Copyright © 2016, Onapsis and/or its affiliates. All rights reserved.
The Products (which include both the software and documentation) contain proprietary information; they are provided under a license
agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial
property laws. Reverse engineering, disassembly, or decompilation of the Products, except to the extent required to obtain interoperability with
other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report
them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these
Products, no part of these Products may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.
Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, people, places, and events depicted
herein are fictitious, and no association with any real company, organization, product, domain name, email address, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this documentation may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Onapsis,
Inc.
Onapsis may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
documentation. Except as expressly provided in any written license agreement from Onapsis, the furnishing of this documentation does not
give you any license to these patents, trademarks, copyrights, or other intellectual property.
Onapsis is a registered trademark of Onapsis Inc. and/or its affiliates.
All other trademarks are property of their respective owners.
3 | Page
Onapsis Security Platform QRadar Integration Guide
Table of Contents

Table of Contents  3
About this Guide  4
    Overview of this Guide  4
    Audience  4
    If You Need Assistance  4
Manage QRadar Integration  5
    Overview of QRadar Integration  5
    Overview of the IBM QRadar Setup Process  5
    Create an IBM QRadar Connection  6
    New Connector Fields  6
    Send Assess, Audit and Alarm Results to IBM QRadar  7
    Edit a Connection  7
    Delete a Connection  7
Leveraging the QRadar Application  8
    Viewing OSP Data in QRadar  8
About this Guide
Overview of this Guide
This guide provides details on using the Onapsis Security Platform (OSP) to populate IBM® QRadar® with security
events generated by the Vulnerability, Compliance and Detection capabilities of OSP. This integration reduces the time
needed to carry out analysis, because all results and analysis from OSP are available in a single QRadar console.
Audience
This guide is written for users responsible for keeping a company secure, including, but not limited to, the following
departments: Information Security, Compliance and Audit, and SAP Infrastructure and Governance.
If You Need Assistance
IBM Security QRadar products
See the Links & Important Support Resources for IBM Security QRadar products page available on the IBM Support site
http://www-01.ibm.com/support/docview.wss?uid=swg21616144
Onapsis Security Platform
View the complete User Guide, available in the Onapsis Customer Portal (https://portal.onapsis.com)
Contact support by email at [email protected] Monday-Friday 7am-7pm ET. Please include steps to reproduce the
issue, screenshots, and indicate that you use OSP and list the version. Technical Support is unavailable during regional
and major US holidays.
Manage QRadar Integration
Overview of QRadar Integration
You can send assessment scans, audit compliance results, and alarm information in real time to IBM QRadar to better
analyze and gain visibility into vulnerabilities across your entire organization. The information from the scans or
alarms can be compared with information from your network (such as information flows or traffic, and data about
ports and protocols), asset context, events from third-party devices, feeds, and other sources to provide your
company with a comprehensive security posture assessment. With this integration, you extend your existing QRadar
security processes and workflows to include security and compliance information from OSP, while retaining a single
reporting tool for analyzing risk within your organization.
Overview of the IBM QRadar Setup Process
1. Install the OSP app for IBM QRadar from the IBM Security App Exchange. The app is supported on IBM QRadar
   version 7.2.6 or later.
   a. Download the OSP application from the IBM Security App Exchange
      (https://exchange.xforce.ibmcloud.com/).
   b. Connect to your IBM QRadar server.
   c. Upload and install the OSP application as described here:
      http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.6/com.ibm.apps.doc/t_Qapps_upload.html
   d. Use the IBM Security QRadar Extension Management tool to upload the app ZIP archive directly to
      your QRadar Console:
      i. Click Admin tab > Extension Management.
      ii. In the Extension Management window, click Add.
      iii. Select the OSP application ZIP archive.
      iv. Select Install immediately.
      v. Review the list of installation items before installing, to make sure you selected the correct app.
         Note: It can take several minutes for the app to become active.
      vi. When the installation is complete, close the Extension Management window.
   e. From the 'Advanced' drop-down menu at the top of the Admin page, choose 'Deploy Full
      Configuration' to complete the deployment of the OSP QRadar application.
      i. QRadar asks you to confirm the full configuration deployment. Click 'Continue' to
         allow the deployment to take place.
2. The Onapsis Application for QRadar ships with a predefined log source called 'Onapsis Inc. Onapsis
   Security Platform'.
3. This predefined log source is already configured as required, with the exception of the Log Source Identifier,
   which has a placeholder value of XXX.XXX.XXX.XXX.
4. Change the Log Source Identifier value from XXX.XXX.XXX.XXX to the IP address of your OSP instance. QRadar
   uses this value to attribute incoming events to the log source, so leaving the placeholder in place means OSP
   events will not be matched to it.
5. When you create the OSP connector (see New Connector Fields below), set its Port to 517 so that it matches the
   pre-configured log source.
Create an IBM QRadar Connection
1. Click the Settings icon, and select Settings.
2. Select the Connectors tab.
3. Click Add Connector.
4. Complete the New Connector fields for the appropriate notification type.
5. Click Save.
New Connector Fields

Field        Description
Name         The name of the connection to create. This name is displayed when defining actions for an alarm.
Type         The type of connection to set up: QRadar Notification.
Description  A description of the connection. Example: EMEA QRadar
Host         Hostname or IP address of the QRadar server to connect to for sending alarms.
Port         Port number to connect to the service on the host. The default port used by the Onapsis QRadar
             application is 517; it must match the port of the predefined log source and be reachable from the
             OSP instance.
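As an added pre-flight check (example code written for this guide, not part of OSP or the Onapsis QRadar app), the following Python script validates the connector values and the QRadar Log Source Identifier against the requirements stated above: the placeholder XXX.XXX.XXX.XXX must be replaced with the OSP instance's IP address, the Type must be QRadar Notification, and the Port must be 517 to match the predefined log source. The field names mirror the table, the sample values are constructed, and the optional TCP reachability probe assumes the connector speaks TCP, which this guide does not state.

```python
"""Pre-flight checks for an OSP -> IBM QRadar connector definition.

Added example, not part of the Onapsis guide or the OSP product. It
validates the values you are about to enter in the New Connector form
and in the QRadar log source against the requirements in the guide.
The dictionary keys, the messages and the TCP probe are assumptions
made for this example.
"""
import ipaddress
import socket
from typing import Dict, List

# Shipped with the predefined 'Onapsis Inc. Onapsis Security Platform' log source
PLACEHOLDER_IDENTIFIER = "XXX.XXX.XXX.XXX"
# Port the guide states the predefined log source and the OSP connector use
PREDEFINED_LOG_SOURCE_PORT = 517
EXPECTED_TYPE = "QRadar Notification"


def check_log_source_identifier(identifier: str, osp_ip: str) -> List[str]:
    """Return the problems with the QRadar Log Source Identifier (empty list = OK).

    osp_ip is the address the OSP instance will send events from.
    """
    problems: List[str] = []
    if identifier.strip() == PLACEHOLDER_IDENTIFIER:
        problems.append("Log Source Identifier still has the placeholder value XXX.XXX.XXX.XXX")
        return problems
    try:
        ipaddress.ip_address(identifier)
    except ValueError:
        problems.append(f"Log Source Identifier {identifier!r} is not an IP address")
        return problems
    if identifier != osp_ip:
        problems.append(
            f"Log Source Identifier {identifier} does not match the OSP instance address "
            f"{osp_ip}; QRadar will not attribute OSP events to this log source")
    return problems


def check_connector(connector: Dict[str, str]) -> List[str]:
    """Validate the OSP 'New Connector' fields for a QRadar notification connector."""
    problems: List[str] = []
    for field in ("Name", "Type", "Host", "Port"):
        if not str(connector.get(field, "")).strip():
            problems.append(f"{field} is required")
    if problems:
        return problems
    if connector["Type"] != EXPECTED_TYPE:
        problems.append(f"Type must be {EXPECTED_TYPE!r}, got {connector['Type']!r}")
    try:
        port = int(connector["Port"])
    except ValueError:
        problems.append(f"Port {connector['Port']!r} is not a number")
        return problems
    if not 1 <= port <= 65535:
        problems.append(f"Port {port} is out of range")
    elif port != PREDEFINED_LOG_SOURCE_PORT:
        problems.append(
            f"Port {port} does not match the predefined log source port {PREDEFINED_LOG_SOURCE_PORT}")
    return problems


def probe_qradar(host: str, port: int = PREDEFINED_LOG_SOURCE_PORT, timeout: float = 3.0) -> bool:
    """Assumption: the connector uses TCP. True if host:port accepts a TCP connection.

    Run this from the OSP instance itself so that the result reflects the
    firewall path OSP will actually use.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace them with your own before running.
    connector = {"Name": "EMEA QRadar", "Type": "QRadar Notification",
                 "Description": "EMEA QRadar", "Host": "qradar.example.internal", "Port": "517"}
    findings = check_connector(connector) + check_log_source_identifier("XXX.XXX.XXX.XXX", "10.0.0.5")
    for finding in findings:
        print("PROBLEM:", finding)
    if not findings:
        print("reachable" if probe_qradar(connector["Host"]) else "not reachable")
```

Run the script on the OSP host before saving the connector; a reported problem with the identifier means the QRadar log source still needs to be edited, and a port problem means the connector will send to a port the predefined log source does not use.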
Send Assess, Audit and Alarm Results to IBM QRadar
To send the results for a defined audit or scan execution to QRadar you must add your QRadar connector as the
defined connector in the audit or scan definition. To send the results for a given alarm, you must add an action in the
alarm definition and select the IBM QRadar connection from the Agent drop-down when you create the alarm.
Edit a Connection
1. Click the Settings icon, and select Settings.
2. Select the Connectors tab.
3. Click the Edit icon for the connection to modify.
4. Make the required changes.
5. Click Save.
Delete a Connection
1. Click the Settings icon, and select Settings.
2. Select the Connectors tab.
3. Click the Delete icon for the connection to remove.
4. Click Accept.
Leveraging the QRadar Application
Viewing OSP Data in QRadar
OSP information is shown in the Onapsis for SAP dashboard within QRadar. The dashboard is made up of the
following components:

Total Vulnerabilities
Displays the total vulnerabilities known to the QRadar Application. Can be filtered to show the count of
vulnerabilities for a specific SAP system (SID).

Vulnerabilities by Time
Shows the change in vulnerabilities over time for all assets. Can be filtered to show the count of
vulnerabilities for a specific SAP system (SID). Time is defined by the use of the From and To date filters.

Compliance
Shows the overall compliance posture for a specific audit for all applicable assets. Can be filtered to show
the compliance status for a specific SAP system (SID).

Compliance over Time
Shows the change in compliance levels for a specific compliance policy over time for all assets. Can be
filtered to show the compliance status over time for a specific SAP system (SID). Time is defined by the use
of the From and To date filters.