IBM QRadar Integration

The IBM QRadar integration allows you to send Levo security Findings and Vulnerabilities to your QRadar SIEM instance using the Universal Cloud REST API (UCRA).

info

No configuration is required in Levo SaaS for this integration. All setup is performed within IBM QRadar.

Prerequisites

  • Access to IBM QRadar with administrative privileges
  • Levo API Base URL: https://api.levo.ai
    • US SaaS: https://api.levo.ai
    • India SaaS: https://api.india-1.levo.ai
  • Levo API authentication/refresh token (reach out to support@levo.ai)

Setup Steps

1. Configure Universal Cloud REST API (UCRA)

IBM QRadar's Universal Cloud REST API (UCRA) enables you to pull data from cloud-based REST APIs into QRadar.

  1. In IBM QRadar, navigate to Admin > Data Sources
  2. Select Log Sources from the left navigation menu
  3. Click Add to create a new log source

2. Create a New Log Source

Configure the log source with the following settings:

  • Log Source Type: Select Universal Cloud REST API
  • Log Source Name: Enter a descriptive name (e.g., "Levo API Security")
  • Log Source Description: Optional description for the integration
  • Protocol Configuration: Configure the REST API protocol parameters
    • API Base URL: Use https://api.levo.ai for US SaaS or https://api.india-1.levo.ai for India SaaS
    • Configure authentication method and credentials (authentication/refresh token)
    • Set the polling interval for data collection

3. Configure Workflow

The workflow defines how QRadar processes and parses the incoming data from Levo. You need to configure separate workflows for Findings and Vulnerabilities.

Download Configuration Files

Download the following XML configuration files:

  1. findings_workflow.xml - Workflow for retrieving Levo Findings
  2. vulnerabilities_workflow.xml - Workflow for retrieving Levo Vulnerabilities
  3. workflow_parameters.xml - Common parameters for both workflows

Configure the Workflow Files

Before uploading to QRadar, you must customize these files with your Levo credentials:

  1. Set API Base URL:

    • In both workflow XML files, replace the url attribute placeholder with your Levo API Base URL:
      • US SaaS: https://api.levo.ai/graphql
      • India SaaS: https://api.india-1.levo.ai/graphql
  2. Replace Authentication Token:

    • Replace all instances of YOUR_BEARER_TOKEN with your actual Levo API bearer token
    • This appears in the authorization header in both workflow files and in workflow_parameters.xml
  3. Replace Organization ID:

    • Replace all instances of YOUR_ORGANIZATION_ID with your Levo organization ID
    • Found in the x-levo-organization-id header
  4. Replace Workspace ID:

    • Replace all instances of YOUR_WORKSPACE_ID with your Levo workspace ID
    • Found in the x-levo-workspace-id header
  5. Replace Environment ID:

    • Replace all instances of YOUR_ENVIRONMENT_ID with your target Levo environment ID
    • This is used in the GraphQL query filter conditions

info

To obtain your Organization ID, Workspace ID, and Environment ID, reach out to support@levo.ai or refer to the Common Integration Tasks documentation.
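A leftover placeholder or a base URL missing its /graphql path is the most common reason the first poll fails, so it is worth checking the customized files before uploading them. The script below is an added example (not Levo's or IBM's own tooling): it flags any remaining YOUR_* placeholder, any url attribute that is not one of the two GraphQL endpoints listed above, and an empty Bearer value. The sample XML inside it is constructed for illustration and does not reproduce the real findings_workflow.xml layout.

```python
import re
import xml.etree.ElementTree as ET

# Placeholders the setup steps say to replace before uploading to QRadar.
PLACEHOLDERS = ("YOUR_BEARER_TOKEN", "YOUR_ORGANIZATION_ID",
                "YOUR_WORKSPACE_ID", "YOUR_ENVIRONMENT_ID")
# The two GraphQL endpoints named on this page (US and India SaaS).
ALLOWED_URLS = ("https://api.levo.ai/graphql",
                "https://api.india-1.levo.ai/graphql")


def check_workflow(xml_text):
    """Return a list of problems; an empty list means the file is ready."""
    problems = [f"placeholder {p} still present" for p in PLACEHOLDERS
                if p in xml_text]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    # Every url attribute must be one of the supported /graphql endpoints
    # (a bare base URL without /graphql is an easy slip in step 1).
    for elem in root.iter():
        url = elem.get("url")
        if url is not None and url not in ALLOWED_URLS:
            problems.append(f"unexpected url attribute: {url}")
    # An empty Bearer value uploads fine but is rejected by the Levo API.
    for token in re.findall(r"Bearer\s*([^\s\"'<]*)", xml_text):
        if not token:
            problems.append("authorization header has an empty bearer token")
    return problems


# Constructed sample in the spirit of a UCRA workflow; not the real
# findings_workflow.xml, whose full layout is not shown on this page.
NOT_READY = """<Workflow name="Levo Findings">
  <CallEndpoint url="https://api.levo.ai" method="POST">
    <RequestHeader name="authorization" value="Bearer YOUR_BEARER_TOKEN"/>
    <RequestHeader name="x-levo-organization-id" value="YOUR_ORGANIZATION_ID"/>
    <RequestHeader name="x-levo-workspace-id" value="ws-example"/>
  </CallEndpoint>
</Workflow>"""

# The same file after the three fixes (constructed example values).
READY = (NOT_READY
         .replace('url="https://api.levo.ai"', 'url="https://api.levo.ai/graphql"')
         .replace("YOUR_BEARER_TOKEN", "example-token")
         .replace("YOUR_ORGANIZATION_ID", "org-example"))

if __name__ == "__main__":
    for name, text in (("not ready", NOT_READY), ("ready", READY)):
        print(name, check_workflow(text) or "OK")
```

Run it against each customized file (for example by reading findings_workflow.xml into check_workflow) before uploading; an empty result means no placeholder or URL problem was found.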

Upload Workflows to QRadar

  1. In QRadar's UCRA configuration, upload the customized workflow XML files
  2. Associate the appropriate workflow with each log source:
    • Create one log source using findings_workflow.xml for Findings
    • Create another log source using vulnerabilities_workflow.xml for Vulnerabilities
  3. Upload and configure the workflow_parameters.xml file for parameter management

Adjust Polling Settings

Modify the following settings based on your requirements:

  • Polling Interval: Adjust the modifiedDate filter in the workflow files. Keep this lookback window at least as long as the log source's polling interval, otherwise items modified between two polls are never collected
    • Findings default: Last 10 minutes
    • Vulnerabilities default: Last 10 minutes
  • Page Size: Adjust the pageSize parameter (Findings: 1, Vulnerabilities: 1)
  • Severity Filters: Modify the severity filter values in the Findings workflow to control which severity levels are collected

4. Test the Integration

  1. After configuring the log source, click Test Connection to verify connectivity
  2. Review the log activity to confirm that events are being received
  3. Check the QRadar dashboard to ensure Levo security findings and vulnerabilities appear correctly

Workflow Configuration Details

Findings Workflow

The Findings workflow retrieves security findings from Levo using the following GraphQL query:

  • Query: GetFindings - Retrieves findings with detailed information including risk level, endpoint details, CWE references, and evidence
  • Filters:
    • Modified within the last 10 minutes (configurable)
    • Specific environment ID
    • Severity levels: MEDIUM, HIGH, CRITICAL
  • Data Retrieved: firstSeen, lastSeen, risk, appId, appName, ruleId, ruleName, evidences, endpointId, endpointPath, endpointMethod, checkName, ticketUrl, findingId, cwe, description, references

Vulnerabilities Workflow

The Vulnerabilities workflow retrieves active vulnerabilities from Levo:

  • Query: GetVulnerabilities - Retrieves vulnerability details including severity, status, and test case metadata
  • Filters:
    • Modified within the last 10 minutes (configurable)
    • Status: UNRESOLVED only
    • Specific environment ID
  • Data Retrieved: id, name, message, level, transaction, category, severity, appId, appName, endpointId, endpointPath, endpointMethod, status, firstSeen, lastSeen, count, ticketUrl, assignedTo, generic, authenticationOptional, testCaseMetadata

Troubleshooting

  • Connection Issues: Verify that QRadar can reach the Levo API endpoint and that authentication credentials are correct
  • No Data Appearing: Check the log source status and ensure the polling interval is configured appropriately
  • Parsing Errors: Review the workflow configuration and ensure it matches the expected Levo API response format

Additional Resources

For more information on configuring Universal Cloud REST API in QRadar, refer to the IBM QRadar Documentation.