Overview

Skill Level: Any Skill Level

This recipe presents a custom integration approach that brings security findings from QRadar onto the single IBM Cloud Security Advisor insights dashboard in IBM Cloud Security and Compliance Center.

Ingredients

  1. IBM Cloud Account with access to IBM Cloud Security and Compliance Center
  2. IBM QRadar configured to collect network events and flows.

Step-by-step

  1. Preface

    IBM Cloud Security and Compliance Center comes integrated with the IBM Cloud Security Advisor insights dashboard, which lets you view the security posture of your IBM Cloud services through a single, centralized dashboard. The security insights dashboard gives you access to user activity and network insights. You can monitor your cloud resources for potential security risks and take the suggested remediation steps to mitigate them.

    There may be a scenario where an enterprise is already using a SIEM tool such as QRadar for threat management. In that case it may want to ingest its QRadar security findings into a single centralized security insights dashboard on IBM Cloud Security and Compliance Center in order to monitor critical security events.

    IBM Cloud Security Advisor supports this through custom integration. The solution in this recipe uses the QRadar siem/offenses API to get the offense data from QRadar and ingests it into IBM Cloud Security Advisor using its “findings” API.

  2. Solution Architecture

    Visual representation of the solution architecture.

    [Image: solution architecture diagram]

  3. QRadar Configurations

    The offense data from QRadar is obtained by calling the siem/offenses API. The API calls are authenticated with an authentication token. To create an authentication token in QRadar:

    i. Log in to QRadar and go to the Admin menu -> Authorized Services.

    ii. Add an authorized service.

    iii. Copy the authentication token from “Selected Token” and use it in the QRadar API calls.

  4. IBM Cloud Configurations

    Before findings from QRadar can be brought into the Security Advisor insights dashboard, the following prerequisites must be met.

    i. The user must have the “Manager” IAM role assigned in Access (IAM) for the Security Advisor service.

    ii. Create an IBM Cloud API key to obtain an IAM token for calling the findings API.

    Go to Access (IAM) -> API Keys -> Create an IBM Cloud API Key.

    iii. Copy or download the API key. It is shown only once, at creation time, and should be stored as a secret.

    {
        "name": "ibmscc-api-key",
        "description": "IBM SCC Api Key",
        "createdAt": "2021-05-03T10:23+0000",
        "apikey": "ABC6_GjbadSdyrqOpx0Di6u88QK_YprtyuNbjh2uuz1lmy57-"
    }

    The apikey value in the snippet above is a sample; yours will be different.

    iv. Use this API key to obtain an IAM token when calling the IBM Cloud Security and Compliance Center findings API.

  5. Import findings from QRadar.

    Importing findings from QRadar is a three-step process:

    1. Create a Note to register a new finding type.

    2. Define a card to display the QRadar findings.

    3. Post the QRadar offenses (findings) to IBM SCC.

    1. Register a new finding type

    i. Open the IBM Cloud Shell.

    ii. Log in to IBM Cloud:

    ibmcloud login -sso

    iii. Make a note of the account ID you are logged in to.

    This account ID is needed when calling the Security Advisor Findings API.

    iv. Get the IBM Cloud IAM auth token:

    ibmcloud iam oauth-tokens

    v. Create a Note to register a new finding type by calling the API https://{region}.secadvisor.cloud.ibm.com/findings/v1/<account_id>/providers/my-custom-tool/notes

    Example:

    curl -X POST "https://us-south.secadvisor.cloud.ibm.com/findings/v1/1d341fdce08c4011b670e9f4de4b401a/providers/my-custom-tool/notes" \
      -H "accept: application/json" \
      -H "Authorization: Bearer eyJraWQiOiIyMDIxMDIxOTE4MzUiLCJhbGciOiJSUzI1NiJ9......" \
      -H "Content-Type: application/json" \
      -d '{
            "kind": "FINDING",
            "short_description": "QRadar Findings",
            "long_description": "Offenses from QRadar.",
            "provider_id": "QRadar",
            "id": "QRadar",
            "reported_by": { "id": "QRadar", "title": "QRadar Offenses" },
            "finding": {
              "severity": "MEDIUM",
              "next_steps": [ { "title": "Check QRadar for details" } ]
            }
          }'

    Note: Use the bearer token returned by “ibmcloud iam oauth-tokens” for the Authorization header in the curl request.

    https://cloud.ibm.com/docs/security-advisor?topic=security-advisor-setup_custom#integrate-3rd-party-findings

    2. Defining a card to display the QRadar findings

    i. Create the card to display the QRadar offenses by calling the API https://<region>.secadvisor.cloud.ibm.com/findings/v1/<account_ID>/providers/<provider_id>/notes

    Example:

    curl -X POST "https://us-south.secadvisor.cloud.ibm.com/findings/v1/1d341fdce08c4011b670e9f4de4b401a/providers/QRadar/notes" \
      -H "accept: application/json" \
      -H "Authorization: Bearer eyJraWQiOiIyMDIxMDIxOTE4MzUiLCJhbGciOiJSUzI1NiJ9....." \
      -H "Content-Type: application/json" \
      -d '{
            "kind": "CARD",
            "id": "custom-tool-card",
            "short_description": "Security risk found by my custom tool",
            "long_description": "More detailed description about why this security risk needs to be fixed",
            "reported_by": { "id": "my-custom-tool", "title": "My security tool" },
            "card": {
              "section": "On-Prem Security Tools",
              "order": 1,
              "title": "On-Prem Security Tools",
              "subtitle": "QRadar 114 Findings",
              "badge_text": "No findings to show",
              "badge_image": "",
              "finding_note_names": [ "providers/my-custom-tool/notes/Offenses" ],
              "elements": [
                {
                  "kind": "NUMERIC",
                  "text": "Count of findings reported by my security tool",
                  "default_time_range": "1d",
                  "value_type": {
                    "kind": "FINDING_COUNT",
                    "finding_note_names": [ "providers/my-custom-tool/notes/Offenses" ]
                  }
                }
              ]
            }
          }'

    Note: Use the bearer token returned by “ibmcloud iam oauth-tokens” for the Authorization header in the curl request.

    https://cloud.ibm.com/docs/security-advisor?topic=security-advisor-setup_custom#integrate-3rd-party-findings
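    The note body from step 1 and the card body from step 2 have to agree: every entry in the card's finding_note_names is resolved as providers/<provider_id>/notes/<note_id>, and each occurrence posted in step 3 carries the same name prefixed with the account ID. The example below is added here and is not part of the original recipe; it builds both bodies from one set of identifiers, checks that the card really references the registered note before anything is posted, and posts with the standard library only. The account ID, provider ID, note ID, region and the post_note helper are illustrative assumptions; substitute your own values.

```python
import json
import urllib.request

# Hypothetical identifiers for illustration; substitute your own values.
ACCOUNT_ID = "<account_id>"
PROVIDER_ID = "my-custom-tool"
NOTE_ID = "QRadar"
REGION = "us-south"


def note_name(provider_id, note_id):
    """Relative note name that cards reference: providers/<provider_id>/notes/<note_id>."""
    return "providers/%s/notes/%s" % (provider_id, note_id)


def occurrence_note_name(account_id, provider_id, note_id):
    """Fully qualified note_name carried by every occurrence (the config.ini note_name value)."""
    return "%s/%s" % (account_id, note_name(provider_id, note_id))


def notes_url(region, account_id, provider_id):
    """Endpoint that both the FINDING note and the CARD note are posted to."""
    return ("https://%s.secadvisor.cloud.ibm.com/findings/v1/%s/providers/%s/notes"
            % (region, account_id, provider_id))


def build_finding_note(provider_id, note_id, severity="MEDIUM"):
    """Step 1 body: registers the finding type, mirroring the recipe's curl example."""
    return {
        "kind": "FINDING",
        "short_description": "QRadar Findings",
        "long_description": "Offenses from QRadar.",
        "provider_id": provider_id,
        "id": note_id,
        "reported_by": {"id": provider_id, "title": "QRadar Offenses"},
        "finding": {
            "severity": severity,
            "next_steps": [{"title": "Check QRadar for details"}],
        },
    }


def build_card_note(provider_id, note_id, card_id="custom-tool-card"):
    """Step 2 body: a CARD note whose counter is driven by the finding note above."""
    ref = note_name(provider_id, note_id)
    return {
        "kind": "CARD",
        "id": card_id,
        "short_description": "Offenses detected by QRadar",
        "long_description": "Offenses pulled from the on-prem QRadar console",
        "reported_by": {"id": provider_id, "title": "QRadar"},
        "card": {
            "section": "On-Prem Security Tools",
            "order": 1,
            "title": "On-Prem Security Tools",
            "subtitle": "QRadar Findings",
            "badge_text": "No findings to show",
            "badge_image": "",
            "finding_note_names": [ref],
            "elements": [{
                "kind": "NUMERIC",
                "text": "Count of offenses reported by QRadar",
                "default_time_range": "1d",
                "value_type": {"kind": "FINDING_COUNT", "finding_note_names": [ref]},
            }],
        },
    }


def card_references_note(card, provider_id, note_id):
    """True only if every finding_note_names entry in the card resolves to the registered note."""
    expected = note_name(provider_id, note_id)
    refs = list(card["card"]["finding_note_names"])
    for element in card["card"]["elements"]:
        refs.extend(element["value_type"].get("finding_note_names", []))
    return bool(refs) and all(ref == expected for ref in refs)


def post_note(region, account_id, provider_id, body, bearer_token):
    """POST one note body; returns (HTTP status, parsed JSON response)."""
    req = urllib.request.Request(
        notes_url(region, account_id, provider_id),
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + bearer_token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    token = "<iam_bearer_token>"      # value printed by: ibmcloud iam oauth-tokens
    finding = build_finding_note(PROVIDER_ID, NOTE_ID)
    card = build_card_note(PROVIDER_ID, NOTE_ID)
    assert card_references_note(card, PROVIDER_ID, NOTE_ID)
    print(post_note(REGION, ACCOUNT_ID, PROVIDER_ID, finding, token))
    print(post_note(REGION, ACCOUNT_ID, PROVIDER_ID, card, token))
    print("occurrence note_name:", occurrence_note_name(ACCOUNT_ID, PROVIDER_ID, NOTE_ID))
```

    The check is worth running before the first POST: a card whose finding_note_names points at a note that was never registered is accepted by the API but will always show “No findings to show”, which is easy to mistake for a QRadar-side problem.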

    3. Post the findings from QRadar.

    Findings from QRadar are posted as occurrences by calling the https://{region}.secadvisor.cloud.ibm.com/findings/v1/<account_id>/providers/<provider_id>/occurrences API.

    This is automated so that offense updates from QRadar are received regularly. A custom code implementation pulls the offenses from QRadar and pushes them as findings to IBM Security Advisor in IBM Cloud Security and Compliance Center. The whole process runs on a schedule, so the push happens at a regular, configurable interval.

    The code has been implemented in Python.

    The sequence of steps is as follows:

    1. Get the offenses from QRadar by calling the /siem/offenses API.

    2. Get the IBM Cloud IAM token using the API key.

    3. Use the IAM token to push the offenses to IBM Cloud Security and Compliance Center by calling the /findings/v1/<account-id>/providers/<provider-id>/occurrences API.

    Sample Code:

    config.ini

    [QRADAR]
    qradar_token = <qradar_auth_token>
    qradar_url = <qradar_console_url>
    qradar_offenses_api = <qradar_offenses_api>

    [IBMSCC]
    note_name = <ibmscc_note_name>
    provider_id = <ibmscc_custom_provider_id>
    api_key = <ibmscc_api_key>
    iam_token_api = <iam_token_api>
    findings_api = <ibmscc_findings_api>

    [SCHEDULER]
    schedule_frequency_sec = 3600

    qradar_offenses_to_scc.py

    import json
    import time
    import datetime
    import configparser
    import requests

    # Occurrence template for the Security Advisor Findings API; the placeholder
    # values are overwritten for each offense in push_offenses_to_ibmscc().
    ibmscc_custom_template = """{
        "note_name": "1d341fdce08c4011b670e9f4de4b401a/providers/my-custom-tool/notes/my-custom-tool-findings-type",
        "kind": "FINDING",
        "remediation": "remediation",
        "provider_id": "provider_id",
        "id": "id",
        "context": {
            "region": "location",
            "resource_id": "resource_id",
            "resource_name": "resource_name",
            "resource_type": "resource_type",
            "service_name": "service_name"
        },
        "finding": {
            "severity": "HIGH",
            "next_steps": [
                {
                    "title": "Investigate the Offense",
                    "url": "https://9.121.242.114"
                }
            ],
            "short_description": "short_description",
            "long_description": "long_description"
        }
    }"""

    scc_headers = {
        'content-type': 'application/json',
        'accept': 'application/json'
    }

    qradar_headers = {'SEC': 'xxxxx-xxxxx-xxxxx-xxxx-xxxx', 'Accept': 'application/json'}

    print("Initializing the configuration values ......")
    config = configparser.ConfigParser()
    config.read('config.ini')

    qradar_token = config['QRADAR']['qradar_token']
    qradar_url = config['QRADAR']['qradar_url']
    print('qradar_url:' + qradar_url)
    qradar_offenses_api = config['QRADAR']['qradar_offenses_api']
    print('qradar_offenses_api:' + qradar_offenses_api)
    note_name = config['IBMSCC']['note_name']
    print('note_name:' + note_name)
    provider_id = config['IBMSCC']['provider_id']
    print('provider_id:' + provider_id)
    api_key = config['IBMSCC']['api_key']          # secret: never print it
    iam_token_api = config['IBMSCC']['iam_token_api']
    print('iam_token_api:' + iam_token_api)
    findings_api = config['IBMSCC']['findings_api']
    print('findings_api:' + findings_api)
    print('schedule_frequency_sec:' + config['SCHEDULER']['schedule_frequency_sec'])
    schedule_frequency_sec = int(config['SCHEDULER']['schedule_frequency_sec'])


    def get_offenses_from_qradar():
        """Fetch the offenses that started during the last polling interval."""
        qradar_headers['SEC'] = qradar_token

        # QRadar start_time is in epoch milliseconds; look back one interval
        now_ms = int(round(datetime.datetime.now(datetime.timezone.utc).timestamp() * 1000))
        starttime = str(now_ms - schedule_frequency_sec * 1000)
        # verify=False skips TLS certificate checking of the QRadar console; in
        # production point verify at the console's CA bundle, e.g. verify='/path/to/ca.pem'
        response = requests.get(qradar_offenses_api + '?filter=start_time%3E' + starttime,
                                headers=qradar_headers, verify=False)
        return response


    def get_iam_token():
        """Exchange the IBM Cloud API key for an IAM bearer token."""
        iam_headers = {'content-type': 'application/x-www-form-urlencoded', 'accept': 'application/json'}
        token_response = requests.post(iam_token_api, headers=iam_headers,
                                       data={'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',
                                             'apikey': api_key})
        # Log only the status; the response body contains the bearer token
        print('Http Status Code for IAM token request: %d' % token_response.status_code)
        token_response.raise_for_status()
        return token_response.json()['access_token']


    def push_offenses_to_ibmscc():
        """Pull new offenses from QRadar and post each one as an occurrence."""
        response = get_offenses_from_qradar()
        print('Response from Qradar: %s' % response.content)
        print('Http Status Code for get offenses from Qradar: %d' % response.status_code)

        if response.status_code != 200:
            return

        response_dictionary = json.loads(response.content)
        print('Offenses returned: %d' % len(response_dictionary))

        ## Get IAM token
        scc_headers['Authorization'] = 'Bearer ' + get_iam_token()

        for value in response_dictionary:
            print('Pushing Offense %s to IBM SCC' % value['id'])
            scc_template_dictionary = json.loads(ibmscc_custom_template)   # fresh copy per offense
            scc_template_dictionary['note_name'] = note_name
            scc_template_dictionary['provider_id'] = provider_id
            scc_template_dictionary['id'] = str(time.time() * 1000)
            scc_template_dictionary['remediation'] = value['description']
            scc_template_dictionary['context']['region'] = 'US'
            # An offense may have no log source attached
            log_source = value['log_sources'][0] if value.get('log_sources') else {}
            scc_template_dictionary['context']['resource_id'] = str(log_source.get('id', ''))
            scc_template_dictionary['context']['resource_name'] = log_source.get('name', '')
            scc_template_dictionary['context']['resource_type'] = log_source.get('type_name', '')
            scc_template_dictionary['context']['service_name'] = value['offense_source']
            scc_template_dictionary['finding']['short_description'] = value['description']
            scc_template_dictionary['finding']['long_description'] = value['description']
            scc_template_dictionary['finding']['next_steps'][0]['url'] = qradar_url
            ## Push to SCC.
            scc_response = requests.post(findings_api, data=json.dumps(scc_template_dictionary), headers=scc_headers)
            print('Http Status Code for push to IBM SCC: %d' % scc_response.status_code)


    if __name__ == '__main__':
        while True:
            push_offenses_to_ibmscc()
            time.sleep(schedule_frequency_sec)
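    The script above computes each polling window as “now minus the interval”. Because the loop body itself takes time, each cycle starts a little later than the previous window ended, so an offense that starts in that gap is never fetched, and after a restart whatever the window covers is posted again. The example below is added here and is not the recipe's code; it factors the offense-to-occurrence mapping into a function that can be tested offline, tolerates an offense with no log source, gives each occurrence a stable ID derived from the QRadar offense ID (so a repeated post cannot create a second occurrence), and replaces the sliding window with a persisted start_time watermark plus a small seen-set so that overlapping polls do not re-post. The sample offenses are constructed; the poll_state.json path, the console URL, the note and provider names and the qradar-offense-<id> naming are assumptions.

```python
import json
import os

# Constructed sample offenses in the shape of GET /api/siem/offenses; only the fields
# the recipe reads are populated and every value is made up.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Excessive Firewall Denies from a Single Source",
     "offense_source": "198.51.100.23", "start_time": 1620000000000,
     "log_sources": [{"id": 7, "name": "Edge Firewall", "type_name": "Check Point FireWall-1"}]},
    {"id": 102, "description": "Multiple Login Failures for a Single Username",
     "offense_source": "svc-backup", "start_time": 1620000300000,
     "log_sources": []},                      # offense with no log source attached
    {"id": 103, "description": "Outbound Connection to Known Malicious Host",
     "offense_source": "10.0.12.5", "start_time": 1620003600000,
     "log_sources": [{"id": 12, "name": "Web Proxy", "type_name": "Blue Coat SG"}]},
]

# Same structure as the recipe's ibmscc_custom_template; fields are filled per offense.
OCCURRENCE_TEMPLATE = {
    "note_name": "", "kind": "FINDING", "remediation": "", "provider_id": "", "id": "",
    "context": {"region": "", "resource_id": "", "resource_name": "",
                "resource_type": "", "service_name": ""},
    "finding": {"severity": "HIGH",
                "next_steps": [{"title": "Investigate the Offense", "url": ""}],
                "short_description": "", "long_description": ""},
}


def to_occurrence(offense, note_name, provider_id, console_url, region="US"):
    """Map one QRadar offense to a Findings API occurrence body."""
    occ = json.loads(json.dumps(OCCURRENCE_TEMPLATE))   # deep copy; the template stays untouched
    source = offense["log_sources"][0] if offense.get("log_sources") else {}
    occ["note_name"] = note_name
    occ["provider_id"] = provider_id
    # Derived from the offense id, so posting the same offense twice cannot create two occurrences
    occ["id"] = "qradar-offense-%d" % offense["id"]
    occ["remediation"] = offense["description"]
    occ["context"].update({
        "region": region,
        "resource_id": str(source.get("id", "")),
        "resource_name": source.get("name", ""),
        "resource_type": source.get("type_name", ""),
        "service_name": offense["offense_source"],
    })
    occ["finding"]["short_description"] = offense["description"]
    occ["finding"]["long_description"] = offense["description"]
    occ["finding"]["next_steps"][0]["url"] = console_url
    return occ


def load_state(path, initial_watermark):
    """Watermark (epoch ms) plus the ids seen at that watermark; keys are strings so JSON round-trips."""
    if os.path.exists(path):
        with open(path) as fh:
            return json.load(fh)
    return {"watermark": initial_watermark, "seen": {}}


def save_state(path, state):
    with open(path, "w") as fh:
        json.dump(state, fh)


def offenses_filter(state):
    """QRadar filter for the next poll; >= rather than > so offenses in the watermark millisecond are not lost."""
    return "start_time>=%d" % state["watermark"]


def select_new_offenses(offenses, state):
    """Return offenses not yet pushed and advance the watermark; the seen set absorbs the overlap."""
    fresh = []
    for off in sorted(offenses, key=lambda o: o["start_time"]):
        key = str(off["id"])
        if off["start_time"] < state["watermark"] or key in state["seen"]:
            continue
        fresh.append(off)
        state["seen"][key] = off["start_time"]
        state["watermark"] = max(state["watermark"], off["start_time"])
    # Only ids sitting exactly on the watermark can be returned again by the >= filter
    state["seen"] = {k: t for k, t in state["seen"].items() if t >= state["watermark"]}
    return fresh


def run_cycle(offenses, state, note_name, provider_id, console_url):
    """One polling cycle: select, map, and hand back the bodies to POST to the occurrences API."""
    return [to_occurrence(o, note_name, provider_id, console_url)
            for o in select_new_offenses(offenses, state)]


if __name__ == "__main__":
    state = load_state("poll_state.json", 1620000000000)   # hypothetical state file and start point
    for body in run_cycle(SAMPLE_OFFENSES, state, "<account_id>/providers/my-custom-tool/notes/QRadar",
                          "my-custom-tool", "https://qradar.example.internal"):
        print(json.dumps(body))
    save_state("poll_state.json", state)
    print("next filter:", offenses_filter(state))
```

    In the real poller the offenses list comes from the siem/offenses call with offenses_filter(state) as the filter parameter, each returned body is posted to the occurrences API, and save_state runs only after the posts succeed, so a failed push is retried on the next cycle instead of being lost.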

    4. Solution deployment 

    The solution can be deployed on any server that has Python and the required Python modules installed. The server can be on premises or on IBM Cloud, and it must be able to reach both QRadar and IBM Cloud.

  6. Verify QRadar Offenses on IBM Cloud Security and Compliance Center

    1. Log in to your IBM Cloud account: https://cloud.ibm.com/

    2. Go to Navigation Menu -> Security and Compliance.

    3. On the Security and Compliance menu, go to Insights.

    4. Scroll down the Security Advisor Insights dashboard. You will find a new Insights card added for QRadar.

    5. Clicking “View related findings” displays the security offenses that were detected by QRadar.

  7. Summary

    The solution implements a custom scheduler to pull the offense data from QRadar. The same solution can be implemented by setting up a scheduled task with IBM Cloud Functions.

    Sources:

    https://cloud.ibm.com/docs/security-compliance?topic=security-compliance-overview

    https://cloud.ibm.com/docs/security-advisor?topic=security-advisor-setup_custom

    https://cloud.ibm.com/apidocs/security-advisor/findings#introduction

    https://www.ibm.com/docs/en/qsip/7.4

    https://www.ibm.com/docs/en/qsip/7.4?topic=endpoints-get-siemoffenses

  8. Acknowledgements

    I would like to thank Betala Shanbhag for his valuable inputs on QRadar. Many thanks to Sivapatham Muthaiah for reviewing this recipe and providing his valuable feedback.
