Set up Your IBM QRadar Integration Instance

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

One of the most common Cortex XSOAR use cases is integrating with a SIEM, such as IBM QRadar or Splunk, and ingesting its alerts as Cortex XSOAR incidents. This tutorial installs the IBM QRadar v3 pack and configures an instance that fetches QRadar offenses as incidents.

  1. Install the IBM QRadar pack.

    1. Go to the Cortex XSOAR Marketplace.

    2. Search for IBM QRadar v3.

    3. Click the pack and click Install.

    4. Click Install again to confirm the installation.

  2. Configure the IBM QRadar instance.

    Before you configure the instance:

    • Make sure you have the URL of your IBM QRadar server and either an API key or a username and password. Use a dedicated QRadar account that has only the permissions the integration needs, and prefer a saved credential from the Cortex XSOAR credentials store over typing the secret into the instance form.

    • Define your email sender integration and the SIEM admin email address.

    1. Go to Settings > Instances.

    2. Search for IBM QRadar v3.

    3. Click Add Instance.

    4. Under Classifier, select N/A.

    5. Under Incident Type, select QRadar Generic.

      At this point we are using the generic QRadar incident type. As you become more familiar with Cortex XSOAR, you can create custom incident types as needed.

    6. Under Mapper Incoming, select QRadar - Generic Incoming Mapper.

    7. Enter the URL of your QRadar server, the username and password (or a saved credential), and the QRadar API version. Use the HTTPS address of the QRadar console.

    8. Select the Fetch mode. This parameter defines whether to fetch offenses with events.

      Options are Fetch With All Events (default), Fetch Without Events, or Fetch Correlation Events Only.

    9. Under the Maximum number of events per incident parameter, enter how many of an offense's events you want to ingest into the incident.

      Out-of-the-box, Cortex XSOAR ingests 20 events per offense. When you investigate incidents you will often see that the offense's total event count is much larger, but ingesting every event for every offense would slow down system performance. Keep the value small and raise it only if your investigations need more event context.

    10. Set the Number of offenses to pull per API call (max 50). When mirroring with events, this value is also used for the mirroring API calls, so we recommend a small value. The default is 20.

    11. In the Query to fetch offenses parameter, define which offenses to fetch.

      Before defining the query, look at your current QRadar offenses and use the ID field to start from the most recent ones, so the first fetch does not pull the entire offense history. Offense IDs increase over time, so if 483 is the ID of the fifth most recent offense, id >= 483 fetches only those five. Conditions can be combined with AND, for example "severity >= 4 AND id > 5 AND status=OPEN".

    12. Select the Incidents Enrichment. This enrichment provides additional information about IP addresses and assets that are related to the offenses you’re ingesting.

      Options are IPs And Assets (default), IPs, or None.

    13. Add or remove fields from Event fields to return from the events query.

      This parameter lists the IBM QRadar event fields that Cortex XSOAR ingests for each offense out-of-the-box. The list is written in AQL SELECT syntax.

      Caution

      This parameter is correlated to the incoming mapper and changing the values may adversely affect mapping.

    14. (Optional) Configure mirroring (for QRadar 7.3.3 Fix Pack 3 and up).

      1. Select one of the Mirroring Options. This parameter defines how mirroring from QRadar to Cortex XSOAR should be done.

        Options are No Mirroring (default), Mirror Offense, or Mirror Offense and Events.

      2. Select the Close Mirrored XSOAR Incident checkbox to close the Cortex XSOAR incident when the related offense is closed in QRadar.

      3. Set the Number of incoming incidents to mirror each time (the default is 100).

    15. Set any Advanced Parameters.

      This parameter is a comma-separated list of KEY=VALUE pairs, for example EVENTS_INTERVAL_SECS=20,FETCH_SLEEP=5. Leave it empty unless you have a specific reason to tune these values.

    16. Select the Long running instance checkbox.

      This keeps the integration running continuously, so offenses and their events are fetched and updated in the background and the incidents reflect the most up-to-date information from QRadar.

  3. Click Test on the instance to confirm that the URL and credentials work, then go to the Incidents page and verify that incidents are being ingested.
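The filter entered in step 11 decides how much of the offense history the first fetch pulls, and a malformed clause only shows up as a fetch that returns nothing. The following is an added example, not code from the tutorial or from the IBM QRadar v3 pack: it implements the query shape the page shows (field, operator, value clauses joined with AND), derives the id threshold for "the most recent 5 offenses" from a list of offenses, and runs the finished query over constructed sample offense records so you can see which IDs would be fetched before saving the parameter. The offense records are constructed, only the id, severity and status fields are modelled, and the evaluator accepts both quoted and bare string values as the page writes them; check the quoting your QRadar version expects before relying on a bare value.

```python
"""Offline sanity check for the 'Query to fetch offenses' parameter.

Added example; not code from the Cortex XSOAR page or the IBM QRadar v3 pack.
It models the filter shape shown on the page (field op value, joined with AND)
and evaluates it over constructed offense records.
"""
import re
from typing import Any, Callable

# Constructed sample offenses; only the fields the page's example query uses.
SAMPLE_OFFENSES = [
    {"id": 479, "severity": 7, "status": "CLOSED"},
    {"id": 480, "severity": 3, "status": "OPEN"},
    {"id": 481, "severity": 5, "status": "OPEN"},
    {"id": 482, "severity": 9, "status": "OPEN"},
    {"id": 483, "severity": 4, "status": "OPEN"},
    {"id": 484, "severity": 2, "status": "OPEN"},
    {"id": 485, "severity": 6, "status": "HIDDEN"},
    {"id": 486, "severity": 8, "status": "OPEN"},
    {"id": 487, "severity": 5, "status": "OPEN"},
]

_OPS: dict[str, Callable[[Any, Any], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
# Two-character operators come first so ">=" is not split into ">" and "=".
# The value must be a quoted string or a single bare token, so a stray
# character such as "severity >> 4" fails to parse instead of being accepted.
_CLAUSE = re.compile(
    r"""^\s*(\w+)\s*(>=|<=|!=|>|<|=)\s*("[^"]*"|'[^']*'|[\w.\-]+)\s*$"""
)


def _coerce(raw: str) -> Any:
    """Quoted text stays a string; a bare integer becomes an int; else a bare string."""
    if raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    return int(raw) if raw.lstrip("-").isdigit() else raw


def compile_filter(expr: str) -> Callable[[dict], bool]:
    """Turn e.g. 'severity >= 4 AND id > 5 AND status=OPEN' into a predicate.

    Malformed clauses raise ValueError here, so a typo is caught before the
    query is saved rather than surfacing later as a fetch that returns nothing.
    """
    clauses = []
    for part in re.split(r"\s+AND\s+", expr.strip(), flags=re.IGNORECASE):
        match = _CLAUSE.match(part)
        if not match:
            raise ValueError(f"unparseable clause: {part!r}")
        field, op, raw = match.groups()
        clauses.append((field, _OPS[op], _coerce(raw)))

    def predicate(offense: dict) -> bool:
        for field, op, value in clauses:
            if field not in offense:
                return False
            try:
                if not op(offense[field], value):
                    return False
            except TypeError as exc:  # e.g. comparing status (a string) with a number
                raise ValueError(f"type mismatch on field {field!r}") from exc
        return True

    return predicate


def filter_is_valid(expr: str) -> bool:
    """True when every clause parses; use this before pasting a query into the instance."""
    try:
        compile_filter(expr)
    except ValueError:
        return False
    return True


def select_offenses(offenses: list[dict], expr: str) -> list[int]:
    """IDs of the offenses the query would fetch, in ascending order."""
    matches = compile_filter(expr)
    return sorted(o["id"] for o in offenses if matches(o))


def starting_id_for_most_recent(offenses: list[dict], n: int) -> int:
    """Offense IDs increase monotonically, so the n-th highest id is the
    threshold: 'id >= <that id>' fetches exactly the n most recent offenses."""
    ids = sorted((o["id"] for o in offenses), reverse=True)
    if not 1 <= n <= len(ids):
        raise ValueError(f"n must be between 1 and {len(ids)}")
    return ids[n - 1]


def build_fetch_query(min_id: int, min_severity: int = 4, status: str = "OPEN") -> str:
    """Assemble the query in the form the page uses for this parameter."""
    return f"severity >= {min_severity} AND id >= {min_id} AND status={status}"


if __name__ == "__main__":
    start = starting_id_for_most_recent(SAMPLE_OFFENSES, 5)
    query = build_fetch_query(start)
    print("query:", query)
    print("would fetch offense IDs:", select_offenses(SAMPLE_OFFENSES, query))
```

Run the script as-is to see the query built from the fifth most recent sample offense and the IDs it selects; to check a query of your own, replace SAMPLE_OFFENSES with the id, severity and status of the offenses currently listed in your QRadar console and call select_offenses with the text you intend to paste into the instance.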