IBM QRadar
To create an IBM QRadar alert channel, follow the steps in the sections below.
Set Up a Device Support Module in QRadar
This section discusses creating and configuring a log source type with the HttpReceiver protocol in a Device Support Module (DSM). Lacework then uses it to post messages to the QRadar server.
The process consists of the following steps:
- Create the Lacework log source type
- Configure the Lacework log source type
Prerequisites
IBM QRadar latest update
The latest update includes a required fixpack related to HttpReceiver:
PROTOCOL-HTTPReceiver-7.4-20200528133828.noarch.rpm
If you need to install the fixpack, run the following:
yum -y install PROTOCOL-HTTPReceiver-7.4-20200528133828.noarch.rpm
Create the Lacework Log Source Type
- Log in to QRadar.
- From the Admin console, under the Data Sources section, click DSM Editor.
- Click Create New.
- Name the log source Lacework and click Save.
Configure the Lacework Log Source Type
- In the Admin console left pane, navigate to Apps > QRadar Log Source Management.
- Click QRadar Log Source Management.
This allows you to configure your new (Lacework) log source type.
- Click New Log Source.
- Click Single Log Source.
- Select the name you gave to your new log source and click Step 2: Select Protocol Type.
- Select HTTP Receiver as the protocol type.
- Click Step 3: Configure Log Source Parameters.
- Configure the following log source parameters:
- Name
- Target Event Collector: Keep the default or enter your own value.
- Click Step 4: Configure Protocol Parameters.
- Configure the following protocol parameters:
- Log Source Identifier: Enter a unique value.
- Communication Type: Select HTTPS.
- Listen Port: Enter a port of your choice.
Copy this port number for use when creating the alert channel in Lacework.
- Message Pattern: Ensure this is empty.
This results in IBM QRadar receiving one event per REST call.
- Use As a Gateway Log Source: Ensure this is disabled.
- Click Step 5: Test Protocol Parameters.
Running the test is optional. Skip the test or wait until it is done and click Finish.
- On the Admin page, click Deploy Changes.
IBM QRadar configuration is complete.
Create an IBM QRadar Alert Channel from the Lacework Console
Navigate to IBM QRadar
- Log in to the Lacework Console as a Lacework user with administrative privileges.
- Go to Settings > Notifications > Alert Channels.
- Click + Add new.
- Select IBM QRadar.
- Click Next.
- Follow the steps in the next section.
Create an IBM QRadar Alert Channel
Ensure you have set up a device support module in QRadar as described in Set Up a Device Support Module in QRadar. Then complete the following steps:
- Name the alert channel.
- For Communication Type, select HTTPS or HTTPS Self Signed Cert.
- For QRadar Host Url, enter the domain name or IP address of QRadar.
- For QRadar Host Port, enter the listen port defined in QRadar.
- Click Save.
- Click Alert rules and configure the alert routing options using the alert channel you created.
You should now begin to receive Lacework alert notifications in QRadar.
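Before saving the channel, it helps to confirm that the QRadar listen port answers over TLS with the Communication Type you intend to select. The following pre-flight check is an added example, not Lacework's or IBM's code; it assumes the HttpReceiver accepts a JSON POST on any path (it uses `/`) and one body per request, and the host, port and event content are constructed placeholders.

```python
"""Pre-flight check for a QRadar HttpReceiver listener before saving the Lacework alert channel.

Assumed: the listener accepts an HTTPS POST on any path (we use "/") with one JSON body per
request, matching the empty Message Pattern setting. Host, port and event are placeholders.
"""
import json
import socket
import ssl

# The two communication types offered in the Lacework console.
COMMUNICATION_TYPES = ("HTTPS", "HTTPS Self Signed Cert")


def make_ssl_context(communication_type, ca_file=None):
    """Build a TLS context that mirrors the channel's Communication Type setting.

    "HTTPS" verifies the QRadar certificate against the system CAs (or ca_file);
    "HTTPS Self Signed Cert" skips chain and hostname verification, which is what
    the self-signed option implies, so keep that listener on a trusted network path.
    """
    if communication_type not in COMMUNICATION_TYPES:
        raise ValueError(f"unknown communication type: {communication_type!r}")
    ctx = ssl.create_default_context(cafile=ca_file)
    if communication_type == "HTTPS Self Signed Cert":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_event_request(host, event):
    """Serialize one alert as a single HTTP/1.1 POST: one event per REST call."""
    body = json.dumps(event).encode()
    headers = (
        f"POST / HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n"
    )
    return headers.encode() + body


def probe_http_receiver(host, port, communication_type, timeout=5.0):
    """Send one constructed test event and return the HTTP status code QRadar answers with."""
    ctx = make_ssl_context(communication_type)
    event = {"source": "lacework-preflight", "severity": "Info", "message": "test event"}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_event_request(host, event))
            status_line = tls.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


if __name__ == "__main__":
    # Placeholder host/port: use the QRadar host and the Listen Port chosen in Step 4.
    print(probe_http_receiver("qradar.example.internal", 4000, "HTTPS Self Signed Cert"))
```

A TLS handshake failure here with "HTTPS" usually means QRadar is presenting a self-signed certificate, which is the case the HTTPS Self Signed Cert option exists for.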
Create a Lacework IBM QRadar Alert Channel Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.
# Configure IBM QRadar Alert Channel in Lacework
resource "lacework_alert_channel_qradar" "example" {
name = "IBM QRadar Channel Alert Example"
host_url = "https://qradar-lacework.com"
host_port = 4000
communication_type = "HTTPS"
}
Additional information on the lacework_alert_channel_qradar resource can be found on the Terraform Registry.