IBM QRadar Integration overview

IBM QRadar is an enterprise security information and event management (SIEM) product. The Security Operations QRadar Integration connects it to Security Operations so that QRadar data can enrich security incidents.

Two workflows are included in the base system:
  • Security Operations QRadar Integration - Run Enrichment for IP
  • Security Operations QRadar Integration - Security Incident Enrichment

When the Configuration Item, Source IP, and/or Destination IP fields in a security incident are modified, a business rule causes the first workflow to orchestrate REST calls to the second workflow. One call is made for each of the fields modified. The Security Incident Enrichment workflow then makes the calls to QRadar depending on the field(s) that were modified. QRadar sends the enriched data to the security incident and populates the work notes with a summary of any offenses and event flows related to the IP addresses. The summary includes links that allow you to view the data on the QRadar console.

Figure 1. Sample work notes with QRadar summary (image: sample work note summary showing QRadar enriched data)

You can also click the Get QRadar IP Summaries related link to manually kick off the workflows and pull enriched data from QRadar.
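The orchestration described above, modelled as an added example (this is not code from the ServiceNow or QRadar products): the business rule's change detection, one enrichment call per modified field, and the work-note summary with console links. The field names, the `lookupIp` client interface, the console URL pattern and the sample QRadar responses are assumptions.

```javascript
// Added example: models the enrichment flow described above, not code from the
// ServiceNow or QRadar products. Field names, the client interface and the
// console link format are assumptions.
const IP_FIELDS = ['configuration_item', 'source_ip', 'destination_ip'];

// Fields the business rule would react to: value changed and the new value is
// non-empty (an emptied field has no IP to enrich; assumed behaviour).
function modifiedIpFields(before, after) {
  return IP_FIELDS.filter((f) => before[f] !== after[f] && after[f]);
}

// First workflow: one enrichment call per modified field.
function runEnrichment(before, after, client) {
  return modifiedIpFields(before, after).map((field) => ({
    field,
    ip: after[field],
    summary: client.lookupIp(after[field]),
  }));
}

// Second workflow's output: a work-note line per IP with offense and flow
// counts and a link back to the QRadar console (placeholder URL pattern).
function formatWorkNote(results, consoleUrl) {
  return results.map((r) => {
    const s = r.summary;
    const ids = s.offenses.length ? ` (offense ids ${s.offenses.join(', ')})` : '';
    return `${r.field} ${r.ip}: ${s.offenses.length} offense(s)${ids}, ` +
      `${s.flows} event flow(s) - ${consoleUrl}/ip/${encodeURIComponent(r.ip)}`;
  }).join('\n');
}

// Constructed sample data standing in for QRadar responses.
const SAMPLE_QRADAR = {
  '192.0.2.11': { offenses: [1042, 1077], flows: 38 },
  '198.51.100.7': { offenses: [], flows: 2 },
};
const sampleClient = {
  lookupIp: (ip) => SAMPLE_QRADAR[ip] || { offenses: [], flows: 0 },
};

// Constructed incident state before and after an edit: source IP changed,
// destination IP filled in, configuration item untouched.
const before = { configuration_item: '10.0.0.5', source_ip: '192.0.2.10', destination_ip: '' };
const after = { ...before, source_ip: '192.0.2.11', destination_ip: '198.51.100.7' };
const results = runEnrichment(before, after, sampleClient);
console.log(formatWorkNote(results, 'https://qradar.example/console'));
```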

Note: If the Use default workflows check box on the QRadar Configuration screen is not selected, the workflows do not run and the related link is not displayed.