This category contains integration scenarios that use IBM Security Intelligence products.
System Integrations Courses:
This lab demonstrates bidirectional integration of IBM® QRadar® SIEM and IBM® Guardium®. QRadar SIEM collects the logs from various devices in enterprise networks. The logs are received through connectors called Device Support Module (DSM). QRadar has a DSM for Guardium. That DSM enables QRadar to receive and process logs from Guardium.
Alternatively, Guardium has an API that provides an option for QRadar to react to certain events detected by QRadar, and send Guardium those commands to adjust the database policy to properly react to the event. For example, if QRadar detects that the source IP from an internal network is communicating with an IP address classified as the Botnet Server, it can send a command to Guardium to block any access to the database from the same IP address. The call from QRadar to Guardium can be done using the Custom Actions feature of QRadar or using IBM Security Directory Integrator® (IDI) that acts as the proxy; transforming various events from QRadar into Guardium API calls.
This IDI solution uses custom
developed code that IBM provides as-is without any support and
maintenance commitments. You can download the code from the Security
Learning Academy in the Additional Resources section of this course.
This course teaches you how to take advantage of the information posted in IBM X-Force Exchange (XFE) platform by using the API, curl tool, and python language.
The course also demonstrates integration between XFE and QRadar SIEM using XFE SDK and direct integration or Threat Intelligence Application and TAXII endpoints.
- Learn how to leverage the X-Force Exchange API, curl tool, and python scripts to pull threat data from the X-Force Exchange platform
- Install the Threat Intelligence app in QRadar SIEM
- Test the API using online documentation
- Use curl commands and the X-Force Exchange API documentation to simulate browser requests
- Write a python script that uses X-Force Exchange API code
- Use TAXII feeds, collections, and the QRadar Threat Intelligence app to integrate the X-Force Exchange API and QRadar SIEM
- Configure threat data feeds to monitor and detect ransomware outbreaks
This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Based on the QRadar correlation rule engine (CRE), the product can generate offenses that require the attention of a security analyst.
- The IBM Resilient QRadar Integration app
The app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient as well as synchronizing notes, and synchronizing closure of the incident or the offense on the both platforms.
- The QRadar Functions for Resilient app
The app installs on the Resilient App Host. The app can run the searches of QRadar data by using QRadar Ariel Query Language (AQL) and API calls to perform updates of QRadar configuration such as manipulation of the data in the QRadar reference sets.
Some of the topics covered in the lab are:
- Install QRadar app for Resilient
- Configure QRadar app for Resilient
- Customize the Resilient configuration
- Customize the Jinja templates
- Configure Custom Actions and synchronization
- Install QRadar functions for Resilient
- Create table with artifacts by using the QRadar functions
- Create action to search QRadar for file hashes from a log source
- Test the apps integration and customization using the QRadar offenses
IBM Security Guardium is a data security and data privacy solution that helps ensure the integrity of data that is stored on servers. Guardium uses policies to monitor data servers and act when it detects suspicious database activity, such as:
- Failed logins
- Unauthorized access
- SQL Error codes such as SQL injection attacks
- Users trying to escalate their privileges
- Users trying to indirectly access sensitive data
The Guardium S-TAP agent monitors the data servers that host the sensitive data and report database activity to a Guardium Collector. The Guardium Collector applies policies to the database activity. When a policy rule is triggered, the Guardium Collector can use the system log to send an alert to IBM Security QRadar security information and event management (SIEM). QRadar receives the alert through a connector, which is called the Guardium device support module (DSM), and displays it in a console.
In this lab, you integrate Guardium and QRadar to display an event in the QRadar SIEM console when a suspicious user attempts to read or manipulate sensitive data.