Dropzone AI Documentation
WebsiteTest Drive
  • Dropzone Documentation
  • Overview
    • Alert Sources
    • Data Sources
    • Communicators
    • On-prem Support - Dropzone Connector
    • Interactive Chat
    • Metrics Guide
  • Dropzone Administraton
    • Team Admin
      • Google Workspace SAML
      • Okta SAML
  • Dropzone Integrations
    • Alert + Data Source Integrations
      • Amazon Web Services (AWS)
        • Cross-Account Access via CloudFormation
        • Cross-Account Access via Console
      • CrowdStrike
      • Datadog
      • Elasticsearch
      • Google Workspace
      • Google GCP
      • Jira
      • Microsoft (MS 365 etc)
        • Microsoft 365 / Microsoft Defender
        • Microsoft Sentinel
        • Microsoft 365 Exchange Online Management
      • Palo Alto Networks Firewall
      • Panther
      • QRadar
      • SentinelOne
      • Splunk
      • Sumo Logic
    • Alert Integrations
      • Gem
      • ServiceNow
    • Communicators
      • Microsoft Teams
      • Slack Communicator
    • Data Source Integrations
      • AbuseIPDB
      • Active Directory (LDAP)
      • Archive Inspector
      • Blocklist.de
      • CAPA
      • Censys
      • Crowdstrike Falcon Intelligence
      • DNSResolver
      • Dropzone URL Sandbox
      • EchoTrail
      • File
      • GreyNoise
      • Hybrid Analysis
      • Host.io
      • IPInfo.io
      • IPQualityScore
      • MalwareBazaar
      • Nuclei
      • NVD
      • Okta
      • oletools
      • OpenSSL Sign Code
      • PDF Analysis
      • Perplexity AI
      • PhishTank
      • Shodan
      • TShark
      • QRadar
      • UnshortenMe
      • URLhaus
      • Urlscan.io
      • VirusTotal
      • Vision
      • WHOIS
      • YARAify
Powered by GitBook
On this page
  • Create an API Key
  • Enable the Dropzone Data Source Integration
  • Enable The Dropzone Alert Source Integration

Was this helpful?

  1. Dropzone Integrations
  2. Alert + Data Source Integrations

QRadar

PreviousPantherNextSentinelOne

Last updated 1 day ago

Was this helpful?

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for QRadar.

QRadar is an SIEM integration. SIEM integrations are used to perform analysis of any SIEM generated alerts, and/or to use generated data as part of investigation analysis.

The Dropzone platform integrates with the security SIEM. Many customers ingest other alert sources into QRadar (e.g. IDPs) and integrate Dropzone into QRadar rather than the source systems.

Create an API Key

QRadar requires an API key to enable.

To obtain an API Key, do the following:

  • In the upper bar in the QRadar Homepage, click "Admin"

  • In the left hand bar, navigate to System Configuration > User Management

  • Click on "Authorized Services"

  • In the window that pops up, click "Add"

  • Under "Authorized Service Label," label the key something memorable, such as "dropzone_ai"

  • Select an Admin security profile

  • Under "User Role, select "All"

  • Under "Expiry Settings," assign an expiration date if you choose

For conveniences sake, we recommend not assigning an expiration date for this API key, to prevent having to create a new one.

* Click "Save"

  • Store the authorized service token in a safe location for use later in the Dropzone UI where it will be called "API-Key"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

Dropzone Field
Source

Server

The same as your servername in your QRadar url, eg myserver/console/qradar

Port

The standard html port, 443

API-Key

The authorized service token value you generated earlier

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

  • Click "Available"

  • In the Search bar, search QRadar, then click "Configure"

  • Under the Data Source header, input the Server, Port, and API-Key

  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

Dropzone Field
Source

Server

The same as your servername in your QRadar url, eg myserver/console/qradar

Port

The standard html port, 443

API-Key

The authorized service token value you generated earlier

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • In the bottom left hand corner, click Settings > Integrations

  • Click "Available"

  • In the Search bar, search QRadar, then click "Configure"

  • Under the Alert Source header, input the Server, Port, and API-Key

  • Input your desired poll interval and lookback

  • Click "Test & Save" to finish

Under "Ignored Log Sources," you may add to ignore in Dropzone searches

Under "Enabled QRadar Offense Statuses," check the box for each you wish Dropzone to investigate alerts for

log sources
offense status
IBM QRadar
Navigate to Admin
Navigate to User Management
Click on "Authorized Services"
Click "Add"
Fill out token details
Copy the API-Key
Integrations Dropdown
Click Available
The QRadar Tile
The QRadar Data Configuration
Integrations Dropdown
Click Available
The QRadar Tile
The QRadar Alert Configuration pt 1
The QRadar Alert Configuration pt 2
The QRadar Alert Configuration pt 3