IBM QRadar connector powered by Jitterbit
The BMC Helix iPaaS IBM QRadar connector for Jitterbit Harmony Cloud Studio provides an interface for entering user-provided input such as credentials to create an authenticated IBM QRadar connection. That connection provides the foundation to configure associated IBM QRadar connector activities for offense data that interact with the connection. Together, a specific IBM QRadar connection and its activities are referred to as an IBM QRadar endpoint.
Supported API versions and prerequisites
The IBM QRadar connector uses the QRadar RestAPI. Refer to the API documentation for information on the schema fields.
The IBM QRadar connector requires the use of an agent version 10.1 or later. These agent versions automatically download the latest version of the connector when required.
Connector overview
This connector is used to first configure an IBM QRadar connection, establishing access to IBM QRadar, and then used to configure one or more IBM QRadar activities associated with that connection as a source or target within an operation:
- Get Offense Notes: Finds offense notes details at an IBM QRadar endpoint and is intended to be used as a source in an operation.
- Query Offenses: Finds offenses at an IBM QRadar endpoint and is intended to be used as a source in an operation.
- Add Offense Notes: Places offense notes into an IBM QRadar endpoint and is intended to be used as a target in an operation.
- Close an Offense: Places details of an offense to close into an IBM QRadar endpoint and is intended to be used as a target in an operation.
- Update an Offense: Places offense details into an IBM QRadar endpoint and is intended to be used as a target in an operation.
To configure an IBM QRadar connection
- From the design canvas, open the Connectivity tab of the design component palette.
- Perform one of the following actions:
  - To configure a new IBM QRadar connection, use the Show dropdown to filter on Connectors, and then click the IBM QRadar connector block.
  - To configure an existing IBM QRadar connection, use the Show dropdown to filter on Connectors, and then click the IBM QRadar connector block.
- On the configuration screen, enter the following configuration values:

Tip: Fields with a variable icon support using global variables, project variables, and Jitterbit variables. Begin either by typing an open square bracket `[` into the field or by clicking the variable icon to display a list of the existing variables to choose from.

| Field name | Action |
| --- | --- |
| Endpoint Name | Enter a name to identify the IBM QRadar connection. The name must be unique for each IBM QRadar connection and must not contain forward slashes (`/`) or colons (`:`). This name is also used to identify the IBM QRadar endpoint, which refers to both a specific connection and its activities. |
| Host | Enter the Host URL for your IBM QRadar instance. |
| User Name | Enter the user name to use to access IBM QRadar. |
| Password | Enter the password of the user to use to access IBM QRadar. |

- Click Save Changes.
After configuring an IBM QRadar connection, you can configure one or more IBM QRadar activities associated with that connection. For more information about creating an activity, see Creating an IBM QRadar activity.
To create an IBM QRadar activity
- From the design canvas, open the Connectivity tab of the design component palette.
- To display activities that are available to be used with an IBM QRadar connection, use the Show dropdown to filter on Endpoints, and then click the IBM QRadar connection block.
- The following activities are available. For more information about configuring these activities, see the specific activity sections.

| Activity name | Description |
| --- | --- |
| Get Offense Notes | Retrieves offense notes data at an IBM QRadar endpoint and is intended to be used as a source in an operation. |
| Query Offenses | Finds offense data at an IBM QRadar endpoint and is intended to be used as a source in an operation. |
| Add Offense Notes | Places offense notes into an IBM QRadar endpoint and is intended to be used as a target in an operation. |
| Close an Offense | Places offense data into an IBM QRadar endpoint and is intended to be used as a target in an operation. |
| Update an Offense | Places offense details into an IBM QRadar endpoint and is intended to be used as a target in an operation. |

- To create an activity that can be configured, drag the activity block from the palette to the operation.

For more information about the parts of an operation and adding activities to operations, see Operation Creation and Configuration.
To configure an IBM QRadar Get Offense Notes activity
An IBM QRadar Get Offense Notes activity finds offense notes data at an IBM QRadar endpoint and is intended to be used as a source to provide data to an operation. After configuring an IBM QRadar connection, you can configure as many IBM QRadar activities as you like for each IBM QRadar connection.
To configure an IBM QRadar Get Offense Notes activity, complete the following steps:
- After you add the activity to an operation, double-click the activity block.
- On the configuration screen, enter a name and specify the following activity settings:

Tip: Fields with a variable icon support using global variables, project variables, and Jitterbit variables. Begin either by typing an open square bracket `[` into the field or by clicking the variable icon to display a list of the existing variables to choose from.

| Field name | Action |
| --- | --- |
| Name | Enter a name to identify the IBM QRadar Get Offense Notes activity. The name must be unique for each IBM QRadar Get Offense Notes activity and must not contain forward slashes (`/`) or colons (`:`). |
| Offense ID | Enter the ID of the offense to retrieve. |
| Optional Settings | Click to expand the following additional optional settings. |

- Filter Query: Enter a query to filter the query results. For example, to retrieve the offense with ID 123 created by user XYZ, enter the following filter query: `id=123 and cusername="XYZ"`.
- Optional parameters JSON input: This event definition overrides the prior selections. Enter the key-value pairs for the alert fields, using the `{"Key": "Value"}` or `[{"Key": "Value"}]` format. For example:

```json
{
  "filter": "id>42 create_time>42 and username=String"
}
```
- Click Next.

Review the request and response data schemas displayed for your IBM QRadar instance.
The data schemas list the fields available for the IBM QRadar Get Offense Notes activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
The IBM QRadar connector uses the QRadar RestAPI. For more information about the schema fields, see the API documentation.

- Click Finished.
After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu.
To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.
IBM QRadar Get Offense Notes activity operation patterns
IBM QRadar Get Offense Notes activities can be used as a source with these operation patterns:
- Transformation Pattern
- Two-Target Archive Pattern (as the first source only)
- Two-Transformation Pattern (as the first or second source)
Other patterns are not valid using IBM QRadar Get Offense Notes activities. For more information on the validation patterns, see the Operation Validity page.
A typical use case is to use an IBM QRadar Get Offense Notes activity in the Two-Transformation Pattern. In this example, the first transformation (IBM QRadar Get Offense Notes Request) creates a request structure that is passed to the IBM QRadar Get Offense Notes activity. The second transformation (IBM QRadar Get Offense Notes Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write IBM QRadar Get Offense Notes Response) and a message is then logged by the Write to Operation Log script.
To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function.
When ready, deploy and run the operation and validate behavior by checking the operation logs.
IBM QRadar Query Offenses activity
An IBM QRadar Query Offenses activity finds offense data at an IBM QRadar endpoint and is intended to be used as a source to provide data to an operation. After configuring an IBM QRadar connection, you can configure as many IBM QRadar activities as you like for each IBM QRadar connection.
To configure an IBM QRadar Query Offenses activity, complete the following steps:
- After you add the activity to an operation, double-click the activity block.
- On the configuration screen, enter a name and specify the following activity settings:

Tip: Fields with a variable icon support using global variables, project variables, and Jitterbit variables. Begin either by typing an open square bracket `[` into the field or by clicking the variable icon to display a list of the existing variables to choose from.

| Field name | Action |
| --- | --- |
| Name | Enter a name to identify the IBM QRadar Query Offenses activity. The name must be unique for each IBM QRadar Query Offenses activity and must not contain forward slashes (`/`) or colons (`:`). |
| Filter Query | Enter a query to filter the query results. For example, to retrieve the offense with ID 123 created by user XYZ, enter the following filter query: `id=123 and cusername="XYZ"`. |
| Sort | Enter the criteria to sort the results. For example, `+FIELD_ONE` returns results in descending order and `-FIELD_ONE` returns results in ascending order. |
| Range | Enter the number of elements that are returned to the list. The list is indexed starting at zero, so to restrict the list to 100 elements, select 99. |
| Optional Settings | Click to expand the following additional optional settings. |

- Optional parameters JSON input: This event definition overrides the prior selections. Enter the key-value pairs for the alert fields, using the `{"Key": "Value"}` or `[{"Key": "Value"}]` format. For example:

```json
{
  "filter": "field_one=String and field_two > 42",
  "sort": "+id",
  "Range": "items=0-20"
}
```

- Click Next.
Review the request and response data schemas displayed for your IBM QRadar instance.
The data schemas list the fields available for the IBM QRadar Query Offenses activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
The IBM QRadar connector uses the QRadar RestAPI. For more information about the schema fields, see the API documentation.

- Click Finished.
After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu.
To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.
IBM QRadar Query Offenses activity operation patterns
IBM QRadar Query Offenses activities can be used as a source with these operation patterns:
- Transformation Pattern
- Two-Target Archive Pattern (as the first source only)
- Two-Transformation Pattern (as the first or second source)
Other patterns are not valid using IBM QRadar Query Offenses activities. For more information on the validation patterns, see the Operation Validity page.
A typical use case is to use an IBM QRadar Query Offenses activity in the Two-Transformation Pattern. In this example, the first transformation (IBM QRadar Query Offenses Request) creates a request structure that is passed to the IBM QRadar Query Offenses activity. The second transformation (IBM QRadar Query Offenses Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write IBM QRadar Query Offenses Response) and a message is then logged by the Write to Operation Log script.
To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function.
When ready, deploy and run the operation and validate behavior by checking the operation logs.
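The two source activities above (Get Offense Notes and Query Offenses) share the same three mechanics: a filter query, a zero-indexed Range that is why "99" yields 100 elements, and an optional parameters JSON that overrides the individual form fields. The following Python is an added example, not code from BMC, Jitterbit or IBM; it assumes the QRadar REST API paths `GET /api/siem/offenses` and `GET /api/siem/offenses/{id}/notes`, the `filter` and `sort` query parameters and the inclusive `Range: items=start-end` header, which you should verify against your instance's API documentation. Nothing is sent over the network: each builder returns the request the connector would issue, so the mapping from form fields to API call can be checked offline.

```python
"""Request builders for the QRadar source activities (Get Offense Notes,
Query Offenses). Added example, not connector code. API paths, parameters
and the Range header are assumptions to verify against the QRadar API docs."""
import json
from typing import Any, Dict, List, Optional, Union

JsonInput = Union[None, str, Dict[str, Any], List[Dict[str, Any]]]


def normalize_optional_json(raw: JsonInput) -> Dict[str, Any]:
    """Accept the {"Key": "Value"} or [{"Key": "Value"}] forms, or a JSON
    string of either, and return one flat dict. In the list form a later
    entry overrides an earlier one with the same key."""
    if raw is None or raw == "":
        return {}
    if isinstance(raw, str):
        raw = json.loads(raw)
    if isinstance(raw, dict):
        return dict(raw)
    if isinstance(raw, list):
        merged: Dict[str, Any] = {}
        for item in raw:
            if not isinstance(item, dict):
                raise ValueError("list form must contain only objects")
            merged.update(item)
        return merged
    raise ValueError("optional parameters JSON must be an object or a list of objects")


def range_header(count: int, start: int = 0) -> str:
    """Build the Range header value. The index is zero-based and inclusive,
    which is why the Range field says to enter 99 to get 100 elements."""
    if count < 1 or start < 0:
        raise ValueError("count must be >= 1 and start >= 0")
    return f"items={start}-{start + count - 1}"


def _check_offense_id(offense_id: Any) -> int:
    """Offense IDs are integers; rejecting anything else keeps an untrusted
    mapped value out of the URL path."""
    if isinstance(offense_id, bool) or not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    return offense_id


def build_query_offenses_request(filter_query: str = "", sort: str = "",
                                 count: Optional[int] = None,
                                 optional_json: JsonInput = None) -> Dict[str, Any]:
    """Map the Query Offenses form fields (Filter Query, Sort, Range) to a
    request. Keys in the optional parameters JSON override the individual
    fields, as the activity description states; "Range" becomes a header."""
    params: Dict[str, str] = {}
    if filter_query:
        params["filter"] = filter_query
    if sort:
        params["sort"] = sort
    headers: Dict[str, str] = {"Accept": "application/json"}
    if count is not None:
        headers["Range"] = range_header(count)
    for key, value in normalize_optional_json(optional_json).items():
        if key.lower() == "range":
            headers["Range"] = str(value)
        else:
            params[key] = str(value)
    return {"method": "GET", "path": "/api/siem/offenses",  # assumed path
            "params": params, "headers": headers}


def build_get_offense_notes_request(offense_id: Any, filter_query: str = "",
                                    optional_json: JsonInput = None) -> Dict[str, Any]:
    """Map the Get Offense Notes form fields (Offense ID, Filter Query) to a
    request; the optional JSON again overrides the individual fields."""
    oid = _check_offense_id(offense_id)
    params: Dict[str, str] = {}
    if filter_query:
        params["filter"] = filter_query
    for key, value in normalize_optional_json(optional_json).items():
        params[key] = str(value)
    return {"method": "GET", "path": f"/api/siem/offenses/{oid}/notes",  # assumed path
            "params": params, "headers": {"Accept": "application/json"}}


if __name__ == "__main__":
    print(build_query_offenses_request('id=123 and cusername="XYZ"', "+id", 100))
    print(build_get_offense_notes_request(123, optional_json={"filter": "id>42"}))
```

The override loop is where the "this event definition overrides the prior selections" rule lives: whatever the JSON input carries replaces the same-named form field, and a `Range` key is routed to the header rather than the query string. Rejecting a non-integer offense ID before it is formatted into the path is the one check worth keeping even if the rest is replaced by a real HTTP client.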
IBM QRadar Add Offense Notes activity
An IBM QRadar Add Offense Notes activity places offense details into an IBM QRadar endpoint and is intended to be used as a target to consume data in an operation. After configuring an IBM QRadar connection, you can configure as many IBM QRadar activities as you like for each IBM QRadar connection.
To configure an IBM QRadar Add Offense Notes activity, complete the following steps:
- After you add the activity to an operation, double-click the activity block.
- On the configuration screen, enter a name and specify the following activity settings:

| Field name | Action |
| --- | --- |
| Name | Enter a name to identify the IBM QRadar Add Offense Notes activity. The name must be unique for each IBM QRadar Add Offense Notes activity and must not contain forward slashes (`/`) or colons (`:`). |
| Offense ID | Enter the ID of the offense to which the note is added. |
| Note Text | Enter the text of the note to add to the offense. |

- Click Next.
Review the request and response data schemas displayed for your IBM QRadar instance.
The data schemas list the fields available for the IBM QRadar Add Offense Notes activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
The IBM QRadar connector uses the QRadar RestAPI. For more information about the schema fields, see the API documentation.

- Click Finished.
After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu.
To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.
IBM QRadar Add Offense Notes activity operation patterns
IBM QRadar Add Offense Notes activities can be used as a target with these operation patterns:
- Transformation Pattern
- Two-Transformation Pattern (as the first or second source)
Other patterns are not valid using IBM QRadar Add Offense Notes activities. For more information on the validation patterns, see the Operation Validity page.
A typical use case is to use an IBM QRadar Add Offense Notes activity in the Two-Transformation Pattern. In this example, the first transformation (IBM QRadar Add Offense Notes Request) creates a request structure that is passed to the IBM QRadar Add Offense Notes activity. The second transformation (IBM QRadar Add Offense Notes Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write IBM QRadar Add Offense Notes Response) and a message is then logged by the Write to Operation Log script.
To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function.
When ready, deploy and run the operation and validate behavior by checking the operation logs.
IBM QRadar Close an Offense activity
An IBM QRadar Close an Offense activity places details of an offense to close into an IBM QRadar endpoint and is intended to be used as a target to consume data in an operation. After configuring an IBM QRadar connection, you can configure as many IBM QRadar activities as you like for each IBM QRadar connection.
To configure an IBM QRadar Close an Offense activity, complete the following steps:
- After you add the activity to an operation, double-click the activity block.
- On the configuration screen, enter a name and specify the following activity settings:

| Field name | Action |
| --- | --- |
| Name | Enter a name to identify the IBM QRadar Close an Offense activity. The name must be unique for each IBM QRadar Close an Offense activity and must not contain forward slashes (`/`) or colons (`:`). |
| Offense ID | Enter the ID of the offense to close. |
| Select a closing reason | Select a closing reason ID from the Select closing reason ID list. When reopening an existing activity configuration, only the selected closing reason ID is displayed instead of reloading the entire list. |
| Selected closing reason id | Lists the selected closing reason ID. |
| Search | Enter a part of the closing reason ID to filter the closing reason ID list. The search is not case-sensitive. If the closing reason ID is already displayed within the table, the results are filtered in real time with each keystroke. To reload closing reason IDs from the endpoint for the search, enter the search criteria and then click refresh. |
| Refresh | Click the refresh icon or the word Refresh to reload the closing reason IDs from the IBM QRadar endpoint. This may be useful if you have recently added a closing reason ID to the IBM QRadar endpoint. This action refreshes all the metadata used to build the closing reason ID list for the organization displayed in the configuration. |
| Selected closing reason ID | Within the table, click on a row to select a closing reason ID. You can select only one closing reason ID. The information available for each closing reason ID is fetched from the IBM QRadar endpoint: ID (the ID of the selected closing reason) and Description (a short description of the closing reason). |
| Optional Settings | Click to expand the following additional optional settings. |

Important: If the table does not populate with the available closing reason IDs defined for the configured organization, the [IBM QRadar connection](./connection.md) may not be successful. Ensure you are connected by reopening the connection and retesting the credentials.

- Optional parameters JSON input: This event definition overrides the prior selection. Enter the key-value pairs for the offense fields, using the `{"Key": "Value"}` or `[{"Key": "Value"}]` format. For example:

```json
{
  "offense_id": 123,
  "closing_reason_id": 2
}
```

- Click Next.
Review the request and response data schemas displayed for your IBM QRadar instance.
The data schemas list the fields available for the IBM QRadar Close an Offense activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
The IBM QRadar connector uses the QRadar RestAPI. For more information about the schema fields, see the API documentation.

- Click Finished.
After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu.
To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.
IBM QRadar Close an Offense activity operation patterns
IBM QRadar Close an Offense activities can be used as a target with these operation patterns:
- Transformation Pattern
- Two-Transformation Pattern (as the first or second source)
Other patterns are not valid using IBM QRadar Close an Offense activities. For more information on the validation patterns, see the Operation Validity page.
A typical use case is to use an IBM QRadar Close an Offense activity in the Two-Transformation Pattern. In this example, the first transformation (IBM QRadar Close an Offense Request) creates a request structure that is passed to the IBM QRadar Close an Offense activity. The second transformation (IBM QRadar Close an Offense Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write IBM QRadar Close an Offense Response) and a message is then logged by the Write to Operation Log script.
To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function.
When ready, deploy and run the operation and validate behavior by checking the operation logs.
IBM QRadar Update an Offense activity
An IBM QRadar Update an Offense activity places offense details into an IBM QRadar endpoint and is intended to be used as a target to consume data in an operation. After configuring an IBM QRadar connection, you can configure as many IBM QRadar activities as you like for each IBM QRadar connection.
To configure an IBM QRadar Update an Offense activity, complete the following steps:
- After you add the activity to an operation, double-click the activity block.
- On the configuration screen, enter a name and specify the following activity settings:

Tip: Fields with a variable icon support using global variables, project variables, and Jitterbit variables. Begin either by typing an open square bracket `[` into the field or by clicking the variable icon to display a list of the existing variables to choose from.

| Field name | Action |
| --- | --- |
| Name | Enter a name to identify the IBM QRadar Update an Offense activity. The name must be unique for each IBM QRadar Update an Offense activity and must not contain forward slashes (`/`) or colons (`:`). |
| Offense ID | Enter the ID of the offense you want to update. |
| Assigned To Username | Enter the ID of the user to whom the offense is assigned. |
| Follow up | Select to update an offense for which the Follow Up flag is selected. |
| Protected | Select to update an offense for which the Protected flag is selected. |
| Optional settings | Click to expand the following additional optional settings. |

- Optional parameters JSON input: This event definition overrides the prior selections. Enter the key-value pairs for the alert fields, using the `{"Key": "Value"}` or `[{"Key": "Value"}]` format. For example:

```json
{
  "offense_id": 123,
  "assigned_to": "username",
  "follow_up": false,
  "protected": false
}
```

- Click Next.
Review the request and response data schemas displayed for your IBM QRadar instance.
The data schemas list the fields available for the IBM QRadar Update an Offense activity. If the operation uses a transformation, the data schemas are displayed again later during the transformation mapping process. In the transformation mapping process, map target fields by using source objects, scripts, variables, custom values, and more.
The IBM QRadar connector uses the QRadar RestAPI. For more information about the schema fields, see the API documentation.

- Click Finished.
After the activity is created, menu actions for that activity are accessible from the project pane in either the Workflows or the Components tab, and from the design canvas. For more information, see Activity Actions Menu.
To complete the configuration of the operation, add and configure other activities, transformations, or scripts as steps in an operation. You can also configure an operation's settings, which include the ability to chain operations together that are in the same or different workflows.
IBM QRadar Update an Offense activity operation patterns
IBM QRadar Update an Offense activities can be used as a target with these operation patterns:
- Transformation Pattern
- Two-Transformation Pattern (as the first or second source)
Other patterns are not valid using IBM QRadar Update an Offense activities. For more information on the validation patterns, see the Operation Validity page.
A typical use case is to use an IBM QRadar Update an Offense activity in the Two-Transformation Pattern. In this example, the first transformation (IBM QRadar Update an Offense Request) creates a request structure that is passed to the IBM QRadar Update an Offense activity. The second transformation (IBM QRadar Update an Offense Response) receives the response structure, which is then written to a variable by a Variable Write activity (Write IBM QRadar Update an Offense Response) and a message is then logged by the Write to Operation Log script.
To use the activity with scripting functions, write the data to a temporary location and then use that temporary location in the scripting function.
When ready, deploy and run the operation and validate behavior by checking the operation logs.
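The three target activities (Add Offense Notes, Close an Offense, Update an Offense) write to an offense, and the Close an Offense configuration screen additionally performs a case-insensitive search over the closing reasons fetched from the endpoint and allows exactly one to be selected. The following Python is an added example, not code from BMC, Jitterbit or IBM. It assumes the QRadar REST API calls `POST /api/siem/offenses/{id}/notes` with a `note_text` parameter and `POST /api/siem/offenses/{id}` with the `status`, `closing_reason_id`, `assigned_to`, `follow_up` and `protected` parameters, and that closing reasons come from `GET /api/siem/offense_closing_reasons`; verify each against your instance's API documentation. `SAMPLE_CLOSING_REASONS` is constructed sample data standing in for what the endpoint returns, and nothing is sent: each builder returns the request the connector would issue.

```python
"""Request builders for the QRadar target activities (Add Offense Notes,
Close an Offense, Update an Offense) and the closing-reason search. Added
example, not connector code; API paths and parameters are assumptions."""
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample of the closing-reason list the configuration screen
# fetches from the endpoint (id and description per reason).
SAMPLE_CLOSING_REASONS: List[Dict[str, Any]] = [
    {"id": 1, "text": "False-Positive, Tuned"},
    {"id": 2, "text": "Non-Issue"},
    {"id": 3, "text": "Policy Violation"},
]


def search_closing_reasons(reasons: Iterable[Dict[str, Any]], term: str) -> List[Dict[str, Any]]:
    """Case-insensitive substring match over ID and description, mirroring
    the Search field on the configuration screen; an empty term keeps all."""
    needle = term.strip().lower()
    if not needle:
        return list(reasons)
    return [r for r in reasons
            if needle in str(r["id"]).lower() or needle in r["text"].lower()]


def select_closing_reason(reasons: Iterable[Dict[str, Any]], term: str) -> Dict[str, Any]:
    """Only one closing reason can be selected, so an ambiguous or empty
    search is an error rather than a silent first match."""
    hits = search_closing_reasons(reasons, term)
    if len(hits) != 1:
        raise ValueError(f"search {term!r} matched {len(hits)} closing reasons, need exactly 1")
    return hits[0]


def _check_offense_id(offense_id: Any) -> int:
    """Offense IDs are integers; reject anything else so an unexpected mapped
    value never ends up in the URL path."""
    if isinstance(offense_id, bool) or not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    return offense_id


def _param(value: Any) -> str:
    """Booleans are sent as lowercase true/false query values (assumption)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_add_offense_note_request(offense_id: Any, note_text: str) -> Dict[str, Any]:
    """Add Offense Notes: Offense ID and Note Text."""
    oid = _check_offense_id(offense_id)
    if not note_text or not note_text.strip():
        raise ValueError("note_text must not be empty")
    return {"method": "POST", "path": f"/api/siem/offenses/{oid}/notes",  # assumed path
            "params": {"note_text": note_text}}


def build_close_offense_request(offense_id: Any, closing_reason_id: int,
                                known_reasons: Optional[Iterable[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Close an Offense: Offense ID plus the selected closing reason ID. When
    the fetched reason list is supplied, an ID not in it is rejected up front
    instead of failing at the endpoint."""
    oid = _check_offense_id(offense_id)
    if known_reasons is not None and closing_reason_id not in {r["id"] for r in known_reasons}:
        raise ValueError(f"closing_reason_id {closing_reason_id} is not a known closing reason")
    return {"method": "POST", "path": f"/api/siem/offenses/{oid}",  # assumed path
            "params": {"status": "CLOSED", "closing_reason_id": _param(closing_reason_id)}}


def build_update_offense_request(offense_id: Any, assigned_to: Optional[str] = None,
                                 follow_up: Optional[bool] = None, protected: Optional[bool] = None,
                                 optional_json: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Update an Offense: Offense ID, Assigned To Username, Follow up, Protected.
    Keys in the optional parameters JSON (object form) override the individual
    fields, including "offense_id", as the activity description states."""
    fields: Dict[str, Any] = {"assigned_to": assigned_to, "follow_up": follow_up, "protected": protected}
    override = dict(optional_json or {})
    offense_id = override.pop("offense_id", offense_id)
    fields.update(override)
    oid = _check_offense_id(offense_id)
    params = {k: _param(v) for k, v in fields.items() if v is not None}
    if not params:
        raise ValueError("nothing to update")
    return {"method": "POST", "path": f"/api/siem/offenses/{oid}", "params": params}


if __name__ == "__main__":
    reason = select_closing_reason(SAMPLE_CLOSING_REASONS, "non")
    print(build_close_offense_request(123, reason["id"], SAMPLE_CLOSING_REASONS))
    print(build_update_offense_request(123, assigned_to="username", follow_up=False, protected=False))
```

Validating the closing reason against the list the screen fetched is the same check the Important note above implies: if the list is empty because the connection failed, no close request is built at all. In the update builder the JSON override is applied before the offense ID check, so an `offense_id` supplied through the JSON input is validated the same way as one typed into the field.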