#BeyondTheDSMGuide: IBM Verify and IBM QRadar Integration

Hi QRadar and Verify communities,

Our teams have recently updated the IBM Verify (formerly IBM Cloud Identity) DSM to reflect the name change, so I wanted to take this opportunity to share some highlights of the integration. Before we get started, I just want to thank my colleague and Identity Security expert, Bryan Blackwell, for his contributions to this post and project!

For users not familiar with IBM Security Verify, it is an Identity-as-a-Service (IDaaS) solution. IBM Security Verify provides several functions, including: (1) log-on services for cloud and on-prem applications; (2) multi-factor authentication (MFA); and (3) adaptive access and analytics.

For users not familiar with QRadar, QRadar is a Security Intelligence platform that takes log and flow data from all sources and correlates it to give you intelligent answers about the security events happening in your environment.

The integration takes less than 20 minutes to set up and requires just a few simple steps:

  1. Create an API client definition in Verify
  2. Enter the Verify API client definition and user ID into QRadar and configure the log source in the Log Source Management app

A full walkthrough can be seen here (Thanks, Jose!): https://www.youtube.com/watch?v=zN2HEgcvc4A

User Guide:

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ibm_cloud_identity_overview.html

  What would be an example of why an organization would want to integrate these two solutions?

Well, Identity data is always very valuable in QRadar. Let me give you an example. Let’s say that our user, let’s call her Amanda, is a marketer based out of Boston.

- If Amanda (or someone using Amanda's credentials) tries to log in to her organization's systems at 3:00 AM Eastern time from Helsinki, Verify will capture this activity and send it to QRadar. QRadar will then flag the activity as anomalous and create an offense, and her risk score will increase within QRadar's User Analytics function.

- Therefore, her organization's security analysts can quickly understand that there is anomalous behavior in their environment and decide whether they would like to investigate.
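To make the Amanda scenario concrete, here is a small, added example of the kind of detection logic that turns an authentication event into a finding and a risk-score increment. It is not QRadar's rule engine, the User Analytics app, or the Verify DSM; the `key=value` event line format, the field names, the user profile table and the risk weights are all constructed for this illustration. Real Verify events carry their own schema, which the DSM normalizes before any rule runs on them.

```python
"""Off-hours / unfamiliar-location login detection, modelled on the Amanda
scenario in the post.

Added example: not QRadar's rule engine, the User Analytics app, or the
Verify DSM. Event format, field names, profiles and risk weights are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List, Optional
from zoneinfo import ZoneInfo

# Constructed directory: where each user normally works from.
USER_PROFILES: Dict[str, Dict[str, str]] = {
    "amanda": {"home_country": "US", "tz": "America/New_York"},
}

OFF_HOURS = range(0, 6)       # 00:00-05:59 in the user's home time zone
RISK_UNFAMILIAR_COUNTRY = 30  # constructed weights, not QRadar's
RISK_OFF_HOURS = 10
OFFENSE_THRESHOLD = 40        # both indicators together raise an offense


@dataclass
class Finding:
    user: str
    reasons: List[str]
    risk_delta: int

    @property
    def offense(self) -> bool:
        return self.risk_delta >= OFFENSE_THRESHOLD


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one constructed 'key=value' event line; timestamp is ISO-8601 UTC."""
    fields: Dict[str, Any] = dict(kv.split("=", 1) for kv in line.split())
    fields["timestamp"] = datetime.fromisoformat(
        fields["timestamp"].replace("Z", "+00:00"))
    return fields


def evaluate(event: Dict[str, Any]) -> Optional[Finding]:
    """Apply the two indicators from the post to one successful login."""
    if event.get("result") != "success":
        return None                      # failed attempts are scored elsewhere
    user = event["user"]
    profile = USER_PROFILES.get(user)
    if profile is None:
        return None                      # unknown user: no baseline to compare
    reasons: List[str] = []
    risk = 0
    if event["country"] != profile["home_country"]:
        reasons.append(f"login from {event['city']}, {event['country']} "
                       f"(home country {profile['home_country']})")
        risk += RISK_UNFAMILIAR_COUNTRY
    local_hour = event["timestamp"].astimezone(ZoneInfo(profile["tz"])).hour
    if local_hour in OFF_HOURS:
        reasons.append(f"login at {local_hour:02d}:00 local time")
        risk += RISK_OFF_HOURS
    if not reasons:
        return None
    return Finding(user=user, reasons=reasons, risk_delta=risk)


def run(lines: List[str]) -> Dict[str, int]:
    """Score a batch of events and return the accumulated risk per user."""
    scores: Dict[str, int] = {}
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            scores[finding.user] = scores.get(finding.user, 0) + finding.risk_delta
    return scores


# Constructed sample events (not real Verify output).
SAMPLE_EVENTS = [
    # Normal workday login from Boston: no finding.
    "timestamp=2021-01-14T14:05:00Z user=amanda result=success city=Boston country=US",
    # 03:00 Eastern (08:00 UTC in January) from Helsinki: both indicators fire.
    "timestamp=2021-01-15T08:00:00Z user=amanda result=success city=Helsinki country=FI",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        f = evaluate(parse_event(line))
        print(line.split()[1], "->", f.reasons if f else "no finding",
              "| offense" if f and f.offense else "")
    print("risk per user:", run(SAMPLE_EVENTS))
```

The two indicators are deliberately kept separate so that an off-hours login from the home country only nudges the score, while the combination seen in the Helsinki case crosses the offense threshold; that separation is what lets an analyst tune noise without losing the high-confidence case.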

One step further with this:

A user can have a fully closed-loop lifecycle within the IBM Security offerings. We have sent Verify data to QRadar to create an offense; I can send that offense to our SOAR capabilities within Cloud Pak for Security; then, depending on an organization's settings, we can use playbooks to take automated enforcement actions back in Verify.

 Hope this was helpful! Please reach out with any questions or use cases for this integration.

 Wendy Willner

QRadar Offering Manager - Integrations
