.3.0

The following enhancements have been made to the IBM QRadar connector in version 1.3.0:

  • Added support for configuring QRadar data ingestion using the FortiSOAR™ Data Ingestion Wizard, a new feature in FortiSOAR™ 5.0.0. The following new playbooks have been added for data ingestion: > IBM QRadar > Create Alert, > IBM QRadar > Fetch, >> IBM QRadar > Fetch Events, Source and Destination IP of an Offense, >> IBM QRadar > Handle Macros, and IBM QRadar > Ingest. For information on how to ingest IBM QRadar offenses using the Data Ingestion Wizard, see the Ingesting IBM QRadar data using the Data Ingestion Wizard section.
  • Added a new optional input parameter named "Closure Note" for the Close Offense operation.
  • Added a new operation and playbook named "Manipulate Reference Set Content."

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-qradar

Prerequisites to configuring the connector

  • You must have the IP address of the QRadar server to which you will connect and perform the automated operations, and an API token to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
  • To automatically forward offenses from the QRadar UI to FortiSOAR™ directly, you must install and configure the CyberSponse Application on the QRadar server. See the Installing the CyberSponse Application on the QRadar Server section.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the IBM QRadar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter | Description
Address | IP address of the QRadar server from which the connector gets offense information and to which you connect and perform automated operations.
API Token | API token to access the QRadar server to which you connect and perform automated operations.
API Version | Version of the QRadar API to be used for performing automated operations.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True.

Installing the CyberSponse Application on the QRadar Server

If you want to forward offenses to FortiSOAR™ from the QRadar UI directly, you must install the CyberSponse Application on the QRadar server. The extension zip file (CyberSponse_1.1.0.zip) is attached to this document. Upload and install the extension on the QRadar console following the steps described in the following IBM document: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/t_cmt_importing_extensions.html.

After the installation, the CyberSponse Integration icon appears in the Plug-ins section of the Admin tab.

CyberSponse Application - CyberSponse Integration icon

 

Click the CyberSponse Integration icon to open the Server Configuration dialog. Enter the details of the CyberSponse server to which you want to forward the offenses and then click Save.

CyberSponse Application - Server Configuration dialog

Ensure that the QRadar server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443. Now, you can forward offenses to FortiSOAR™ by using the Create CyOPs alert button in the Offense Summary Toolbar as shown in the following image:

Offense Summary Toolbar - Create CyOPs alert button

 

Clicking the Create CyOPs alert button sends a POST request to the API trigger URL https://<CyOPs>/api/triggers/1/qradar with the payload {"Offense_ID": <id>}.
The included API - Push Offense From QRadar playbook listens on this API trigger, fetches all the data related to the specified offense ID, and creates a FortiSOAR™ alert. You can verify the integration with the help of this playbook, or make a copy of the playbook and update it as per your requirements. If you make a copy, deactivate the included playbook to avoid two playbooks acting on the same API trigger.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function | Description | Annotation | Category
Get Offenses from QRadar | Retrieves a list of offenses from the QRadar server based on the filter string that you have specified. | get_offenses | Investigation
Get Events Related to an Offense | Retrieves details of events associated with a QRadar offense from the QRadar server, based on the QRadar offense ID that you have specified. | get_events | Investigation
Make an Ariel Query to QRadar | Executes an Ariel query on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters. | run_query | Investigation
Get Offense Closing Reasons | Retrieves a list of closing reasons associated with all offenses from the QRadar server. | get_offense_closing_reasons | Remediation
Close Offense | Closes an offense on the QRadar server based on the offense ID that you have specified. | close_offense | Remediation
Get Source IP Addresses | Retrieves IP address details from the QRadar server for the source address IDs that you have specified. | ip_details | Investigation
Get Destination IP Addresses | Retrieves IP address details from the QRadar server for the destination address IDs that you have specified. | ip_details | Investigation
Invoke QRadar REST API | Invokes a GET or POST request against an API endpoint on the QRadar server. | api_call | Miscellaneous
Get Offense Types | Retrieves a list containing IDs of all the offense types from the QRadar server. | get_offense_type | Investigation
Manipulate Reference Set Content | Adds or deletes the content that you have specified from a specified reference set on QRadar. | handle_reference_set_value | Investigation
 

operation: Get Offenses from QRadar

Input parameters

Parameter | Description
Filter String | Filter string based on which you want to retrieve the list of offenses from QRadar. For example, assigned_to="admin".

Output

The JSON output contains a list of offenses retrieved from the QRadar server, based on the filter string that you have specified.

The output contains the following populated JSON schema:

{
     "source_count": "", 
     "credibility": "", 
     "status": "", 
     "categories": [ 
         "" 
     ], 
     "protected": "", 
     "offense_source": "", 
     "event_count": "", 
     "closing_user": "", 
     "closing_reason_id": "", 
     "policy_category_count": "", 
     "last_updated_time": 1501624285172, 
     "severity": "", 
     "username_count": "", 
     "description": "", 
     "assigned_to": "", 
     "destination_networks": [ 
         "" 
     ], 
     "security_category_count": "", 
     "start_time": 1501624284334, 
     "id": "", 
     "offense_type": "", 
     "relevance": "", 
     "device_count": "", 
     "magnitude": "", 
     "domain_id": "", 
     "local_destination_address_ids": [ 
         "" 
     ], 
     "inactive": "", 
     "source_address_ids": [ 
         "" 
     ], 
     "category_count": "", 
     "source_network": "", 
     "local_destination_count": "", 
     "flow_count": "", 
     "follow_up": "", 
     "close_time": "", 
     "remote_destination_count": "" 
}

operation: Get Events Related to an Offense

Input parameters

Parameter | Description
QRadar Offense ID | ID of the offense whose events you want to retrieve from QRadar.
Offense Start Time | Start time of the offense, in milliseconds since the epoch.
Offense Last Update Time | Time at which the offense was last modified, in milliseconds since the epoch.
Max Events to return | (Optional) Maximum number of events that this operation should return.

Output

A JSON output contains details of events associated with a QRadar offense, retrieved from the QRadar server, based on the QRadar offense ID that you have specified.

The output contains the following populated JSON schema:
{
     "events": [
         {
             "qid": "",
             "category": "",
             "sourceip": "",
             "username": "",
             "magnitude": "",
             "starttime": "",
             "eventcount": "",
             "identityip": "",
             "protocolid": "",
             "sourceport": "",
             "logsourceid": "",
             "destinationip": "",
             "destinationport": ""
         }
     ]
}

operation: Make an Ariel Query to QRadar

Input parameters

Parameter | Description
Ariel Search String | Ariel query that you want to run on the QRadar server.

Output

The JSON output contains details of offenses or events depending on the query that you run on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters.

The output contains a non-dictionary value.

operation: Get Offense Closing Reasons

Input parameters

None

Output

The JSON output contains a list of closing reasons associated with all offenses retrieved from the QRadar server.

The output contains the following populated JSON schema:

{
     "is_reserved": "", 
     "id": "", 
     "text": "", 
     "is_deleted": "" 
}

operation: Close Offense

Input parameters

Parameter | Description
Offense ID | ID of the offense that you want to close on the QRadar server.
Offense Closing Reason - ID | ID of the offense closing reason with which you want to close the offense on the QRadar server.
Closure Note | (Optional) Note that you want to associate with the offense that you are closing on the QRadar server.

Output

The JSON output contains the updated offense details, including the status (should be closed) of the specified offense retrieved from the QRadar server.

The output contains the following populated JSON schema:

{
     "source_count": "", 
     "credibility": "", 
     "status": "", 
     "categories": [], 
     "protected": "", 
     "offense_source": "", 
     "event_count": "", 
     "closing_user": "", 
     "closing_reason_id": "", 
     "policy_category_count": "", 
     "last_updated_time": "", 
     "severity": "", 
     "username_count": "", 
     "description": "", 
     "assigned_to": "", 
     "destination_networks": [], 
     "security_category_count": "", 
     "start_time": "", 
     "id": "", 
     "offense_type": "", 
     "relevance": "", 
     "device_count": "", 
     "magnitude": "", 
     "domain_id": "", 
     "local_destination_address_ids": [], 
     "inactive": "", 
     "source_address_ids": [], 
     "category_count": "", 
     "source_network": "", 
     "local_destination_count": "", 
     "flow_count": "", 
     "follow_up": "", 
     "close_time": "", 
     "remote_destination_count": "" 
}

operation: Get Source IP Addresses

The offense data provided by QRadar contains the IDs of the source addresses. Use this operation to fetch the IP address details for the specified source address IDs.

Input parameters

Parameter | Description
Source Address Ids | IDs of source addresses for which you want to retrieve IP address details from the QRadar server. For example, [3,4,5].

Output

The JSON output contains the IP address details associated with the specified source address IDs, retrieved from the QRadar server.

The output contains the following populated JSON schema:

{
     "id": "", 
     "magnitude": "", 
     "source_ip": "", 
     "network": "" 
}

operation: Get Destination IP Addresses

The offense data provided by QRadar contains the IDs of the destination addresses. Use this operation to fetch the IP address details for the specified destination address IDs.

Input parameters

Parameter | Description
Destination Address Ids | IDs of destination addresses for which you want to retrieve IP address details from the QRadar server. For example, [3,4,5].

Output

The JSON output contains the IP address details associated with the specified destination address IDs, retrieved from the QRadar server.

The output contains the following populated JSON schema:

{
     "local_destination_ip": "", 
     "id": "", 
     "magnitude": "", 
     "network": "" 
}

operation: Invoke QRadar REST API

If you need to invoke a QRadar API that is not covered by the functions provided, you can use this function to invoke the QRadar REST API directly. Refer to the IBM documentation for more information on the QRadar REST APIs: https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_adm_restapi_using.html.

Input parameters

Parameter | Description
Endpoint | Specifies the REST endpoint. For example, siem or offenses.
Request Method | Select the request method. You can choose between GET or POST.
  • If you select GET, then you should specify the Request Parameters parameter. In the Request Parameters parameter, specify the request parameters for the specified endpoint.
  • If you select POST, then you can specify either the Request Parameters in JSON Format or the Request Payload in JSON Format parameter. In these parameters, specify either the request parameters or the request JSON payload for the specified endpoint.
Headers in JSON format | (Optional) Additional JSON-formatted headers. The following headers are already added by the connector:
'Accept': 'application/JSON', 
'Content-Type': 'application/JSON', 
'SEC': <token>,
'Version': <api_version>

Output

The JSON output contains the JSON response of the API invoked.

The output contains a non-dictionary value.

operation: Get Offense Types

Input parameters

None

Output

The JSON output contains a list containing IDs of all the offense types retrieved from the QRadar server. You can use the offense type IDs as a filter criterion in the Get Offenses operation.

The output contains the following populated JSON schema:

{
     "id": "", 
     "property_name": "", 
     "database_type": "", 
     "name": "", 
     "custom": "" 
}

operation: Manipulate Reference Set Content

Input parameters

Parameter | Description
Request Method | Select the request method option of the operation that you want to perform on the specified reference set in QRadar. You can choose from Retrieves Value, Add Value, or Delete Value.
Reference Set Name | Name of the reference set in which you want to perform the operation based on the option you have specified in the Request Method.
  • If you choose Add Value as the Request Method, then this operation will add the specified value to the reference set you have specified in this field.
  • If you choose Delete Value as the Request Method, then this operation will delete the specified value from the reference set you have specified in this field.
  • If you choose Retrieves Value as the Request Method, then this operation will retrieve the values of the reference set you have specified in this field.
Value | Value that you want to add to or remove from the specified reference set. You must specify the value in this field if you have chosen Add Value or Delete Value as the Request Method.

Output

The output is conditional and based on the request method that you choose.

For example, if you choose Retrieves Value as the Request Method, then the output contains the following populated JSON schema:
{
     "data": [
         {
             "first_seen": "",
             "last_seen": "",
             "source": "",
             "value": ""
         }
     ],
     "message": "",
     "element_type": "",
     "timeout_type": "",
     "name": "",
     "number_of_elements": "",
     "creation_time": ""
}

Or for example, if you choose Add Value or Delete Value as the Request Method, then the output contains the following populated JSON schema:
{
     "message": "",
     "element_type": "",
     "timeout_type": "",
     "name": "",
     "number_of_elements": "",
     "creation_time": ""
}
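The operations described above all ride on the same four connector settings (Address, API Token, API Version, Verify SSL) and on the headers listed under Invoke QRadar REST API. This added example, which is not part of the connector or of Fortinet's documentation, is a small Python client that builds those headers, bounds the Get Events query to the offense's start_time/last_updated_time window in AQL, closes an offense with a closing reason and the optional Closure Note, and performs the three Manipulate Reference Set Content request methods. The endpoint paths follow IBM's public QRadar REST API as an assumption to check against your version; the host, token, version string and the fake transport's responses are constructed placeholders.

```python
"""Small QRadar REST client built around the connector's settings (added example, not connector code)."""
import json
import ssl
import urllib.parse
import urllib.request

# Columns taken from the connector's "Get Events Related to an Offense" output schema.
EVENT_FIELDS = ("qid", "category", "sourceip", "username", "magnitude", "starttime",
                "eventcount", "identityip", "protocolid", "sourceport", "logsourceid",
                "destinationip", "destinationport")


def offense_events_aql(offense_id, start_time, last_updated_time, max_events=100):
    """AQL for an offense's events, bounded to the offense's own time window.

    start_time / last_updated_time are epoch milliseconds as QRadar reports them;
    INOFFENSE() is a standard AQL function. int() rejects any non-numeric offense ID.
    """
    return ("SELECT {} FROM events WHERE INOFFENSE({}) LIMIT {} START {} STOP {}"
            .format(", ".join(EVENT_FIELDS), int(offense_id), int(max_events),
                    int(start_time), int(last_updated_time)))


def _urllib_transport(verify_ssl):
    """Default transport: HTTPS via urllib, honouring the connector's Verify SSL flag."""
    def send(method, url, headers, body=None):
        ctx = ssl.create_default_context()
        if not verify_ssl:  # Verify SSL = False disables certificate checks; keep True outside a lab
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8")
    return send


class QRadarClient:
    """Holds the connector's Address, API Token, API Version and Verify SSL parameters."""

    def __init__(self, address, api_token, api_version, verify_ssl=True, transport=None):
        self.base = "https://{}/api".format(address)
        # The headers the connector adds to every call; SEC carries the API token.
        self.headers = {"Accept": "application/json", "Content-Type": "application/json",
                        "SEC": api_token, "Version": str(api_version)}
        self._send = transport or _urllib_transport(verify_ssl)

    def _call(self, method, path, params=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        status, text = self._send(method, url, dict(self.headers))
        if status >= 400:
            raise RuntimeError("QRadar returned HTTP {} for {} {}".format(status, method, path))
        return json.loads(text) if text else None

    # Paths below follow IBM's public QRadar REST API (assumption; verify against your version).
    def get_offenses(self, filter_string):
        return self._call("GET", "/siem/offenses", {"filter": filter_string})

    def close_offense(self, offense_id, closing_reason_id, closure_note=None):
        oid = int(offense_id)
        if closure_note:  # optional Closure Note, stored as an offense note before closing
            self._call("POST", "/siem/offenses/{}/notes".format(oid), {"note_text": closure_note})
        return self._call("POST", "/siem/offenses/{}".format(oid),
                          {"status": "CLOSED", "closing_reason_id": int(closing_reason_id)})

    def reference_set(self, name, request_method, value=None):
        """Mirrors Manipulate Reference Set Content: Retrieves Value, Add Value or Delete Value."""
        path = "/reference_data/sets/" + urllib.parse.quote(name, safe="")
        if request_method == "Retrieves Value":
            return self._call("GET", path)
        if request_method == "Add Value":
            return self._call("POST", path, {"value": value})
        if request_method == "Delete Value":
            return self._call("DELETE", path + "/" + urllib.parse.quote(str(value), safe=""))
        raise ValueError("unknown request method: {!r}".format(request_method))


def make_fake_transport(log):
    """Offline stand-in for HTTPS: records every request and answers with constructed JSON."""
    def send(method, url, headers, body=None):
        log.append((method, url, headers))
        if "/siem/offenses?" in url:  # Get Offenses: one constructed open offense
            return 200, json.dumps([{"id": 42, "status": "OPEN", "start_time": 1501624284334,
                                     "last_updated_time": 1501624285172, "source_address_ids": [3, 4]}])
        if "/reference_data/sets/" in url:
            return 200, json.dumps({"name": "FortiSOAR_Blocked_IPs", "number_of_elements": 1})
        return 200, json.dumps({"id": 42, "status": "CLOSED", "closing_reason_id": 1})
    return send


def demo():
    """Walk one offense through fetch, event query, closure and a reference-set update, offline."""
    log = []
    client = QRadarClient("qradar.example.internal", "REPLACE_WITH_TOKEN", "9.0",
                          transport=make_fake_transport(log))  # host, token, version: placeholders
    offense = client.get_offenses('status="OPEN"')[0]
    aql = offense_events_aql(offense["id"], offense["start_time"], offense["last_updated_time"], 50)
    closed = client.close_offense(offense["id"], 1, "Handled by FortiSOAR playbook")
    client.reference_set("FortiSOAR_Blocked_IPs", "Add Value", "198.51.100.7")
    return {"aql": aql, "closed_status": closed["status"], "calls": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```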

Included playbooks

The Sample - IBM QRadar - 1.3.0 playbook collection comes bundled with the IBM QRadar connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the IBM QRadar connector.

  • API - Push Offense From QRadar:
    Requires installation and configuration of the CyberSponse Application on the QRadar server. See the Installing the CyberSponse Application on the QRadar Server section.
  • Close QRadar Offenses
    > Close Offense
  • Get Destination IP Addresses
  • Get Events Related to an Offense
  • Get Offenses
  • Get Offense Type
    Requires installation and configuration of the CyberSponse Application on the QRadar server. See the Installing the CyberSponse Application on the QRadar Server section.
  • Get Source IP Addresses
  • > IBM QRadar > Create Alert
  • > IBM QRadar > Fetch
  • >> IBM QRadar > Fetch Events, Source and Destination IP of an Offense
  • >> IBM QRadar > Handle Macros
  • IBM QRadar > Ingest
  • Invoke QRadar REST API
  • Manipulate Reference Set Content
  • Run Ariel Query

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

 

Ingesting IBM QRadar data using the Data Ingestion Wizard

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling offenses from IBM QRadar. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Process of ingesting offenses from IBM QRadar using the Data Ingestion Wizard

  1. Log on to FortiSOAR™.
  2. On the left navigation pane, click Automation > Connectors.
    On the Connectors page, you will see the list of installed connectors, either in the card view or the grid/list view.
  3. Click IBM QRadar v1.3.0.
  4. On the Connector Configuration pane, click Configure Data Ingestion to display the Data Ingestion Wizard.
  5. On the Welcome screen of the Data Ingestion Wizard, read the Prerequisites mentioned on the Welcome screen and if all the requirements to ingest data are met, click the Continue button to display the Fetch Sample Data screen. 
  6. Sample data is required to create a field mapping between your IBM QRadar data and FortiSOAR™.   
    1. In the Method field, select the method to be used to create the mapping. Currently, only data ingestion using playbooks is supported; therefore, Ingestion Playbook is selected.
    2. From the Playbook To Fetch Sample Data drop-down list, the playbook that should be used to fetch data is selected. In the case of IBM QRadar, it is the > IBM QRadar > Fetch playbook.
    3. In the Filter_string field, type the string based on which you want to retrieve the list of offenses from IBM QRadar.  
      For example, if you want to fetch all "Open" offenses from IBM QRadar, then type status="Open" in the Filter_string field.
    4. In the QRadar_timezone field, type the timezone in which your IBM QRadar server is located. For example, UTC.
    5. In the Pull_Sample_Offense_in_Past_X_Minutes field, type the time in minutes from when you want to pull offenses from IBM QRadar.
    6.  Click Continue to Field Mapping.  
  7. On the Field Mapping screen, map the fields of the sample data to the fields present in FortiSOAR™ as follows: 
    1. The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of key-value pairs.
      From the Module drop-down list that appears next to Field Mapping, select the FortiSOAR™ module for which you want to map the fields. The default module will already be selected, for example, Alerts.
      Note: If you select any module other than the default module, you must remap all the fields.
      Also, some fields such as Name and some picklists can come pre-mapped with their jinja value. You do not need to re-map these fields unless you want to override their default values.
    2. To map a field, click the key in the sample data to add jinja for the field.
      For example, map the Severity field in FortiSOAR™ by clicking severity from the IBM QRadar sample data. Once you click severity, {{vars.sourcedata["severity"]}} is added in the Severity field.
      Next, you must map the items of picklists. For example, the Severity picklist in FortiSOAR™ has items such as Minimal, Low, Medium, High, and Critical. These picklist items can be mapped as per the values defined in the source. Also, more than one picklist item in FortiSOAR™ can map to a single value in the source. For example, both Minimal and Low can be mapped to 3, or you can also map one picklist item in FortiSOAR™ to two values in the source; for example, you can map Minimal severity to both 1 and 2, Low to 3 and 4, etc.
      You can similarly map the other picklists such as Status and Type.
      The Source Field will be QRadar and you can map the Source ID field to the id field in the IBM QRadar sample data. The Source Data field, mapped to {{vars.offense_data | toJSON }} by default, contains the object of the entire offense.
    3. Once you are satisfied with the mappings, click Save and Continue.  
  8. (Optional) On the Scheduling screen, you can specify the schedule for data ingestion from the connector into FortiSOAR™, i.e., you can specify the polling frequency to IBM QRadar, so that the content gets pulled from IBM QRadar into FortiSOAR™. 
  9. The Summary screen displays a brief summary of the mapping done and it also contains links to the modified playbooks. 
  10. Click Done to complete the data ingestion. 

CyberSponse_1.1.0

About the connector

IBM QRadar SIEM helps your business by detecting anomalies, uncovering advanced threats and removing false positives. It consolidates log events and network flow data from thousands of devices, endpoints, and applications distributed throughout a network.

This document provides information about the IBM QRadar connector, which facilitates automated interactions, with a QRadar server using FortiSOAR™ playbooks. Add the IBM QRadar connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about the offenses and details of the offenses from QRadar and also querying a QRadar device.

Version information

Connector Version: 1.3.0

FortiSOAR™ Version Tested on: 5.0.1-098

IBM QRadar Version Tested on: 7.2.8

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.3.0

Following enhancements have been made to the IBM QRadar connector in version 1.3.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-qradar

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the IBM QRadar connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Address IP address of the QRadar server from where the connector gets offenses information and to which you connect and perform automated operations.
API Token API token to access the QRadar server to which you connect and perform automated operations.
API Version Version of the QRadar API to be used for performing automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
Defaults to True.

Installing the CyberSponse Application on the QRadar Server

If you want to forward offenses to FortiSOAR™ from the QRadar UI directly, then you require to install the CyberSponse Application on the QRadar server. The extension zip file (CyberSponse_1.1.0.zip) is attached with this document. Upload and install the extension on the QRadar console following the steps described in the following IBM document: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/t_cmt_importing_extensions.html.

After the installation, the CyberSponse Integration icon appears in the Plug-ins section of the Admin tab.

CyberSponse Application - CyberSponse Integration icon

 

Click the CyberSponse Integration icon to open the Server Configuration dialog. Enter the details of the CyberSponse server to which you want to forward the offenses and then click Save.

CyberSponse Application - Server Configuration dialog

Ensure that the QRadar server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443. Now, you can forward offenses to FortiSOAR™ by using the Create CyOPs alert button in the Offense Summary Toolbar as shown in the following image:

Offense Summary Toolbar - Create CyOPs alert button

 

Clicking the Create CyOPs alert button sends a POST trigger to the https://<CyOPs>/api/triggers/1/qradar with the payload {“Offense_ID”: <id>} URL.
The API - Push Offense From QRadar included playbook listens to this API trigger and fetches all the data related to the offense specified in the offense id and creates a FortiSOAR™ alert. You can verify the integration with the help of this playbook or make a copy of the playbook and update it as per your requirement. If you make a copy, deactivate the included playbook, to avoid two playbooks acting on the same API trigger.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Offenses from QRadar Retrieves a list of offenses from the QRadar server based on the filter string that you have specified. get_offenses
Investigation
Get Events Related to an Offense Retrieves details of events associated with a QRadar offense, from the QRadar server, based on the QRadar offense ID that you have specified. get_events
Investigation
Make an Ariel Query to QRadar Executes an Ariel query on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters. run_query
Investigation
Get Offense Closing Reasons Retrieves a list of closing reasons associated with all offenses from the QRadar server. get_offense_closing_reasons
Remediation
Close Offense Closes an offense on the QRadar server based on the offense ID that you have specified. close_offense
Remediation
Get Source IP Addresses Retrieves IP address details associated with a source address IDs from the QRadar server, based on the source address IDs that you have specified ip_details
Investigation
Get Destination IP Addresses Retrieves IP address details associated with a destination address IDs from the QRadar server, based on the destination address IDs that you have specified ip_details
Investigation
Invoke QRadar REST API Invokes a function to Get or Post an API endpoint on the QRadar server. api_call
Miscellaneous
Get Offense Types Retrieves a list containing IDs of all the offense types from the QRadar server. get_offense_type
Investigation
Manipulate Reference Set Content Adds or deletes the content that you have specified from a specified reference set on QRadar. handle_reference_set_value
Investigation
 

operation: Get Offenses from QRadar

Input parameters

Parameter Description
Filter String Filter string based on which you want to retrieve the list of offenses from QRadar.
For example, assigned_to="admin".

Output

The JSON output contains a list of offenses retrieved from the QRadar server, based on the filter string that you have specified.

The output contains the following populated JSON schema:

     "source_count": "", 
     "credibility": "", 
     "status": "", 
     "categories": [ 
         "" 
     ], 
     "protected": "", 
     "offense_source": "", 
     "event_count": "", 
     "closing_user": "", 
     "closing_reason_id": "", 
     "policy_category_count": "", 
     "last_updated_time": 1501624285172, 
     "severity": "", 
     "username_count": "", 
     "description": "", 
     "assigned_to": "", 
     "destination_networks": [ 
         "" 
     ], 
     "security_category_count": "", 
     "start_time": 1501624284334, 
     "id": "", 
     "offense_type": "", 
     "relevance": "", 
     "device_count": "", 
     "magnitude": "", 
     "domain_id": "", 
     "local_destination_address_ids": [ 
         "" 
     ], 
     "inactive": "", 
     "source_address_ids": [ 
         "" 
     ], 
     "category_count": "", 
     "source_network": "", 
     "local_destination_count": "", 
     "flow_count": "", 
     "follow_up": "", 
     "close_time": "", 
     "remote_destination_count": "" 
}

operation: Get Events Related to an Offense

Input parameters

Parameter Description
QRadar Offense ID Offense ID based on which you want to retrieve events from QRadar.
Offense Start Time Number of milliseconds since epoch since the offense was started.
Offense Last Update Time Number of milliseconds since epoch since the offense was last modified.
Max Events to return (Optional) Maximum number of events that this operation should return.

Output

A JSON output contains details of events associated with a QRadar offense, retrieved from the QRadar server, based on the QRadar offense ID that you have specified.

The output contains the following populated JSON schema:
{
"events":[
{
"qid": "",
"category": "",
"sourceip": "",
"username": "",
"magnitude": "",
"starttime": "",
"eventcount": "",
"identityip": "",
"protocolid": "",
"sourceport": "",
"logsourceid": "",
"destinationip": "",
"destinationport": "",
}
]
}

operation: Make an Ariel Query to QRadar

Input parameters

Parameter Description
Ariel Search String Ariel query that you want to be run on the QRadar server.

Output

The JSON output contains details of offenses or events depending on the query that you run on the QRadar server. QRadar uses the Ariel Query Language (AQL) to search for offenses or events based on query parameters.

The output contains a non-dictionary value.

operation: Get Offense Closing Reasons

Input parameters

None

Output

The JSON output contains a list of closing reasons associated with all offenses retrieved from the QRadar server.

The output contains the following populated JSON schema:

     "is_reserved": "", 
     "id": "", 
     "text": "", 
     "is_deleted": "" 
}

operation: Close Offense

Input parameters

Parameter: Description
Offense ID: ID of the offense that you want to close on the QRadar server.
Offense Closing Reason - ID: ID of the offense closing reason with which you want to close the offense on the QRadar server.
Closure Note (Optional): Note that you want to attach to the offense that you are closing on the QRadar server.

Output

The JSON output contains the updated details of the specified offense, retrieved from the QRadar server, including its status (which should now be closed).

The output contains the following populated JSON schema:
{
     "source_count": "", 
     "credibility": "", 
     "status": "", 
     "categories": [], 
     "protected": "", 
     "offense_source": "", 
     "event_count": "", 
     "closing_user": "", 
     "closing_reason_id": "", 
     "policy_category_count": "", 
     "last_updated_time": "", 
     "severity": "", 
     "username_count": "", 
     "description": "", 
     "assigned_to": "", 
     "destination_networks": [], 
     "security_category_count": "", 
     "start_time": "", 
     "id": "", 
     "offense_type": "", 
     "relevance": "", 
     "device_count": "", 
     "magnitude": "", 
     "domain_id": "", 
     "local_destination_address_ids": [], 
     "inactive": "", 
     "source_address_ids": [], 
     "category_count": "", 
     "source_network": "", 
     "local_destination_count": "", 
     "flow_count": "", 
     "follow_up": "", 
     "close_time": "", 
     "remote_destination_count": "" 
}

operation: Get Source IP Addresses

The offense data provided by QRadar contains the IDs of the source addresses. Use this operation to fetch the IP address details for the specified source address IDs.

Input parameters

Parameter: Description
Source Address Ids: IDs of the source addresses for which you want to retrieve IP address details from the QRadar server. For example, [3,4,5].

Output

The JSON output contains the IP address details associated with the specified source address IDs, retrieved from the QRadar server.

The output contains the following populated JSON schema:
{
     "id": "", 
     "magnitude": "", 
     "source_ip": "", 
     "network": "" 
}

operation: Get Destination IP Addresses

The offense data provided by QRadar contains the IDs of the destination addresses. Use this operation to fetch the IP address details for the specified destination address IDs.

Input parameters

Parameter: Description
Destination Address Ids: IDs of the destination addresses for which you want to retrieve IP address details from the QRadar server. For example, [3,4,5].

Output

The JSON output contains the IP address details associated with the specified destination address IDs, retrieved from the QRadar server.

The output contains the following populated JSON schema:
{
     "local_destination_ip": "", 
     "id": "", 
     "magnitude": "", 
     "network": "" 
}

operation: Invoke QRadar REST API

If you need to call a QRadar API endpoint that the provided operations do not cover, use this operation to invoke the QRadar REST API directly. Refer to the IBM documentation for more information on the QRadar REST APIs: https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/t_adm_restapi_using.html.

Input parameters

Parameter: Description
Endpoint: The REST endpoint to call. For example, siem or offenses.
Request Method: The request method. You can choose between GET and POST.
  • If you select GET, specify the Request Parameters parameter, which holds the request parameters for the specified endpoint.
  • If you select POST, specify either the Request Parameters in JSON Format parameter or the Request Payload in JSON Format parameter, which hold the request parameters or the JSON request payload for the specified endpoint.
Headers in json format (Optional): Additional JSON-formatted headers.
The following headers are already added by the connector:
'Accept': 'application/JSON', 
'Content-Type': 'application/JSON', 
'SEC': <token>,
'Version': <api_version>

Output

The JSON output contains the JSON response of the API invoked.

The output contains a non-dictionary value.

operation: Get Offense Types

Input parameters

None

Output

The JSON output contains a list containing IDs of all the offense types retrieved from the QRadar server. You can use the offense type IDs as a filter criterion in the Get Offenses operation.

The output contains the following populated JSON schema:
{
     "id": "", 
     "property_name": "", 
     "database_type": "", 
     "name": "", 
     "custom": "" 
}

operation: Manipulate Reference Set Content

Input parameters

Parameter: Description
Request Method: The option for the operation that you want to perform on the specified reference set in QRadar. You can choose from Retrieves Value, Add Value, or Delete Value.
Reference Set Name: Name of the reference set on which the operation selected in Request Method is performed.
  • If you choose Add Value as the Request Method, the operation adds the specified value to the reference set named in this field.
  • If you choose Delete Value as the Request Method, the operation deletes the specified value from the reference set named in this field.
  • If you choose Retrieves Value as the Request Method, the operation retrieves the values of the reference set named in this field.
Value: Value that you want to add to or remove from the specified reference set. This field is required if you have chosen Add Value or Delete Value as the Request Method.

Output

The output is conditional and based on the request method that you choose.

For example, if you choose Retrieves Value as the Request Method, then the output contains the following populated JSON schema:
{
     "data": [
         {
             "first_seen": "",
             "last_seen": "",
             "source": "",
             "value": ""
         }
     ],
     "message": "",
     "element_type": "",
     "timeout_type": "",
     "name": "",
     "number_of_elements": "",
     "creation_time": ""
}

If you choose Add Value or Delete Value as the Request Method, then the output contains the following populated JSON schema:
{
     "message": "",
     "element_type": "",
     "timeout_type": "",
     "name": "",
     "number_of_elements": "",
     "creation_time": ""
}
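The Close Offense, Invoke QRadar REST API and Manipulate Reference Set Content operations above all reduce to a small number of QRadar REST calls. The following added example, which is not the connector's own code, builds those calls in plain Python so the rules can be checked offline: the connector's fixed headers (Accept, Content-Type, SEC, Version) cannot be overridden by the optional header parameter; a closing reason is resolved by its text but only among reasons whose is_deleted flag is false; the Closure Note becomes a second request to the offense notes endpoint; and the three Request Method options of the reference set operation map to GET, POST and DELETE on the reference_data endpoints with the set name and value URL-encoded. The endpoint paths are the documented public QRadar REST API paths, not something the page shows the connector using; FakeReferenceSet, the closing-reason list and the token are constructed stand-ins.

```python
"""Request builders for Close Offense, Invoke QRadar REST API and reference sets (added example)."""
from urllib.parse import quote, unquote

# Headers the connector always sets itself (see "Invoke QRadar REST API").
CONNECTOR_HEADERS = ("Accept", "Content-Type", "SEC", "Version")


def build_headers(token, api_version, extra=None):
    """Merge optional user headers, refusing to override any the connector sets."""
    headers = {"Accept": "application/JSON", "Content-Type": "application/JSON",
               "SEC": token, "Version": api_version}
    fixed = {h.lower() for h in CONNECTOR_HEADERS}
    for name, value in (extra or {}).items():
        if name.lower() in fixed:
            raise ValueError(f"header {name!r} is set by the connector and cannot be overridden")
        headers[name] = value
    return headers


def resolve_closing_reason_id(closing_reasons, text):
    """ID of the non-deleted closing reason whose text matches exactly."""
    live = [r for r in closing_reasons if r["text"] == text and not r["is_deleted"]]
    if not live:
        raise LookupError(f"no active closing reason named {text!r}")
    return live[0]["id"]


def close_offense_requests(offense_id, closing_reason_id, closure_note=None):
    """(method, path, params) calls for Close Offense: status change, then the optional note."""
    if isinstance(offense_id, bool) or not isinstance(offense_id, int):
        raise ValueError("offense_id must be an integer")
    calls = [("POST", f"/api/siem/offenses/{offense_id}",
              {"status": "CLOSED", "closing_reason_id": int(closing_reason_id)})]
    if closure_note:
        calls.append(("POST", f"/api/siem/offenses/{offense_id}/notes", {"note_text": closure_note}))
    return calls


def reference_set_request(request_method, set_name, value=None):
    """Map the operation's Request Method option to one reference_data call."""
    name = quote(set_name, safe="")            # set names may contain spaces or slashes
    if request_method == "Retrieves Value":
        return ("GET", f"/api/reference_data/sets/{name}", {})
    if value in (None, ""):
        raise ValueError("Value is required for Add Value and Delete Value")
    if request_method == "Add Value":
        return ("POST", f"/api/reference_data/sets/{name}", {"value": str(value)})
    if request_method == "Delete Value":
        return ("DELETE", f"/api/reference_data/sets/{name}/{quote(str(value), safe='')}", {})
    raise ValueError(f"unknown Request Method {request_method!r}")


class FakeReferenceSet:
    """Constructed stand-in answering the three calls in the page's output shape (not QRadar)."""

    def __init__(self, name, element_type="IP"):
        self.name, self.element_type = name, element_type
        self.values = {}                        # value -> first_seen (epoch ms)
        self.clock = 1600000000000              # constructed clock

    def handle(self, method, path, params):
        self.clock += 1000
        if method == "POST":
            self.values.setdefault(params["value"], self.clock)
        elif method == "DELETE":
            self.values.pop(unquote(path.rsplit("/", 1)[1]), None)
        body = {"message": "ok", "element_type": self.element_type, "timeout_type": "FIRST_SEEN",
                "name": self.name, "number_of_elements": len(self.values),
                "creation_time": 1600000000000}
        if method == "GET":
            body["data"] = [{"value": v, "first_seen": t, "last_seen": t, "source": "FortiSOAR"}
                            for v, t in self.values.items()]
        return body
```

The header rule mirrors what the page states the connector already adds: a caller-supplied SEC or Version header is rejected rather than silently replacing the configured token or API version. Filtering on is_deleted matters because the Get Offense Closing Reasons output includes retired reasons, and closing an offense with one of those IDs is the kind of mistake that only shows up later in an audit.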

Included playbooks

The Sample - IBM QRadar - 1.3.0 playbook collection comes bundled with the IBM QRadar connector. This collection contains playbooks with steps that perform all the supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the IBM QRadar connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.


Ingesting IBM QRadar data using the Data Ingestion Wizard

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling offenses from IBM QRadar. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Process of ingesting offenses from IBM QRadar using the Data Ingestion Wizard

  1. Log on to FortiSOAR™.
  2. On the left navigation pane, click Automation > Connectors.
    On the Connectors page, you will see the list of installed connectors, either in the card view or the grid/list view.
  3. Click IBM QRadar v1.3.0.
  4. On the Connector Configuration pane, click Configure Data Ingestion to display the Data Ingestion Wizard.
  5. On the Welcome screen of the Data Ingestion Wizard, read the Prerequisites mentioned on the Welcome screen and if all the requirements to ingest data are met, click the Continue button to display the Fetch Sample Data screen. 
  6. Sample data is required to create a field mapping between your IBM QRadar data and FortiSOAR™.
    1. In the Method field, select the method to be used to create the mapping. Currently, only data ingestion using playbooks is supported, so Ingestion Playbook is selected.
    2. From the Playbook To Fetch Sample Data drop-down list, the playbook used to fetch the sample data is selected. For IBM QRadar, this is the > IBM QRadar > Fetch playbook.
    3. In the Filter_string field, type the string based on which you want to retrieve the list of offenses from IBM QRadar.  
      For example, if you want to fetch all "Open" offenses from IBM QRadar, then type status="Open" in the Filter_string field.
    4. In the QRadar_timezone field, type the timezone in which your IBM QRadar server is located. For example, UTC.
    5. In the Pull_Sample_Offense_in_Past_X_Minutes field, type the time in minutes from when you want to pull offenses from IBM QRadar.
    6. Click Continue to Field Mapping.
  7. On the Field Mapping screen, map the fields of the sample data to the fields present in FortiSOAR™ as follows: 
    1. The Field Mapping screen displays the Sample Data on the right-side and the Field Mapping (FortiSOAR™ fields) on the left-side. The sample data is in the form of a Key-Value pair.  
      From the Module drop-down list that appears next to Field Mapping, select the FortiSOAR™ module for which you want to map the fields. The default module, for example Alerts, is already selected.
      Note: If you select any module other than the default module, you must remap all the fields.
      Also, some fields such as Name and some picklists can come pre-mapped with their jinja value. You do not need to re-map these fields unless you want to override their default values.
    2. To map a field, click the key in the sample data to add jinja for the field.
      For example, map the Severity field in FortiSOAR™ by clicking severity from the IBM QRadar sample data. Once you click severity, {{vars.sourcedata["severity"]}} is added in the Severity field.
      Next, you must map the items of the picklists. For example, the Severity picklist in FortiSOAR™ has items such as Minimal, Low, Medium, High, and Critical. These picklist items can be mapped to the values defined in the source. More than one picklist item in FortiSOAR™ can map to a single source value, for example both Minimal and Low can be mapped to 3, and one picklist item in FortiSOAR™ can also map to several source values, for example Minimal severity to both 1 and 2, Low to 3 and 4, and so on.
      You can similarly map the other picklists such as Status and Type.
      The Source Field will be QRadar and you can map the Source ID field to the id field in the IBM QRadar sample data. The Source Data field, mapped to {{vars.offense_data | toJSON }} by default, contains the object of the entire offense.
    3. Once you are satisfied with the mappings, click Save and Continue.  
  8. (Optional) On the Scheduling screen, you can specify the schedule for data ingestion from the connector into FortiSOAR™, i.e., you can specify the polling frequency to IBM QRadar, so that the content gets pulled from IBM QRadar into FortiSOAR™. 
  9. The Summary screen displays a brief summary of the mapping done and it also contains links to the modified playbooks. 
  10. Click Done to complete the data ingestion. 
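The mapping rules described in steps 7 to 9 (many-to-one picklist items, Source ID taken from the offense id, Source Data holding the whole offense as JSON, timestamps interpreted in the QRadar server's time zone) can be checked in plain code before the schedule is switched on. The following is an added example, not FortiSOAR's mapping engine or the connector's playbook: the Minimal and Low severity values are the ones the page gives; the Medium, High and Critical values, the status items, the FortiSOAR field names and the sample offense are assumptions, and an unmapped source value deliberately yields None so the gap is visible rather than silently defaulted.

```python
"""Offense-to-alert field mapping in the style of the Data Ingestion Wizard (added example)."""
import json
from datetime import datetime, timezone

try:
    from zoneinfo import ZoneInfo        # Python 3.9+; only needed for non-UTC servers
except ImportError:                       # pragma: no cover
    ZoneInfo = None

# Picklist item -> source values it is mapped from (many-to-one, as the wizard allows).
# Minimal/Low follow the page's example; the other ranges are assumed.
SEVERITY_ITEMS = {"Minimal": (1, 2), "Low": (3, 4), "Medium": (5, 6), "High": (7, 8), "Critical": (9, 10)}
STATUS_ITEMS = {"Open": ("OPEN", "HIDDEN"), "Closed": ("CLOSED",)}   # assumed status mapping


def invert_picklist(items):
    """Build source value -> picklist item, rejecting a value claimed by two items."""
    lookup = {}
    for item, values in items.items():
        for value in values:
            if value in lookup:
                raise ValueError(f"source value {value!r} maps to both {lookup[value]} and {item}")
            lookup[value] = item
    return lookup


SEVERITY_LOOKUP = invert_picklist(SEVERITY_ITEMS)
STATUS_LOOKUP = invert_picklist(STATUS_ITEMS)


def epoch_ms_to_iso(ms, qradar_timezone="UTC"):
    """Render a QRadar epoch-millisecond timestamp in the server's configured time zone."""
    if qradar_timezone.upper() == "UTC":
        tz = timezone.utc
    elif ZoneInfo is None:
        raise RuntimeError("zoneinfo unavailable; only UTC is supported here")
    else:
        tz = ZoneInfo(qradar_timezone)
    return datetime.fromtimestamp(ms / 1000, tz=tz).isoformat()


def map_offense_to_alert(offense, qradar_timezone="UTC"):
    """Produce the FortiSOAR alert record for one QRadar offense dict (field names assumed)."""
    if "id" not in offense:
        raise ValueError("offense has no id, so Source ID cannot be set")
    return {
        "name": offense.get("description") or f"QRadar offense {offense['id']}",
        "severity": SEVERITY_LOOKUP.get(offense.get("severity")),   # None = unmapped source value
        "status": STATUS_LOOKUP.get(offense.get("status")),
        "source": "QRadar",
        "sourceId": str(offense["id"]),
        # Equivalent of the default {{vars.offense_data | toJSON }} mapping for Source Data.
        "sourceData": json.dumps(offense, sort_keys=True),
        "firstSeen": (epoch_ms_to_iso(offense["start_time"], qradar_timezone)
                      if "start_time" in offense else None),
    }


# Constructed sample offense in the shape of the offense output schema.
SAMPLE_OFFENSE = {"id": 17, "description": "Multiple Login Failures for the Same User",
                  "severity": 3, "status": "OPEN", "start_time": 1600000000000, "magnitude": 5}
```

Running the mapping over a handful of real offenses exported from the Fetch Sample Data step, before scheduling, is the cheapest way to catch a severity value or status that the picklist mapping does not cover; the None result makes such a gap show up as an empty field in the created alert rather than as a wrong default.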
