Integrate AiStrike with your QRadar instance so it can fetch security events and alerts via the QRadar API for enrichment and analysis.
Prerequisites
-
QRadar public IP address — the public IP(s) from which your QRadar server sends alerts and syslog events (primary and secondary), so AiStrike can allowlist it on the syslog collector.
-
Administrative access in QRadar to create forwarding/routing rules, manage the AiStrike API user, and generate API tokens.
1. Network access
AiStrike requires API access to QRadar over HTTPS (port 443) or your custom port. For on-prem deployments, ensure your firewall allows the necessary traffic. If QRadar has an internal IP, configure Destination NAT via a public IP on your firewall.
Allowlist the following AiStrike IP addresses to reach your QRadar API endpoint:
3.135.165.25/32 3.148.24.98/32 3.148.93.249/32
3.14.192.137/32 13.201.28.59/32 18.223.178.199/32
52.15.138.222/32 54.246.180.34/32 63.35.37.74/32
54.220.227.162/32
If Destination NAT isn't possible, AiStrike can set up a dedicated AWS Site-to-Site VPN instead. Reach out to discuss options.
2. Create an AiStrike role
In QRadar, go to Admin > User Management > User Roles, click New, name it (e.g. Aistrike_Role), and assign Monitor, View, read-only, and dashboard permissions. Click Save.
3. Create a security profile
Go to Admin > User Management > Security Profiles > New Profile. Configure AiStrike_Profile with: Permission Precedence No Restrictions, Log Sources All Log Source Groups, Network All, Domains All Domains. Save.
4. Create an AiStrike user
Go to Admin > User Management > Users > New. Assign a username (e.g. Aistrike_User, email threat@aistrike.com), a strong password, the Aistrike_Role, and the AiStrike_Profile. Then click Deploy to apply changes.
5. Create an authorized service token
-
Go to Admin > User Management > Authorized Services > Add Authorized Service.
-
Configure: Service Name
AIStrike_Integration, User RoleAistrike_Role, the security profile created above, and an expiry (No Expiry or per policy). -
Copy and securely store the generated token — it's required to complete the integration.
6. (If forwarding events) Forwarding destination & routing rule
Under Admin > System Configuration > Forwarding Destinations, click Add and enter the destination name, IP address, port, and protocol for AiStrike. Then under Routing Rules, add a Forwarding Rule, define conditions for which events to forward, select the destination, and save.
7. Connector configuration
In AiStrike, open the QRadar integration settings and enter:
-
Configuration name
-
QRadar API/server endpoint URL (e.g.
https://<qradar-host>/api/) -
API version
-
Authentication token (Authorized Service Token)
-
(Optional) Username and password
Once saved, AiStrike begins fetching data from QRadar.