Activate and configure the IBM QRadar SIEM integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Security Operations QRadar Integration.

Before you begin

Role required: admin
Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

Procedure

  1. Navigate to Security Operations > Integration Configuration.
    The available security integrations appear as a series of cards.
    [Image: IBM QRadar integration card]
  2. In the QRadar card, click Install Plugin.
  3. In the Install IBM QRadar - Enrichment integration dialog box, review the plugin details and click Activate.
  4. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the Configure button for the integration is available.
  5. Click Configure.
  6. Fill in the fields on the form, as appropriate.
    Field: Description
    Endpoint base: Enter the base URL for QRadar. For example, if the REST endpoint is https://qradar.secops-snc.com/api/siem/source_addresses, the endpoint base is https://qradar.secops-snc.com.
    QRadar Username: The user name of the QRadar administrator who has access to the Offenses tab in QRadar.
    QRadar Password: The password of the QRadar administrator who has access to the Offenses tab in QRadar.
    Use MID server: If QRadar is not directly reachable from the Internet, select this check box to proxy requests through the MID Server.
    Use default workflows: Select this check box to use the QRadar - Security Incident Enrichment workflow to automate the pulling of QRadar data.
  7. Click Submit.
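
The Endpoint base value in step 6 can be derived and sanity-checked before it is pasted into the form. The following is an added example, not part of the product or its documentation: the function name `endpoint_base` and the rules it enforces (HTTPS only, no credentials embedded in the URL) are assumptions chosen for this check, and the URLs other than the one quoted in step 6 are constructed samples.

```python
from urllib.parse import urlsplit


def endpoint_base(rest_url: str) -> str:
    """Reduce a QRadar REST URL to scheme://host[:port] for the Endpoint base field.

    Raises ValueError for values that should not be entered in the form.
    """
    parts = urlsplit(rest_url.strip())

    # The form's QRadar administrator credentials are used against this host,
    # so this check (an assumption of the example) refuses cleartext or
    # scheme-less values.
    if parts.scheme.lower() != "https":
        raise ValueError("endpoint must start with https://")

    # Credentials belong in the QRadar Username / QRadar Password fields,
    # not in the URL, where they would be stored with the endpoint.
    if parts.username is not None or parts.password is not None:
        raise ValueError("remove user:password@ from the URL")

    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("no host name found in URL")

    try:
        port = parts.port  # raises ValueError if not a valid port number
    except ValueError as exc:
        raise ValueError("invalid port in URL") from exc

    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"

    # Path, query and fragment are dropped: only the base is entered.
    base = f"https://{host}"
    if port not in (None, 443):
        base += f":{port}"
    return base


if __name__ == "__main__":
    # The REST endpoint quoted in step 6 of the procedure.
    print(endpoint_base("https://qradar.secops-snc.com/api/siem/source_addresses"))
```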