System Integrations
This category contains integration scenarios that use IBM Security Intelligence products.
System Integrations Courses:
Experts from the IBM Resilient and QRadar Support teams show the SOC analyst how to safely and effectively troubleshoot their Resilient integration with QRadar when issues arise. This video is a recording of a live Open Mic web seminar originally broadcast
on 29-July-2020.
Agenda:
- How to enable debug and retrieve logs
- Checking connectivity
- How to read the logs
- Using the IBM QRadar API
- Common errors
- Opening a case, what next?
- Questions for the panel
Duration: 26minutes
This video presented by Jose Bravo discusses a technique to use Guardium Data Encryption and QRadar to help protect against ransomware.
This course demonstrates integration between IBM Security Secret Server
and IBM Security QRadar SIEM. You use Secret Server to manage privileged
user account activity, which is reported to QRadar in syslog events.
In
the course demonstration, syslog CEF logging is enabled in Secret
Server, and QRadar is configured to parse and normalize the events that
are received from Secret Server. As part of the course, a custom content
extension is provided, which contains over 170 mapped events from the
Secret Server. In addition, the extension has one custom rule, two
reference sets, two custom search queries, and one log source type named
SecretServer_SLA.
The purpose of this custom extension is to show how Secret Server can help you investigate some critical activities.
This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The
IBM QRadar SIEM solution helps you monitor and detect security threats.
Based on the QRadar correlation rule engine (CRE), the product can
generate offenses that require the attention of a security analyst.
- The IBM Resilient QRadar Integration app
The app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient as well as synchronizing notes, and synchronizing closure of the incident or the offense on the both platforms. - The QRadar Functions for Resilient app
The app installs on the Resilient App Host. The app can run the searches of QRadar data by using QRadar Ariel Query Language (AQL) and API calls to perform updates of QRadar configuration such as manipulation of the data in the QRadar reference sets.
Some of the topics covered in the lab are:
- Install QRadar app for Resilient
- Configure QRadar app for Resilient
- Customize the Resilient configuration
- Customize the Jinja templates
- Configure Custom Actions and synchronization
- Install QRadar functions for Resilient
- Create table with artifacts by using the QRadar functions
- Create action to search QRadar for file hashes from a log source
- Test the apps integration and customization using the QRadar offenses
IBM Security Guardium is a data security and data privacy solution that helps ensure the integrity of data that is stored on servers. Guardium uses policies to monitor data servers and act when it detects suspicious database activity, such as:
- Failed logins
- Unauthorized access
- SQL Error codes such as SQL injection attacks
- Users trying to escalate their privileges
- Users trying to indirectly access sensitive data
The Guardium S-TAP agent monitors the data servers that host the sensitive data and report database activity to a Guardium Collector. The Guardium Collector applies policies to the database activity. When a policy rule is triggered, the Guardium Collector can use the system log to send an alert to IBM Security QRadar security information and event management (SIEM). QRadar receives the alert through a connector, which is called the Guardium device support module (DSM), and displays it in a console.
In this lab, you integrate Guardium and QRadar to display an event in the QRadar SIEM console when a suspicious user attempts to read or manipulate sensitive data.