Managed security service providers (MSSP) protect organizations from an ever-growing array of cybersecurity threats. MSSPs can make the difference between your company being a trusted partner and a cautionary tale; they offer essential services from security monitoring to incident response.

MSSPs must have the right tools to perform their mission-critical tasks. When you integrate the IBM Security QRadar Suite with IBM Security QRadar SIEM (security information and event management), you enhance your operational efficiency, strengthen security protocols, and guarantee robust data integrity for your clients.

This tutorial takes MSSPs through the process of integrating IBM Security QRadar Suite with IBM Security QRadar SIEM, showing you how to fully leverage the combined strengths of this advanced security setup.

You'll see a special emphasis on the newly introduced SOAR (security orchestration, automation, and response) features, which are tailored for MSSPs and are instrumental in streamlining case management, orchestration and automation, and other processes. This combination enables you to handle multiple client cases through a unified dashboard while ensuring the isolation and easy access to individual case data.

MSSPs play a major role in guiding security technology investments. To learn where that money is going, you'll explore the increasing complexity of security threats, compliance requirements, and technology as a whole. Find out how to integrate the QRadar suite and QRadar SIEM within your security operations center (SOC), manage services for your clients, and maintain stringent standards for data confidentiality, integrity, and availability.

IBM Security QRadar Suite

The IBM Security QRadar Suite consists of the following components:

SOAR
Data Explorer
Case Management
Threat Investigator
Detection and Response Center
Risk Manager

QRadar SIEM and QRadar EDR are separate products and are managed using separate consoles.

Important: In this tutorial, QRadar Suite refers to the platform previously known as CP4S, QRadar XDR, or QRadar+. Despite the update to the name, some applications and configurations might still be labeled under the older designation, CP4S. These terms all pertain to the same product, and you might encounter this previous naming convention in certain system interfaces or documentation. As you navigate through system configurations or discuss the platform with others, be aware that QRadar Suite is the updated name, while CP4S represents its previous iteration.

MSSP account hierarchy in QRadar Suite

To effectively manage the security posture for multiple clients, MSSPs must understand the hierarchical structure of accounts within the QRadar Suite. The following example illustrate a hierarchy:

System Administration Account
├── Provider Account 1
│   ├── Standard Account 1 (Client A)
│   └── Standard Account 2 (Client B)
└── Provider Account 2
    ├── Standard Account 3 (Client C)
    └── Standard Account 4 (Client D)

This hierarchy shows an MSSP root account at the top level, with two provider accounts beneath it. Each provider account then manages two standard accounts, each of which represents a different client.

alt

These example topologies are designed to provide clarity on how MSSPs can organize their accounts within QRadar Suite to maintain a clear oversight of their clients' security landscapes. Proper account and domain management is crucial for MSSPs to deliver tailored security services and maintain strong security governance across diverse client environments.

Prerequisites

The following products and versions are required to integrate QRadar SIEM with MSSP tenants and accounts.

Requirement	Product / APP
QRadar App For Escalating Offense to QRadar Suite	IBM SOAR QRadar SIEM Plugin - QRadar v7.4.1FP2+ (SIEM APP available on App Exchange)
QRadar SIEM Instance with MSSP tenants	QRadar 7.4.1 Patch 2 + (SIEM)
QRadar Suite Instance with MSSP Accounts	Cloud Pak For Security - 1.10.17

Ensure that all the required versions are correctly installed and configured for optimal integration and performance.

Steps

To integrate the QRadar SIEM and QRadar Suite in your environment, you will follow these high-level steps to install, configure, and deploy:

Install the latest SOAR App for QRadar SIEM: IBM QRadar SIEM v7.4.1FP2+ (SIEM APP available on App Exchange).
MSSP Setup on QRadar SIEM: Configure QRadar SIEM with at least two tenants for MSSP setup.
Map QRadar SIEM Offenses in Different Domains: Ensure two QRadar SIEM offenses are mapped in two distinct domains.
Configure QRadar Suite: Set up QRadar Suite version 1.10.17 with at least one provider and two standard accounts under the MSSP configuration.
Configure IBM QRadar SOAR Plug-in: Integrate QRadar SIEM v7.4.1FP2+ with the QRadar Suite using the IBM QRadar SOAR Plug-in.
Deploy and push configuration: After verifying and saving the SOAR App escalation template, perform a "full deploy" and push the configuration" in both QRadar SIEM and QRadar Suite SOAR.

Step 1: Install the latest SOAR App for QRadar SIEM

Step 2: Create two tenants in QRadar SIEM for domain mapping

After you deploy the SOAR App, you will set up tenants within QRadar SIEM. These tenants will be mapped to specific domains for effective segregation and management.

Go to the tenant management section within QRadar SIEM. This area enables you to create and manage multiple tenants.
Create the first tenant:
1. In the menu, click Add to add the tenant.
2. Enter all the required tenant details, such as name, domain information, and any specific settings relevant to this tenant.
3. Click Create and verify that the first tenant has been created successfully.
Configure the domain management:
1. In the QRadar SIEM interface, click Domain Management.
2. Add new domains and attach the appropriate log sources or log collectors.
Create the second tenant:
1. Repeat the step above to create another tenant.
2. Ensure that the details for the second tenant are distinct from the first and are appropriate for the intended domain mapping.

Step 3: Map the tenants to domains

When both tenants have been created, you need to map them to their respective domains.

alt

This step is crucial for ensuring that each tenant operates within its designated domain, facilitating better management and security

mapping tannant

After mapping, double-check to ensure that each tenant is correctly associated with its domain. This verification prevents any potential issues or mix-ups in the tenant-domain association.

tenant-domain-mapping

Note: A domain can be associated with multiple log sources, event collectors, custom properties, or even disconnected log collectors.

You've now established the foundational structure for managing multiple tenants and domains within QRadar SIEM, which is a critical aspect of MSSP operations. Next, you'll configure the QRadar Suite.

Step 4: Configure IBM Security QRadar Suite

Log in to the QRadar Suite using an account with system administration privileges.
You'll create two Provider accounts that will be used under the MSSP configuration. In the menu, click Account management and then click Create account.
Enter a name and description for the account. In the Select identity provider menu, seclect the appropriate provider.
For the account type, select the Provider radio button. When you have finished adding the account details, click Create account.
You now need to assign users to the Provider account. (Note: The account that is creating the Provider account will be assigned as a user.) From the account list, select the Provider account you just created and click Add users.
Select the Provider account and in the QRadar menu, click Account Management and then click Create account.
Enter a name, description, and identity provider for the Standard account. When you have finished adding the account details, click Create account. (Note: The account type will be Standard by default.).
Create a second Standard account using the same process. When you have finished creating your accounts, the account menu should look similar to the following image:
You can now add users to the Standard accounts. In the QRadar menu, click Account management and then click Manage users > Add user.
You are now ready to push the configuration from the Provider account to the Standard accounts. For details on how to complete this process, see Pushing configuration changes in the IBM Security documentation.

Step 5: Configure the IBM SOAR QRadar SIEM Plugin for integration with the QRadar Suite

Now, you'll configure the IBM SOAR QRadar SIEM Plugin for integrating QRadar SIEM with QRadar Suite. Note: You will replace the values in these steps with those relevant to your environment.

Navigate to Qradar Soar Plugin App Configuration to configure the app for offence escalation, similar to the following images: alt

alt

Step 6: Perform a full deploy and push configuration

You must perform a full deploy and push configuration in QRadar SIEM and CP4S SOAR after verifying and saving the SOAR App escalation template.

Step 7: Verify escalated cases in QRadar Suite

After you have escalated offenses to QRadar Suite, you can view all related cases as follows: alt

Log in to the QRadar Suite and go to the Provider account.
Click Case Management > Cases and view all cases that originated from the Standard account (that is, the tenant).

Summary

In this tutorial, you've learned how to integrate IBM Security QRadar Suite and QRadar SIEM for use by Managed Security Services Providers (MSSPs). You've seen the cybersecurity protection and response capabilities that an MSSP can take advantage of, and you should now understand how to set up your own integrated configuration.

Next steps

Check out the following resources to get more familiar IBM's MSSP-specific capabilities and the different IBM Security tools available for you.

Configuring QRadar Suite and QRadar SIEM for MSSPs

Configuring QRadar Suite and QRadar SIEM for MSSPs