Configuring the QRadar SOAR Plug-in app

You must configure the connection between IBM® QRadar® and SOAR.

Before you begin

Ensure that you copied the CA certificates to the QRadar Console to allow access to the inbound destinations for your SOAR environment. For more information, see Configuring access to the inbound destinations.

You must create an authorized service token to authenticate the API calls made by IBM Security SOAR. For more information, see Creating an authorized service token.

Procedure

Log in to the QRadar Console as an administrator.
On the Admin tab, in the IBM QRadar SOAR Plugin section, click Configuration.

On the Access tab, provide the configuration information.

Configure the QRadar destination name, service token, and SOAR URL.

Configuration setting	Description
QRadar Destination Name	A unique name for the destination location for this IBM QRadar SOAR Plug-in integration. As of QRadar SOAR Plug-in 4.0, this field supports synchronization of multiple QRadar instances with a single SOAR platform. The destination name must be unique for each QRadar instance. Important: If you change the destination name, all existing open cases are updated to store the new value.
Authorized Service Token	The authorized service token that is used to authenticate the API calls that are made by QRadar SOAR Plug-in. Important: The token must have full administrative permissions to configure the app with QRadar. For more information, see Creating an authorized service token.
SOAR Server URL	The URL of your SOAR platform server. The URL string must start with http:// or https://.

Configuration setting

Description

QRadar Destination Name

A unique name for the destination location for this IBM QRadar SOAR Plug-in integration.

As of QRadar SOAR Plug-in 4.0, this field supports synchronization of multiple QRadar instances with a single SOAR platform. The destination name must be unique for each QRadar instance.

Important: If you change the destination name, all existing open cases are updated to store the new value.

Authorized Service Token

The authorized service token that is used to authenticate the API calls that are made by QRadar SOAR Plug-in.

Important: The token must have full administrative permissions to configure the app with QRadar.

For more information, see Creating an authorized service token.

SOAR Server URL

The URL of your SOAR platform server.

The URL string must start with http:// or https://.

If applicable, configure the connection parameters for SOAR for IBM Cloud Pak® for Security.

When you select the CP4S mode checkbox, more fields are displayed to configure the connection to SOAR for IBM Cloud Pak for Security.

Configuration setting	Description
CP4S mode	Select this checkbox when you want to escalate QRadar offenses to SOAR for IBM Cloud Pak for Security cases.
REST URL	The URL that is used to access the SOAR API. The URL string must start with `https://` and includes the cases-rest affix. For example, https:// CUSTOMER-INSTANCE .cases-rest.xdr.security.ibm.com.
STOMP Host	The hostname that is used to access the STOMP messaging protocol, including cases-stomp affix. For example, CUSTOMER-INSTANCE .cases-stomp.xdr.security.ibm.com.
STOMP Port	The port to use with the STOMP URL to access the SOAR for IBM Cloud Pak for Security STOMP protocol.
OpenWire Host	The hostname that is used to access the OpenWire protocol, including the cases-openwire affix. QRadar uses the OpenWire protocol to promote offenses to SOAR for IBM Cloud Pak for Security. For example, CUSTOMER-INSTANCE .cases-openwire.xdr.security.ibm.com
OpenWire Port	The port to use with the OpenWire hostname.

Configure the SOAR API key credentials to be used for authentication.
Configuration setting
Description

API Key ID

The ID of the SOAR API key account that is used for authentication.

API Key Secret

The secret of the SOAR API key account.
- To create API keys in SOAR for IBM Cloud Pak for Security, your global role must have the API Keys permission. Make sure that the API key is created in the Application Settings > Case Management > Permissions and access > API Keys setting. Do not create the API key in General Settings > API keys.
  
  If you are using SOAR with an MSSP configuration, make sure that the API key is pushed to the child organizations and has appropriate access. For more information, see Minimum system requirements.

Configuration setting	Description
API Key ID	The ID of the SOAR API key account that is used for authentication.
API Key Secret	The secret of the SOAR API key account.

If your deployment is configured for Managed Security Service Providers (MSSP), configure the SOAR organization settings.

Configuration setting	Description
Multiple Organization Support	Select this checkbox to support mapping between QRadar domains and multiple SOAR organizations. This option is required in a SOAR for Managed Security Service Providers deployment.
Organization Name	The name of your SOAR organization.

Configuration setting

Description

Multiple Organization Support

Select this checkbox to support mapping between QRadar domains and multiple SOAR organizations.

This option is required in a SOAR for Managed Security Service Providers deployment.

Organization Name

The name of your SOAR organization.

If you are connecting to a SOAR Platform that is configured for Managed Security Service Providers (MSSP), the Organization Name is the name of the configuration organization. You can identify the configuration organization by the icon.
If you are connecting to SOAR for IBM Cloud Pak for Security (CP4S), the Organization Name might be different depending on which version you have installed.
- For SOAR for IBM Cloud Pak for Security 1.10 or later, you can set the Organization Name to use either the account ID or the account name.
  Using the account name can make it easier when you are mapping organizations to QRadar domains.
- For earlier versions of CP4S, use the account ID.

Configure the app to use secure connections.

Configuration setting	Description
Connect Securely	Select this checkbox to verify CA-signed certificates. For on-premises deployments that use self-signed SSL certificates, or deployments that have SSL certificate problems, you might need to deselect Connect Securely to allow the integration to make a successful but unverified connection.

Configuration setting

Description

Connect Securely

Select this checkbox to verify CA-signed certificates.

For on-premises deployments that use self-signed SSL certificates, or deployments that have SSL certificate problems, you might need to deselect Connect Securely to allow the integration to make a successful but unverified connection.

1. Upload the trusted certificate into the persistent storage of the app.
  The persistent storage is located in /store/docker/volumes/qapp-<app-id>/<cert_name.cer>.
  
  To find the app ID, type /opt/qradar/support/qappmanager and locate the IBM QRadar SOAR Plug-in in the App Definitions section.
2. In the app.config under the [resilient] section , set the cafile option to the absolute path to the certificate: cafile=/opt/app-root/store/<cafile name here>.
3. Restart the QRadar SOAR Plug-in app by using the QRadar API.
  The following example shows curl commands to restart the service by using API 19.0.
  curl -s -X POST -u <USER> -H 'Version: 19.0' -H 'Accept: application/json' && 'https://<QRADAR_IP_ADDRESS/api/gui_app_framework/applications/<QAPP_ID>?status=STOPPED'
  curl -s -X POST -u <USER> -H 'Version: 19.0' -H 'Accept: application/json' && 'https://<QRADAR_IP_ADDRESS/api/gui_app_framework/applications/<QAPP_ID>?status=RUNNING'
  Depending on your QRadar installation, you might have a different API version. For more information about using API calls in other versions, see the QRadar API documentation.

Configure the remaining configuration settings.

Configuration setting	Description
SOAR Timeout (seconds)	The length of time that the QRadar SOAR Plug-in app tries to connect to SOAR before it times out. The default value is 30 seconds.
Execution Threads	Defines the number of threads that can run simultaneously. Increasing the number of execution threads can reduce the time that it takes for offenses to be escalated from QRadar to SOAR. The default value is 25. If you increase the number of execution threads, use increments of 25 and review the impact on your system before you move to a higher thread count.
Enable loglevel DEBUG	Select this checkbox to enable DEBUG level logging for both the QRadar SOAR Plug-in app and `resilient-circuits`.
Enable Configuring SOAR	Select this checkbox to enable the QRadar SOAR Plug-inapp to create the fields, actions, and message destinations in SOAR. These settings are required for the bidirectional communication between QRadar and the SOAR platform.
Proxy configuration	Select this checkbox when your configuration requires a connection through a proxy server. When this checkbox is selected, more proxy settings are shown. In the Host field, type the hostname as a URL address. If the scheme is not provided for the proxy host, https:// is used by default. In the Port field, type the port that is to be used with hostname URL. If the proxy connection requires authentication, enter the username and password. The proxy feature uses the basic authentication method to support authentication.

Click Verify and Configure.
The verification process checks the following settings:
- A connection can be made to the SOAR Server URL.
- A QRadar ID field is present in SOAR.
- The authorized service token is valid.
- The proxy connection, if configured, is valid.
When the verification process is finished, the following message appears at the end of the configuration page. Connection and Configuration Verified Successfully
If Multiple Organization Support is enabled, configure the mapping.
1. Click on the Mapping tab.
2. Map the QRadar domains and SOAR child organizations.
3. Click Configuration Push to push the configuration changes to the child organizations.
  
  In SOAR, you can go to the Configuration Organization page to verify that the configuration push completed successfully.
In QRadar, on the Access tab of the QRadar SOAR Plug-in app configuration window, click Save.

Results

The following objects are created to support the QRadar SOAR Plug-in app. The QRadar destination, appearing in angle brackets, is determined by the value of the QRadar Destination Name that you provided when you configured the app.

Table 1. QRadar SOAR Plug-in 5.x app object creation
Object type	Description
Message destination	`qradar_<QRadar_Destination>` This destination is the unified message queue for all of the actions that are processed by the QRadar SOAR Plug-in app.
Inbound destination	`qrp_inbound_<QRadar_Destination>` The inbound destination is a queue for each organization that reads and writes messages from QRadar.
Rules	The following rules are created. `close_offense for <QRadar_Destination>` When synchronization is enabled, this automated rule closes the related QRadar offense or SOAR case when either is closed. `qradar_note for <QRadar_Destination>` When synchronization is enabled, this automated rule synchronizes notes between the case and the offense. `Add to QRadar reference set for <QRadar_Destination>` This rule does not apply to MSSP deployments. When custom actions are enabled, you can use this manual rule to send case artifacts to the QRadar reference sets of the QRadar instance that is defined by the QRadar Destination Name field. `QRadar Ariel Query for <QRadar_Destination>` When custom actions are enabled, you can use this manual rule to run Ariel queries on the case artifacts in the QRadar instance that is defined by the QRadar Destination Name field.

What to do next

Configure the escalation settings.