QRadar SIEM integration (RUX)
There is a known issue affecting implementations of this integration. Please use the attached Workflow files (Workflow_v1.0.1.zip) during installation. This version of the workflows addresses an issue with log source naming and also updates ingestion so that triaged detections are not ingested.
If you would like additional details on the log source naming issue, it can be found here: https://support.vectra.ai/s/article/KB-VS-1755
As stated in the summary, this article only applies to customers using Vectra's Respond UX. If you are using the Quadrant UX please see the Vectra Detect App for QRadar Deployment Guide. If you are unsure of which UX you are using, please see Vectra Analyst User Experiences (Respond vs Quadrant).
Integration Overview
Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform, powered by our patented Attack Signal Intelligence, provides security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. The Vectra XDR App for QRadar brings real-time, pre-correlated attack detections to the operational intelligence of the QRadar platform. The included DSM provides QID mapping from the Vectra XDR product into QRadar, as well as custom properties so that the data provided by the Vectra platform can be fully leveraged within QRadar. The Vectra XDR App also provides multiple dashboards to visualize the collected data.
Installation Steps
The attachment to this KB (scroll to the bottom) contains the bulk of the documentation for this integration. When following the guide, you will come to a section called "Steps to get Workflow and Workflow Parameter Value for Vectra XDR". In this section you will need to enter the Vectra API client information into the Workflow Parameter file used when configuring the Universal Cloud REST API protocol for the Log Source being created. The instructions for creating the API clients are below. All other documentation for this integration is in the attached document at the bottom of this page.
QRadar Integration API Client Requirements
It is a requirement to create individual API clients for each endpoint required for the integration. This is done for several reasons:
Different endpoints required for integration are polled individually.
These different endpoints require differing levels of permissions within Vectra.
It helps with performance and scale when accessing the various API endpoints.
Troubleshooting is easier when different API clients are used for the various endpoints.
API Clients Required for Integration
Please create the following API clients for use with Vectra's QRadar integration:
ro_qradar_entity_scoring: Read Only role, used by QRadar to poll the entity_scoring endpoint
ro_qradar_detections: Read Only role, used by QRadar to poll the detections endpoint
ro_qradar_lockdown: Read Only role, used by QRadar to poll the lockdown endpoint
audit_qradar_audits: Auditor role, used by QRadar to poll the audits endpoint
audit_qradar_health: Auditor role, used by QRadar to poll the health endpoint
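Because each endpoint must have its own API client, it is worth checking the Workflow Parameter file before loading it into the log source. The Python below is an added example, not part of this KB's attachment or of the Vectra XDR App; it assumes QRadar's WorkflowParameterValues/Value XML layout and parameter names of the form <client>_client_id and <client>_secret_key, both of which are assumptions to adjust to the attached workflow.

```python
"""Added example, not from the Vectra KB or the Vectra/IBM QRadar apps: sanity-check a
QRadar Universal Cloud REST API workflow-parameter file before loading it into the log
source. Parameter names (<client>_client_id, <client>_secret_key) are assumed; the
five client names are the ones this article requires."""
import xml.etree.ElementTree as ET

# One API client per polled endpoint, as required by this article.
REQUIRED_CLIENTS = ("ro_qradar_entity_scoring", "ro_qradar_detections",
                    "ro_qradar_lockdown", "audit_qradar_audits", "audit_qradar_health")

def check_workflow_parameters(xml_text):
    """Return a list of problems; empty means every client has its own credentials.
    Flags a missing Client ID / Secret Key and any credential shared between endpoints
    (sharing usually means one client was generated and pasted five times)."""
    root = ET.fromstring(xml_text)
    values = {v.get("name"): (v.get("value") or "").strip() for v in root.iter("Value")}
    problems, seen_ids, seen_secrets = [], {}, {}
    for client in REQUIRED_CLIENTS:
        cid = values.get(client + "_client_id", "")
        secret = values.get(client + "_secret_key", "")
        if not cid or not secret:
            problems.append(f"{client}: missing client_id or secret_key")
            continue
        if cid in seen_ids:
            problems.append(f"{client}: client_id reused from {seen_ids[cid]}")
        if secret in seen_secrets:
            problems.append(f"{client}: secret_key reused from {seen_secrets[secret]}")
        seen_ids.setdefault(cid, client)
        seen_secrets.setdefault(secret, client)
    return problems

def build_param_file(pairs):
    """Constructed WorkflowParameterValues document from (name, value) pairs (test data)."""
    body = "".join(f'<Value name="{n}" value="{v}"/>' for n, v in pairs)
    return f"<WorkflowParameterValues>{body}</WorkflowParameterValues>"

# Constructed sample data with placeholder credentials (not real keys).
good_pairs = [(f"{c}_{k}", f"{k}-{i}") for i, c in enumerate(REQUIRED_CLIENTS)
              for k in ("client_id", "secret_key")]
GOOD_FILE = build_param_file(good_pairs)  # five distinct placeholder credentials
# Bad variant: lockdown reuses the detections client, health has no secret key.
bad = dict(good_pairs)
bad["ro_qradar_lockdown_client_id"] = bad["ro_qradar_detections_client_id"]
bad["ro_qradar_lockdown_secret_key"] = bad["ro_qradar_detections_secret_key"]
del bad["audit_qradar_health_secret_key"]
BAD_FILE = build_param_file(bad.items())

if __name__ == "__main__":
    print("good:", check_workflow_parameters(GOOD_FILE))  # []
    print("bad:", check_workflow_parameters(BAD_FILE))    # three problems
```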
Creating API Clients
To create each of the API clients listed above:
Log in to your Vectra Respond UX, navigate to Manage > API Clients, and click "Add API Client".

Enter a name for the client you are creating, select the role, optionally enter a description and then click "Generate Credentials".

On the "API Client Created" screen, copy the Client ID and Secret Key to a safe place for later configuration in QRadar and then click "Done".
Please note that this is the only time you can copy the Secret Key. If you do not copy the key now, you will need to delete the API client and create it again.

When you have created all 5 required API clients, your screen should look similar to this:

Attachments