Integrate Contrast Security ADR with IBM QRadar®
The Contrast Security ADR integration with IBM QRadar® enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security orchestration, automation and response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.
How it works
When configured, the ContrastSecurity ADR for QRadar app sends detected attack events from the Contrast Security platform to an Event Collector.
The Contrast Security ADR for QRadar application on exchange.xforce.ibmcloud.com enables QRadar to:
Parse and normalize the data received over the HTTP Receiver
Display Contrast Security ADR dashboards, reports, and searches in QRadar
(On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents
Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents
Before you begin
Before you start, you must have:
IBM QRadar 7.5. See the
installation guide for information.Applications instrumented with a Contrast agent
Step 1: Install the Contrast Security ADR for QRadar application
Follow the steps outlined in the IBM QRadar documentation here.
Step 2: Configure Log Source in QRadar
See the IBM documentation for setting up a QRadar log source.
Log in to IBM Qradar.
Go to Admin > Data Sources > Events > Log Sources.
Configure a Gateway Log Source; this is the Log Source that Contrast Security ADR will point to. Select Add Quick Log Source (or New Log Source) with the following configuration:
Log Source Type: Contrast ADR DSM
Protocol Type: HTTP Receiver
Log Source Identifier:
contrast_adrCoalescing Events: Off (recommended)
Communication Type: HTTPS
Authentication Parameters
Event Parsing Method: Event Per HTTP Post
Use As A Gateway Log Source: On
Use Predictive Parsing: Off
Log Source Identifier Pattern:
contrast_adr_incidents=incidentId contrast_adr_attackevents=eventUuid
Create a dedicated Log Source to ingest attack events from the Gateway Log Source. Select Add Quick Log Source (or New Log Source) with the following configuration:
Log Source Type: Contrast ADR DSM
Protocol Type: Syslog
Extension:
ContrastADRDSMCustom_extCoalescing Events: Off (recommended)
Log Source Identifier:
contrast_adr_attackeventsIncoming Payload Encoding: UTF-8
Important
Administrators wanting to enable authentication on the HTTP Receiver Log Source using custom HTTP authentication headers, as seen in the
IBM documentation for HTTP Receiver protocol configuration options should configure Contrast Security ADR using the Universal ADR Forwarder, where it will be able to specify the custom headers to match their configuration. Disregard step 3 and follow the instructions in ADR Universal Forwarder documentation.The configuration above is designed to minimize the number of ports needed to be exposed on the QRadar Log Collector side. However, administrators who do not want to use a Gateway Log Source can configure individual Contrast ADR DSM and Contrast ADR Incidents Log Sources directly using the HTTP Receiver protocol. For this configuration, disregard step 3 and follow the instructions in ADR Universal Forwarder documentation.
Step 3: Configure Contrast Security ADR to send attack events to QRadar
Configure the integration in Contrast to send attack events to the IBM QRadar app.
In Contrast, go to the user menu and select Organization settings > Integrations.
Select the IBM QRadar option under the ADR Integrations section.
Under the IBM QRadar fields, enter the URL for the destination. Make sure the URL includes the destination port as defined for the Gateway Log Source in Step 2.
Select Save.