This article provides onboarding steps for QRadar.
Step 1: Enable console access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the QRadar console.
Create an Admin Account
- Navigate to Admin > Users. A new window opens.
- Click on +Add next to the search bar in the new window.
- Type a User Name.
- Fill in User Description as you like.
- For E-mail, type soc+<your organization name>@expel.io.
- Under Authentication, toggle Local Authentication Fallback on and type a password.
- Set the User Role and Security Profile to Admin.
- Click Save.
- Close the window.
Step 2: Enable API Access for Expel
This procedure creates an authentication token that allows the Expel Assembler to access the QRadar API.
Create the Authorized Services Account
- Navigate to Admin > Authorized Services. A new window opens.
- Click Add Authorized Service in the Manage Authorized Services window.
- Type Expel API as the Service Name.
- Make sure the User Role and Security Profile are set to Admin.
- Select No Expiry.
- Click Create Service.
- Make note of the newly generated Authentication Token.
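Before entering the token in Workbench, it is worth confirming that it is accepted by the QRadar REST API and that its Security Profile can actually read offenses. The script below is an added example for this guide, not Expel's or IBM's code. It assumes (the page does not state this) that the QRadar API authenticates with a `SEC` request header, exposes `GET /api/system/about` and `GET /api/siem/offenses`, and honours a `Range: items=0-0` header to return at most one offense; the host, token and environment variable names are placeholders. The `opener` parameter lets the check run against a constructed fake response so it can be exercised offline.

```python
"""
Offline-testable check that a QRadar authorized-service token works.
Added example for this onboarding guide; not Expel's or IBM's code.
Assumptions (not stated on the page): the QRadar REST API authenticates
with a "SEC" header, exposes GET /api/system/about and
GET /api/siem/offenses, and accepts "Range: items=0-0" to return at most
one offense. Host, token and environment variable names are placeholders.
"""
import json
import os
import urllib.error
import urllib.request


def qradar_get(base_url, token, path, opener=None, extra_headers=None):
    """GET <base_url>/api/<path> with the SEC token; return (status, parsed JSON).

    `opener` defaults to urllib.request.urlopen; pass a fake to run offline.
    HTTP error responses are returned as (status, None) rather than raised.
    """
    headers = {"SEC": token, "Accept": "application/json"}
    headers.update(extra_headers or {})
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/{path.lstrip('/')}", headers=headers
    )
    opener = opener or urllib.request.urlopen
    try:
        with opener(req) as resp:
            body = resp.read().decode("utf-8")
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def verify_token(base_url, token, opener=None):
    """Return 'ok', or a short reason the token is unusable for the integration."""
    status, _ = qradar_get(base_url, token, "system/about", opener=opener)
    if status == 401:
        return "rejected: token invalid or expired (re-check the Authentication Token)"
    if status != 200:
        return f"unexpected HTTP {status} from /api/system/about"
    # A token can authenticate yet still be scoped by its Security Profile;
    # offenses are what the integration consumes, so probe them explicitly.
    status, _ = qradar_get(
        base_url, token, "siem/offenses", opener=opener,
        extra_headers={"Range": "items=0-0"},
    )
    if status == 403:
        return "token valid but its Security Profile cannot read offenses (expected Admin)"
    if status != 200:
        return f"unexpected HTTP {status} from /api/siem/offenses"
    return "ok"


class _FakeResponse:
    """Constructed stand-in for urllib's HTTPResponse (offline use only)."""

    def __init__(self, status, payload):
        self.status, self._payload = status, payload

    def read(self):
        return json.dumps(self._payload).encode("utf-8")

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(about_status=200, offenses_status=200):
    """Build a constructed opener answering the two probes with fixed status codes."""

    def _open(req):
        status = about_status if "system/about" in req.full_url else offenses_status
        if status != 200:
            raise urllib.error.HTTPError(req.full_url, status, "", {}, None)
        return _FakeResponse(status, {"ok": True})

    return _open


if __name__ == "__main__":
    # Real run: set QRADAR_URL and QRADAR_TOKEN (placeholder names, not from the page).
    url = os.environ.get("QRADAR_URL", "https://qradar.example.invalid")
    tok = os.environ.get("QRADAR_TOKEN", "<authentication token from step 2>")
    print(verify_token(url, tok))
```

The check uses the system CA trust store, so a console that presents a self-signed certificate will fail TLS verification; add that certificate to the trust store on the host running the check rather than disabling verification. A `401` means the token itself is wrong, while a `403` on offenses points at the Security Profile chosen when the service was created.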
Step 3: Configure QRadar in Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select QRadar.
- (Optional) Select the Assembler that has network connectivity to the QRadar device.
- For Name type the hostname of the QRadar device.
- For Location, type the geographic location of the appliance.
- For Server address, type the hostname or console IP address of the device.
- For API key type the Authentication Token created in step 2.
- For Username and Password type the credentials created in step 1.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is a problem, the page shows details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.