Integrating ASMS with IBM QRadar

Supported Versions

The AlgoSec IBM QRadar App v1.0.1 was tested with IBM QRadar v7.2.8 and AlgoSec Security Management Suite v6.9, v6.10 and v6.11.

Installing the AlgoSec App

To Install the AlgoSec App:

  1. Download the App from IBM Security App Exchange.
  2. Install the App using the Extensions Management tool in the Admin area.
  3. Configure the AlgoSec App, by doing the following:
     1. Go to the Admin tab.
     2. Under the Plug-ins section, find AlgoSec Security Incident Response, and click AlgoSec Configuration Page.
     3. Provide the AlgoSec server IP Address, username, password, and Requestor email address.

The AlgoSec Incident Response App is now ready for use.


Viewing Business Impact and Internet Exposure Information

The AlgoSec App provides the ability to retrieve business application information and internet exposure information for a specific server. The information includes:

  • Business Application context from AlgoSec AppViz: names of affected applications, an indication of whether each application is critical, and further details about the applications, including a link to an AppViz window showing the relevant applications.
  • Network Connectivity (exposure to the Internet): AlgoSec Traffic Simulation Query results to indicate whether the server is open to the Internet.

There are two different ways to access the AlgoSec App: from an IP address in the logs or directly from the App. Accessing the App from the IP address pre-populates the server field.

To view business application and internet exposure information from the IP address:

  1. Search the logs for the desired IP address.
  2. Right-click the IP address, hover over More Options, and select Security Incident Analysis.

The Security Incident Analysis window appears.

The Business Impact area includes:

  • A list of affected applications.
  • A notification for each application indicating whether it is a part of a critical process.
  • A link to the list of affected applications in AppViz.

The Exposure to the Internet area includes:

  • A list of devices in the path between the server and the internet.
  • A notification for each device indicating whether the device allows the traffic.
  • A link to the specifics of the traffic query in AFA.

To view business application and internet exposure information directly from the App:

  1. Click on the Incident Response (AlgoSec) tab.
  2. To view business impact information, complete the Server IP address field and click Submit.

The Business Impact information includes:

  • A list of affected applications.
  • A notification for each application indicating whether it is a part of a critical process.
  • A link to the list of affected applications in AppViz.

  3. To view internet exposure information, complete the Source IP and Destination IP fields and click Check Network Connectivity.

The Exposure to the Internet information includes:

  • A list of devices in the path between the server and the internet.
  • A notification for each device indicating whether the device allows the traffic.
  • A link to the specifics of the traffic query in AFA.

Isolating a Server

You can open a FireFlow change request to isolate a risky server.

There are two different ways to access the AlgoSec App: from an IP address in the logs or directly from the App. Accessing the App from the IP address pre-populates the server field.

To isolate the server from the IP address:

  1. Search the logs for the desired IP address.
  2. Right-click the IP address, hover over More Options, and select Isolate server.

The Isolate server window opens.

  3. Complete the IP of Server to Isolate, Change Request Title, and Details fields.
  4. Click Isolate.

A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. A link to the change request appears, allowing you to track implementation progress.

To isolate a server directly from the App:

  1. Click on the Incident Response (AlgoSec) tab.
  2. Complete the IP of Server to Isolate, Change Request Title, and Details fields.
  3. Click Submit.

A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. A link to the change request appears on the page, allowing you to track implementation progress.

Customizing Default Field Values and Logic

You can optionally customize the default value of any input field, or the logic behind any of the App's functions, using the IBM QRadar SDK.

The App's functions and their input fields are listed below.

  • Business Impact: Server IP
  • Exposure to the Internet: Source IP and Destination IP
  • Isolate Server: Server IP, Change Request Title, and Details