Article

Centralize your threat hunting actions by integrating QRadar EDR and QRadar SOAR

Identify and mitigate threats on your organization's endpoints

By Mahesh Desai and Anuj Shrivastava

Note: This article and demo are the first part of a two-part series. This part covers the integration of QRadar EDR with QRadar SOAR. The second part, Take action on security threats using QRadar SOAR and QRadar EDR, demonstrates the security tasks you can complete once the integration is in place.

From malware to malicious attacks to data theft, cybersecurity threats have never been more widespread. This myriad of threats puts security teams under pressure, since they often face budgetary and personnel limits and rely on a mix of tools to gather intelligence and respond to threats.

Endpoint detection and response, or EDR, is software designed to automatically protect an organization's end users, endpoint devices, and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. Hunting threats on separate tools requires larger teams, bigger budgets, and longer schedules. A central threat-hunting tool simplifies the work of security professionals from top to bottom.

IBM Security QRadar EDR integrates seamlessly with IBM Security QRadar SOAR (Security Orchestration, Automation and Response) and its Data Explorer module to perform threat hunting from a central location. Because most of the indicators of compromise (IoCs) will be hunted on endpoints — devices connected from outside an organization's firewall — the QRadar EDR Universal Data Insights connector works conveniently and quickly to identify threats.

Component technologies

The QRadar EDR and SOAR Data Explorer integration is completed using the following components:

QRadar SOAR UDI

The Universal Data Insights (UDI) connector for IBM QRadar EDR is available on IBM App Exchange for integration on the IBM Cloud Pak for Security platform. The connector is built into the QRadar suite and does not need to be installed separately. You can add QRadar EDR as a data source in the QRadar suite; the video included with this article demonstrates how to configure and test the UDI. The video also shows you how to install the IBM QRadar EDR app for QRadar SOAR, which imports EDR alerts as cases in SOAR. You can then extract artifacts from those cases for threat hunting with the UDI connector.

QRadar EDR API

QRadar EDR exposes an API that integrating solutions can consume. Access requires authentication with an API key and API secret pair: once the key and secret have been created in QRadar EDR, they are entered into the connecting application, which uses them to authenticate its API calls.

An authenticated API client can query and update alerts and policies, perform remote actions such as killing processes and isolating endpoints, and run threat hunts.

IBM Data Explorer on QRadar SOAR

The IBM QRadar suite includes the Data Explorer module, which helps you identify sightings of IoCs associated with each threat in your environment.

Challenges and benefits

Following are some specific threat-hunting challenges that you can meet by integrating QRadar EDR and SOAR:

  • Multiple searches on multiple tools: Many companies run security tools from multiple vendors, which complicates security teams' work: each tool must be logged into separately to run the threat hunt locally. The central threat-hunting capability of the QRadar EDR and SOAR integration simplifies these tasks.

  • Disconnected triaging: Once you have threat-hunting results, you need to compare and match them on separate screens, or export them manually to a central location and convert them to a common format before they can be compared. The QRadar EDR and SOAR integration brings all results to a single, central location and automates and optimizes your triage.

  • Data residency constraints: Sometimes security tools reside in regions governed by data residency laws. In such cases, data from those tools cannot be exported out of the region and therefore cannot be triaged together with data from elsewhere. The integrated QRadar EDR and SOAR do not move data out of any tool; they gather only certain parameters, so data residency is maintained.

UDI and query workflow

Following is a typical work progression to implement the solution demonstrated in the accompanying video:

  1. Create the API key and API secret.
  2. Download the QRadar EDR app for IBM SOAR from IBM App Exchange and install in the QRadar suite platform.
  3. Configure the QRadar EDR for IBM SOAR app, including its parameters such as the API key and API secret. Then add IBM QRadar EDR as a UDI data source in the Data Explorer module, configuring the API key and secret along with the other parameters.
  4. Perform centralized threat hunting.

Demo video

Learn how to integrate QRadar EDR and QRadar SOAR:


Video will open in new tab or window.

Summary

In this article and demo, you've learned how to create API credentials and implement them in the Universal Data Insights connector. You've seen how to install and configure the IBM Security QRadar EDR app for SOAR and add EDR as a data source in the Data Explorer. And you've learned how the app polls the alerts from EDR and creates cases in the IBM Security Case Management app. You can then extract artifacts such as hash values from those cases and perform threat hunting on EDR.
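The poll-then-extract step described above is easy to get subtly wrong: hashes arrive in mixed case, appear in free-text fields as well as dedicated ones, and the same digest shows up in several alerts, so a naive approach produces duplicate hunts. The following Python is an added illustration written for this article, not code from IBM or from the QRadar EDR app for SOAR. The alert records, their field names and the id-based polling cursor are constructed assumptions and do not reflect the real QRadar EDR API schema; the point is the artifact extraction and de-duplication logic that sits between "alerts become cases" and "run a hunt on EDR".

```python
import re
from collections import defaultdict

# Constructed sample alerts standing in for the EDR alert feed the SOAR app
# polls. Field names are assumptions for illustration, not the real schema.
SAMPLE_ALERTS = [
    {"id": 101, "endpoint": "WS-FINANCE-07", "severity": "high",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "description": "Unsigned binary executed from user Temp directory"},
    {"id": 102, "endpoint": "WS-HR-03", "severity": "medium",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "description": "Same binary observed; parent sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"id": 103, "endpoint": "SRV-FILE-01", "severity": "low",
     "description": "Benign update, nothing to extract here 12345"},
]

# \b word boundaries keep a 32-char pattern from matching inside a 64-char digest.
HASH_PATTERNS = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}


def poll_new_alerts(alerts, last_seen_id):
    """Model of the polling cursor (assumed): return only alerts newer than the
    last one already turned into a case, in id order, so re-polling is idempotent."""
    return sorted((a for a in alerts if a["id"] > last_seen_id), key=lambda a: a["id"])


def extract_hash_artifacts(alert):
    """Walk every string field of one alert and collect (type, digest) pairs,
    normalised to lowercase so the same hash in different case de-duplicates."""
    found = set()
    for value in alert.values():
        if not isinstance(value, str):
            continue
        for hash_type, pattern in HASH_PATTERNS.items():
            for match in pattern.findall(value):
                found.add((hash_type, match.lower()))
    return found


def build_hunt_list(alerts):
    """Aggregate artifacts across alerts: each unique digest maps to the alert
    ids and endpoints it was seen on, so one hunt query covers all sightings."""
    hunt = defaultdict(lambda: {"type": None, "alert_ids": set(), "endpoints": set()})
    for alert in alerts:
        for hash_type, digest in extract_hash_artifacts(alert):
            entry = hunt[digest]
            entry["type"] = hash_type
            entry["alert_ids"].add(alert["id"])
            entry["endpoints"].add(alert["endpoint"])
    return dict(hunt)


if __name__ == "__main__":
    fresh = poll_new_alerts(SAMPLE_ALERTS, last_seen_id=100)
    for digest, info in build_hunt_list(fresh).items():
        print(f"{info['type']:6} {digest}  alerts={sorted(info['alert_ids'])} "
              f"endpoints={sorted(info['endpoints'])}")
```

Running it yields three distinct artifacts from three alerts: the SHA-256 seen on two endpoints (a stronger hunt candidate than either alert alone suggests), one MD5 and one SHA-1 pulled out of free text; the numeric noise in the third alert is ignored. A real integration would feed the keys of the hunt list into the UDI data-source query rather than print them.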

Next steps

You are now ready to integrate IBM Security QRadar EDR and SOAR and perform threat-hunting actions on the EDR alerts remotely. Use the following resources to explore further: