SOAR QRadar Integration Guide


IBM Resilient SOAR Platform

QRadar Integration Guide


V4.0.0

Date: January 2021

IBM Security | January 2021 1


Licensed Materials – Property of IBM
© Copyright IBM Corp. 2010, 2021. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Version  Publication     Notes

4.0.0    January 2021    Upgrade screen. Multiple QRadar support. MSSP API key accounts. CP4S configuration. Unified message destination.
3.5.2    July 2020       Bug-fix release version.
3.5.0    June 2020       Support for API key account and other changes.
3.4.1    February 2020   Compatibility with newest Resilient version.
3.4.0    October 2019    Bug-fix release version.
3.3.0    August 2019     Supports the Resilient MSSP add-on feature.
3.2.2    August 2019     Mask authorization fields.
3.2.1    June 2019       Adjustments for automatic escalation poller.
3.2.0    May 2019        Bug-fix release version.
3.1.2    January 2018    Documentation update only. Added memory requirement and a note about custom artifacts in templates.
3.1.2    December 2017   Supports Resilient platform V29.
3.1.1    September 2017  Documented the ability to map multiple IDs into multiple artifacts.
3.1      June 2017       Initial publication.



Table of Contents
What’s new?  5
Overview  6
    Resilient Organization and MSSP  6
Installation  7
Upgrading from previous versions  10
    Upgrading your current integration  10
Configuration  14
    Creating Service Token  14
    Configuring the Integration  15
Automatic Escalation  22
Manual Escalation  23
    Raising an Incident  23
    Adding Artifacts to an Incident  24
Custom Templates  26
    Template Creator Screen  26
        Mapping Incident Fields  26
        Mapping Incident Artifacts  27
        Managing Templates  29
    Manually Creating or Updating Templates  29
Poller Status  30
    Configuration Page Tab  30
    Dashboard item  30
Custom Actions  31
    Ariel Search  32
    Add to Reference Set  33
Updating Incidents  35
    Synchronized Notes  35
    Automatically Closing Offenses  36
    Automatically Closing Incidents  36
Database Backup and Rollback  37
    QRadar plugin database backup  37
    QRadar plugin database rollback  37
License  38

What’s new?
New in v4.0.0
• Details of actions to be performed during upgrade upon confirmation displayed on the admin page
• Support for API key accounts with MSSP organizations on Resilient platforms V38 and later
• Support for multiple IBM QRadar SOAR Plugins integrations synchronizing with a single Resilient platform
• Support for Cloud Pack For Security (CP4S) and escalating offenses as cases.
• One message destination can be used to support both manual and automatic actions
• Rules created per QRadar Appliance connected to Resilient platform through the integration
New in v3.5.2
• Fixed a bug for MSSP Add-on where offenses might be escalated to incorrect organization
• Fixed a bug where duplicate escalations might occur during high load on the integration
• “cafile” in app.config is not reset on configuration change
New in v3.5:
• Support for API key accounts except for MSSP installations
• Status of the background poller both in a New “Poller status” tab and as a dashboard item.
• Updated QRadar’s SDK
• Timeouts apply to all requests made to the Resilient platform
• Default RAM increased to 500 MB
• Dynamic “Additional Artifacts” in templates
• Offenses automatically escalated in chronological order
• Proper placeholders used in automatic escalation’s rule creation form
• Extra conditions added to automatically created rules in the Resilient platform
• Template’s rename/upload/creation cannot overwrite existing templates
• Template renaming does not create a duplicate
• Fixed a memory accumulation issue
• “loglevel” in app.config is not reset on every configuration change



Overview
This document describes how to integrate the Resilient Security Orchestration, Automation and Response Platform
(SOAR) with IBM QRadar to simplify and streamline the process of escalating and managing incidents. Once an incident
is escalated from QRadar, the Resilient platform generates a detailed, incident-specific response plan so team members
can respond quickly.
This integration provides two ways to create incidents from QRadar: manually, and automatically. In the manual
escalation workflow, you can send incidents to the Resilient platform from the QRadar Offenses screen. Additionally,
you can add IP address artifacts to existing Resilient incidents.
For the automatic escalation workflow, you configure the conditions for sending offenses to the Resilient platform
automatically using the escalation menu.
Changes to offenses are pushed automatically to existing incidents to keep them up to date in the form of field updates
and new artifacts. Notes and closing events are synchronized bi-directionally between the systems.
The integration also utilizes the Resilient Action Module to enable several custom actions. You can perform Ariel
searches on artifacts and add values to QRadar Reference sets from within the Resilient platform.

Resilient Organization and MSSP


A Resilient organization is a self-contained area within the Resilient platform for managing incidents.
In a standard configuration, there is a single Resilient organization for all incidents. Optionally, the platform can be
configured with multiple organizations for separate business divisions, as well as one organization for development and
test and another for production. However, each organization is managed separately.
The Resilient for Managed Security Service Providers (MSSP) add-on is an optional deployment feature that allows
multiple Resilient child organizations, which are managed from a single configuration organization. Security analysts and
other users can monitor incidents in multiple child organizations.
If you are using this integration with a Resilient platform configured with the MSSP add-on, you need to enable Multiple
Organization Support and map the integration to the Resilient platform’s configuration organization. Whenever you
make changes, a Resilient administrator needs to push those changes to the child organizations. The procedures in this
guide provide the details.



Installation
Before you install the IBM QRadar SOAR Plugin, make sure that your environment meets the following prerequisites:
• A QRadar version that supports applications created with QRadar SDK v2 and running on the UBI image.
• A Resilient platform version that meets the minimum for your account type and deployment. The minimum is V31;
with the Resilient for MSSPs add-on it is V33; with an API key account and no MSSP add-on it is V35.2; with an API
key account and the MSSP add-on it is V38.0:

  Deployment            Dedicated user account   API key account
  Single organization   V31 or later             V35.2 or later
  With MSSP add-on      V33 or later             V38.0 or later



• Resilient account, one of the following:
o A dedicated Resilient API key account with permissions to read, create, and edit incidents, edit org data,
manage API keys, create simulations, and read incident action invocation.
If used with the MSSP add-on, the API key account needs access to all the organizations to be used for
synchronization (for example, an API key account that has access to three organizations: Org1, Org2, and
Org3).
o A dedicated Resilient user account with permissions to create incidents and to view and modify administrator
and customization settings. You need to know the account username and password. If supporting the
Resilient for MSSP feature, the account must have permission to access the configuration organization, the
global dashboard, and all child organizations.
NOTE: Should you later change the Resilient account, make sure the new account has the same permissions.
• The integration requires a minimum of 500 MB of memory.
• Configure your network to allow QRadar to reach the following ports on the Resilient platform:
o 443. Required for QRadar to reach Resilient data through the REST API. This is an "inbound-only" connection,
initiated from QRadar to the Resilient platform.
o 65001. Required to communicate with the platform using ActiveMQ OpenWire. The connection is
bidirectional.

Download the IBM QRadar SOAR Plugin .zip file from the IBM Security App Exchange and install it using QRadar’s
Extensions Management. Make sure to clear the cache after installation, as advised by IBM QRadar.



Upgrading from previous versions
When upgrading from a previous version of the IBM QRadar SOAR Plugin, an upgrade message is displayed on the admin page.

Execution of the background process and all manual actions is paused until the upgrade is confirmed and performed.
To perform the migration, open the Access configuration, select the Enable Configuring Resilient checkbox, click Verify and
Configure, and then click Save at the bottom of the configuration page.

NOTE: During configuration, the browser window might turn white. Monitor the logs to confirm that the upgrade has
completed. If the upgrade message is no longer displayed after you refresh the page, the upgrade completed. If the
screen turned white after you clicked Verify and Configure, you must still click Save.

The upgrade section of the admin page lists all the actions that will be performed as the plugin is migrated, step by
step, from your previously installed version to the version you have just installed.

Upgrading your current integration


You perform the upgrade from the Extension Management tool located in the administrator console. You must have
administrator privileges in QRadar to upgrade the plugin.
Perform the following steps to upgrade QRadar integration:
1. In the administrator console in QRadar, select the Extensions Management tool icon.
2. In the Extensions Management window, click the Add button.
3. Click Browse then select the QRadar integration zip file.
4. Check the Install immediately option to begin installation once the application is uploaded to the QRadar
repository.



5. Click the Add button to start the installation.



6. When prompted, choose Overwrite to overwrite your existing data, then click Install.
This option preserves the templates in the /store directory and keeps your access configuration.

7. Click OK to finish the installation when you see the status of UPGRADE.



NOTE: When done, make sure to clear your web browser’s cache after installation as advised by IBM QRadar. The
application is upgraded and available for use.



Configuration
Creating Service Token
The integration requires an Authorized Service Token in order to access the QRadar API. To create the token, go to the
Admin tab and open the Authorized Services menu under User Management.

From there, click Add Authorized Service and create a new service called Resilient with the Admin security profile and
the Admin user role. Because this token carries administrative API access to QRadar, handle it as you would an
administrator password.

This token is pasted into the Resilient configuration screen in the next step.
If supporting the Resilient for MSSP feature, this token must have permission to access all the domains used in the
mapping.



Configuring the Integration
The integration requires you to set configuration parameters. Go to the Admin tab then click Plug-Ins in the navigation
bar on the left. Find and click the IBM Resilient icon, Configuration, at the bottom of the screen.



This opens a popup window for configuring the integration.



The Access tab contains settings for configuring the connection between QRadar and the Resilient platform. The
following describes each field:
• QRadar Destination Name: A name you give to the IBM QRadar SOAR Plugin running on this particular instance of
QRadar. Together with the other changes in v4.0, this field supports synchronization of multiple QRadar instances
with a single Resilient platform.
NOTE: The value must be unique per instance of QRadar.
NOTE: Changing this value updates all existing open incidents to store the new QRadar Destination. During the initial
configuration and after changing this value, the Verify and Configure and Save actions take extra time to complete
and might return a blank white screen. This is normal: the browser timed out waiting for a response, but processing
continues in the background. Monitor the logs to confirm that the process completed and to see any errors in
updating existing incidents.
• Authorized Service Token: The QRadar authorized service token created in the previous step, used for API access.
• Resilient Server URL: URL of your Resilient platform server. The URL string must start with “http://” or “https://”.
• CP4S mode: Check this box if you intend to escalate offenses from QRadar into cases in Cloud Pak for Security (CP4S).
Checking the box displays additional fields that are needed for a successful connection.

Figure 1

o URL prefix: Prefix to use with the entered SOAR URL to access the API.
Example: cases-rest
o STOMP Host: URL with prefix used to access STOMP protocol. Do not start with https://.
Example: cases-stomp.example.com
o STOMP Port: Port to use along with STOMP URL to access SOAR’s STOMP.
Example: 443
• Authentication, one of the following two options:
o If using a Resilient user account:
  - API User (email address): Email address of the Resilient account used for this integration.
  - API User Password: Password for the API user.
o If using a Resilient API key account:
  - API Key ID: ID of the key account.
  - API Key Secret: Secret of the key account.
Note: If using CP4S, make sure that the API key is created in the “Orchestration and Automation” settings of
CP4S, and not under “Settings/Manage API key”.



If using an MSSP API key, make sure that the key has been pushed to the child organizations and has the access
described in the Installation section.
• Multiple Organization Support: Check if supporting mapping between QRadar domains and multiple Resilient
organizations.
• Organization Name: Name of your Resilient organization. If connecting to a Resilient platform configured with
the MSSP add-on, this must be the configuration organization.
• Connect Securely: If checked, SSL certificates are verified. For on-premises deployments that use self-signed SSL
certificates or that have other certificate problems, the preferred fix is to upload the CA certificate that signed the
platform’s certificate into the integration’s persistent storage and set the “cafile” option in app.config to its
absolute path. Alternatively, you can clear Connect Securely to let the integration connect without certificate
verification; this exposes the credentials and incident data on that connection to interception, so treat it as a
temporary workaround only.
• Enable Configuring Resilient: If checked, the application creates in the Resilient platform all required fields,
actions, and message destinations that are needed for the integration to work.
• Proxy settings: Check this box if your configuration requires a connection through a proxy server. Enter the host
name as a URL address and port number. If the scheme is not provided for the proxy host, https:// is used by
default. If your proxy connection requires authentication, enter the username and password. The proxy features
use the basic authentication method to support authentication.
Click the Verify and Configure button to test that a connection can be made to the Resilient Server URL. This also tests
whether a QRadar ID field is present in your Resilient platform, the authorized service token is valid, and if using a proxy,
the proxy connection. If Multiple Organization Support is not enabled, go ahead and click the Save button once the
connection and configuration has been verified successfully.
If Multiple Organization Support is enabled, this also fetches all the QRadar domains and Resilient child organizations.
They are then shown in the Mapping tab where the user can select the mapping.

Before clicking Save, a Resilient administrator must log in to the Resilient platform and perform a push operation from
the configuration organization. This pushes the configuration information to all the child organizations. Once this
operation completes successfully, you can click the Save button from this window.



After validating the connection and saving the configuration, the following Resilient customization components are
created for the integration. The value in angle brackets is replaced by your actual input into QRadar Destination field:
1 Message Destination:
• qradar_<QRadar destination name modified to fit expected rule name>: Unified message queue for all of the
actions processed by IBM QRadar SOAR Plugin.
4 Rules:
• close_offense for <QRadar Destination>: With synchronization enabled, this automatic rule closes the related
QRadar offense when the Resilient incident is closed, and vice versa.
• qradar_note for <QRadar Destination>: With synchronization enabled, this automatic rule synchronizes notes
between an incident and an offense.
• Add to QRadar Reference Set for <QRadar Destination> (only for non-MSSP environments): With custom actions
enabled, this manual rule allows the user to send incident artifacts to QRadar Reference Sets of QRadar instance
specified by QRadar Destination.
• QRadar Ariel Query for <QRadar Destination>: With custom actions, this manual rule enables the user to run
Ariel queries on incident artifacts in the QRadar Destination specified in the name.
NOTE: If you are upgrading from a version before 4.0.0, these rules and message destinations are created alongside your
existing message destinations and rules. We recommend you disable or delete these rules and message destinations
used by previous versions.
Previous message destinations:
• qradar_app
• qradar_ref
• qradar_search
Previous actions:
• close_offense
• qradar_note
• Add to QRadar Reference Set
• QRadar Ariel Query



The Escalation tab contains settings for configuring how offenses are sent to the Resilient platform.

The following describes each section:


• Template Files. A template maps fields from the QRadar offense to the Resilient incident. You can create custom
templates as described in Custom Templates.
• Ignored Artifacts. You can define those artifacts that you do not wish to send to the Resilient platform as part of
the incident. These might include source and local destination addresses on an offense, which may be known
addresses of internal systems. You can reference this set of ignored artifacts in a template, as described in
Mapping Incident Artifacts.
• Escalations.
o Artifact Limit sets the maximum number of source IP and destination IP address artifacts created when QRadar
address IDs are resolved to addresses. The default limit is 20 source addresses and 20 destination addresses.
o Automatic Escalation Conditions. You can add rules under which offenses are escalated. A background
task continuously polls QRadar offenses and considers them as candidates for automatic escalation. See
Automatic Escalation for details.
o Manual Escalation Mode. Determines whether the information is sent immediately to the Resilient platform
when a user escalates an offense. With either manual escalation option listed below, the incident is created
and can be edited in the Resilient platform.
The Create incidents immediately upon escalation option sends the offense directly to the Resilient
platform. Choose this option in an environment where multiple users are likely to respond to the same
offense and could otherwise inadvertently create multiple incidents instead of one.



The Review incidents prior to escalation option allows users to review incident details before escalating
the offense to the Resilient platform. IP address IDs are not converted to artifacts during incident
creation. Instead, in the following update cycle, any IP addresses that need to be converted from IDs are
mapped as artifacts, up to the user-specified limit.
NOTE: This setting applies to all escalations. If Multiple Organization Support is enabled, it applies to all
QRadar domains.
The Preferences tab is described in Custom Actions.



Automatic Escalation
This section describes how to send QRadar offenses to the Resilient platform automatically.
When an administrator adds escalation rules on the Escalation tab of the configuration dialog, a background task
continuously finds QRadar offenses and considers them as candidates for automatic escalation.
The background task finds offenses where:
• The offense is Open.
• The offense matches an escalation rule. If an offense matches more than one rule, the first rule matched is used.
Escalation rule matching is performed with Python’s fnmatch module, using UNIX shell-style wildcard patterns
(for example, * matches any run of characters, ? matches a single character, and [seq] matches one character
from the set).

For each offense, it searches the Resilient platform for an open incident that was previously escalated using this offense
ID. If none is found, it creates a new incident. In this way, new offenses are automatically and continuously mapped to
new Resilient incidents.
IMPORTANT: Automatic escalations run against new and existing open offenses in QRadar when the application
is first installed. Any open offenses that match your selection criteria should be closed prior to enabling
automatic escalation if you do not want an incident created for them.

An administrator can configure the mapping between properties of the offense and fields for the new incident by
providing a custom template file for each incident escalation rule. This can be used to automatically determine the
incident type, the assigned groups, and any other incident fields. For details of this custom template file format, see
Custom Templates.
If Multiple Organization Support is enabled, automatic escalation rules apply to all QRadar domains. Also, domain
information of an offense is used to look for the mapped Resilient organization. If a mapped organization is not found,
the corresponding offense is not escalated even if an automatic escalation condition is met.
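The selection logic described in this section, written out as an added Python example (this is not the plugin’s code): a pure function that takes a batch of offenses as returned by the QRadar siem/offenses API, keeps only Open ones, orders them chronologically, skips those that already have an incident, applies the first matching fnmatch rule, and in Multiple Organization mode drops offenses whose domain has no mapped organization. The rule shape (an offense field plus a pattern), the sample offenses, the domain-to-organization mapping and the already_escalated set are constructed for this example; the real plugin finds already-escalated offenses by searching the Resilient platform for open incidents carrying the offense ID.

```python
import fnmatch

# Constructed sample offenses, shaped like records from the QRadar
# /siem/offenses API (real field names; values made up for this example).
SAMPLE_OFFENSES = [
    {"id": 3, "status": "OPEN", "start_time": 1609462800000, "domain_id": 0,
     "description": "Malware Detected: Trojan beacon"},
    {"id": 1, "status": "OPEN", "start_time": 1609459200000, "domain_id": 0,
     "description": "Multiple Login Failures for the Same User"},
    {"id": 2, "status": "CLOSED", "start_time": 1609460000000, "domain_id": 0,
     "description": "Malware Detected: Adware"},
    {"id": 4, "status": "OPEN", "start_time": 1609470000000, "domain_id": 7,
     "description": "Malware Detected: Ransomware"},
    {"id": 5, "status": "OPEN", "start_time": 1609480000000, "domain_id": 0,
     "description": "Malware Detected: Trojan beacon"},
]

# Ordered escalation conditions as (offense field, fnmatch pattern, template).
# The (field, pattern) shape is an assumption for this example; the guide only
# says matching uses fnmatch and that the first matching rule wins.
ESCALATION_RULES = [
    ("description", "Malware Detected: Trojan*", "malware_trojan.jinja"),
    ("description", "Malware Detected*", "malware_generic.jinja"),
    ("description", "Multiple Login Failures*", "auth_failure.jinja"),
]

# Stand-in for the QRadar domain -> Resilient organization mapping from the
# Mapping tab (Multiple Organization Support). Domain 7 is deliberately unmapped.
DOMAIN_TO_ORG = {0: "SOC-Production"}


def first_matching_rule(offense, rules):
    """Return the first rule whose pattern matches the offense, or None.

    fnmatchcase is used so the result does not depend on the host OS;
    plain fnmatch.fnmatch folds case on case-insensitive platforms.
    """
    for field, pattern, template in rules:
        value = offense.get(field)
        if value is not None and fnmatch.fnmatchcase(str(value), pattern):
            return (field, pattern, template)
    return None


def select_for_escalation(offenses, rules, already_escalated, domain_to_org=None):
    """Decide which offenses to escalate and with which template.

    Returns [(offense_id, template, organization)] in chronological order.
    already_escalated: offense IDs that already have an open incident.
    domain_to_org: None in single-organization mode; otherwise the mapping,
    and offenses in an unmapped domain are never escalated.
    """
    candidates = sorted(
        (o for o in offenses if o.get("status") == "OPEN"),
        key=lambda o: o["start_time"],
    )
    plan = []
    for offense in candidates:
        if offense["id"] in already_escalated:
            continue  # an open incident for this offense ID already exists
        rule = first_matching_rule(offense, rules)
        if rule is None:
            continue
        org = None
        if domain_to_org is not None:
            org = domain_to_org.get(offense.get("domain_id"))
            if org is None:
                continue  # condition met, but no mapped organization
        plan.append((offense["id"], rule[2], org))
    return plan


if __name__ == "__main__":
    for offense_id, template, org in select_for_escalation(
        SAMPLE_OFFENSES, ESCALATION_RULES, already_escalated={5}, domain_to_org=DOMAIN_TO_ORG
    ):
        print(f"escalate offense {offense_id} to {org} using {template}")
```

Running the same function over a dump of your currently open offenses before you enable automatic escalation shows exactly which ones the poller would pick up on first run, which is the check the IMPORTANT note above asks for.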



Manual Escalation
This section describes how a user can send QRadar offenses to the Resilient platform using the QRadar console user
interface, as well as how to add IP addresses as artifacts to existing incidents.
To perform these procedures, you need to have the IBM QRadar SOAR Plugin permission (as specified in User Role
Management); otherwise, you do not see the Send to SOAR button.

Raising an Incident
To send an offense from QRadar to the Resilient platform, go to the QRadar console and perform the following.
1. Make sure that popups are enabled in your browser.
2. In the QRadar console, click the Offenses tab.
3. From the list of offenses, select only one offense. For example:

Figure 2

NOTE: If you are in the Offense Details screen, the Send to SOAR button is in the Details toolbar.
4. In the toolbar, click Send to SOAR. This opens a popup for you to select which mapping template you wish to use to
generate the incident.

5. Select a template from the dropdown and click OK.



While the incident is created immediately, any artifacts specified in the template are not generated until the next
update cycle, which is when the app polls QRadar. Typically, this is approximately 2 minutes.
If Multiple Organization Support is enabled, the domain information of the selected offense is used to find the mapped
Resilient organization. If an organization is found, the offense is escalated to that organization. If not found, an error
message is shown; for example:

Figure 3

NOTE: If you log in to the Resilient platform after creating an incident and see the message “Error: Unable to find
object with ID xxxxx”, verify that you have logged in to the same Resilient organization as the one configured in the
Access tab.

Adding Artifacts to an Incident


Perform the following to add an artifact to an incident:
1. Make sure that you enable popups in your browser.
2. In the QRadar console, click the Offenses tab.
3. From the list of offenses, click on an offense to open its details.
4. Right click on any IP address.
5. In the popup menu, click Add to SOAR.

6. In the Add Artifact screen, select the incident to add this IP address.
7. Click Add Artifacts.



This feature also works on IP addresses in the Log Activity tab.



Custom Templates
Template Creator Screen
The template creator is accessible via the escalation tab on the configuration screen. It allows mapping of fields from the
QRadar offense to the Resilient incident. The incident fields displayed are pulled from the Resilient platform and
updated each time this screen is accessed, so any changes to incident fields, including custom fields, are reflected here.
When you click Save, a template file is generated based on the mapping specified.
Mapping Incident Fields

To view the complete list of offense fields available for mapping, click show fields at the top of the screen. It includes all
the regular offense fields, plus fields that hold ID values converted to text. These are the fields returned by the QRadar
siem/offenses API endpoint, which you can explore and test through the Interactive API for Developers menu item. The
syntax to map an offense field to an incident field is {{ offense.<fieldname> }}.
The list of valid values for incident selection fields is available from the field’s drop-down lists.
A red asterisk next to a field indicates that it is required, so a mapping must be specified.



When a value is added to a field, a refresh icon appears next to it. This indicates that the field is updated anytime the
offense is updated. This has an effect on fields that contain an actual mapping from an offense field rather than just a
static value. If updates for a particular field are not desired, you can click the icon to change it to a lock. This indicates
that the incident field is locked upon creation and does not receive updates from QRadar when the offense changes. The
field can still be modified from the Resilient client.
There are several JINJA “filters” available for use when mapping your fields. They are essentially functions that format or
modify a value before copying it into the incident. The syntax when using a filter is:
{{ offense.<offense_field>|<filter_name> }}

NOTE: The template language is based on JINJA2. See the JINJA2 documentation for details.
Filter Name / Description / Sample Usage

ago: Converts an epoch milliseconds timestamp value to a string representation of the time in milliseconds that has elapsed since then.
    Sample usage: {{ offense.start_time|ago }}
csv: Converts a list of values to a comma separated string.
    Sample usage: {{ offense.categories|csv }}
res_email: Converts the user's display name to an email address, if the email address exists in the Resilient org. If not, it returns the default Resilient email address specified in app.config.
    Sample usage: {{ offense.assigned_to|res_email }}
html: HTML-escaped version of the value.
iso8601: Converts an epoch milliseconds timestamp value to an ISO8601 datetime value.
    Sample usage: {{ offense.start_time|iso8601 }}
js: Same as the json filter but strips the surrounding quotes from the result.
    Sample usage: {{ offense.description|js }}
json: JSON-friendly version of the value.
    Sample usage: {{ offense.description|json }}
local_dest_ip_whitelist: Removes all entries that are on the configured Local Destination IP ignore list from a list of values.
    Sample usage: {{ offense.local_destination_addresses|local_dest_ip_whitelist }}
severity: Maps a numeric QRadar severity to a Resilient severity:
    8-10 = High
    4-7 = Medium
    1-3 = Low
    Sample usage: {{ offense.severity|severity }}
src_ip_whitelist: Removes all entries that are on the configured Source IP ignore list from a list of values.
    Sample usage: {{ offense.source_addresses|src_ip_whitelist }}
uniq: Removes duplicate entries from a list of values.
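As an added illustration of the mapping syntax and the filters in the table above (this is not the plugin's code, and the regex renderer is a minimal stand-in for Jinja2, not Jinja2 itself), the following Python reimplements several filters and renders a small JSON incident template over a constructed offense. The ignore set, the offense values and the names returned by severity are assumptions.

```python
import json
import re
from datetime import datetime, timezone

SRC_IP_IGNORE = {"10.0.0.5"}  # constructed stand-in for the Source IP ignore-list reference set

def severity(value):  # 8-10 = High, 4-7 = Medium, 1-3 = Low (names assumed)
    value = int(value)
    return "High" if value >= 8 else "Medium" if value >= 4 else "Low"

def csv(values):  # list of values -> comma separated string
    return ",".join(str(v) for v in values)

def iso8601(epoch_ms):  # epoch milliseconds -> ISO 8601 datetime (UTC)
    return datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc).isoformat()

def js(value):  # JSON-escape the value and strip the surrounding quotes
    return json.dumps(str(value))[1:-1]

def src_ip_whitelist(values):  # drop entries found on the Source IP ignore list
    return [v for v in values if v not in SRC_IP_IGNORE]

FILTERS = {f.__name__: f for f in (severity, csv, iso8601, js, src_ip_whitelist)}

MAPPING = re.compile(r"\{\{\s*offense\.(\w+)\s*(?:\|\s*(\w+))?\s*\}\}")  # {{ offense.<field>[|<filter>] }}

def render(template, offense):  # substitute each mapping, applying the filter if one is named
    def substitute(match):
        value = offense[match.group(1)]
        if match.group(2):
            value = FILTERS[match.group(2)](value)
        return str(value)
    return MAPPING.sub(substitute, template)

OFFENSE = {  # constructed sample offense, not data from a real QRadar system
    "id": 42, "severity": 7, "start_time": 1609459200000,
    "description": 'Excessive Firewall Denies "to" host',
    "categories": ["Firewall Deny", "Access Denied"],
    "source_addresses": ["10.0.0.5", "203.0.113.7", "203.0.113.7"],
}

TEMPLATE = ('{"name": "QRadar offense {{ offense.id }}", '
            '"severity_code": "{{ offense.severity|severity }}", '
            '"description": "{{ offense.description|js }}", '
            '"start_date": "{{ offense.start_time|iso8601 }}", '
            '"categories": "{{ offense.categories|csv }}"}')

def render_incident(offense=OFFENSE):  # the rendered text must parse as JSON
    return json.loads(render(TEMPLATE, offense))
```

The js filter is what keeps the quotation marks inside the offense description from breaking the rendered JSON; the real plugin renders with Jinja2, so {% if %} blocks and the other constructs used in the manually edited templates described later in this guide are outside what this stand-in handles.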
Mapping Incident Artifacts

In addition to incident fields, mapping templates also allow you to specify which artifacts you want created from an
offense. Artifacts are automatically created from the list of offense source addresses, offense local destination
addresses, and offense source if those boxes are checked.
If you wish to create artifacts from incident fields other than those, you can do so in the Create Additional Artifacts
section.

There are likely to be source and local destination addresses on an offense that you do not want to be used to create
artifacts. Often these are known addresses of internal systems. If those known addresses are stored in a QRadar
Reference Set, then the integration can use that reference set as an “ignore list” for artifact creation. If Apply Ignore List
is checked on the template, then any addresses in the offense that are in the ignore list are skipped when generating
artifacts.
NOTE: The templates do not support custom artifact types that support file attachments.
You specify the reference sets to ignore on the Escalation tab in the configuration screen.

As new source and local destination IP addresses are added to the offense, new artifacts are added to the Incident as
well. If an offense has a large number of IP addresses, the integration converts at most 20 of them (from IDs to IP
addresses) into artifacts during each polling session.
You can test your template with the Test Template button. When clicked, you have the option to Render Test Only, which
validates the field mappings, or Render and Submit Simulated Incident, which additionally creates a simulated
incident. Note: starting in Resilient v34.2, Simulation Permissions must be enabled in Resilient Administration Settings
for the user role / API key to create a simulated incident.

Managing Templates

You manage template files on the Escalation tab in the configuration screen. Clicking Build a New Template or Modify
for an existing template takes you to the mapping screen. Clicking Download allows you to retrieve an existing template
for manual updates, and clicking Delete permanently removes a template from the app.

Manually Creating or Updating Templates


In most cases, the templates generated by the template creator should be sufficient. However, there are some use cases
where a more advanced template is required. You can get your template close to how you want it via the mapping
screen, then download it and modify it manually.
The template language is based on JINJA2. See the JINJA2 documentation for details.
The template is rendered to a JSON document that is either posted to the Resilient platform to create a new incident or
converted to a URL with key/value parameters in the Resilient Web URL format. Refer to the Web URL Integration Guide
for complete details of this format.
The following is an example of a template. In this use case, manual updates to the template are required to support
mapping the Incident Type to different values based upon the offense description.
{
  "name": "QRadar {{offense.offense_type_name}} - {{offense.offense_source}}, ID: {{offense.id}}",
  {# Set incident id from description #}
  {% if "malware" in offense.description %}
  "incident_type_ids": "Malware",
  {% else %}
  "incident_type_ids": "Other",
  {% endif %}
  "confirmed": 0,
  "description" : "{{offense.event_count}} events in {{offense.category_count}} categories: {{offense.description}}",
  "discovered_date": {{offense.start_time}},
  "start_date": {{offense.start_time}},
  "severity_code" : {{offense.severity | severity}}
}
    "type": "IP Address",
    "value": "{{e.sourceip|js}}",
    "description": "Source {{e.sourceip|js}}"
  } {% if not loop.last %},{% endif %}
  {% endfor %} ]
}

FROZEN="incident_type_ids","name","start_date","confirmed","discovered_date"

Poller Status
Configuration Page Tab
The Poller Status tab displays the latest status of the background process performing auto-escalations (poller) known to
the system. Additionally, the ten latest changes in the status are displayed along with the Date and Time of the change.

Possible values displayed are: Running; Initialization, which occurs when the container running the application is
restarted; Stopped, when the background process is terminated; and Restarting, when the system registers the poller's
termination and attempts to start it again.

Dashboard item
Information displayed in the Poller Status tab can also be accessed as a dashboard item as shown below. In this form the
status is refreshed at a regular interval.

To add Poller status to your dashboard, find the dashboard item under the IBM QRadar SOAR Plugin section of the menu
in the list of available dashboard items.

Custom Actions
The Resilient integration runs a background process that connects to the Resilient Action Module, enabling several
custom actions within the Resilient platform. This can be found under the Preferences tab in the Configuration Screen.

If Multiple Organization Support is enabled, make sure that a new Ariel search query contains the following token in all
proper places: domainid={{qradar_dom_id}} . This restricts the Ariel search to the proper domain. Also, Enable
Adding Reference Entries From Resilient is disabled, because the QRadar API does not support adding reference entries to
a specific domain.

Ariel Search
This is a manual custom action that enables Resilient users to search the QRadar Ariel database for any artifact value
from within the Resilient platform. This action is enabled in the Custom Actions section of the Preferences tab in the
Configuration Screen. The search results are then attached to the incident in a CSV file.
In an incident’s Artifact tab in the Resilient platform, click on the action menu next to the artifact you wish to query and
select “QRadar Ariel Query”.

Select the type of Ariel Query you wish to run from the popup modal.

The search results can be found in the .csv file under the Attachments tab.

Add to Reference Set


This manual action enables a user to add an artifact value to a QRadar Reference set. When enabled, the list of selected
reference sets from QRadar automatically populates into the Rule drop-down list in the Resilient platform. This feature
can be used in conjunction with the "ignored artifacts" reference sets. If an artifact is created automatically from a
template but it is determined that it is not valuable data (such as the IP Address of an internal system), you can use the Add
to Reference Set action to add the value to the ignore list. That prevents future incidents from having the unwanted
artifact added.
This is disabled if Multiple Organization Support is enabled.

App Configuration Option

Resilient Artifact Action Menu

Reference Set

Updating Incidents
An offense in QRadar continues to evolve after it is created. New events and addresses become associated with it. These
updates are automatically pushed to the corresponding incident so long as both the incident and the offense remain
open. Because the same template that was used to create an incident is used to update it, any changes to that template
after an incident is created affects how it is updated. Similarly, deleting a template results in no further updates to the
incidents that were created with it. Any fields that contain a mapping using the {{ }} jinja syntax are updated any time the
offense changes, unless the template has marked the field as locked. See Mapping Incident Fields for more details.
Offense updates also trigger new artifacts to be created in the Resilient platform if the template was configured for
artifact generation.

Synchronized Notes
The integration polls QRadar for new offense notes to copy over to the Resilient platform. An automatic custom action
in the Resilient platform alerts the integration any time a new note is added to an Incident, which is then copied to the
corresponding offense. This bi-directional sync is enabled with the Synchronize Notes option in the Synchronization
section of the Preferences tab in the Configuration screen.
NOTE: This feature applies only to notes added to incidents, not the notes added to tasks.

Automatically Closing Offenses
An automatic action notifies the integration whenever an incident is closed. If desired, this can trigger the corresponding
offense to close as well.
Under Synchronization of the Preferences tab in the Configuration Screen, check Close Offense when Incident closes.
When the offense is closed, a closing reason is provided. If the Resolution on the Incident matches a closing Reason in
QRadar, then that reason is used. If the Incident Resolution does not exist as a closing Reason in QRadar, then a default
of “Policy Violation” is used. For this reason, it is advised that you configure the Custom Offense Closing Reasons in
QRadar and Resolution Values in the Resilient platform to match. As shown in the following image, the integration warns
you of any Resolution values in the Resilient platform that do not have a corresponding closing Reason in QRadar.

When the offense is closed, a note is added to indicate the Resilient user who closed the incident, the Resolution ID, and
the Resolution Summary.

Automatically Closing Incidents


You can set the integration to close an incident automatically in the Resilient platform whenever it detects that the
corresponding Offense has been closed. This happens as part of the background update task, which runs every 2
minutes. The Resilient platform has a set of fields that are required to be populated in order for an incident to be closed.
That set of required closing fields is configurable.

Under the Synchronization section of the Preferences tab in the Configuration Screen, check Close Incident when
Offense closes. This prompts you to map a value for each of the Incident fields that have been set as “required on
close”. The syntax is the same as described in Mapping Incident Fields section.

Database Backup and Rollback
The QRadar plugin contains a database, which needs to be kept in sync with the Resilient platform database. Whenever
you perform a backup or rollback of the Resilient database, you need to do the same for the QRadar local database. The
steps to do both are defined below.

QRadar plugin database backup


Before backing up the database, you must stop the QRadar plugin. This is best done using the API, as described in the
QRadar API documentation. The following example shows a curl command using the version 10.0 API:
curl -s -X POST -u <USER> -H 'Version: 10.0' -H 'Accept: application/json' 'https://<QRADAR_IP_ADDRESS>/api/gui_app_framework/applications/<QRADAR_PLUGIN_APPLICATION_ID>?status=STOPPED'

1. Navigate to the `/store/docker/volumes/qapp-<your app-id>` directory.
2. Make a copy of the `resilient.db` file.
3. Restart the QRadar Plugin. This is best done using the API, as described in the QRadar API documentation. The
following is an example curl command using the version 10.0 API:
curl -s -X POST -u <USER> -H 'Version: 10.0' -H 'Accept: application/json' 'https://<QRADAR_IP_ADDRESS>/api/gui_app_framework/applications/<QRADAR_PLUGIN_APPLICATION_ID>?status=RUNNING'

QRadar plugin database rollback


Before rolling back the database, you must stop the QRadar plugin. This is best done using the API, as described in the
QRadar API documentation. The following example shows a curl command using the version 10.0 API:
curl -s -X POST -u <USER> -H 'Version: 10.0' -H 'Accept: application/json' 'https://<QRADAR_IP_ADDRESS>/api/gui_app_framework/applications/<QRADAR_PLUGIN_APPLICATION_ID>?status=STOPPED'

1. Enter the Docker image for the Resilient QRadar App.
2. Navigate to the `/store` directory.
3. Replace the `resilient.db` file with the backup file.
4. Restart the QRadar Plugin. This is best done using the API, as described in the QRadar API documentation. The
following is an example curl command using the version 10.0 API:
curl -s -X POST -u <USER> -H 'Version: 10.0' -H 'Accept: application/json' 'https://<QRADAR_IP_ADDRESS>/api/gui_app_framework/applications/<QRADAR_PLUGIN_APPLICATION_ID>?status=RUNNING'

License
IBM Resilient is willing to license software or access to software to the company or entity that will be using or accessing the software and
documentation and that you represent, as an employee or authorized agent ("you" or "your"), that you will use or access this software and
documentation only on the condition that you accept all of the terms of this license agreement.

The software and documentation within IBM Resilient's Development Kit are copyrighted by and contain confidential information of IBM Resilient.
By accessing and/or using this software and documentation, you agree that while you may make derivative works of them, you:

1) will not use the software and documentation or any derivative works for anything but your internal business purposes in conjunction with your
licensed use of IBM Resilient's software, nor will you;

2) provide or disclose the software and documentation or any derivative works to any third party.

THIS SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL IBM RESILIENT
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
