Install and Configure the Illumio App for QRadar
The following topics describe how to install and configure the Illumio App for QRadar.
Before You Begin
The following are required before you can run the Illumio 1.4.0 app on QRadar:
Illumio App Bundle (v1.4.0)
QRadar version 7.4.3 GA or later
Access to the Illumio PCE
Illumio credentials to access labels from PCEs
Install the Illumio App in QRadar
The application installation requires access to the QRadar console through its web interface at https://<QRadar console IP>/.
For details about logging into QRadar, see the IBM QRadar documentation.
Log into the QRadar console.
Go to Admin > Extension Management.
Click Add and select the downloaded Illumio App zip file.
QRadar displays a list of changes that the app is making.
Click Install.
After the application is installed, QRadar creates a Docker container for it in the backend.
Deploy the changes from the Admin panel.
Refresh the browser to display the configuration page.
Configure the Application
After you complete the installation, you must configure the application to start data collection.
If you have just finished installing the app, you are already on the Configuration page and can skip to the second step.
To get to the Configuration page, find the installed app on the QRadar Admin Panel under Apps.
Open the Illumio App Configuration page, and click Configure PCE.
Note
The app supports multiple accounts for PCE configurations.
On the following screen, the Authorized Service Token is the value obtained from the QRadar App Authorization Manager.
Enter the PCE URL and your Illumio credentials; data collection starts once they are saved. If the Illumio PCE uses self-signed or internal CA certificates, make sure those certificates are present in QRadar. If they are not, see Add Illumio PCE SSL Certificates in QRadar.
Note
Saved credentials are listed on this page, and you can configure a proxy for fetching data from the configured Illumio PCEs.
Assign User Roles and Capabilities
QRadar supports access-control list (ACL) configuration for restricting access to different actions and dashboards. The Illumio App for QRadar adds a new capability that controls access to the Illumio dashboards. To access the Illumio dashboards, a user must be assigned a role that has this capability. By default, admin users have access to all capabilities.
Use the following steps to add a new QRadar role with the Illumio dashboard capability:
Log into the QRadar console.
Go to Admin > User Roles.
Click New and enter the name of the role.
Assign the Illumio Adaptive Security Platform capability, as shown in the following figure. This role is for users who should be allowed to view Illumio dashboards.
Add the PCE as a Log Source in QRadar
To enable QRadar to receive events from the Illumio App, you must add the Illumio PCE to QRadar as a log source. You need to add a separate log source to collect data from each PCE.
On the Admin tab in QRadar, select Log Sources, and click Launch.
Select the Log Sources option, click New Log Source in the top-right corner, and select the Single Log Source option.
Select the Illumio ASP v2 option and click Step 2: Select Protocol Type in the left pane.
Select the Syslog option and click Step 3: Configure Log Source Parameters in the left pane.
Give the log source a suitable name for the PCE node, add a description if you want, and make sure to select Enabled.
For the Extension field, choose IllumioASPCustom_ext.
Turn off the Coalescing Events configuration and then click Step 4: Configure Protocol Parameters in the left pane.
In Log Source Identifier, enter the identifier that the host places in its syslog header. This is typically the hostname (for example, core1-2x2devtest59).
Keep the Incoming Payload Encoding field as the default value (UTF-8).
Click Finish.
Go back to the QRadar console, and in the Admin tab, click Deploy Changes.
Repeat these steps for every other core and database node in the cluster (for example, core1, db1, and db0), so that each node has its own log source.
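The Log Source Identifier entered above must match what each PCE node actually writes into its syslog header, and a node whose header carries no hostname will not be matched. The following added example (not part of the Illumio App or of QRadar) parses both RFC 5424 and RFC 3164 syslog headers from a capture of the events a PCE sends, extracts the hostname field, and tallies how many distinct identifiers appear, which tells you how many log sources to create and what to name them. The sample lines, the "pce" application tag and the message bodies are constructed for illustration; only the node names come from this page.

```python
"""Extract the hostname that QRadar compares against the Log Source Identifier
from syslog lines sent by PCE nodes.

Added example, not part of the Illumio App for QRadar. The sample lines below
are constructed and do not reproduce real PCE event content.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
)


def log_source_identifier(line: str) -> Optional[str]:
    """Return the hostname from the syslog header, or None if the line is not
    syslog, has an invalid PRI, or carries the RFC 5424 nil hostname '-'."""
    for pattern in (_RFC5424, _RFC3164):
        m = pattern.match(line)
        if not m:
            continue
        # PRI is facility*8 + severity; anything above 191 is not valid syslog.
        if int(m.group("pri")) > 191:
            return None
        host = m.group("hostname")
        return None if host == "-" else host
    return None


def required_log_sources(lines: List[str]) -> Tuple[Dict[str, int], int]:
    """Count events per hostname. Each key is one log source to create in
    QRadar; the second value counts lines with no usable identifier."""
    counts: Dict[str, int] = {}
    unidentified = 0
    for line in lines:
        host = log_source_identifier(line)
        if host is None:
            unidentified += 1
        else:
            counts[host] = counts.get(host, 0) + 1
    return counts, unidentified


# Constructed sample capture: two nodes using RFC 5424, two using RFC 3164,
# one line with a nil hostname and one line that is not syslog at all.
SAMPLE_LINES = [
    "<14>1 2024-01-15T10:22:33Z core1-2x2devtest59 pce 1234 - - constructed event 1",
    "<14>1 2024-01-15T10:22:35Z core1-2x2devtest59 pce 1234 - - constructed event 2",
    "<13>Jan 15 10:22:36 db0 pce: constructed event 3",
    "<13>Jan 15 10:22:37 db1 pce: constructed event 4",
    "<14>1 2024-01-15T10:22:38Z - pce - - - constructed event with nil hostname",
    "plain text that is not syslog at all",
]

if __name__ == "__main__":
    counts, unidentified = required_log_sources(SAMPLE_LINES)
    for host, n in sorted(counts.items()):
        print(f"Log Source Identifier {host!r}: {n} event(s)")
    print(f"{unidentified} line(s) carry no usable identifier")
```

Run it against a capture of real traffic from the PCE (for example, a few seconds of `tcpdump` output decoded to text, or the raw payloads QRadar shows for unmapped events) instead of the constructed sample. Every key in the returned dictionary needs its own log source named exactly that way; lines counted as unidentified indicate a node whose syslog configuration should be checked before the log source is created, because QRadar cannot match them by hostname.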