This guide walks you through creating a QRadar Service Token, an HTTP Receiver log source, and gathering the configuration needed to create a QRadar SIEM integration.

Configure a new QRadar Service Token

1. Log in to QRadar as an administrator

Once logged in, navigate to the Admin tab to create the service token.

2. Create the Service Token

Follow the QRadar documentation for creating a service token.

To limit the data returned when querying events and investigations, click the 'Manage Security Profiles' link and create a new security profile with the desired access, or just use the default 'Admin' profile.

Choose a user role, or click 'Manage User Roles' to create a new user role. If you create a role it must have the following permissions:

  • Offenses
    • Assign Offenses to Users
    • Manage Offense Closing Reasons
  • Log Activity
    • Manage Time Series
    • User Defined Event Properties
    • View Custom Rules
  • Network Activity
    • Manage Time Series
    • User Defined Flow Properties
    • View Flow Content
    • View Custom Rules
  • Assets
    • View VA Data

Once the Service Token is created, copy the string from the Selected Token field to a safe location.

You can stop following the QRadar instructions once the Service Token is created; you do not need to add the token in the 'Operations' section.

3. Deploy the changes

On the QRadar Admin tab click 'Deploy Changes' and wait for the updates to propagate to your QRadar installation.

Configure QRadar to receive data

4. Open the Log Source Management tool

Navigate to the Admin tab and click 'QRadar Log Source Management'. Click 'Log Sources' to enter the log source management tool.

5. Create a new HTTP Receiver log source

Follow the instructions for creating a new Log Source.

Choose 'Single Log Source'

If you have created a DSM for OCSF events, choose the OCSF log source type, otherwise choose Universal DSM or the DSM you would like to use and then click 'Select Protocol Type'.

Search for 'HTTP Receiver' and choose the 'HTTP Receiver' log source type. Select it and click 'Configure Log Source Parameters'.

Provide a name and description for the log source. Configure any additional parameters if desired, then click 'Configure Protocol Parameters'.

Provide a log source identifier. Choose a port number on which to receive events and note it in a safe location.

Set the 'Message Pattern' to "\n"; this will split events on new lines.

Choose 'Skip Test and Finish' to create the new log source.

Close the Log Source Management window.

6. Deploy the changes

On the QRadar Admin tab click 'Deploy Changes' and wait for the updates to propagate to your QRadar installation.

Configure the Integration

Create your integration by supplying all of the required and any desired optional values.

URL: The root URL for the QRadar installation. This is the root URL only, without any path components, and must be HTTPS. For example, "https://qradar.westus2.cloudapp.azure.com".

Token: The Service Token value gathered in step 2.

Collection Port: The collection port number gathered in step 5.

Skip TLS Verify (Optional): If this is a test instance of QRadar using a self-signed TLS certificate, you can set this to true. This should not be used in production. If you are unsure, leave the default value of 'false'.
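As an added example that is not part of this guide or of QRadar itself, the following Python script checks the values gathered in steps 2 and 5 before you fill in the integration form: the URL must be HTTPS with no path components, the token must be present, the collection port must be a valid TCP port, and Skip TLS Verify should only ever disable certificate checking when you set it explicitly. It also shows why the "\n" Message Pattern from step 5 is safe with JSON events: one event per line, with embedded newlines escaped so the receiver never splits an event in two. The SEC header is what QRadar's REST API uses to carry a service token; the collection URL (root path on the collection port) and the host name, port and token values are constructed for the example.

```python
"""Pre-flight checks for the QRadar integration settings (added example)."""
import json
import ssl
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class QRadarSettings:
    """The values the integration form asks for; names follow the guide."""
    url: str                       # root URL, HTTPS, no path components
    token: str                     # Service Token copied in step 2
    collection_port: int           # HTTP Receiver port chosen in step 5
    skip_tls_verify: bool = False  # only for a test instance with a self-signed cert


def validate_settings(s: QRadarSettings) -> List[str]:
    """Return the problems found; an empty list means the values are usable."""
    problems: List[str] = []
    parts = urlsplit(s.url)
    if parts.scheme != "https":
        problems.append("URL must use https")
    if not parts.hostname:
        problems.append("URL must include a host name")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("URL must be the root URL only, without path components")
    if not s.token.strip():
        problems.append("Token is required (the Service Token from step 2)")
    if not 1 <= s.collection_port <= 65535:
        problems.append("Collection Port must be a TCP port between 1 and 65535")
    return problems


def build_api_headers(token: str) -> Dict[str, str]:
    """Headers for QRadar's REST API; the service token travels in the SEC header."""
    return {"SEC": token, "Accept": "application/json"}


def collection_url(s: QRadarSettings) -> str:
    """Where events are POSTed. Assumption: the HTTP Receiver listens at the
    root path on the collection port of the same host as the root URL."""
    host = urlsplit(s.url).hostname
    return f"https://{host}:{s.collection_port}/"


def tls_context(s: QRadarSettings) -> ssl.SSLContext:
    """Default context verifies the chain and host name; Skip TLS Verify disables both."""
    ctx = ssl.create_default_context()
    if s.skip_tls_verify:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def encode_events(events: List[dict]) -> bytes:
    """Serialize events as one JSON document per line to match the "\\n" Message
    Pattern. json.dumps escapes newlines inside string values, so the receiver's
    split-on-newline rule can never cut a single event in two."""
    lines = [json.dumps(e, separators=(",", ":")) for e in events]
    for line in lines:
        if "\n" in line:  # defensive: would be split into two broken events
            raise ValueError("event serialization must not contain a raw newline")
    return ("\n".join(lines) + "\n").encode("utf-8")


def split_events(body: bytes) -> List[dict]:
    """Re-apply the receiver's split-on-newline rule to confirm a batch round-trips."""
    return [json.loads(line) for line in body.decode("utf-8").split("\n") if line]


if __name__ == "__main__":
    # Constructed sample values, not a real installation.
    settings = QRadarSettings("https://qradar.westus2.cloudapp.azure.com",
                              "SERVICE-TOKEN-PLACEHOLDER", 12468)
    print("problems:", validate_settings(settings) or "none")
    print("collection URL:", collection_url(settings))
    batch = encode_events([{"class_name": "Authentication", "message": "line one\nline two"},
                           {"class_name": "Process Activity"}])
    print("events per line round-trip:", len(split_events(batch)))
```

Run the script as-is to see the checks against the constructed values, or construct a `QRadarSettings` from the values you copied in steps 2 and 5 and look at what `validate_settings` returns before creating the integration.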