The IBM QRadar Integration lets you set Orca as a data log source and easily integrate Orca alert data into your QRadar cloud security workflows. You can combine QRadar’s behavior analytics and machine learning capabilities with Orca’s contextual analysis and wide visibility of cloud security issues to prevent and reduce the potential harm to your organization.
- Modify the Orca Security Workflow for QRadar
- Create a new Log Source in QRadar
Modify the Orca Security Workflow for QRadar
The Workflow is an XML document that defines parameters for how QRadar will retrieve Orca alerts. To implement the Workflow, you will need to create a new QRadar Log Source. But before creating a new Log Source, make sure you update the relevant Workflow parameter values in the XML file as described below.
Orca Security Workflow is available at the IBM GitHub repository:
In the Orca-Security-Workflow-Parameter-Values.xml file:
api_host - (Orca API host) should be set to
api_key - (Orca API key for QRadar) should be set to the API key for QRadar value obtained from Orca.
Your XML file should look similar to ours (the two Value elements sit inside the WorkflowParameterValues root element that the Universal Cloud REST API protocol expects):
<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues>
    <Value name="api_host" value="api.orcasecurity.io" />
    <Value name="api_key" value="99LCJhJ9.eyJ0b299tjYWIiwiZX99..." />
</WorkflowParameterValues>
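A mistake in this file (a missing root element, an empty key, a host written with a scheme, or the placeholder key copied from this page) only shows up later, in the Test Protocol Parameters step of the QRadar wizard. The following added example, which is not Orca's or IBM's code, checks the file before you paste it. It assumes the layout shown above (a WorkflowParameterValues root holding Value elements with name and value attributes) and that api_host is a bare hostname; the sample XML strings inside it are constructed for illustration.

```python
"""Sanity-check an Orca-Security-Workflow-Parameter-Values.xml file before
pasting it into the QRadar Log Source wizard.

Added example (not Orca or IBM code). Assumes the Universal Cloud REST API
layout: <WorkflowParameterValues> root with <Value name=".." value=".."/>
children, and api_host given as a bare hostname."""
import xml.etree.ElementTree as ET

REQUIRED = ("api_host", "api_key")
# The truncated key printed in the documentation; it must never reach QRadar.
DOC_PLACEHOLDER_KEY = "99LCJhJ9.eyJ0b299tjYWIiwiZX99..."


def parse_parameter_values(xml_text: str) -> dict:
    """Return {name: value} for every <Value> under <WorkflowParameterValues>."""
    root = ET.fromstring(xml_text)
    if root.tag != "WorkflowParameterValues":
        raise ValueError(f"unexpected root element <{root.tag}>")
    values = {}
    for el in root.findall("Value"):
        name, value = el.get("name"), el.get("value")
        if name is None or value is None:
            raise ValueError("<Value> needs both name and value attributes")
        if name in values:
            raise ValueError(f"duplicate parameter {name!r}")
        values[name] = value
    return values


def check_parameter_values(xml_text: str) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        values = parse_parameter_values(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return [f"not a valid parameter values file: {exc}"]
    problems = []
    for name in REQUIRED:
        if not values.get(name, "").strip():
            problems.append(f"{name} is missing or empty")
    host = values.get("api_host", "")
    if "://" in host or "/" in host:
        problems.append("api_host must be a bare hostname (no scheme or path)")
    key = values.get("api_key", "")
    if key == DOC_PLACEHOLDER_KEY or key.endswith("..."):
        problems.append("api_key still holds the placeholder from the documentation")
    return problems


# Constructed samples (the key below is made up, not a real Orca key).
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues>
    <Value name="api_host" value="api.orcasecurity.io" />
    <Value name="api_key" value="constructed-example-key-0123456789" />
</WorkflowParameterValues>"""

# Two Value elements without a root: not even well-formed XML.
SAMPLE_NO_ROOT = """<?xml version="1.0" encoding="UTF-8" ?>
<Value name="api_host" value="api.orcasecurity.io" />
<Value name="api_key" value="constructed-example-key-0123456789" />"""

# Root present, but the key was copied from the docs and the host has a scheme.
SAMPLE_BAD_VALUES = """<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues>
    <Value name="api_host" value="https://api.orcasecurity.io" />
    <Value name="api_key" value="99LCJhJ9.eyJ0b299tjYWIiwiZX99..." />
</WorkflowParameterValues>"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("no-root", SAMPLE_NO_ROOT),
                          ("bad-values", SAMPLE_BAD_VALUES)):
        print(label, check_parameter_values(sample) or "looks usable")
```

Run it against your own file with `check_parameter_values(open("Orca-Security-Workflow-Parameter-Values.xml").read())`; an empty list means the file is ready for the Workflow Parameter Values field of the Log Source wizard. Treat the file as a secret once the real key is in it, since it carries the same credential that the QRadar tile in Orca lets you disable.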
Obtain the API key for QRadar
- Log in to your Orca Security account.
- Select Integrations from the Settings submenu.
- In the SIEM section, locate the IBM QRadar tile and click Connect QRadar.
- When the dialog window opens, click Generate to reveal the API key and enable the integration. Note that the integration is not ready until you create a new Log Source in your QRadar account.
Once enabled, the IBM QRadar tile displays the “IBM QRadar is connected” message. The API key can be revoked from the Orca integrations page at any time: click Configure and then Disable to invalidate it.
Create a new Log Source in QRadar
Once the parameter values are populated, you can create a New Log Source from the QRadar Log Source Management screen:
- Log Source type is “Universal DSM”.
- Protocol type is “Universal Cloud REST API”.
- Log Source Name is “OrcaSecurity”.
- On the “Configure the protocol parameters” screen, add the Log Source Identifier, the Workflow (contents of the Orca-Security-Workflow.xml file), Workflow Parameter Values (updated contents of the Orca-Security-Workflow-Parameter-Values.xml file), and the workflow execution Recurrence interval.
- Make sure you’ve run the tests on the Test Protocol Parameters step.
The workflow will fetch all active non-informational alerts every time it runs. It will retrieve the same alerts that you see by default on the Orca Alerts screen.
To verify that the integration works, you can set the Recurrence interval to 10M (10 minutes) and expect to see alert data from Orca in about 10 minutes. Don’t forget to disable the workflow after your test, or to change the Recurrence to a longer interval.
See the IBM documentation for additional resources about configuring a Universal Cloud REST API protocol.
We also recommend viewing video instructions on how to set up a new Log Source using Universal Cloud REST API. For example: https://www.youtube.com/watch?v=MqSxJShrHDg.