When using CLIP with a target of type "QRadar", you can manually or automatically create security incidents and events within your ITOM / ITSM tool from QRadar offenses.
To configure an integration into IBM QRadar, the following steps need to be performed:

  • Preparing the IBM QRadar instance: usually, this task is performed by the IBM QRadar Administrator. In this task,
    • an authentication token or – alternatively – an integration user is generated for CLIP to access the QRadar instance (required)
    • the AppLink QRadar App is installed and configured to allow manual submission of QRadar offenses by means of a button in the "offense summary" (optional)
  • Configuring a CLIP target of type IBM QRadar: usually, this task is performed by the CLIP Administrator.

Supported Versions

Please ensure that the system you intend to integrate meets the version requirements outlined in the table below.

Product       Supported Version
ServiceNow    ???

System Preparation

For Clip to access the QRadar instance, Clip either connects as an "authorized service" by means of an "authentication token" – which is the recommended way – or, as an alternative, as a regular user.

Configuring an “authorized service”

Clip accesses the QRadar RESTful API. To authenticate Clip's API calls for your QRadar deployment, configure an authorized service on the Admin tab.

The authentication token must have been granted access to look up and manipulate offenses via the REST API. For details about creating the service token, please refer to https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_man_auth_service.html . After adding the "authorized service", deploy the configuration.

Configuring an “integration user” (alternatively)

To create a regular user in QRadar, please select "Users" in the Admin tab:


The user must have been granted access to look up and manipulate offenses via the REST API.

Installing and Configuring the QRadar App

To allow manual submission of QRadar offenses by means of a button in the "offense summary", the QRadar App needs to be installed and configured:

  • Locate the app - it can be found after installing CLIP in:

[Clip]/apache-tomcat/webapps/Clip/modules/IBM_QRadar/AppLinkIncidents.zip

  • Log in to QRadar console as an administrator
  • Navigate to the Admin tab
  • Click the Extensions Management icon
  • Click Add in the Extensions Management window
  • Select the file located in the first step above and select the Install immediately check box
  • Click Submit

The Extensions Management screen now shows the new plug-in "AppLink Incidents". It needs to be configured with the following values:

  • "AppLink Instance URL": the URL of the CLIP instance that the QRadar app uses to submit offenses to, e.g. https://clipprd.applink.de:9443 for HTTPS or http://clipprd.applink.de:9090 for HTTP if the Clip instance runs on host "clipprd.applink.de"
  • "CLIP Target": for a standard integration, enter the default value "IBM_QRadar" – it refers to the target name of the QRadar target in ClipConfig.xml
  • "Username" and "Password": this account information refers to a user Clip user, a standard user / password combination is "admin" / "admin"
  • "Accept all certificates": enable this checkbox to accept the certificate presented by the Clip instance – if it is not checked, the certificate needs to be installed in the QRadar instance.
  • "Debug": enable this checkbox only for troubleshooting purposes.


Clip Target Configuration

To enable a target of type "QRadar", copy the example Clip configuration file with example integrations for IBM QRadar

from:
[Clip]/apache-tomcat/webapps/Clip/modules/IBM_QRadar/ClipConfig_New_QRadar.xml
to:
[Clip]/conf/ClipConfig.xml

If QRadar uses a self-signed certificate, Clip will not trust this certificate when establishing a connection. Therefore the certificate has to be exported: open the QRadar Web UI in a browser and save the certificate to a file. This certificate file needs to be added to the Clip JVM TrustStore. In order to do so, the following command has to be executed:

CLIP_HOME\jre\bin\keytool -import -alias myQRadarCertificate -file QRadarCert.cer -keystore "CLIP_HOME\jre\lib\security\cacerts"

The default password of the "cacerts" TrustStore is "changeit".
If the QRadar certificate is exported from a web browser, please choose the certificate format X.509 (PEM).

On the Clip Server edit the configuration file [Clip]/conf/ClipConfig.xml – for the QRadar integration, the file contains the example target "IBM_QRadar" and an integration which can be used as a template:

<integration status="active" name="IBM_QRadar__BMC_Remedy">
	<target targetRef="IBM_QRadar"></target>
	<target targetRef="BMC_ITSM"></target>
</integration>


This integration references the QRadar example target called "IBM_QRadar":

<apiTarget name="IBM_QRadar"
                   url="https://qradar.applink.de"
                   user="SEC"
                   passwd="$-3mw5oxC8YvfO3YBdHPv+dIb90Eqojaw==-$"
                   scriptPath="modules\IBM_QRadar"
                   scriptName="ModQRadar.groovy"
                   incidentPollingForNew="false"
                   incidentPollingIntervalSecsNew="60">
</apiTarget>


The following attributes have to be set in the QRadar target definition:

  • "name" attribute of the target tag. For a standard integration, leave the default value "IBM_QRadar" unchanged. Please note that this name relates to the "CLIP Target" name as it is configured in the QRadar App's "Instance Configuration" screen.
  • "scriptPath" attribute: the path, relative from the Clip installation directory to the directory that contains the script for the module
  • "scriptName" attribute: the name of the script for the module
  • "url" attribute: type in the URL of your QRadar instance. Please note that for HTTPS connections to QRadar, you have to import the QRadar certificate into Clip's certificate store "cacerts", otherwise you will see an error message in the Clip Web UIs status page ("unable to find valid certification path to requested target")
  • "user" attribute: to connect to QRadar as an "authorized service" enter "SEC" and otherwise, the user name of the account configured in QRadar in step 5.9.1.2
  • "passwd" attribute: to connect to QRadar as an "authorized service" enter the authentication token (e.g. "1e723e0f-1e7b-47ed-81e2-9fb1dd25a86e") and otherwise, the user password of the account configured in QRadar in step 5.9.1.2 . The value for this field can be entered encrypted by using the encryption feature in the "Miscellaneous" tab in the Clip Web UI.


In order to automatically forward QRadar offenses to your ITOM / ITSM tool, use the following settings:

  • "incidentPollingForNew" attribute: must be set to true to enable automatic transmission and "false" otherwise
  • "incidentPollingIntervallSecsNew" attribute: the interval between queries for new offenses to be automatically forwarded


The offenses to be automatically forwarded are determined by a filter which can be modified in the script file "ModQRadar.groovy":

pollNewOffensesFilter="status = OPEN and severity > 1";

For a description about the QRadar filter syntax, please refer to https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/c_rest_api_filtering.html .
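The following Python snippet is an added example, not part of Clip or the ModQRadar.groovy script. It shows the two things the target attributes above decide: how the "user"/"passwd" pair is turned into the authentication of the offense polling request (a user name of "SEC" means the token is sent in QRadar's SEC header, anything else is HTTP Basic authentication), and which offenses the page's filter "status = OPEN and severity > 1" selects from a constructed sample. The offense endpoint path is assumed from the QRadar REST API, and the local filter matcher implements only the subset the page's filter uses (comparison terms joined by "and"); QRadar evaluates the real filter server-side.

```python
import base64
import re
from urllib.parse import urlencode

# Filter as set in ModQRadar.groovy on the page.
POLL_NEW_OFFENSES_FILTER = "status = OPEN and severity > 1"


def poll_request(url, user, passwd, flt=POLL_NEW_OFFENSES_FILTER):
    """Build the GET request a polling cycle would send to QRadar's offense API.

    user == "SEC" selects the "authorized service" mode: the token goes into
    the SEC HTTP header. Any other user name means an integration user with
    HTTP Basic authentication. (Endpoint path assumed from the QRadar REST API.)
    """
    headers = {"Accept": "application/json"}
    if user == "SEC":
        headers["SEC"] = passwd
    else:
        creds = f"{user}:{passwd}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return f"{url.rstrip('/')}/api/siem/offenses?{urlencode({'filter': flt})}", headers


# One comparison term of the filter: <field> <op> <value> (two-char ops first).
_TERM = re.compile(r"^\s*(\w+)\s*(>=|<=|!=|=|>|<)\s*(\S+)\s*$")
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def matches_filter(flt, offense):
    """Local preview of the filter subset used on the page: terms joined by 'and'."""
    for term in re.split(r"\s+and\s+", flt, flags=re.IGNORECASE):
        match = _TERM.match(term)
        if match is None:
            raise ValueError(f"unsupported filter term: {term!r}")
        field, op, raw = match.groups()
        wanted = int(raw) if raw.lstrip("-").isdigit() else raw.strip('"')
        if field not in offense or not _OPS[op](offense[field], wanted):
            return False
    return True


# Constructed sample of what GET /api/siem/offenses returns (fields trimmed).
SAMPLE_OFFENSES = [
    {"id": 101, "status": "OPEN", "severity": 5},    # forwarded
    {"id": 102, "status": "CLOSED", "severity": 9},  # closed: skipped
    {"id": 103, "status": "OPEN", "severity": 1},    # severity too low: skipped
    {"id": 104, "status": "HIDDEN", "severity": 4},  # not OPEN: skipped
]


def offenses_to_forward(offenses, flt=POLL_NEW_OFFENSES_FILTER):
    """Offense ids a polling cycle would hand over to the ITSM integration."""
    return [o["id"] for o in offenses if matches_filter(flt, o)]
```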