Integrate Contrast Security ADR with IBM QRadar®
The Contrast Security ADR integration with IBM QRadar enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, which contextualizes incidents with other threat detection and response solutions.
How it works
When configured, the ContrastSecurity ADR for QRadar application sends detected attack events from the Contrast Security platform to an Event Collector.
The Contrast Security ADR for QRadar application on exchange.xforce.ibmcloud.com enables QRadar to:
Parse and normalize the data received over the HTTP Receiver
Display Contrast Security ADR dashboards, reports, and searches in QRadar
(On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents
Provide runbooks to assist SOC Analysts in resolving application security-related incidents
Before you begin
Before you start, you must have:
IBM QRadar 7.5. See the
IBM QRadar Security Intelligence Platform guide for informationApplications instrumented with a Contrast Security agent
Install the Contrast Security ADR for IBM QRadar application
Follow the steps outlined in the
IBM QRadar documentation.Continue with Configure Log Source in IBM QRadar.
Configure Log Source in IBM QRadar
Refer to the Setting up a QRadar log source documentation for setting up a QRadar log source.
Log in to IBM QRadar.
Go to Admin > Data Sources > Events > Log Sources.
Configure a Gateway Log Source: this is the Log Source that Contrast Security ADR will point to. Select Add Quick Log Source (or New Log Source) with the following configuration:
Log Source Type:
Contrast ADR DSMProtocol Type:
HTTP ReceiverLog Source Identifier:
contrast_adrCoalescing Events:
Off(recommended)Communication Type:
HTTPSAuthentication Parameters
Event Parsing Method:
Event Per HTTP PostUse As A Gateway Log Source:
OnUse Predictive Parsing:
OffLog Source Identifier Pattern:
contrast_adr_incidents=incidentId contrast_adr_attackevents=eventUuid
Important
Administrators wanting to enable authentication on the HTTP Receiver Log Source using custom HTTP authentication headers, as seen in the
IBM documentation for HTTP Receiver protocol configuration options should configure Contrast Security ADR using the Universal ADR Forwarder, where it will be able to specify the custom headers to match their configuration. Disregard the following section and follow the instructions in ADR Universal Forwarder documentation.The configuration above is designed to minimize the number of ports needed to be exposed on the QRadar Log Collector side. However, administrators who do not want to use a Gateway Log Source can configure individual Contrast ADR DSM and Contrast ADR Incidents Log Sources directly using the HTTP Receiver protocol. For this configuration, disregard the following section and follow the instructions in the ADR Universal Forwarder documentation.
Configure Contrast Security ADR to send attack events to IBM QRadar
Configure the integration in Contrast Security to send attack events to the IBM QRadar application.
In Contrast, go to the user menu and select Organization settings > Integrations.
Select the IBM QRadar option under the ADR Integrations section.
Under the IBM QRadar fields, enter the URL for the destination. Make sure the URL includes the destination port as defined for the Gateway Log Source in Configure Log Source in IBM QRadar.
Select Save.