Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
Step 1: Enable console access
This procedure creates a user account for Expel that keeps the Expel activity separate from other activity on the QRadar console.
- Navigate to Admin > Users. A new window opens.
- Click +Add next to the search bar in the new window.
- Type a User Name.
- Complete User Description as you want.
- For E-mail type: soc+<Your_Organization_Name>@expel.io.
  Tip
  Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.
- Under Authentication toggle Local Authentication Fallback on and type a password.
- Set the User Role and Security Profile to Admin.
- Close the window.
Step 2: Enable API Access for Expel
This procedure creates an authentication token that allows the Expel Assembler to access the QRadar API.
- Navigate to Admin > Authorized Services. A new window opens.
- Click Add Authorized Service in the Manage Authorized Services window.
- Type Expel API as the Service Name.
- Make sure the User Role and Security Profile are set to Admin.
- Select No Expiry.
- Click Create Service.
- Make note of the newly generated Authentication Token.
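A quick way to confirm the token from this step is accepted before entering it in Workbench, as an added example that is not part of Expel's or IBM's documentation. It assumes curl, a QRadar API version that exposes /api/system/about, and the environment variable names QRADAR_HOST and QRADAR_TOKEN, which are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: checks that a QRadar authorized service token is accepted.
# QRADAR_HOST and QRADAR_TOKEN are variable names made up for this example.

# Build the API URL, tolerating a pasted scheme or trailing slash.
qradar_url() {
  local host="${1#https://}"
  host="${host%/}"
  printf 'https://%s/api/system/about\n' "$host"
}

# Translate the HTTP status into something actionable.
classify_status() {
  case "$1" in
    200) echo "ok: token accepted" ;;
    401) echo "fail: not authenticated, re-check the token value" ;;
    403) echo "fail: authenticated but not permitted, check role and security profile" ;;
    000) echo "fail: no HTTP response (DNS, routing, firewall or TLS)" ;;
    *)   echo "fail: unexpected HTTP status $1" ;;
  esac
}

# QRadar reads the token from the SEC request header. The header is fed to
# curl through a config on stdin so the token never shows up in the process list.
check_token() {
  local host="$1" token="$2" code
  code=$(printf 'header = "SEC: %s"\n' "$token" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 15 --header 'Accept: application/json' \
         --config - "$(qradar_url "$host")") || true
  classify_status "${code:-000}"
}

# Runs only when both variables are set, e.g. on the Assembler host.
if [ -n "${QRADAR_HOST:-}" ] && [ -n "${QRADAR_TOKEN:-}" ]; then
  check_token "$QRADAR_HOST" "$QRADAR_TOKEN"
fi
```

A console certificate that curl does not trust shows up as the "no HTTP response" case; point curl at the console's CA with --cacert rather than turning verification off.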
Step 3: Configure QRadar in Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select QRadar.
- (Optional) Select the Assembler with network connectivity to the QRadar device.
- For Name type the hostname of the QRadar device.
- For Location, type the geographic location of the appliance.
- For Server address type the hostname or console IP of the device.
- For API key type the Authentication Token created in step 2.
- For Username and Password type the credentials created in step 1.