QRadar Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.4.0 |
Compatible with ThreatQ Versions | >= 4.26.0 |
Support Tier | ThreatQ Supported |
Introduction
The QRadar Operation provides a historical lookup of events related to IP Address, FQDN, and URL type Indicators.
The operation provides the following action:
- Search - performs a historical lookup of events related to the submitted object.
The operation is compatible with IP Address, FQDN, and URL type Indicators.
Prerequisites
Review the following requirements before attempting to install or upgrade the QRadar operation.
QRadar Authentication Token
You must have a valid QRadar Authorization Token for each of the QRadar systems you want to run the operation against. You can generate an Auth Token in the QRadar UI by navigating to Admin > Authorized Services > Add Authorized Services.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Host Configuration | Enter your host and sec_token configuration settings in the field provided. Each entry should contain the fields listed below this table. |
Days to Search | The number of days for the historical lookup. |
Record Limit | Enter a value to limit the return results. The default value is 100. |
Verify SSL | Enable this option to verify SSL when connecting to QRadar. |
First Results | Enable this option to see the 100 earliest results. If this option is not enabled, you will see the 100 latest results. |

Each Host Configuration entry should contain the following:
- QRadar Instance Name - the name that you want it to show up as in the system. Note that at least the first 10 characters should be unique.
- host - the host (with scheme) to the QRadar instance you want to run the operation against.
- sec_token - the authorized service token from the QRadar instance you want to run the operation against.

Example:

```
QRadar 1:
  host: https://10.10.10.10
  sec_token: 5b579449-5864-4a17-8dcf-82865ea89244
QRadar 2:
  host: https://10.10.10.11
  sec_token: 8dcf5864-9449-5b57-5ea8-4a1792448286
```

- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Search | Performs a historical lookup of events related to the submitted object. | Indicator | IP Address, FQDN, URL |
Run Parameters
The following parameters are available when you select the operation's action to run against an object:
Parameter | Description |
---|---|
Days to Query | Enter how many days back from the current date to query. The value is limited by the Days to Search parameter set on the operation's configuration settings. |
Start Date | Start date for a date range query. Format must be Y-m-d H:M:S (Example: 2022-01-01 00:00:00) |
End Date | End date for a date range query. Format must be Y-m-d H:M:S (Example: 2022-01-01 00:00:00) |
Dry Run | Disable this option in order to automatically upload returned indicators to ThreatQ. |
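The Host Configuration rules above (host with scheme, unique first 10 characters of the instance name) and the Search action's run-parameter rules (Days to Query capped by Days to Search, dates in Y-m-d H:M:S format) are easy to get wrong when several appliances are configured at once. The following is an added example, not code from ThreatQuotient or the operation itself, that parses a constructed Host Configuration block in the layout of the guide's example, enforces those rules before anything is sent to QRadar, and resolves the run parameters into a query window. The instance names, hosts and tokens are constructed placeholders; the precedence of Start/End Date over Days to Query, and the warnings about Verify SSL and plain-http hosts, are assumptions of this example rather than documented behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of the Host Configuration field, laid out the way the
# guide's example is (instance name, then its host and sec_token).
# The tokens are made-up placeholders, not real authorized-service tokens.
SAMPLE_HOST_CONFIG = """\
QRadar 1:
  host: https://10.10.10.10
  sec_token: 00000000-0000-0000-0000-000000000001
QRadar 2:
  host: https://10.10.10.11
  sec_token: 00000000-0000-0000-0000-000000000002
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # strptime form of the guide's "Y-m-d H:M:S"
NAME_PREFIX_LEN = 10               # guide: the first 10 characters must be unique


@dataclass
class QRadarInstance:
    name: str
    host: str
    sec_token: str


def parse_host_config(text):
    """Parse a Host Configuration block into QRadarInstance entries.

    Assumes the layout of the guide's example: an unindented 'Name:' line
    followed by indented 'host:' and 'sec_token:' lines for that instance.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # an unindented line starts a new instance
            current = {"name": raw.strip().rstrip(":").strip()}
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"field before any instance name: {raw.strip()!r}")
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"{current['name']}: malformed line {raw.strip()!r}")
        current[key.strip()] = value.strip()

    instances = []
    for entry in entries:
        missing = [k for k in ("host", "sec_token") if not entry.get(k)]
        if missing:
            raise ValueError(f"{entry['name']}: missing {', '.join(missing)}")
        instances.append(QRadarInstance(entry["name"], entry["host"], entry["sec_token"]))
    validate_instances(instances)
    return instances


def validate_instances(instances):
    """Enforce the two rules the guide states for Host Configuration entries:
    the host must carry a scheme, and the first 10 characters of each
    instance name must be unique across instances."""
    seen = {}
    for inst in instances:
        parsed = urlparse(inst.host)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            raise ValueError(f"{inst.name}: host must include a scheme, got {inst.host!r}")
        prefix = inst.name[:NAME_PREFIX_LEN]
        if prefix in seen:
            raise ValueError(
                f"{inst.name!r}: first {NAME_PREFIX_LEN} characters clash with {seen[prefix]!r}")
        seen[prefix] = inst.name


def config_warnings(instances, verify_ssl):
    """Checks worth surfacing before the operation is enabled (an addition of
    this example, not rules from the guide): with Verify SSL disabled or a
    plain-http host, the sec_token can be intercepted in transit."""
    warnings = []
    if not verify_ssl:
        warnings.append("Verify SSL is disabled: QRadar certificates will not be checked")
    for inst in instances:
        if urlparse(inst.host).scheme == "http":
            warnings.append(f"{inst.name}: plain http host sends sec_token unencrypted")
    return warnings


def resolve_window(days_to_search, days_to_query=None, start_date=None, end_date=None, now=None):
    """Turn the Search action's run parameters into a (start, end) pair.

    Days to Query is capped by the operation's Days to Search setting, as the
    guide states. Start/End Date must use the Y-m-d H:M:S format; when given,
    they take precedence over the day count (an assumption of this example).
    """
    now = now or datetime.now()
    if start_date or end_date:
        if not (start_date and end_date):
            raise ValueError("Start Date and End Date must be supplied together")
        start = datetime.strptime(start_date, DATE_FORMAT)  # ValueError on a bad format
        end = datetime.strptime(end_date, DATE_FORMAT)
        if end <= start:
            raise ValueError("End Date must be later than Start Date")
        return start, end
    days = days_to_search if days_to_query is None else min(days_to_query, days_to_search)
    if days <= 0:
        raise ValueError("the query window must be at least one day")
    return now - timedelta(days=days), now


if __name__ == "__main__":
    instances = parse_host_config(SAMPLE_HOST_CONFIG)
    for inst in instances:
        print(inst.name, "->", inst.host)
    print(config_warnings(instances, verify_ssl=False))
    start, end = resolve_window(days_to_search=30, days_to_query=90)
    print("window:", start, "to", end)
```

Running the block prints the two parsed instances, a warning for the disabled Verify SSL option, and a 30-day window even though 90 days were requested, because Days to Search caps the request. A name clash such as "QRadar Prod A" and "QRadar Prod B" (identical first 10 characters) is rejected at parse time rather than surfacing as a mis-routed search later.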
Known Issues / Limitations
- Version 1.3.0 introduced the ability to run the operation against multiple instances at one time. You may experience technical limitations when performing the operation against more than one appliance.
Change Log
- Version 1.4.0
- You are no longer required to create and link a separate configuration file in order to install/use the operation. This information can now be entered from the configuration screen via the new Host Configuration parameter field.
- Removed the Config parameter from the configuration screen.
- Added Host Configuration parameter field to the configuration screen.
- Added the following run configuration parameters for the Search action:
- Dry Run
- Days to Query
- Start Date
- End Date
See the Run Parameters section of this guide for more details.
- Version 1.3.1
- Fixed a dependency issue.
- Version 1.3.0
- Added the ability to allow the operation to be run against multiple instances at the same time.
- Version 1.2.2
- Modified the SQL query.
- Improved Logging.
- Added new configuration option, Limit, to allow you to limit the number of records returned.
- Version 1.2.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
QRadar Operation Guide v1.4.0 | 4.26.0 or Greater |
QRadar Operation Guide v1.3.1 | 4.26.0 or Greater |
QRadar Operation Guide v1.3.0 | 3.6.0 or Greater |
QRadar Operation Guide v1.2.0 | 3.6.0 or Greater |