# IBM QRadar
## Introduction

This guide explains how to authenticate the IBM QRadar connector in Swimlane using API key authentication. You will generate a QRadar SEC token, collect the required deployment URL, and configure the connector asset in Swimlane.

## Prerequisites

### QRadar access requirements

You must have QRadar Administrator or equivalent permissions to:

- Access the QRadar Admin console
- Create authorized services for API access
- Generate SEC tokens
- View system deployment URL and API endpoint

### Required credentials

During setup you will collect:

- QRadar deployment URL
- SEC token (API key)
- Optional: API version

## IBM QRadar API setup

Take the following steps to generate a SEC API token in QRadar:

1. Log in to the IBM QRadar console using administrator credentials.
2. From the top navigation bar, click Admin.
3. Navigate to User Management → Authorized Services.
4. Click Add Authorized Service.
5. Enter the following information:
   - Service name (example: Swimlane API Access)
   - User role with appropriate permissions for the API
   - Expiry date, if required
   - API access level appropriate for your environment
6. Click Create to generate the SEC token.
7. Copy and securely store the token. It will only be shown once.

### Retrieve the QRadar API URL

1. Log in to the QRadar console.
2. Navigate to Admin.
3. Locate System Information under System and License Management.
4. Identify the QRadar host or IP address.
5. Construct the API endpoint using the format `https://<qradar ip>/api/`.

Example API URL: `https://192.168.1.100/api/`

### Optional: test the QRadar API token

You can validate the SEC token using a simple curl command:

```bash
curl --location 'https://<qradar ip>/api/siem/offenses' \
  --header 'SEC: <your token>' \
  --header 'Range: items=0-0'
```

If the request returns offense data, the API token is working correctly.

## Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left navigation pane, click Orchestration and select Assets.
3. Click the plus (+) icon to create a new asset.
4. Select IBM QRadar from the asset type list.
5. Fill in the asset settings and asset input fields.

## Troubleshooting

- Ensure the SEC token was copied correctly when the authorized service was created.
- Verify the QRadar API URL uses the correct host or IP address followed by `/api/`.
- Confirm the user role assigned to the authorized service has sufficient permissions.
- If API requests fail with authentication errors, regenerate the SEC token and update the Swimlane asset.
- If SSL errors occur, verify SSL settings or disable SSL verification if appropriate for your environment.
- If QRadar is behind a proxy, configure the HTTP proxy field in the Swimlane asset.

## Result

You have successfully authenticated the IBM QRadar connector in Swimlane.
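The optional token test and the troubleshooting list above can be combined into one pre-flight check. This is an added example, not Swimlane or IBM code: the `QRADAR_*` environment variable names, the function names, and the mapping of HTTP status codes to the guide's troubleshooting hints are assumptions. It reads the token from the environment rather than the command line and trusts a private CA bundle instead of turning certificate verification off.

```python
import os
import ssl
import urllib.error
import urllib.request

# Hints paraphrase this guide's troubleshooting list; the status mapping is an assumption.
HINTS = {
    401: "SEC token rejected: check it was copied correctly, or regenerate it and update the asset",
    403: "token accepted, but the authorized service's user role lacks permission",
    404: "endpoint not found: check the API URL is https://<host>/api/",
}

def build_request(base_url, token, api_version=None):
    """Build the same one-offense probe as the guide's curl test."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("use https:// so the SEC token is not sent in clear text")
    url = base_url.rstrip("/") + "/siem/offenses"
    headers = {"SEC": token, "Range": "items=0-0", "Accept": "application/json"}
    if api_version:
        headers["Version"] = api_version  # optional API version collected during setup
    return urllib.request.Request(url, headers=headers, method="GET")

def diagnose(status):
    """Translate an HTTP status into 'ok' or a troubleshooting hint."""
    if 200 <= status < 300:
        return "ok"
    return HINTS.get(status, f"unexpected HTTP {status}")

def check_token(base_url, token, api_version=None, ca_file=None, timeout=10):
    # ca_file: PEM bundle for a privately signed QRadar certificate (verification stays on)
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(base_url, token, api_version)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as exc:
        return diagnose(exc.code)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLError):
            return f"TLS verification failed ({exc.reason}); pass the QRadar CA bundle as ca_file"
        return f"cannot reach QRadar: {exc.reason}"

if __name__ == "__main__":
    # Hypothetical variable names; set them in the shell before running.
    print(check_token(os.environ["QRADAR_API_URL"], os.environ["QRADAR_SEC_TOKEN"],
                      os.environ.get("QRADAR_API_VERSION"), os.environ.get("QRADAR_CA_FILE")))
```

A result of `ok` means the same URL, token and CA bundle can be entered in the Swimlane asset with SSL verification left enabled.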