IBM Security Verify

Recipe for Integrating QRadar and IBM Security Verify

By Vandana Verma Sehgal posted Thu January 28, 2021 02:14 AM

  

IBM Security Verify and IBM QRadar Integration


Introduction

IBM® QRadar® is a Security Information and Event Management (SIEM) product that helps security teams accurately detect and prioritise threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.

IBM Security Verify is an Identity-as-a-service (IDaaS) platform that provides SSO, risk-based MFA and adaptive access, user lifecycle management, and identity analytics. Verify delivers a modernised, modular IAM platform that leverages unparalleled context for decisions about who should be able to access what, with AI-powered, risk-based authentication. It takes a highly consumable, API-first approach with a robust, guided developer experience to fit custom needs, while integrating with comprehensive security workflows including threat management and incident response. Verify delivers smart identity for the hybrid multi-cloud world.

In this paper, we would like to highlight some of the benefits of integrating these two products.

Context Setting

The IBM QRadar DSM for IBM Security Verify collects JSON events from an IBM Security Verify service.

The two products, IBM Security Verify and QRadar, can now co-exist and speak to each other. The integration takes identity management to the next level: the alerts and malicious activities generated by access controls on user accounts can now be managed as well.

Use Cases

  • Detection of multiple user creations in a short span of time
  • Malicious activities from any identities, i.e. login from multiple locations, device change or login from a malicious system
  • Risks with elevated privileges
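The first two use cases can be expressed as sliding-window checks over the JSON events. The sketch below is an added example, not part of the original recipe and not QRadar or IBM Security Verify code; the event field names (time, type, actor, target, user, country), the thresholds and the sample events are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (one JSON object per line). Field names and values
# are assumptions for this example, not the IBM Security Verify event schema.
SAMPLE = """
{"time": 1000, "type": "user_created", "actor": "admin1", "target": "u1"}
{"time": 1060, "type": "user_created", "actor": "admin1", "target": "u2"}
{"time": 1120, "type": "user_created", "actor": "admin1", "target": "u3"}
{"time": 1000, "type": "user_created", "actor": "admin2", "target": "x1"}
{"time": 1500, "type": "user_created", "actor": "admin2", "target": "x2"}
{"time": 2000, "type": "user_created", "actor": "admin2", "target": "x3"}
{"time": 1000, "type": "login", "user": "alice", "country": "US"}
{"time": 1200, "type": "login", "user": "alice", "country": "DE"}
{"time": 1000, "type": "login", "user": "bob", "country": "IN"}
{"time": 5000, "type": "login", "user": "bob", "country": "FR"}
"""

def load(text):
    """Parse JSON lines and order them by event time (epoch seconds)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])

def creation_bursts(events, threshold=3, window=300):
    """Actors with >= threshold account creations inside any `window` seconds."""
    recent, flagged = defaultdict(list), {}
    for e in (e for e in events if e["type"] == "user_created"):
        times = recent[e["actor"]]
        times.append(e["time"])
        while times[0] <= e["time"] - window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            flagged[e["actor"]] = max(flagged.get(e["actor"], 0), len(times))
    return flagged

def multi_location_logins(events, window=600):
    """Users whose logins within `window` seconds span more than one country."""
    history, flagged = defaultdict(list), {}
    for e in (e for e in events if e["type"] == "login"):
        hist = history[e["user"]]
        hist.append((e["time"], e["country"]))
        hist[:] = [(t, c) for t, c in hist if t > e["time"] - window]
        countries = {c for _, c in hist}
        if len(countries) > 1:
            flagged.setdefault(e["user"], set()).update(countries)
    return flagged

if __name__ == "__main__":
    events = load(SAMPLE)
    print(creation_bursts(events), multi_location_logins(events))
```

In the sample, admin2 and bob stay unflagged because their events are spread further apart than the window, which is the tuning trade-off these rules carry.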

Architecture

 

The architecture includes two major components: IBM Security Verify and IBM QRadar. QRadar monitors events from different log sources and identifies the malicious events; IBM Security Verify is an identity management solution that manages identities, roles and application access. IBM QRadar is connected to IBM Security Verify via REST API by leveraging the available DSM.

 


  

Initialize the setup

Step 1: Access QRadar and check whether the Cloud Identity DSM RPM is installed. If the DSM is not installed, RPMs are available for download from the IBM support website (http://www.ibm.com/support).

 

Download and install the most recent version of the following RPMs on the QRadar Console:

  • Protocol Common RPM
  • IBM Security Verify Event Service Protocol RPM
  • IBM Security Verify DSM RPM

 

RPM file name - DSM-IBMCloudIdentity-QRadar_version-build_number.noarch.rpm

 

Step 2: Go to Admin -> Data Sources -> Log Sources, or click on QRadar Log Source Management.

Click on Add to add the new log source to QRadar.


Step 3: DSM Adapter Installation/Configuration

Log Source type: IBM Cloud Identity Event Service
Protocol Configuration: IBM Cloud Identity Service
Log Source Identifier: https://<your tenant>.ice.ibmcloud.com/v1.0/applications

 

Step 4:

 

 

Step 6: Add an IBM Security Verify log source on the QRadar Console.

 

 

Step 7 : Select the IBM Security Verify (Cloud Identity) Service


Step 8 : Enable the Log Sources


 

Step 9 : Add the Target Event Collector


 

Step 10: We need to get the Client ID and Client Secret from IBM Security Verify.

Configure IBM Security Verify

Configure your IBM Security Verify server to get the API to send events to QRadar.  

Step 1: Log in to the IBM Security Verify administrative console.



Step 2 : Switch to admin



Step 3: Click on Configuration


Step 4 : Click the Add API client button above the table



Step 5: Specify the API Name  ->  Enable the API Client

Credentials will be generated once we save the API.

Select the individual accesses the adapter needs rather than using “select all”. Of the 49 accesses available in Security Verify, the adapter requires only two (2): Manage Reports and Read Reports.

Step 6: Save the new API client to create the API/Connector.

Step 7: For the Client ID and Client Secret, open (edit) the API client you specified before.

  • Scroll down to the Client ID field and click the copy to clipboard icon to the right
  • Return to the IGI UI and paste the value into the field
  • For the Client Secret, scroll down to the Client Secret field and click the copy to clipboard icon to the right
  • Return to the IGI UI and paste the value into the field

 

Configure IBM QRadar with REST API


Go back to the QRadar DSM screen and provide the Client ID and Client Secret received from IBM Security Verify.

Provide the protocols that will be used for authentication and authorisation of API use.


Once the log source is configured, test the configuration.




Once we can see that events have started arriving, we can click on the Finish icon.

 

We can see the new log source added in QRadar.

We can check the real-time logs under Log Activity.

 

Logs have started coming to QRadar from IBM Security Verify.

 

Conclusion

Events from IBM Security Verify, the identity and access management (IAM) service, can be sent to QRadar, the security information and event management (SIEM) platform, to monitor identities and detect any malicious activity at the same time. This is a stepping stone towards building Zero Trust.

Resources

Knowledge Center URL:

https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/apis.html

Supported Connectors:

https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/references/r_supported_apps_and_connectors.html

QRadar DSM:

https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/c_ibm_security_qradar.html


Thank You
Vandana Verma Sehgal- IBM ISL - GSI Labs
Betala Shanbag - IBM ISL - GSI Labs

