IBM Security Cloud Pak for Security

 View Only

Configure MSSP between IBM Cloud Pak for Security and IBM QRadar

By Anuj Shrivastava posted Tue September 13, 2022 08:32 AM

  
IBM Cloud Pak for Security is an open security platform that connects to your existing data sources to generate deeper insights and enables you to act faster with automation. Now introducing The SOAR for Managed Security Service Providers (MSSP) Feature enhancements in Case Management and Orchestration & Automation which provides the ability to manage multiple customers' cases from a single dashboard. Customer case data is stored separately but can be accessed and viewed from one dashboard.

More than half of security technology purchases are influenced by MSSPs, led by a widening skills gap and triggered by more advanced attacks, tougher compliance requirements, and a need to innovate quickly. In a complex environment, more MSPs are partnering to take advantage of that opportunity. here we will see how & the intent of this blog is to showcase how you can integrate QRadar & CP4S in an MSSP SOC to offer services to multiple clients and at the same time ensure confidentiality, integrity, and availability.


NOTE: Please use the same version of Products & apps to get similar results.

Version CheckList:
Requirement Product/ APP version
QRadar Instance with MSSP tenants  QRadar 7.4.1 Patch 2 + (SIEM) QRadar 7.4.1 Patch 2 +
QRadar App For Escalating Offense to CP4S

IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ (SIEM APP available on App Exchange)

 4.0.7
CP4S Instance with MSSP Accounts Cloud Pak For Security - 1.10.3

1.10.3


Here are some steps which should be on your checklist to replicate the same in your environment.

  1. Install the Latest version of the SOAR App for QRadar - IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ (SIEM APP available on App Exchange)
  2. MSSP Setup on QRadar with at least 2 Tenants.
  3. 2 QRadar Offense mapped in 2 different domains.
  4. CP4S version 1.10.3 with at least 1 Provider & 2 Standard accounts under MSSP configuration.
  5. Configure IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ for integrating QRadar with CP4S
  6. Remember to do a full deploy & push configuration in QRadar & CP4S SOAR after verifying & saving the SOAR App escalation template.

Detailed step-by-step Procedure:

  1. Install the Latest version of the SOAR App for QRadar - IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ (SIEM APP available on App Exchange)

    1. Generate auth Token for SOAR App and Perform full deploy
    2. create token without expiry
    3. Download & install the App from AppExchange IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ or install it from QRadar assistant.  

  2. MSSP Setup on QRadar with at least 2 Tenants.

    1. Go to Domain Management > add new domains & attach appropriate LogSources or LogCollector
    2. Now Create two tenants to map them with the domain.  

  3. Two different QRadar Offense mapped in 2 different domains.

    1. If different Log Sources are attached to two different Domains, the offense will appear in different domains automatically as soon as the Co-Relation-Rules triggers. I have used the Experience center app on QRadar to generate dummy logs and offenses, so they can be escalated for demo purposes.
    2. Go to Domain Management > add new domains & attach appropriate LogSources or LogCollector
    3. Now Create two tenants to map them with the domain.  
      Note: A domain can be equipped with multiple Log sources, Event Collectors, Custom Properties, or even disconnected Log Collectors also.

  4. CP4S version 1.10.3 with at least 1 Provider & 2 Standard accounts under MSSP configuration.

      1. Login to CP4S using an Account that has System Administration Privileges and creates two Providers account.
      2. Now assign users to the Provider account, [Account which is creating the Prover account will be assigned as a user ].
      3. Now switch to Provider accounts and create Standard Accounts
         After All, accounts are created, Account Menu will look like this:
         
        After creating Standard Account > Add some users with desired access.

      4. Push the configuration from the Provider account to the Standard accounts, as described in Pushing configuration changes.
          Note: consider below example topologies to understand the MSSP account hierarchy

  5. Configure IBM SOAR QRadar Plugin - QRadar v7.4.1FP2+ for integrating QRadar with CP4S

    1. QRadar Destination Name: <your Desired Name>
    2. Authorized Service Token: <Token generated from QRadar for this APP>
    3. SOAR Server URL:  <https://cp4s.example-0000.us-south.containers.appdomain.cloud>
    4. CP4S mode: <Enable this checkbox>
    5. CP4S Connection Parameters 
      1. REST URL:  <cases-rest.cp4s.test-example-0000.us-south.containers.appdomain.cloud>
      2. STOMP Host: <cases-stomp.cp4s.test-example-0000.us-south.containers.appdomain.cloud>
      3. STOMP Port: 443 
    6. Authentication method: Select API key > go to Provider Account >click on Menu > Application settings > Permission & Access  
      1. API Key ID: <api-key-id>
      2. API Key Secret: <api-key-id>
    7. Multiple Organization Support: <enable this checkbox>
    8. Configuration Organization Name: <UUID of Provider Account>
    9. SOAR Timeout (seconds): <Leave it to default as 30 sec>
    10. Connect securely: <Uncheck/Don't Select this box>
    11. Enable Configuring SOAR: <Enable this checkbox>
    12. Need to configure a proxy? <Uncheck/Don't Select this box, unless you have a Proxy setup in your environment>
    13. Verify & configure the configuration then  Save save.

  6. Remember to do a full deploy & push configuration in QRadar & CP4S SOAR after verifying & saving the SOAR App escalation template.

    End Result verification: 

    After escalating two offenses to CP4S:


    Go To Provider Account > Case Management - here you should be able to see  all Cases from Standard Org(Tenant)

    In this blog, I have listed the possible approach with the CP4S MSSP using QRadar & cp4s SOAR capability integration. GSI Ecosystem Lab Security team is actively developing more such use cases and deep dive demonstrations.

    Find the below documentation links:- 

    CP4S MSSP Documentation  
    App Exchange

    If you have any questions regarding any of the points mentioned above or want to discuss this further, feel free to get in touch.

    Anuj Shrivastava : @Anuj Shrivastava - ashrivastava@in.ibm.com

    Betala R. Shanbhag : @Betala Shanbhag - beshanb1@in.ibm.com





0 comments
32 views

Permalink