IBM QRadar Alert Channel

Create an IBM QRadar alert channel to enable Lacework to forward alerts.

Configure a log source type with the HttpReceiver protocol in a Device Support Module (DSM). Lacework then uses it to post messages to the QRadar server.

Create the Lacework Log Source Type

Do the following:

  1. Log in to QRadar.
  2. From the Admin console, under the Data Sources section, select DSM Editor.
  3. Select Create New.
  4. Name the log source Lacework and select Save.

Configure the Lacework Log Source Type

  1. In the Admin console left pane, navigate to Apps > QRadar Log Source Management.
  2. Select QRadar Log Source Management.
    Configure your new (Lacework) log source type.
  3. Select New Log Source.
  4. Select Single Log Source.
  5. Select the name you gave to your new log source and select Step 2: Select Protocol Type.
  6. Select HTTP Receiver as the protocol type.
  7. Select Step 3: Configure Log Source Parameters.
  8. Configure the following log source parameters:
    • Name
    • Target Event Collector: Keep the default or enter your own value.
  9. Select Step 4: Configure Protocol Parameters.
  10. Define the following protocol parameters:
    • Log Source Identifier: Enter a unique value.
    • Communication Type: Select HTTPS.
    • Listen Port: Enter a port of your choice.
      Copy this port number for use when creating the alert channel in Lacework.
    • Message Pattern: Leave this empty.
      This results in IBM QRadar receiving one event per REST call.
    • Use As a Gateway Log Source: Set to disabled.
  11. Select Step 5: Test Protocol Parameters.
    Running the test is optional. Skip the test or wait until it is done and select Finish.
  12. On the Admin page, click Deploy Changes.
    IBM QRadar configuration is complete.

Create an IBM QRadar Alert Channel from the Lacework Console

Do the following:

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert Channels.
  3. Click + Add new.
  4. Select IBM QRadar.
  5. Click Next.
  6. Specify the name of the alert channel.
  7. In Communication Type, select HTTPS or HTTPS Self Signed Cert.
  8. In QRadar Host Url, enter the domain name or IP address of QRadar.
  9. In QRadar Host Port, enter the listen port defined in QRadar.
  10. Select Save.
  11. Select Alert rules and configure the alert routing options you need, using the alert channel you created.

You will now begin receiving Lacework alert notifications in QRadar.
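
To choose between the two Communication Type values in step 7, you can check how the QRadar HTTP Receiver's certificate validates before saving the channel. The following pre-flight check is an added example, not Lacework or IBM code; the host name is a placeholder, port 4000 is borrowed from the Terraform example on this page, and it assumes the machine running it has a standard public CA bundle.

```python
import socket
import ssl


def tls_handshake(host, port, timeout=5.0):
    """Connect to the listener with full chain and host name verification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def pick_communication_type(host, port, handshake=tls_handshake):
    """Return (communication_type, detail) for the alert channel form.

    communication_type is one of the two values offered in the Lacework
    Console, or None when the listener cannot be used as configured.
    """
    try:
        version = handshake(host, port)
    except ssl.SSLCertVerificationError as exc:
        # The listener speaks TLS but its certificate did not validate.
        # Expired or mismatched certificates also end up here, so read the
        # detail before settling on the self-signed option.
        return "HTTPS Self Signed Cert", str(exc)
    except ssl.SSLError as exc:
        # Port is open but the handshake failed, for example a listener
        # that is not configured with Communication Type HTTPS.
        return None, f"TLS failure on listener: {exc}"
    except OSError as exc:
        # Wrong port, firewall, DNS failure, or changes not yet deployed.
        return None, f"cannot connect to listener: {exc}"
    return "HTTPS", f"certificate verified, negotiated {version}"


if __name__ == "__main__":
    # Placeholder values: replace with your QRadar host and Listen Port.
    choice, detail = pick_communication_type("qradar.example.internal", 4000)
    print(choice, "-", detail)
```

A result of None means the Listen Port or the deployment in QRadar should be rechecked before the channel is created.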

Create a Lacework IBM QRadar Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

# Configure IBM QRadar Alert Channel in Lacework
resource "lacework_alert_channel_qradar" "example" {
  name               = "IBM QRadar Channel Alert Example"
  host_url           = "https://qradar-lacework.com"
  host_port          = 4000
  communication_type = "HTTPS"
}

Additional information on the lacework_alert_channel_qradar resource can be found on the Terraform Registry.