
QRadar Integration Guide Version 1.0

Onapsis Security Platform

Copyright © 2016, Onapsis and/or its affiliates. All rights reserved.

The Products (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Products, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Products, no part of these Products may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this documentation may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Onapsis, Inc.

Onapsis may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this documentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this documentation does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Onapsis is a registered trademark of Onapsis Inc. and/or its affiliates.

All other trademarks are property of their respective owners.

3 | P a g e

Onapsis Security Platform QRadar Integration Guide

Table of Contents

Table of Contents ........................................ 3
About this Guide ......................................... 4
    Overview of this Guide ............................... 4
    Audience ............................................. 4
    If You Need Assistance ............................... 4
Manage QRadar Integration ................................ 5
    Overview of QRadar Integration ....................... 5
    Overview of the IBM QRadar Setup Process ............. 5
    Create an IBM QRadar Connection ...................... 6
    New Connector Fields ................................. 6
    Send Assess, Audit and Alarm Results to IBM QRadar ... 7
    Edit a Connection .................................... 7
    Delete a Connection .................................. 7


About this Guide

Overview of this Guide

This guide provides details on using the Onapsis Security Platform (OSP) to populate IBM® QRadar® with security events generated by the Vulnerability, Compliance and Detection capabilities of OSP. This integration reduces the time needed to carry out the analytical process, because all results and analysis from OSP are available in a single QRadar console.

Audience

This guide is written for users responsible for keeping a company secure, including, but not limited to, the following departments: Information Security, Compliance and Audit, and SAP Infrastructure and Governance.

If You Need Assistance

IBM Security QRadar products

See the "Links & Important Support Resources for IBM Security QRadar products" page available on the IBM Support site: http://www-01.ibm.com/support/docview.wss?uid=swg21616144

Onapsis Security Platform

View the complete User Guide, available in the Onapsis Customer Portal (https://portal.onapsis.com).

Contact support by email at [email protected] Monday-Friday 7am-7pm ET. Please include steps to reproduce the issue, screenshots, and indicate that you use OSP and list the version. Technical Support is unavailable during regional and major US holidays.


Manage QRadar Integration

Overview of QRadar Integration

You can send assessment scans, audit compliance results, and alarm information in real time to IBM QRadar to better analyze and gain visibility into vulnerabilities across your entire organization. The information from the scans or alarms can be compared with information from your network (such as information flows or traffic, and data about ports and protocols), asset context, events from third-party devices, feeds, and other sources to provide your company with a comprehensive security posture assessment. With this integration, you extend your existing QRadar security processes and workflows to include security and compliance information from OSP, while retaining a single reporting tool for analyzing risk within your organization.

Overview of the IBM QRadar Setup Process

1. Install the OSP IBM QRadar app from the IBM Marketplace. The app is supported on IBM QRadar version 7.2.6 or later.

   a. Download the OSP application from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/).

   b. Connect to your IBM QRadar server.

   c. Upload and install the OSP application as described here: http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.6/com.ibm.apps.doc/t_Qapps_upload.html

   d. Use the IBM Security QRadar Extension Management tool to upload your app ZIP archive directly to your QRadar Console:

      i. Click Admin tab > Extension Management.

      ii. In the Extension Management window, click Add.

      iii. Select the OSP application ZIP archive.

      iv. Select Install immediately.

      v. See the list of installation items before installation, to make sure you selected the correct app.

         Note: It can take several minutes for the app to become active.

      vi. When the installation is complete, close the Extension Management window.

   e. From the ‘Advanced’ drop-down menu at the top of the Admin page, choose the ‘Deploy Full Configuration’ option to complete the deployment of the OSP QRadar application.

      i. The deployment will ask you to confirm the full configuration deployment. Click ‘Continue’ to allow the deployment to take place.


2. The Onapsis Application for QRadar ships with a predefined log source called 'Onapsis Inc. Onapsis Security Platform'.

3. This predefined log source is already configured as required, with the exception of the Log Source Identifier, which has a dummy/placeholder value of XXX.XXX.XXX.XXX.

4. Change the Log Source Identifier value from XXX.XXX.XXX.XXX to the IP address of the user's OSP instance.

5. Set the 'Port' value to 517 to match the pre-configured log source.

Create an IBM QRadar Connection

1. Click the Settings icon, and select Settings.

2. Select the Connectors tab.

3. Click Add Connector.

4. Complete the New Connector fields for the appropriate notification type.

5. Click Save.

New Connector Fields

Field         Description

Name          The name of the connection to create. This name displays when defining actions for an alarm.

Type          The type of connection to set up: QRadar Notification.

Description   A description of the connection. Example: EMEA QRadar.

Host          Hostname or IP address of the server to connect to for sending alarms.

Port          Port number to connect to the service on the host. The default port used by the Onapsis QRadar application is 517.
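The QRadar-side log source (steps 2 to 5 of the setup process) and the OSP-side connector (the fields above) have to agree before any event is attributed to the Onapsis log source: a placeholder Log Source Identifier, or a port other than 517 on either side, silently breaks the integration. The following preflight check is an added example and not Onapsis or IBM code. It assumes that the Log Source Identifier must equal the IP address of the OSP instance, that the connector type is the literal "QRadar Notification", and that both sides use port 517 as stated in this guide; the optional reachability probe assumes TCP transport, which the guide does not specify. All sample values are constructed.

```python
"""Preflight check for the OSP-to-QRadar settings described in this guide.

Added example, not Onapsis or IBM code. Assumptions: the QRadar Log Source
Identifier must equal the OSP instance address, both sides use port 517, the
connector type is the literal "QRadar Notification", and (for the live probe
only) events are delivered over TCP.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import List

PLACEHOLDER_IDENTIFIER = "XXX.XXX.XXX.XXX"  # value shipped in the predefined log source
EXPECTED_PORT = 517                          # port used by the Onapsis QRadar application
CONNECTOR_TYPE = "QRadar Notification"       # assumed literal for the connector Type field


@dataclass
class QRadarLogSource:
    """The two fields of the predefined log source that the guide asks you to check."""
    identifier: str
    port: int


@dataclass
class OspConnector:
    """The New Connector fields from the OSP Settings > Connectors tab."""
    name: str
    type: str
    description: str
    host: str
    port: int


def check_integration(log_source: QRadarLogSource, connector: OspConnector,
                      osp_address: str) -> List[str]:
    """Return a list of configuration problems; an empty list means both sides agree.

    Each problem is phrased as the symptom a defender would otherwise hunt for:
    events never mapped to the Onapsis log source, or a connector on the wrong port.
    """
    problems: List[str] = []

    # Setup steps 3 and 4: the placeholder must be replaced with the OSP instance IP.
    if log_source.identifier == PLACEHOLDER_IDENTIFIER:
        problems.append("Log Source Identifier still holds the placeholder XXX.XXX.XXX.XXX")
    else:
        try:
            ipaddress.ip_address(log_source.identifier)
        except ValueError:
            problems.append(f"Log Source Identifier {log_source.identifier!r} is not an IP address")
        if log_source.identifier != osp_address:
            problems.append("Log Source Identifier does not match the OSP instance address; "
                            "events would not be attributed to the Onapsis log source")

    # Setup step 5: the log source must use port 517.
    if log_source.port != EXPECTED_PORT:
        problems.append(f"log source port is {log_source.port}, expected {EXPECTED_PORT}")

    # New Connector fields on the OSP side.
    if connector.type != CONNECTOR_TYPE:
        problems.append(f"connector type is {connector.type!r}, expected {CONNECTOR_TYPE!r}")
    if not connector.host.strip():
        problems.append("connector host is empty")
    if connector.port != log_source.port:
        problems.append(f"connector port {connector.port} does not match "
                        f"log source port {log_source.port}")

    return problems


def can_reach(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live TCP probe of the QRadar host; assumes TCP transport and needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    log_source = QRadarLogSource(identifier="10.0.0.5", port=517)
    connector = OspConnector(name="EMEA QRadar", type=CONNECTOR_TYPE, description="EMEA QRadar",
                             host="qradar.example.internal", port=517)
    for line in check_integration(log_source, connector, osp_address="10.0.0.5") or ["settings are consistent"]:
        print(line)
```

Run `check_integration` against the values you entered in both consoles before triggering a scan or audit; `can_reach` is deliberately separate so the configuration review works offline and the network probe is an explicit second step.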


Send Assess, Audit and Alarm Results to IBM QRadar

To send the results for a defined audit or scan execution to QRadar, you must add your QRadar connector as the defined connector in the audit or scan definition. To send the results for a given alarm, you must add an action in the alarm definition and select the IBM QRadar connection from the Agent drop-down when you create the alarm.

Edit a Connection

1. Click the Settings icon, and select Settings.

2. Select the Connectors tab.

3. Click the Edit icon for the connection to modify.

4. Make the required changes.

5. Click Save.

Delete a Connection

1. Click the Settings icon, and select Settings.

2. Select the Connectors tab.

3. Click the Delete icon for the connection to remove.

4. Click Accept.


Leveraging the QRadar Application

Viewing OSP Data in QRadar

The information is shown in the Onapsis for SAP dashboard within QRadar. The dashboard is made up of the following components:

Total Vulnerabilities

Displays the total vulnerabilities known to the QRadar Application. Can be filtered to show the count of vulnerabilities for a specific SAP system (SID).


Vulnerabilities by Time

Shows the change in vulnerabilities over time for all assets. Can be filtered to show the count of vulnerabilities for a specific SAP system (SID). Time is defined by the use of the From and To date filters.

Compliance

Shows the overall compliance posture for a specific audit for all applicable assets. Can be filtered to show the compliance status for a specific SAP system (SID).

Compliance over Time

Shows the change in compliance levels for a specific compliance policy over time for all assets. Can be filtered to show the compliance status over time for a specific SAP system (SID). Time is defined by the use of the From and To date filters.


Most Vulnerable Assets

Shows the 10 assets with the highest vulnerability count.

Alarms

Shows the most frequently generated alarms.
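The dashboard components above are all aggregations over the OSP events that reach the Onapsis log source: totals and per-day counts filtered by SID and by a From/To window, a pass ratio per audit, and top-N lists by asset and by alarm name. The script below recomputes each of them over constructed sample records so you can sanity-check the dashboard figures, or rebuild the same view in another tool. It is an added example and not the Onapsis QRadar application's own code; the record layouts (sid, asset, detected date, audit, passed flag, alarm name) are assumptions made for illustration, since this guide does not list the real event fields.

```python
"""Recompute the Onapsis for SAP dashboard figures over constructed OSP records.

Added example, not the Onapsis QRadar application's own code. The record
layouts below are assumptions; the guide does not list the real event fields.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample findings: one record per open vulnerability on an asset.
SAMPLE_FINDINGS = [
    {"sid": "PRD", "asset": "sapprd01", "detected": date(2016, 3, 1)},
    {"sid": "PRD", "asset": "sapprd01", "detected": date(2016, 3, 1)},
    {"sid": "PRD", "asset": "sapprd02", "detected": date(2016, 3, 2)},
    {"sid": "DEV", "asset": "sapdev01", "detected": date(2016, 3, 2)},
    {"sid": "DEV", "asset": "sapdev01", "detected": date(2016, 3, 5)},
    {"sid": "PRD", "asset": "sapprd01", "detected": date(2016, 3, 5)},
]

# Constructed sample audit results: one record per check per asset.
SAMPLE_AUDIT_RESULTS = [
    {"audit": "SAP Baseline", "sid": "PRD", "asset": "sapprd01", "passed": True},
    {"audit": "SAP Baseline", "sid": "PRD", "asset": "sapprd01", "passed": False},
    {"audit": "SAP Baseline", "sid": "PRD", "asset": "sapprd02", "passed": True},
    {"audit": "SAP Baseline", "sid": "DEV", "asset": "sapdev01", "passed": False},
]

# Constructed sample alarm names, one entry per fired alarm.
SAMPLE_ALARMS = ["Failed logon burst", "Privileged profile assigned",
                 "Failed logon burst", "Failed logon burst", "Privileged profile assigned"]


def total_vulnerabilities(findings, sid: Optional[str] = None) -> int:
    """Total Vulnerabilities widget, optionally filtered to one SAP system (SID)."""
    return sum(1 for f in findings if sid is None or f["sid"] == sid)


def vulnerabilities_by_time(findings, start: date, end: date,
                            sid: Optional[str] = None) -> Dict[date, int]:
    """Vulnerabilities by Time widget: per-day counts inside the From/To window (inclusive)."""
    counts: Counter = Counter()
    for f in findings:
        if sid is not None and f["sid"] != sid:
            continue
        if start <= f["detected"] <= end:
            counts[f["detected"]] += 1
    return dict(sorted(counts.items()))


def compliance_posture(results, audit: str, sid: Optional[str] = None) -> Optional[float]:
    """Compliance widget: share of passed checks for one audit, or None if nothing applies."""
    applicable = [r for r in results
                  if r["audit"] == audit and (sid is None or r["sid"] == sid)]
    if not applicable:
        return None
    return sum(1 for r in applicable if r["passed"]) / len(applicable)


def most_vulnerable_assets(findings, top_n: int = 10) -> List[Tuple[str, int]]:
    """Most Vulnerable Assets widget: the top_n assets by vulnerability count."""
    return Counter(f["asset"] for f in findings).most_common(top_n)


def most_frequent_alarms(alarms, top_n: int = 10) -> List[Tuple[str, int]]:
    """Alarms widget: the most frequently generated alarms."""
    return Counter(alarms).most_common(top_n)


if __name__ == "__main__":
    print("total:", total_vulnerabilities(SAMPLE_FINDINGS))
    print("PRD by day:", vulnerabilities_by_time(SAMPLE_FINDINGS, date(2016, 3, 1),
                                                 date(2016, 3, 2), sid="PRD"))
    print("baseline compliance:", compliance_posture(SAMPLE_AUDIT_RESULTS, "SAP Baseline"))
    print("top assets:", most_vulnerable_assets(SAMPLE_FINDINGS, top_n=3))
    print("top alarms:", most_frequent_alarms(SAMPLE_ALARMS))
```

The From/To window is treated as inclusive on both ends and the compliance ratio returns None rather than 0.0 when no checks apply, so an audit that simply has not run yet is not mistaken for a fully non-compliant one.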