Integrating IBM QRadar with Energy SOAR

You can create Energy SOAR alerts from QRadar offenses (alerts). Furthermore, when a case or alert related to a QRadar offense is closed in Energy SOAR, the offense is closed in QRadar automatically as well.
The integration uses the QRadar REST API.

Automatic alert creation
A POST request creates the alert in Energy SOAR. The new alert contains metadata about the offense, the logs that triggered it and a link to open the offense in QRadar. Observables such as IP addresses are added automatically when the alert is promoted to a case.


Closing QRadar offense from Energy SOAR
When an analyst wants to close a case on the Energy SOAR side, they do not need to connect to QRadar to close the offense, because the system does it automatically.
Energy SOAR closes the related offense in QRadar when:

  • a QRadar alert is marked as read,
  • a case, opened from a QRadar alert, is closed,
  • a case, created from merged cases where at least one of them is related to a QRadar alert, is closed.

Configuration
The configuration is pretty straightforward.

  1. QRadar server
    Fill in the FQDN or the IP address of QRadar. The value is used both to call the QRadar API and to generate the URL of each offense.
    Example:
    server: qradar.acme.com OR server: 10.0.0.44
  2. QRadar Auth token
    The API is used to get and close offenses. To authenticate against the API, generate an authorized service token in QRadar and fill in the auth_token option with it.
    Example:
    auth_token:0d3bcc3e-d46f-4e8b-a434-e1027776cc96
  3. QRadar certificate
    You need to provide the QRadar certificate to Energy SOAR to avoid any SSL issues.
    To do so:
      • Go to the QRadar web interface.
      • Extract the certificate from your browser (Base64 format).
      • Upload it to the Energy SOAR server.
      • Put the full file path of the certificate in the config file.
    Example:
    cert_filepath:/opt/cert/qradar.crt
  4. QRadar API version
    Because QRadar supports several API versions, you can choose which one to use.
    By default, version 8.0 is used; you can normally keep this setting unchanged.
    Example:
    api_version:8.0
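As an added example (not Energy SOAR's own code), the following shows how the four settings above map onto the QRadar REST call that closes an offense: the token goes in the SEC header, the API version in the Version header, and the uploaded certificate is used to verify TLS instead of disabling verification. The endpoint and headers are QRadar's documented API; the config dict, the function names and the sample values are this example's own.

```python
"""Close a QRadar offense over the REST API using the page's four settings."""
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample configuration mirroring the examples on the page.
SAMPLE_CONFIG = {
    "server": "qradar.acme.com",
    "auth_token": "00000000-0000-0000-0000-000000000000",  # placeholder token
    "cert_filepath": "/opt/cert/qradar.crt",
    "api_version": "8.0",
}


def build_close_request(config, offense_id, closing_reason_id):
    """Return (url, headers) for POST /api/siem/offenses/{id}.

    QRadar takes the status change as query parameters; a CLOSED status
    must be accompanied by a closing_reason_id. The offense id is checked
    to be an integer so a malformed value cannot alter the request path.
    """
    if not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    if not isinstance(closing_reason_id, int) or closing_reason_id < 0:
        raise ValueError("closing_reason_id must be a non-negative integer")
    query = urllib.parse.urlencode(
        {"status": "CLOSED", "closing_reason_id": closing_reason_id})
    url = f"https://{config['server']}/api/siem/offenses/{offense_id}?{query}"
    headers = {
        "SEC": config["auth_token"],       # authorized service token
        "Version": config["api_version"],  # pin the REST API version
        "Accept": "application/json",
    }
    return url, headers


def close_offense(config, offense_id, closing_reason_id, timeout=30):
    """Send the close request, trusting only the uploaded QRadar certificate."""
    url, headers = build_close_request(config, offense_id, closing_reason_id)
    ctx = ssl.create_default_context(cafile=config["cert_filepath"])
    req = urllib.request.Request(url, method="POST", headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)  # the updated offense object from QRadar
```

Call close_offense(SAMPLE_CONFIG, offense_id, closing_reason_id) with the real server, token and certificate path; the closing reason ids are those defined in your QRadar instance.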