IBM QRadar can process beSECURE native XML files and integrate the findings inside them into its Vulnerability Management dashboards and processes.
To integrate beSECURE and QRadar, you must create a Collection Point: an intermediate server, accessible via SCP (Secure Copy over SSH), through which beSECURE and QRadar share the data. This is required because QRadar cannot directly receive vulnerability information from beSECURE, nor does it support a RESTful API to pull the results directly from beSECURE.
The integration process is as follows:
- beSECURE scans one or more targets.
- At the end of the scan process, beSECURE generates an XML report that is uploaded by way of SCP to an SSH server.
- Periodically, IBM QRadar queries the folder where the XML file was uploaded in the previous step. Whenever a file is found in this folder, it pulls the XML file and processes it. The results in the file are then integrated into QRadar.
Configuring IBM QRadar to integrate with beSECURE
To integrate IBM QRadar with beSECURE, do the following:
- Connect to IBM QRadar.
- Select the hamburger menu button.
- Select Admin > Data Sources > Vulnerability > VA Scanners.
- Select Add.
- In the Type box, select Beyond Security AVDS Scanner.
- On the dialog, do the following (see image for an example):
  - In the Scanner Name box, enter beSECURE.
  - In the Remote Hostname box, enter the IP address of the intermediate SSH server that IBM QRadar will pull the XML reports from.
  - In the Login Username box, enter the login username for the SSH server.
  - Select Enable Key Authentication.
  - In the Remote Directory box, enter the directory where IBM QRadar will pull the XML reports from.
  - In the CIDR Ranges box, enter the IP address of a beSECURE scan you want IBM QRadar to pull results for. You can use 0.0.0.0/0 as a wildcard for all scans.
  - Leave all other parameters unchanged. Note: You will use these same settings in the next section.
- Select Save.
Configuring beSECURE to integrate with IBM QRadar
To integrate beSECURE with IBM QRadar, do the following:
- Log in to beSECURE.
- Select More > Server > Integration.
- Select Report Sink.
- On the Report Sink parameters page, do the following:
  - In the Type box, select SCP.
  - In the Hostname box, enter the same IP address you entered for Remote Hostname in IBM QRadar.
  - In the Port box, enter the port for the SSH server.
  - In the Username box, enter the same username you entered for Login Username in IBM QRadar.
  - In the SSH Key box, enter the key for the SSH server.
  - In the Destination Directory box, enter the path you entered for Remote Directory in IBM QRadar.
  - In the Report Format box, select XML.
  - In the Report Filename box, enter the following filename, customizing the ID and Scan Number: report-[ID of the Scan]-[Scan Number].xml.
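When QRadar shows no results after both sides are configured, the first place to look is the shared directory on the Collection Point. The following check is an added example, not part of beSECURE or QRadar: it runs on the SSH server and flags files whose name does not follow the Report Filename pattern, that are world-writable, that are older than a threshold, or that are not well-formed XML (for instance, a partially uploaded report). The filename character classes, the age threshold and the DOCTYPE rejection are assumptions.

```python
import re
import time
from pathlib import Path
from xml.parsers import expat

# The page gives report-[ID of the Scan]-[Scan Number].xml; treating the ID as
# alphanumeric and the scan number as digits is an assumption.
NAME_RE = re.compile(r"^report-[A-Za-z0-9]+-\d+\.xml$")


def xml_error(data):
    """Return None if data is well-formed XML, else a short reason."""
    parser = expat.ParserCreate()

    def reject_doctype(*_args):
        # Assumption: reports carry no DOCTYPE, so refuse one rather than
        # expand entities from an uploaded file. Remove if yours include it.
        raise ValueError("DOCTYPE present")

    parser.StartDoctypeDeclHandler = reject_doctype
    try:
        parser.Parse(data, True)
    except (expat.ExpatError, ValueError) as exc:
        return str(exc)
    return None


def check_drop_dir(directory, max_age_hours=24, now=None):
    """Map each file in the Remote Directory to a list of problems."""
    now = time.time() if now is None else now
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        problems = []
        if not NAME_RE.match(path.name):
            problems.append("unexpected filename")
        st = path.stat()
        if st.st_mode & 0o002:
            problems.append("world-writable")
        if now - st.st_mtime > max_age_hours * 3600:
            problems.append("stale")
        error = xml_error(path.read_bytes())  # catches truncated uploads
        if error:
            problems.append("not well-formed XML: " + error)
        results[path.name] = problems
    return results
```

Call `check_drop_dir()` with the path you entered for Remote Directory; an empty list for a file means none of the checks fired.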