IBM QRadar can process beSECURE native XML files and integrate the findings listed inside them into its Vulnerability Management dashboards and processes.
To integrate beSECURE and QRadar you will need to create a collection point, because QRadar cannot receive vulnerability information directly from beSECURE, nor does it support a RESTful API for pulling the results from beSECURE.
The collection point is an intermediate server, accessible via SCP (Secure Copy over SSH), through which beSECURE and QRadar exchange the data.
The integration process works as follows:
1. beSECURE performs a scan of one or more targets.
2. At the end of the scan, beSECURE generates an XML report and uploads it via SCP to the SSH server.
3. Periodically, IBM QRadar queries the same folder that was configured in beSECURE and to which the file was uploaded in Step 2. Whenever a file is found in this folder, QRadar pulls the XML file and processes it, and the results found inside it are integrated into QRadar.
To start the integration process, go to the IBM QRadar user interface:
There, click on the hamburger menu icon:
Click on the “Admin” section:
Then go to “Data Sources” -> “Vulnerability” -> “VA Scanners”:
Then click the “Add” button:
From the “Type” drop-down menu, choose Beyond Security AVDS Scanner:
In the popup configuration page, type “beSECURE” as the Scanner Name and provide the intermediate SSH server from which IBM QRadar will pull the XML reports. In this case we configured it to use 192.168.15.127, the username ‘beyond’, SSH key authentication, and a remote directory of ‘/home/beyond/xml/’. Configure at least one CIDR covering the scans whose results you want QRadar to pick up; “0.0.0.0/0” can be used as a wildcard for ‘all’. The rest of the parameters can be left unchanged.
Click “Save”.
We now need to configure the upload of the results from beSECURE via SCP (over SSH). Open the beSECURE interface, go to the Integration section, and enable the “Report Sink” option:
Use settings matching those entered in the QRadar configuration:
From this point on, whenever a scan completes, a report will be uploaded using SCP (over SSH) to the host 192.168.15.127, logging in as ‘beyond’ with an SSH key, and placed in the ‘/home/beyond/xml/’ folder. The report generated will be an XML file, which is what QRadar expects. The filename created on the server will be ‘report-[ID of the Scan]-[Scan Number].xml’.
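Because the collection point is the only place where an operator can see what beSECURE actually delivered and what QRadar will actually pick up, it is worth being able to audit that folder. The following script is an added example, not part of this guide and not code from Beyond Security or IBM. It lists the collection directory and separates files that follow the ‘report-[ID of the Scan]-[Scan Number].xml’ convention and parse as well-formed XML from anything else (stray files, truncated uploads, misnamed reports). The regular expression assumes the scan number is numeric and that the scan ID contains no hyphen; both are assumptions, since the guide only gives the pattern in words. The sample files it creates in a temporary directory are constructed for the demonstration and are not real beSECURE output.

```python
"""Audit the SCP collection point that sits between beSECURE and QRadar.

Added example (not part of the original guide or either product). It assumes
the directory layout described in the guide: a folder such as /home/beyond/xml/
holding files named report-<scan id>-<scan number>.xml.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Filename convention from the guide: report-[ID of the Scan]-[Scan Number].xml
# Assumption: the scan ID contains no hyphen and the scan number is an integer.
REPORT_NAME = re.compile(r"^report-(?P<scan_id>[^-]+)-(?P<scan_no>\d+)\.xml$")


def classify_reports(directory):
    """Return (accepted, rejected) for the entries in the collection directory.

    accepted: (filename, scan_id, scan_no) for files that match the naming
              convention and are well-formed XML, i.e. what QRadar can consume.
    rejected: (filename, reason) for everything else, so an operator can see
              what will never be imported and what should not be in the folder.
    """
    accepted, rejected = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            rejected.append((name, "not a regular file"))
            continue
        match = REPORT_NAME.match(name)
        if not match:
            rejected.append((name, "filename does not match report-<id>-<n>.xml"))
            continue
        try:
            # Well-formedness only: a partially uploaded file fails here.
            ET.parse(path)
        except ET.ParseError as exc:
            rejected.append((name, f"malformed XML: {exc}"))
            continue
        accepted.append((name, match["scan_id"], int(match["scan_no"])))
    return accepted, rejected


def build_sample_collection_dir():
    """Create a temp directory with constructed sample files (not real reports)."""
    directory = tempfile.mkdtemp(prefix="xml-collection-")
    samples = {
        "report-12-3.xml": "<report><host ip='10.0.0.5'/></report>",  # complete
        "report-12-4.xml": "<report><host ip='10.0.0.5'",              # truncated upload
        "report-12-x.xml": "<report/>",                                # bad scan number
        "notes.txt": "left here by mistake",                           # stray file
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return directory


if __name__ == "__main__":
    folder = build_sample_collection_dir()   # replace with /home/beyond/xml/ in practice
    ok, bad = classify_reports(folder)
    for name, scan_id, scan_no in ok:
        print(f"ACCEPT {name}: scan {scan_id}, run {scan_no}")
    for name, reason in bad:
        print(f"REJECT {name}: {reason}")
```

Run it on the real collection directory (with read access as the ‘beyond’ user, or whatever account owns ‘/home/beyond/xml/’) after a scan completes: a report that shows up as rejected explains why QRadar never imported it, and a file that is neither a report nor XML points to something other than beSECURE writing into the folder.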