
Integrate Contrast Security ADR with IBM QRadar® (Northstar)

The Contrast Security ADR integration with IBM QRadar® enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, the Contrast Security ADR for QRadar app sends detected attack events from the Contrast Security platform to an Event Collector.

The Contrast Security ADR for QRadar application on exchange.xforce.ibmcloud.com enables QRadar to:

  • Parse and normalize the data received over the HTTP Receiver

  • Display Contrast Security ADR dashboards, reports, and searches in QRadar

  • (On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents

  • Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents

Before you begin

Before you start, you must have:

  • IBM QRadar 7.5. See the IBM QRadar installation guide for information.

  • Applications instrumented with a Contrast Security agent

Install the Contrast Security ADR for IBM QRadar application

  1. Follow the steps outlined in the IBM QRadar documentation.

  2. Continue with Configure Log Source in IBM QRadar.

Configure Log Source in IBM QRadar

See the IBM documentation for setting up a QRadar log source.

  1. Log in to IBM QRadar.

  2. Go to Admin > Data Sources > Events > Log Sources.

  3. Configure a Gateway Log Source; this is the Log Source that Contrast Security ADR will point to. Select Add Quick Log Source (or New Log Source) with the following configuration:

    • Log Source Type: Contrast ADR DSM

    • Protocol Type: HTTP Receiver

    • Log Source Identifier: contrast_adr

    • Coalescing Events: Off (recommended)

    • Communication Type: HTTPS

    • Authentication Parameters

    • Event Parsing Method: Event Per HTTP Post

    • Use As A Gateway Log Source: On

      • Use Predictive Parsing: Off

      • Log Source Identifier Pattern:

        contrast_adr_incidents=incidentId
        contrast_adr_attackevents=eventUuid

  4. Create a dedicated Log Source to ingest attack events from the Gateway Log Source. Select Add Quick Log Source (or New Log Source) with the following configuration:

    • Log Source Type: Contrast ADR Incidents

    • Protocol Type: Syslog

    • Extension: ContrastADRIncidentsCustom_ext

    • Coalescing Events: Off (recommended)

    • Log Source Identifier: contrast_adr_incidents

    • Incoming Payload Encoding: UTF-8

Important

  • Administrators who want to enable authentication on the HTTP Receiver Log Source using custom HTTP authentication headers (see the IBM documentation for HTTP Receiver protocol configuration options) should configure Contrast Security ADR using the Universal ADR Forwarder, which lets them specify the custom headers to match their configuration. Disregard step 3 and follow the instructions in the ADR Universal Forwarder documentation.

  • The configuration above is designed to minimize the number of ports that must be exposed on the QRadar Log Collector side. However, administrators who do not want to use a Gateway Log Source can configure individual Contrast ADR DSM and Contrast ADR Incidents Log Sources directly using the HTTP Receiver protocol. For this configuration, disregard step 3 and follow the instructions in the ADR Universal Forwarder documentation.

Configure Contrast Security ADR to send attack events to IBM QRadar

Configure the integration in Contrast Security to send attack events to the IBM QRadar app.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the IBM QRadar option under the ADR Integrations section.

  3. Under the IBM QRadar fields, enter the URL for the destination. Make sure the URL includes the destination port as defined for the Gateway Log Source in Configure Log Source in IBM QRadar.

  4. Select Save.
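The two settings most likely to be misconfigured in this procedure are the Gateway Log Source's Log Source Identifier Pattern (step 3 of Configure Log Source in IBM QRadar) and the destination URL entered in Contrast (step 3 above). The following Python script is an added example, not code from Contrast Security or IBM: it simulates how a gateway applies the identifier pattern lines from this page (each line read as identifier=regex, the regex tested against the raw event payload, first match wins, which is an assumption about QRadar's semantics stated here for illustration) to constructed sample payloads, and it checks that a destination URL uses HTTPS and carries an explicit port. The hostname and port in the sample URL are placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Log Source Identifier Pattern exactly as configured on the Gateway Log Source.
# Assumed semantics: one <identifier>=<regex> rule per line, matched against the
# raw payload; the first rule whose regex matches assigns the identifier.
IDENTIFIER_PATTERN = """
contrast_adr_incidents=incidentId
contrast_adr_attackevents=eventUuid
"""


def parse_identifier_pattern(text):
    """Turn the pattern text into an ordered list of (identifier, compiled regex)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank or malformed line: ignored, just like a comment
        identifier, regex = line.split("=", 1)
        rules.append((identifier.strip(), re.compile(regex.strip())))
    return rules


def route_payload(payload, rules):
    """Return the log source identifier the gateway would assign, or None if no rule matches."""
    for identifier, regex in rules:
        if regex.search(payload):
            return identifier
    return None


def validate_destination_url(url):
    """Check the URL Contrast posts to: HTTPS (Communication Type) and an explicit port."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https to match Communication Type: HTTPS")
    if not parts.hostname:
        problems.append("URL has no host")
    if parts.port is None:
        problems.append("URL must include the HTTP Receiver port")
    return problems


# Constructed sample payloads (not real Contrast events). With Event Parsing Method
# set to "Event Per HTTP Post", each of these would arrive as its own POST body.
SAMPLE_PAYLOADS = {
    "incident": json.dumps({"incidentId": "inc-0001", "severity": "HIGH", "application": "demo-app"}),
    "attack_event": json.dumps({"eventUuid": "00000000-0000-0000-0000-000000000001", "rule": "demo-rule"}),
    "unknown": json.dumps({"message": "heartbeat"}),
}


def route_samples():
    """Apply the page's pattern to every constructed payload; returns name -> identifier."""
    rules = parse_identifier_pattern(IDENTIFIER_PATTERN)
    return {name: route_payload(payload, rules) for name, payload in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, identifier in route_samples().items():
        print(f"{name:12s} -> {identifier}")
    # Placeholder host and port; substitute the Gateway Log Source's real address.
    for url in ("https://qradar-collector.example.internal:8443", "https://qradar-collector.example.internal"):
        print(url, validate_destination_url(url) or "ok")
```

Running the script shows the incident payload routed to contrast_adr_incidents, the attack event to contrast_adr_attackevents, and the heartbeat to no identifier at all, which is the case to watch for in QRadar's log source management when events appear unparsed. The second URL fails the port check, which is the omission step 3 warns against.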
