Getting started with TAP
IBM's Tech Alliance Program (TAP) is designed to help business partners build QRadar applications that integrate their security products with QRadar SIEM. To get started with building a QRadar app, contact the TAP team at IBMSecurityAlliances@wwpdl.vnet.ibm.com. The TAP team will give you access to the QRadar ISO, which you can use to build a QRadar SIEM locally on a VM. A 12-month license can also be requested, so that you have ample time to develop the application.
Fetching data
Once QRadar is set up, the next phase is to use a protocol on QRadar to fetch data from the endpoint. We strongly suggest that you use the Universal REST API Protocol (UREST Protocol) to fetch the data. Information on UREST is available at the following links.
UREST Protocol documentation
UREST Protocol Github Examples
Parsing data using DSM Editor
When you use UREST, the events are received in JSON format. Use the DSM Editor to parse the events. More information on the DSM Editor:
DSM Editor Documentation
Implementing security use cases
For the integration, you may have a few security use cases that you would like to implement. Once events are received, you may create QRadar Rules that map to these security use cases. There are other QRadar features, such as Reference Data, Saved Searches and Reports, that you may use as well.
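To make the parsing and rule steps concrete, here is an added Python example (not IBM's code and not part of the DSM Editor or the QRadar rule engine). It takes a few constructed JSON events of the kind a UREST log source would deliver, extracts normalized properties with keypath expressions written in a DSM Editor-like JSON keypath style (the exact syntax is assumed here, so check it against the DSM Editor documentation), tolerates missing fields and unparseable payloads, and then counts failed logins per source IP, which is the shape of a simple detection rule built on the parsed properties. All event data, field names and the FIELD_MAP are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not vendor data), as a UREST workflow might post them.
SAMPLE_EVENTS = [
    '{"id": "ev-1001", "type": "login_failed", "timestamp": "2024-03-01T10:15:00Z", '
    '"src": {"ip": "203.0.113.10"}, "user": {"name": "alice"}, "severity": 6}',
    '{"id": "ev-1002", "type": "login_success", "timestamp": "2024-03-01T10:16:30Z", '
    '"src": {"ip": "198.51.100.7"}, "user": {"name": "bob"}, "severity": 2}',
    # No "user" object at all: the Username property must come back as None, not crash.
    '{"id": "ev-1003", "type": "login_failed", "timestamp": "2024-03-01T10:17:05Z", '
    '"src": {"ip": "203.0.113.10"}, "severity": 6}',
]

# Normalized property -> keypath. The /"key"/"nested"/0 style is assumed to mirror
# the DSM Editor's JSON keypath expressions; the property names are illustrative.
FIELD_MAP = {
    "EventID": '/"type"',
    "SourceIP": '/"src"/"ip"',
    "Username": '/"user"/"name"',
    "Severity": '/"severity"',
    "EventTime": '/"timestamp"',
}

_TOKEN = re.compile(r'/"([^"]*)"|/(\d+)')


def parse_keypath(expr):
    """Split a keypath such as /"a"/"b"/0 into a list of object keys and array indices."""
    if not expr.startswith("/"):
        raise ValueError("keypath must start with /")
    tokens, pos = [], 0
    for m in _TOKEN.finditer(expr):
        if m.start() != pos:  # gap between tokens means the expression is malformed
            raise ValueError("malformed keypath: %r" % expr)
        tokens.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    if pos != len(expr):
        raise ValueError("malformed keypath: %r" % expr)
    return tokens


def extract(event, expr):
    """Walk the parsed event along the keypath; return None if any step is missing."""
    node = event
    for tok in parse_keypath(expr):
        if isinstance(tok, int):
            if not isinstance(node, list) or tok >= len(node):
                return None
            node = node[tok]
        else:
            if not isinstance(node, dict) or tok not in node:
                return None
            node = node[tok]
    return node


def normalize(raw):
    """Apply FIELD_MAP to one raw payload; unparseable JSON is flagged rather than dropped."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return {"parsed": False, "raw": raw}
    out = {name: extract(event, path) for name, path in FIELD_MAP.items()}
    if isinstance(out["EventTime"], str):
        try:  # keep the original string if the vendor format is not the expected one
            out["EventTime"] = datetime.strptime(
                out["EventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    out["parsed"] = True
    return out


def failed_logins_by_source(raws):
    """Count login_failed events per source IP, the core of a brute-force style rule."""
    counts = {}
    for raw in raws:
        ev = normalize(raw)
        if ev["parsed"] and ev["EventID"] == "login_failed" and ev["SourceIP"]:
            counts[ev["SourceIP"]] = counts.get(ev["SourceIP"], 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(normalize(raw))
    print(failed_logins_by_source(SAMPLE_EVENTS))
```

The point of the missing-field and bad-JSON branches is that a log source parser must never stop on one malformed event; in QRadar the equivalent outcome is an event that is stored but unparsed, which you can spot and fix in the DSM Editor before writing rules against the property.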
Packaging the customization in App
You may then export the customisation (parsing logic, rules, searches, reports, etc.) using the Content Management Tool (CMT) or via the API.
IBM also provides a Software Development Kit (SDK) so that you can write further code to work with the data available on QRadar. There is detailed documentation on how to use the SDK and set up the environment.
QRadar App Framework SDK
The custom code, along with the customisation export, can be packaged as a zip file. You may run the application through the Pre-validation app available on the IBM Exchange Portal. This gives you feedback on the developed app so that changes can be made before submission.
Submit the App
The zip file, along with sample data, can then be submitted to the IBM Exchange Portal. The validation team will check the developed app and provide feedback if necessary. The app finally goes through the Secure Coding team, which checks it for vulnerabilities. Once the app has cleared the security review, it will be published on the IBM Exchange Portal.
Below are a few important points to note:
- Do NOT use QRadar Community Edition for developing QRadar apps. A free QRadar Enterprise ISO will be made available.
- Get in touch with the TAP team before planning the development of the app or integration. Email IBMSecurityAlliances@wwpdl.vnet.ibm.com.