IBM Security Verify and IBM QRadar Integration
Introduction
IBM® QRadar® is a Security Information and Event Management (SIEM) platform that helps security teams accurately detect and prioritise threats across the enterprise and gives them the insight needed to respond quickly and reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout the network, QRadar correlates this information and aggregates related events into single alerts, which accelerates incident analysis and remediation.
IBM Security Verify is an Identity-as-a-Service (IDaaS) platform that provides SSO, risk-based MFA and adaptive access, user lifecycle management, and identity analytics. It is a modular IAM platform that uses context about the user, device and session to decide who should be able to access what, with AI-powered, risk-based authentication. It takes an API-first approach with a guided developer experience for custom integrations, and it plugs into wider security workflows including threat management and incident response. Verify is built for the hybrid multi-cloud world.
In this paper, we would like to highlight some of the benefits of integrating these two products.
Context Setting
The IBM QRadar DSM for IBM Security Verify collects JSON events from an IBM Security Verify tenant.
With the DSM in place the two products work together: Verify's identity and access events (sign-ins, user and role changes) land in QRadar, where they can be correlated with the rest of the enterprise's log and flow data and turned into alerts on suspicious activity from user accounts.
Use Cases
- Detection of multiple user creations in a short span of time
- Malicious activity from an identity, e.g. logins from multiple locations, a device change, or a login from a known malicious system
- Risks from elevated privileges
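The detection logic behind the three use cases above, run over constructed sample events, as an added example (not code from the page or from IBM). The event layout (event_type, time in epoch milliseconds, data.username, data.result, data.geoip.country, data.devicetype, data.action, data.target, data.role, data.performedby_username) is modelled on IBM Security Verify event JSON, but the field names and the admin role names are assumptions; check them against the events you see in Log Activity before turning these into QRadar rules.

```python
"""Detection logic for the use cases above, run over constructed sample events.
Added example, not code from the page or from IBM.  Field names modelled on
Verify event JSON are assumptions; verify them against your tenant's events."""
from collections import defaultdict
import json

# Constructed sample events (not real tenant data), one JSON object per line.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"event_type":"management","time":1700000000000,"data":{"action":"user_created","target":"u1","performedby_username":"svc-prov"}}
{"event_type":"management","time":1700000060000,"data":{"action":"user_created","target":"u2","performedby_username":"svc-prov"}}
{"event_type":"management","time":1700000120000,"data":{"action":"user_created","target":"u3","performedby_username":"svc-prov"}}
{"event_type":"management","time":1700000000000,"data":{"action":"user_created","target":"u4","performedby_username":"hr-admin"}}
{"event_type":"management","time":1700007200000,"data":{"action":"user_created","target":"u5","performedby_username":"hr-admin"}}
{"event_type":"authentication","time":1700000000000,"data":{"username":"alice","result":"success","devicetype":"Chrome/Windows","geoip":{"country":"US"}}}
{"event_type":"authentication","time":1700000600000,"data":{"username":"alice","result":"success","devicetype":"Chrome/Windows","geoip":{"country":"DE"}}}
{"event_type":"authentication","time":1700000000000,"data":{"username":"bob","result":"success","devicetype":"Safari/iOS","geoip":{"country":"US"}}}
{"event_type":"authentication","time":1700001000000,"data":{"username":"bob","result":"success","devicetype":"Firefox/Linux","geoip":{"country":"US"}}}
{"event_type":"authentication","time":1700000002000,"data":{"username":"bob","result":"failure","devicetype":"curl","geoip":{"country":"DE"}}}
{"event_type":"management","time":1700000300000,"data":{"action":"role_assigned","target":"carol","role":"Administrator","performedby_username":"svc-prov"}}
""".strip().splitlines()]

ADMIN_ROLES = {"Administrator", "Help desk administrator"}  # assumed role names


def _successful_logins(events):
    """Successful authentication events in time order; failures are ignored."""
    return sorted((e for e in events if e["event_type"] == "authentication"
                   and e["data"].get("result") == "success"), key=lambda e: e["time"])


def burst_user_creations(events, window_seconds=300, threshold=3):
    """Actors who created >= threshold users inside one sliding window.
    Returns {actor: largest count seen in any window}."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_type"] == "management" and e["data"].get("action") == "user_created":
            per_actor[e["data"]["performedby_username"]].append(e["time"])
    hits = {}
    for actor, times in per_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds * 1000:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                hits[actor] = max(hits.get(actor, 0), end - start + 1)
    return hits


def multi_country_logins(events, window_seconds=3600):
    """Users with successful logins from more than one country within the window.
    Returns {username: sorted list of countries involved}."""
    per_user = defaultdict(list)
    for e in _successful_logins(events):
        per_user[e["data"]["username"]].append((e["time"], e["data"]["geoip"]["country"]))
    hits = defaultdict(set)
    for user, seq in per_user.items():
        for i, (t_i, c_i) in enumerate(seq):
            for t_j, c_j in seq[i + 1:]:
                if t_j - t_i <= window_seconds * 1000 and c_j != c_i:
                    hits[user].update((c_i, c_j))
    return {user: sorted(countries) for user, countries in hits.items()}


def device_changes(events):
    """Users whose later successful login uses a device type different from
    the first one seen for them.  Returns {username: (first device, new device)}."""
    first_seen, changed = {}, {}
    for e in _successful_logins(events):
        user, device = e["data"]["username"], e["data"].get("devicetype")
        if user not in first_seen:
            first_seen[user] = device
        elif device != first_seen[user]:
            changed[user] = (first_seen[user], device)
    return changed


def privilege_grants(events, admin_roles=ADMIN_ROLES):
    """Role assignments that confer an administrative role: (target, role, actor)."""
    return [(e["data"]["target"], e["data"]["role"], e["data"]["performedby_username"])
            for e in events
            if e["event_type"] == "management" and e["data"].get("action") == "role_assigned"
            and e["data"].get("role") in admin_roles]


def run_all(events):
    return {"burst_user_creations": burst_user_creations(events),
            "multi_country_logins": multi_country_logins(events),
            "device_changes": device_changes(events),
            "privilege_grants": privilege_grants(events)}


if __name__ == "__main__":
    for name, result in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the sample data the burst detector flags svc-prov (three users in two minutes) but not hr-admin (two users two hours apart), alice is flagged for US and DE logins ten minutes apart, bob for switching from Safari/iOS to Firefox/Linux, and carol's Administrator assignment is listed. The failed login from "curl" in DE is deliberately ignored by the location and device checks, since counting failures would let an attacker trigger alerts on any user they can name.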
Architecture
The architecture has two major components, IBM Security Verify and IBM QRadar. QRadar monitors events from its log sources and identifies malicious events; IBM Security Verify is the identity management solution that manages identities, roles and application access. QRadar connects to IBM Security Verify over the Verify REST API, using the IBM Security Verify DSM.

Initialize the setup
Step 1: Access QRadar and check whether the IBM Cloud Identity DSM RPM is installed. If it is not, the RPMs are available for download from the IBM support website (http://www.ibm.com/support).
Download and install the most recent version of the following RPMs on the QRadar Console:
- Protocol Common RPM
- IBM Security Verify Event Service Protocol RPM
- IBM Security Verify DSM RPM
RPM file name - DSM-IBMCloudIdentity-QRadar_version-build_number.noarch.rpm
Step 2: Go to Admin -> Data Sources -> Log Sources, or open QRadar Log Source Management.

Click Add to add the new log source to QRadar.

Step 3: DSM adapter installation/configuration. Set the following fields:

Log Source type        | IBM Cloud Identity Event Service
Protocol Configuration | IBM Cloud Identity Service
Log Source Identifier  | https://<your tenant>.ice.ibmcloud.com/v1.0/applications
Step 4: Add an IBM Security Verify log source on the QRadar Console.

Step 5: Select the IBM Security Verify (Cloud Identity) Service.
Step 6: Enable the log source.

Step 7: Add the Target Event Collector.


Step 8: Obtain the Client ID and Client Secret from IBM Security Verify (next section), then return to this log source to enter them.

Configure IBM Security Verify
Create an API client in IBM Security Verify so that QRadar can pull events through the Verify REST API.
Step 1: Log in to the IBM Security Verify administrative console.

Step 2: Switch to admin.

Step 3: Click Configuration.

Step 4: Click the Add API client button above the table.

Step 5: Specify the API client name and enable the API client.

Credentials are generated once the API client is saved.

Select individual accesses rather than using "select all": the adapter needs only two of the 49 accesses available in Security Verify, Manage reports and Read reports. Granting nothing beyond those keeps a leaked Client Secret from being usable for anything other than reading events.


Step 6: Save the new API client to create the API client/connector.

Step 7: To get the Client ID and Client Secret, open (edit) the API client created above:
- Scroll down to the Client ID field and click the copy-to-clipboard icon to its right
- Return to the QRadar log source configuration and paste the value into the Client ID field
- Scroll down to the Client Secret field and click the copy-to-clipboard icon to its right
- Return to the QRadar log source configuration and paste the value into the Client Secret field
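Before handing the credentials to QRadar it is worth exercising the new API client directly; the script below is an added example, not the page's or IBM's code. It performs the OAuth 2.0 client-credentials exchange (the same grant the QRadar protocol uses) against the tenant's token endpoint and then pulls one page of authentication events, which proves both the credentials and the access selection from Step 5. Assumptions: the tenant host is read from the VERIFY_TENANT environment variable; the paths /v1.0/endpoint/default/token and /v1.0/events and the query parameters follow the IBM Security Verify API reference as recalled here and should be checked against your tenant's reference; the response layout handled by parse_events() is constructed for this example.

```python
"""Added example (not the page's or IBM's code): check the Verify API client
with a client-credentials token exchange and one events call.  Endpoint paths,
query parameters and the response layout are assumptions to verify against the
tenant's API reference."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/v1.0/endpoint/default/token"  # assumed per Verify API reference
EVENTS_PATH = "/v1.0/events"                  # assumed per Verify API reference


def token_request(tenant, client_id, client_secret):
    """Client-credentials grant; the secret travels in the POST body, never in the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"https://{tenant}{TOKEN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def events_request(tenant, access_token, since_ms, until_ms, size=50):
    """GET one page of authentication events in the [since_ms, until_ms] window."""
    query = urllib.parse.urlencode({
        "event_type": "authentication", "range_type": "time",
        "from": since_ms, "to": until_ms, "size": size, "sort_order": "asc",
    })
    return urllib.request.Request(
        f"https://{tenant}{EVENTS_PATH}?{query}",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})


def parse_token(payload):
    """Return (bearer token, lifetime in seconds) from the token response body."""
    body = json.loads(payload)
    return body["access_token"], int(body.get("expires_in", 0))


def parse_events(payload):
    """Return (events, search_after) from an events response body; search_after
    is the cursor for the next page and is None on the last page (assumed layout)."""
    block = json.loads(payload).get("response", {}).get("events", {})
    return block.get("events", []), block.get("search_after")


def check_api_client(tenant, client_id, client_secret, lookback_seconds=3600):
    """Live check: one token exchange and one events call.  HTTP 401 means the
    credentials are wrong; 403 points at the access selection on the API client."""
    with urllib.request.urlopen(token_request(tenant, client_id, client_secret), timeout=15) as r:
        token, ttl = parse_token(r.read())
    now_ms = int(time.time() * 1000)
    req = events_request(tenant, token, now_ms - lookback_seconds * 1000, now_ms)
    with urllib.request.urlopen(req, timeout=15) as r:
        events, cursor = parse_events(r.read())
    return {"token_ttl": ttl, "events": len(events), "more": cursor is not None}


if __name__ == "__main__":
    try:
        cfg = [os.environ[k] for k in ("VERIFY_TENANT", "VERIFY_CLIENT_ID", "VERIFY_CLIENT_SECRET")]
    except KeyError as missing:
        sys.exit(f"set {missing} before running the live check")
    print(check_api_client(*cfg))
```

Run it with VERIFY_TENANT set to the tenant host (the same host used in the Log Source Identifier) and the two values copied in Step 7. Passing the credentials through the environment rather than on the command line keeps the Client Secret out of shell history and process listings, and the token request puts the secret in the body so it never appears in a URL or a proxy log.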
Configure IBM QRadar with the REST API
Go back to the QRadar log source (DSM) screen and enter the Client ID and Client Secret obtained from IBM Security Verify.

Confirm the protocol settings used for authentication and authorisation of the API calls: the protocol exchanges the Client ID and Client Secret for an OAuth 2.0 access token (client credentials grant) and presents that token on each request for events.

Once the log source is configured, test the configuration.


Once events start arriving, click Finish.

The new log source now appears in QRadar.
Real-time events can be checked under Log Activity.

Events are now flowing into QRadar from IBM Security Verify.

Conclusion
Events from IBM Security Verify (IAM, identity and access management) can be sent to QRadar (SIEM, security information and event management) so that identities are monitored and malicious activity is detected in one place. This is a stepping stone towards a Zero Trust architecture.
Resources
Knowledge Center URL:
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/apis.html
Supported Connectors:
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/references/r_supported_apps_and_connectors.html
QRadar DSM:
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/c_ibm_security_qradar.html
Thank You
Vandana Verma Sehgal- IBM ISL - GSI Labs
Betala Shanbag - IBM ISL - GSI Labs