To create an IBM QRadar alert channel, follow the steps in the sections below.
Set Up a Device Support Module in QRadar
This section discusses creating and configuring a log source type with the HttpReceiver protocol in a Device Support Module (DSM). Lacework then uses it to post messages to the QRadar server.
The process consists of the following steps:
- Create the Lacework log source type
- Configure the Lacework log source type
IBM QRadar latest update
The latest QRadar update includes a required fix pack for the HttpReceiver protocol. If you need to install the fix pack, run the following on the QRadar host:
yum -y install PROTOCOL-HTTPReceiver-7.4-20200528133828.noarch.rpm
Create the Lacework Log Source Type
- Log in to QRadar.
- From the Admin console, under the Data Sources section, click DSM Editor.
- Click Create New.
- Name the log source Lacework and click Save.
Configure the Lacework Log Source Type
- In the Admin console left pane, navigate to Apps > QRadar Log Source Management.
- Click QRadar Log Source Management.
This allows you to configure your new (Lacework) log source type.
- Click New Log Source.
- Click Single Log Source.
- Select the name you gave to your new log source and click Step 2: Select Protocol Type.
- Select HTTP Receiver as the protocol type.
- Click Step 3: Configure Log Source Parameters.
- Configure the following log source parameters:
- Target Event Collector: Keep the default or enter your own value.
- Click Step 4: Configure Protocol Parameters.
- Configure the following protocol parameters:
- Log Source Identifier: Enter a unique value.
- Communication Type: Select HTTPS.
- Listen Port: Enter a port of your choice.
Copy this port number for use when creating the alert channel in Lacework.
- Message Pattern: Ensure this is empty.
This results in IBM QRadar receiving one event per REST call.
- Use As a Gateway Log Source: Ensure this is disabled.
- Click Step 5: Test Protocol Parameters.
Running the test is optional. Skip the test or wait until it is done and click Finish.
- On the Admin page, click Deploy Changes.
IBM QRadar configuration is complete.
Create an IBM QRadar Alert Channel in Lacework
After you create your Lacework log source type in QRadar, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Routing > Alert Channels.
- Click + Create New.
- Select IBM QRadar.
- Name the channel.
- For Communication Type, select HTTPS or HTTPS Self Signed Cert.
- For QRadar Host Url, enter the domain name or IP address of QRadar.
- For QRadar Host Port, enter the listen port defined in QRadar.
- Click Save.
You should now begin to receive Lacework alert notifications in QRadar.
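The following is an added pre-flight check, not Lacework or IBM code, that covers two points from the procedure above: that the HTTP Receiver listener configured in QRadar (Communication Type HTTPS on the chosen Listen Port) is reachable over TLS, and which Communication Type to pick in the Lacework channel (HTTPS when the listener's certificate verifies against the system trust store, HTTPS Self Signed Cert when it does not). It then posts a single constructed JSON event, matching the one-event-per-REST-call behaviour of an empty Message Pattern. Assumptions not taken from the page: the listener accepts an HTTPS POST whose body is one event and ignores the request path (PATH is a placeholder), and the sample event fields are constructed, not the real Lacework payload shape.

```python
"""Pre-flight check for a QRadar HTTP Receiver listener before creating the
Lacework alert channel. Added example; not Lacework or IBM code.
Assumption: the listener accepts an HTTPS POST whose body is one JSON event
and ignores the request path (PATH below is a placeholder)."""
import json
import socket
import ssl
import urllib.request

PATH = "/"  # placeholder path; assumed to be ignored by the HTTP Receiver


def make_ssl_context(self_signed: bool) -> ssl.SSLContext:
    """HTTPS: full chain and hostname verification (Python's default context).
    HTTPS Self Signed Cert: verification disabled, mirroring that Lacework option."""
    ctx = ssl.create_default_context()
    if self_signed:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Return the Communication Type to select in Lacework:
    'HTTPS' if the listener's certificate verifies against the system trust store,
    'HTTPS Self Signed Cert' if a TLS session comes up but verification fails
    (self-signed issuer or hostname mismatch), or 'unreachable' if no TLS
    session can be established on the listen port at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = make_ssl_context(self_signed=False)
            with ctx.wrap_socket(raw, server_hostname=host):
                return "HTTPS"
    except ssl.SSLCertVerificationError:
        return "HTTPS Self Signed Cert"
    except (OSError, ssl.SSLError):
        return "unreachable"


def build_test_event(severity: str = "Info") -> dict:
    """Constructed sample event; the real Lacework payload shape is not on the page."""
    return {
        "source": "lacework-channel-test",  # constructed value
        "severity": severity,
        "message": "QRadar HTTP Receiver connectivity test",  # constructed value
    }


def post_event(host: str, port: int, event: dict, self_signed: bool,
               timeout: float = 5.0) -> int:
    """POST exactly one event per request and return the HTTP status code.
    A 2xx status means the listener accepted the body."""
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(
        f"https://{host}:{port}{PATH}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=make_ssl_context(self_signed),
                                timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    # Usage: python qradar_check.py <qradar-host> <listen-port>
    qradar_host, listen_port = sys.argv[1], int(sys.argv[2])
    mode = probe_tls(qradar_host, listen_port)
    print(f"Communication Type to select in Lacework: {mode}")
    if mode != "unreachable":
        status = post_event(qradar_host, listen_port, build_test_event(),
                            self_signed=(mode != "HTTPS"))
        print(f"POST returned HTTP {status}")
```

Run it from a host that can reach QRadar on the listen port, with the host and port you entered in the QRadar protocol parameters. If the result is "HTTPS Self Signed Cert", selecting that option in Lacework disables certificate verification for the channel, so prefer installing a certificate on the QRadar listener that your trust store accepts when you can; "unreachable" usually means the listener was not deployed (Deploy Changes) or a firewall blocks the port.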