Tutorial
Configuring QRadar Suite and QRadar SIEM for MSSPs
A guide for managed security service providers on setting up IBM Security tools
Managed security service providers (MSSP) protect organizations from an ever-growing array of cybersecurity threats. MSSPs can make the difference between your company being a trusted partner and a cautionary tale; they offer essential services from security monitoring to incident response.
MSSPs must have the right tools to perform their mission-critical tasks. When you integrate the IBM Security QRadar Suite with IBM Security QRadar SIEM (security information and event management), you enhance your operational efficiency, strengthen security protocols, and guarantee robust data integrity for your clients.
This tutorial takes MSSPs through the process of integrating IBM Security QRadar Suite with IBM Security QRadar SIEM, showing you how to fully leverage the combined strengths of this advanced security setup.
You'll see a special emphasis on the newly introduced SOAR (security orchestration, automation, and response) features, which are tailored for MSSPs and are instrumental in streamlining case management, orchestration and automation, and other processes. This combination enables you to handle multiple client cases through a unified dashboard while ensuring the isolation and easy access to individual case data.
MSSPs play a major role in guiding security technology investments. To learn where that money is going, you'll explore the increasing complexity of security threats, compliance requirements, and technology as a whole. Find out how to integrate the QRadar suite and QRadar SIEM within your security operations center (SOC), manage services for your clients, and maintain stringent standards for data confidentiality, integrity, and availability.
IBM Security QRadar Suite
The IBM Security QRadar Suite consists of the following components:
- SOAR
- Data Explorer
- Case Management
- Threat Investigator
- Detection and Response Center
- Risk Manager
QRadar SIEM and QRadar EDR are separate products and are managed using separate consoles.
Important: In this tutorial, QRadar Suite refers to the platform previously known as CP4S, QRadar XDR, or QRadar+. Despite the update to the name, some applications and configurations might still be labeled under the older designation, CP4S. These terms all pertain to the same product, and you might encounter this previous naming convention in certain system interfaces or documentation. As you navigate through system configurations or discuss the platform with others, be aware that QRadar Suite is the updated name, while CP4S represents its previous iteration.
MSSP account hierarchy in QRadar Suite
To effectively manage the security posture for multiple clients, MSSPs must understand the hierarchical structure of accounts within the QRadar Suite. The following example illustrates such a hierarchy:
```text
System Administration Account
├── Provider Account 1
│   ├── Standard Account 1 (Client A)
│   └── Standard Account 2 (Client B)
└── Provider Account 2
    ├── Standard Account 3 (Client C)
    └── Standard Account 4 (Client D)
```
This hierarchy shows an MSSP root account at the top level, with two provider accounts beneath it. Each provider account then manages two standard accounts, each of which represents a different client.
This example topology shows how MSSPs can organize their accounts within QRadar Suite to maintain clear oversight of their clients' security landscapes. Proper account and domain management is crucial for MSSPs to deliver tailored security services and maintain strong security governance across diverse client environments.
Prerequisites
The following products and versions are required to integrate QRadar SIEM with MSSP tenants and accounts.
| Requirement | Product / App |
|---|---|
| QRadar app for escalating offenses to QRadar Suite | IBM SOAR QRadar SIEM Plugin - QRadar v7.4.1FP2+ (SIEM app available on App Exchange) |
| QRadar SIEM instance with MSSP tenants | QRadar 7.4.1 Patch 2+ (SIEM) |
| QRadar Suite instance with MSSP accounts | Cloud Pak for Security 1.10.17 |
Ensure that all the required versions are correctly installed and configured for optimal integration and performance.
Steps
To integrate the QRadar SIEM and QRadar Suite in your environment, you will follow these high-level steps to install, configure, and deploy:
- Install the latest SOAR App for QRadar SIEM: IBM QRadar SIEM v7.4.1FP2+ (SIEM APP available on App Exchange).
- MSSP Setup on QRadar SIEM: Configure QRadar SIEM with at least two tenants for MSSP setup.
- Map QRadar SIEM Offenses in Different Domains: Ensure two QRadar SIEM offenses are mapped in two distinct domains.
- Configure QRadar Suite: Set up QRadar Suite version 1.10.17 with at least one provider and two standard accounts under the MSSP configuration.
- Configure IBM QRadar SOAR Plug-in: Integrate QRadar SIEM v7.4.1FP2+ with the QRadar Suite using the IBM QRadar SOAR Plug-in.
- Deploy and push configuration: After verifying and saving the SOAR App escalation template, perform a full deploy and push the configuration in both QRadar SIEM and QRadar Suite SOAR.
Step 1: Install the latest SOAR App for QRadar SIEM
- Go to the IBM Security App Exchange and install the IBM SOAR QRadar SIEM Plugin - QRadar SIEM v7.4.1FP2+ SIEM App.
- Generate an authentication token:
- Navigate to Authorized Services and generate an authentication token. This token is crucial for secure communication between the SOAR App and QRadar SIEM.
- Follow the on-screen instructions to generate the token without expiry. Be sure to store a copy of the token securely as it will be required for subsequent steps.
- Perform the full deployment:
- After obtaining the authentication token, access the deployment section within the SIEM.
- Initiate a full deployment. This process might take some time, depending on your environment and system resources.
- Monitor the deployment process to ensure it completes successfully. Note and address any issues.
Step 2: Create two tenants in QRadar SIEM for domain mapping
After you deploy the SOAR App, you will set up tenants within QRadar SIEM. These tenants will be mapped to specific domains for effective segregation and management.
- Go to the tenant management section within QRadar SIEM. This area enables you to create and manage multiple tenants.
- Create the first tenant:
- In the menu, click Add to add the tenant.
- Enter all the required tenant details, such as name, domain information, and any specific settings relevant to this tenant.
- Click Create and verify that the first tenant has been created successfully.
- Configure the domain management:
- In the QRadar SIEM interface, click Domain Management.
- Add new domains and attach the appropriate log sources or log collectors.
- Create the second tenant:
- Repeat the step above to create another tenant.
- Ensure that the details for the second tenant are distinct from the first and are appropriate for the intended domain mapping.
Step 3: Map the tenants to domains
When both tenants have been created, you need to map them to their respective domains.
This step is crucial for ensuring that each tenant operates within its designated domain, which facilitates better management and security.
After mapping, double-check to ensure that each tenant is correctly associated with its domain. This verification prevents any potential issues or mix-ups in the tenant-domain association.
Note: A domain can be associated with multiple log sources, event collectors, custom properties, or even disconnected log collectors.
You've now established the foundational structure for managing multiple tenants and domains within QRadar SIEM, which is a critical aspect of MSSP operations. Next, you'll configure the QRadar Suite.
Step 4: Configure IBM Security QRadar Suite
- Log in to the QRadar Suite using an account with system administration privileges.
- You'll create two Provider accounts that will be used under the MSSP configuration. In the menu, click Account management and then click Create account.
- Enter a name and description for the account. In the Select identity provider menu, select the appropriate provider.
- For the account type, select the Provider radio button. When you have finished adding the account details, click Create account.
- You now need to assign users to the Provider account. (Note: The account that is creating the Provider account will be assigned as a user.) From the account list, select the Provider account you just created and click Add users.
- Select the Provider account and in the QRadar menu, click Account Management and then click Create account.
- Enter a name, description, and identity provider for the Standard account. When you have finished adding the account details, click Create account. (Note: The account type will be Standard by default.)
- Create a second Standard account using the same process. When you have finished creating your accounts, the account menu should look similar to the following image:
You can now add users to the Standard accounts. In the QRadar menu, click Account management and then click Manage users > Add user.
You are now ready to push the configuration from the Provider account to the Standard accounts. For details on how to complete this process, see Pushing configuration changes in the IBM Security documentation.
Step 5: Configure the IBM SOAR QRadar SIEM Plugin for integration with the QRadar Suite
Now, you'll configure the IBM SOAR QRadar SIEM Plugin for integrating QRadar SIEM with QRadar Suite. Note: You will replace the values in these steps with those relevant to your environment.
Navigate to the QRadar SOAR Plugin App Configuration to configure the app for offense escalation, similar to the following images:
- Enter your desired name for the QRadar SIEM destination.
- Enter the token generated from QRadar SIEM for this app. This is the token you saved earlier.
- Enter your SOAR server URL. For example:
https://cp4s.example-0000.us-south.containers.appdomain.cloud
- Select the appropriate checkbox to activate CP4S mode (or, in current terminology, QRadar Suite MSSP mode).
- Add the CP4S (QRadar Suite) connection parameters:
  - REST URL: For example, cases-rest.cp4s.test-example-0000.us-south.containers.appdomain.cloud.
  - STOMP Host: For example, cases-stomp.cp4s.test-example-0000.us-south.containers.appdomain.cloud.
  - STOMP Port: Use port 443.
- Before you can add the API key and secret, you need to generate them:
- Click the hamburger menu at the top left of the screen.
- Click Case Management > Permission and Access.
- From the Users tab, click API Keys and then click the Create API Key button.
- Enter a display name and select all permissions for Provider and Standard accounts.
- Click Create. Generate the token and then copy and save both the API Key ID and API Key Secret. They will be required during the configuration of the IBM SOAR QRadar Plugin app, as shown in the following image:
- When you have copied the credentials, click OK.
- In the Administrator Settings page, go to Organization and note the organization name. You will need this name to complete the configuration of the IBM SOAR QRadar Plugin app.
- Select the checkbox to support multiple organizations.
- Go to the hamburger menu and click Account Management.
- Enter the Name of the Provider account.
- Leave the SOAR Timeout (seconds) field as the default setting of 30 seconds.
- Select the Connect Securely checkbox only if you require a secure connection.
- Select the Enable Configuring SOAR checkbox.
- Leave the Proxy Configuration checkbox deselected unless you have a proxy setup.
- Verify all the configuration settings and click Save.
- You now need to map QRadar SIEM domains to SOAR organizations. Note: This is a crucial step to ensure efficient incident management and streamlined operational processing. This IBM X-Force Exchange guide provides the steps to establish the mapping.
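The domain-to-organization mapping is where per-client isolation is decided, so it is worth checking before the full deploy. The following is an added illustration, not part of the IBM SOAR QRadar Plugin: it models the tutorial's hierarchy (tenants and their domains on the QRadar SIEM side, Standard accounts under a Provider on the QRadar Suite side) with constructed sample data and flags a domain that is unmapped, a domain mapped outside the Provider, or two tenants whose domains land in the same Standard account.

```python
"""Sanity-check a QRadar SIEM domain -> SOAR organization mapping for MSSP mode.

Illustrative example, not the plugin's own code. The mapping itself is
configured in the plugin UI; this script only models the configuration
so that isolation mistakes are caught before "full deploy".
"""
from collections import defaultdict

# Constructed sample data modelled on the tutorial's account hierarchy.
# QRadar SIEM side: tenant -> domains attached to that tenant.
TENANTS = {
    "Client A": ["clientA-prod", "clientA-dr"],
    "Client B": ["clientB-prod"],
}
# QRadar Suite side: Standard account (SOAR organization) -> parent Provider account.
STANDARD_ACCOUNTS = {"Client A": "Provider 1", "Client B": "Provider 1", "Client C": "Provider 2"}
# A correct mapping: every domain of a tenant goes to that tenant's own Standard account.
GOOD_MAPPING = {"clientA-prod": "Client A", "clientA-dr": "Client A", "clientB-prod": "Client B"}


def check_domain_mapping(tenants, standard_accounts, mapping, provider):
    """Return a list of problems in mapping (domain -> organization) for the given Provider."""
    problems = []
    org_to_tenants = defaultdict(set)  # which tenants feed cases into each organization
    for tenant, domains in tenants.items():
        for domain in domains:
            org = mapping.get(domain)
            if org is None:
                # Offenses from an unmapped domain cannot be escalated to the right case.
                problems.append(f"domain '{domain}' (tenant {tenant}) is not mapped")
                continue
            if standard_accounts.get(org) != provider:
                # Cases would leave the Provider's account tree entirely.
                problems.append(f"domain '{domain}' maps to '{org}', not a Standard account under {provider}")
            org_to_tenants[org].add(tenant)
    for org, owners in org_to_tenants.items():
        if len(owners) > 1:
            # Two clients' offenses would become visible in one Standard account.
            problems.append(f"organization '{org}' receives cases from several tenants: {sorted(owners)}")
    return problems


if __name__ == "__main__":
    for problem in check_domain_mapping(TENANTS, STANDARD_ACCOUNTS, GOOD_MAPPING, "Provider 1"):
        print("PROBLEM:", problem)
    print("check complete")
```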
Step 6: Perform a full deploy and push configuration
You must perform a full deploy and push configuration in QRadar SIEM and CP4S SOAR after verifying and saving the SOAR App escalation template.
Step 7: Verify escalated cases in QRadar Suite
After you have escalated offenses to QRadar Suite, you can view all related cases as follows:
- Log in to the QRadar Suite and go to the Provider account.
- Click Case Management > Cases and view all cases that originated from the Standard account (that is, the tenant).
Summary
In this tutorial, you've learned how to integrate IBM Security QRadar Suite and QRadar SIEM for use by Managed Security Services Providers (MSSPs). You've seen the cybersecurity protection and response capabilities that an MSSP can take advantage of, and you should now understand how to set up your own integrated configuration.
Next steps
Check out the following resources to get more familiar with IBM's MSSP-specific capabilities and the different IBM Security tools available to you.