
Integrate Contrast Security ADR with IBM QRadar®

The Contrast Security ADR integration with IBM QRadar® enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, the Contrast Security ADR for QRadar app sends detected attack events from the Contrast Security platform to an Event Collector.

The Contrast Security ADR for QRadar app on exchange.xforce.ibmcloud.com enables QRadar to:

  • Parse and normalize the data received over the HTTP Event Collector

  • Display Contrast Security ADR dashboards, reports, and searches in QRadar

  • (On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents

  • Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents

Before you begin

Before you start, you must have:

  • IBM QRadar 7.5. See the installation guide for information.

  • Applications instrumented with a Contrast agent

Step 1: Install the Contrast Security ADR for QRadar app

Install from the Marketplace

  1. In IBM Exchange Xforce, select Apps Exchange and select Search by application.

  2. Search for Contrast Security ADR.

  3. Check the requirements.

  4. Select Download.

After installation, you should see the Contrast Security ADR for QRadar app in the apps dropdown.

Install from a file

  1. In IBM Exchange Xforce, select Apps Exchange and select Search by application.

  2. Search for Contrast Security ADR.

  3. Select Download and save the file to a convenient location.

  4. Select Manage.

  5. Select Install app from file.

  6. Select the app you downloaded.

    Optionally, select Upgrade app if you previously installed the Contrast Security ADR app.

  7. Select Upload.

After installation, you should see the Contrast Security ADR for QRadar app in the apps dropdown.

Step 2: Configure Log Source in QRadar

  1. Log in to IBM QRadar.

  2. Go to Admin > Data Sources > Events > Log Sources.

  3. Select Contrast ADR Log Source.

  4. Select Edit and add the Log Source Identifier provided by Contrast ADR Security.


Step 3: Set up API details

  1. In IBM QRadar, select Contrast ADR from the apps menu.

  2. Go to the Setup > Setup Configurations page.

  3. Specify the settings in each field:

    • Hostname: The host domain of your Contrast platform. For example, https://cs001.contrastsecurity.com.

    • Username: The username in Contrast

    • Organization UUID: The organization ID in Contrast

    • API Key: The API key in Contrast

    • Service Key: The service key in Contrast

    • Enrichment Excluded Fields: Fields to exclude from the API response

    • Max Retries: Maximum number of retries to perform on connection errors

  4. Select Submit.

Step 4: Configure Contrast Security ADR to send attack events to QRadar

Configure the integration in Contrast to send attack events to the IBM QRadar app.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the IBM QRadar option under the ADR Integrations section.

  3. Under the IBM QRadar fields, enter the URL for the destination.

  4. Select Save.

Step 5: View Contrast ADR data in IBM QRadar

IBM QRadar provides runbooks that include Contrast data. Access them through a dropdown menu in the application's navigation bar.
