Getting Started with IBM QRadar and Red Hat Ansible Automation Platform

IBM Security QRadar is a Security Information and Event Management (SIEM), which can help security teams to accurately detect and prioritize threats across the organization, providing intelligent insights that enable organisations to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints, users and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation. 

Ansible and QRadar, better together

Ansible is the open and powerful language security teams can use to interoperate across the various security technologies involved in their day-to-day activities.

Customers can take advantage of the IBM QRadar Content Collection to create sophisticated security workflows through the automation of the following functionalities:

• Log sources configuration
• Offense rules enablement
• Offense management

Ansible allows security organizations to integrate QRadar into automated security processes, enabling them to automate QRadar configuration deployments in recurring situations like automated test environments, but also in large scale deployments where similar tasks have to be rolled out and managed across multiple nodes.

Security practitioners can automate investigation activities enabling QRadar to programmatically access new data sources. Also, they now have the ability to enable and disable correlations rules to support incident prioritization in more complex security workflows.

Furthermore, users can leverage Ansible to change the priority of an offense, its ownership and track activities in its note field directly as part of automated processes.

The IBM Security QRadar Content Collection

The integration of QRadar into a security environment automated with Red Hat Ansible Automation Platform is done through the Collection ibm.qradar. To use the Collection, it needs to be installed on the target nodes for example via:

$ ansible-galaxy collection install ibm.qradar
Process install dependency map
Starting collection install process
Installing 'ibm.qradar:1.0.1' to '/home/liquidat/.ansible/collections/ansible_collections/ibm/qradar'

For more information on how to use and install Ansible Content Collections, check out our blog post Hands on with Ansible collections from our Ajay Chenampara.

As of today, the Collection contains multiple modules and two plugins. The plugins provide the core functionality to connect to QRadar in the first place: QRadar provides a rich REST API to interact with, and the Collection uses this to execute various tasks. The plugins manage the authentication and the handling of the REST API calls.

The modules are built around the typical use cases of QRadar and follow the usage patterns of QRadar. Notable modules are:

• deploy - Trigger a qradar configuration deployment
• log_source_management - Manage Log Sources in QRadar
• offense_action - Take action on a QRadar Offense
• offense_info - Obtain information about one or many QRadar Offenses
• offense_note - Create or update a QRadar Offense Note
• rule - Manage state of QRadar Rules
• rule_info - Obtain information about one or many QRadar Rules

Using the modules in the Ansible Content Collection

To give a better idea of how to use the Collection, we will illustrate a simple example. After the installation of the collection mentioned above, we need to make sure that Ansible is capable of authenticating to QRadar. This can be ensured by a corresponding inventory entry of a QRadar instance:

qradar ansible_user=admin ansible_httpapi_pass="Ansible1!" ansible_connection=httpapi ansible_httpapi_use_ssl=yes ansible_network_os=ibm.qradar.qradar

As mentioned, communication with QRadar is done via REST API, so ansible_connection has to be set to httpapi. The connection should also use SSL (ansible_httpapi_use_ssl), and we need to provide a username and password via ansible_user and ansible_httpapi_pass, respectively. Last but not least we set the network os to QRadar: ansible_network_os=ibm.qradar.qradar

After the inventory is set up to talk to QRadar, we can execute the first playbook. For example, if we want to deactivate an existing rule inside QRadar, we can write a playbook that in the first task uses the module rule_info to query the existing rule, and in the second task deactivates the rule using the rule module:

---
- name: Change QRadar rule state
  hosts: qradar
  collections:
    - ibm.qradar
  tasks:
    - name: get info about qradar rule
      rule_info:
        name: "Potential DDoS Against Single Host (TCP)"
      register: rule_info
    - name: disable rule by id
      rule:
        state: disabled
        id: "{{ rule_info.rules[0]['id'] }}"

Another typical example is log sources management: imagine that during an investigation the log information of a given source needs to be added to the SIEM for further investigation. This can be done with the module log_source_management:

---
- name: Add CISCO ASA log source to QRadar
  hosts: qradar
  collections:
    - ibm.qradar
  tasks:
    - name: Add CISCO ASA remote logging to QRadar
      log_source_management:
        name: "CISCO ASA source"
        type_name: "Cisco Adaptive Security Appliance (ASA)"
        state: present
        description: "CISCO ASA log source"
        identifier: 11.22.33.44

In this example the new log source “CISCO ASA source” is configured, and all logs coming from the IP “11.22.33.44” of the type “Cisco Adaptive Security Appliance (ASA)” are put into that log source.

Enabling security automation use cases: investigation enrichment

The real power of Red Hat Ansible Automation Platform integrating QRadar shows when we use it in typical security automation use cases. Let’s take the task of investigation enrichment as an example: security practitioners often have to investigate suspicious behavior, and as part of this they gather more information from affected or related systems. Doing this manual can be repetitive and time-consuming. The Ansible Content Collections developed as part of the Ansible security automation initiative can help to overcome these challenges, as we have already shown in our dedicated blog post Getting started with Ansible security automation: investigation enrichment.

In that blog post we showed how QRadar as SIEM is a crucial part of the security environment and how Ansible automates the corresponding tasks: log sources from various systems can be automatically added or removed as needed, enabling security analysts to view information the moment they need it - and removing the logs when the investigation is done. Note that adding or removing log sources is usually only a part of larger automation processes supporting the security practitioners. They can also be created in advance and be part of a library of predefined automation processes ready to be consumed when needed. Together with Ansible Tower access to the elements of such a library can be controlled with typical enterprise governance processes like RBAC.

Takeaways and going forward

IBM Security QRadar helps security teams accurately detect and prioritize threats across the organization. Using the Ansible Content Collection for IBM QRadar, customers are able to integrate QRadar in larger security automation processes like investigation enrichment and others and automate sophisticated security workflows through the automation.

As next steps there are plenty of resources to follow up on the topic:

• Check out the upstream project for the QRadar collection on Ansible Galaxy
• Learn where you are in your journey to security automation, and what challenges are ahead of you.
• Learn more about the Ansible Security Automation use case of the Red Hat Ansible Automation Platform
• If you want to see the above mentioned playbooks and setup in action, check out the corresponding video in our Youtube channel.