Hi Abu Mussa,
To integrate any solution (where you require this solution to open incidents directly on SOAR), there are three options:
1 - The solution has an application on IBM App Exchange, and that app has a poller functionality (where it is constantly checking the solution for new alerts/events), like the QRadar app and Splunk app. (I couldn't check for you as you haven't mentioned which Trend Micro solution you are using; there are 10+ Trend Micro apps on the App Exchange.)
2 - Using email integration: your solution will send an email to SOAR, and SOAR will process and parse that email and open an incident from it.
3 - Using custom integration: you will write a script that checks for new alerts/events from your solution and uses the SOAR REST API to create incidents based on that.
------------------------------
Mohamad islam hamadieh
------------------------------
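As an added illustration of option 3 (not code from this thread, from IBM, or from Trend Micro), here is a minimal custom poller in Python. It reads a batch of alerts, skips any it has already turned into an incident, maps each one into a SOAR incident payload that carries `incident_type_ids` and `severity_code` (the fields a playbook condition can key on, which is what replaces the SIEM plugin template in the original question), and hands the payload to a sender that posts it to the SOAR REST endpoint `POST /rest/orgs/{org_id}/incidents` using an API key id/secret as HTTP Basic credentials. The alert format, the numeric incident type ids, the severity codes and the SOAR host/org values are assumptions and placeholders; the sample alerts are constructed.

```python
"""Minimal custom-integration poller for IBM SOAR (added example, not the thread's code).

Assumptions (replace with values from your own environment):
- Alerts arrive as dicts with id, title, host, category, severity, detected_at.
- Incident type ids and severity codes match your SOAR organization's settings.
- SOAR API keys are sent as HTTP Basic credentials (key id : key secret).
"""
import base64
import json
import urllib.request

# Constructed sample alerts standing in for a product API response. The third
# entry repeats the first id, as a real poll window often does.
SAMPLE_ALERTS = [
    {"id": "tm-1001", "title": "Malware detected", "host": "host-a",
     "category": "Malware", "severity": "high", "detected_at": 1735045560},
    {"id": "tm-1002", "title": "Policy change", "host": "host-b",
     "category": "Policy", "severity": "low", "detected_at": 1735045620},
    {"id": "tm-1001", "title": "Malware detected", "host": "host-a",
     "category": "Malware", "severity": "high", "detected_at": 1735045560},
]

# Placeholder ids: look these up in your SOAR organization's incident type list.
INCIDENT_TYPE_IDS = {"Malware": 19, "Other": 20}
# Assumed mapping onto SOAR severity codes (Low/Medium/High).
SEVERITY_TO_CODE = {"low": 4, "medium": 5, "high": 6}


def build_incident(alert):
    """Map one alert into a SOAR incident creation payload.

    incident_type_ids is set here by the poller, so a playbook condition such as
    'incident type equals Malware' fires without any SIEM template in the path.
    """
    type_id = INCIDENT_TYPE_IDS.get(alert["category"], INCIDENT_TYPE_IDS["Other"])
    return {
        "name": f"[{alert['host']}] {alert['title']}",
        "description": f"Imported by custom poller from alert {alert['id']}",
        "discovered_date": alert["detected_at"] * 1000,  # SOAR uses epoch milliseconds
        "severity_code": SEVERITY_TO_CODE.get(alert["severity"], SEVERITY_TO_CODE["medium"]),
        "incident_type_ids": [type_id],
    }


def poll_once(alerts, seen_ids, sender):
    """Create one incident per unseen alert; return the payloads that were sent.

    An alert id is recorded only after the sender returns, so a failed POST is
    retried on the next poll instead of being silently dropped. seen_ids should
    be persisted between runs (a file or small database) to survive restarts.
    """
    created = []
    for alert in alerts:
        if alert["id"] in seen_ids:
            continue
        payload = build_incident(alert)
        sender(payload)
        seen_ids.add(alert["id"])
        created.append(payload)
    return created


def post_to_soar(payload, base_url, org_id, key_id, key_secret):
    """POST the payload to SOAR and return the parsed JSON response (not run offline)."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/rest/orgs/{org_id}/incidents",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print the payloads instead of posting. For a live run, pass
    # functools.partial(post_to_soar, base_url=..., org_id=..., key_id=..., key_secret=...)
    # as the sender and call poll_once on a schedule.
    seen = set()
    for incident in poll_once(SAMPLE_ALERTS, seen, sender=lambda p: p):
        print(json.dumps(incident))
```

In a live deployment the scheduler (cron, a systemd timer, or a loop with a sleep) calls `poll_once` on an interval, and `seen` is loaded from and written back to disk on each run so a restart does not re-create every incident still visible in the product's alert window.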
Original Message:
Sent: Tue December 24, 2024 01:06 PM
From: Abu Mussa Elahi
Subject: Configuring IBM QRadar SOAR for Direct Alerts from External Systems like Trend M
Working on integrating Trend Micro with QRadar SOAR, where the Trend Micro app is already integrated with IBM SOAR. However, I have encountered questions regarding how IBM SOAR can automatically fetch alerts directly from Trend Micro without relying on QRadar SIEM.
QRadar SIEM and SOAR Integration:
- QRadar SIEM is integrated with QRadar SOAR using the SOAR plugin.
- Offenses from Trend Micro are sent from QRadar SIEM to QRadar SOAR based on predefined templates in the SIEM plugin app.
- On the SOAR side, playbooks are configured to trigger automatically based on incident types defined in the SOAR plugin and mapped to custom incident types in SOAR.
The goal is for QRadar SOAR to fetch alerts directly from Trend Micro, bypassing QRadar SIEM.
Questions and Challenges:
Incident Type Mapping:
- When creating a playbook in SOAR, incident types (or artifact types) and conditions must be defined to trigger the playbook automatically. How can this configuration work if alerts are fetched directly from Trend Micro and do not pass through QRadar SIEM?
SOAR Dependency:
- As SOAR relies on QRadar SIEM for predefined templates and incident types, and QRadar SIEM depends on SOAR for playbook execution, how can SOAR independently fetch and process alerts directly from Trend Micro?
Playbook Triggering:
- For direct Trend Micro alerts, what mechanisms or configurations can be implemented in SOAR to ensure playbook triggering without requiring integration through QRadar SIEM?
Is there a supported way to bypass QRadar SIEM while ensuring that SOAR automatically fetches alerts from Trend Micro? If not, what alternative best practices would you recommend for achieving this requirement?
------------------------------
Abu Mussa Elahi
------------------------------