AiStrike Documentation

IBM QRadar

Integrate AiStrike with your QRadar instance so it can fetch security events and alerts via the QRadar API for enrichment and analysis.

Prerequisites

  • QRadar public IP address — the public IP(s) from which your QRadar server sends alerts and syslog events (primary and secondary), so AiStrike can allowlist it on the syslog collector.

  • Administrative access in QRadar to create forwarding/routing rules, manage the AiStrike API user, and generate API tokens.

1. Network access

AiStrike requires API access to QRadar over HTTPS (port 443) or your custom port. For on-prem deployments, ensure your firewall allows the necessary traffic. If QRadar has an internal IP, configure Destination NAT via a public IP on your firewall.

Allowlist the following AiStrike IP addresses to reach your QRadar API endpoint:

3.135.165.25/32     3.148.24.98/32     3.148.93.249/32
3.14.192.137/32     13.201.28.59/32    18.223.178.199/32
52.15.138.222/32    54.246.180.34/32   63.35.37.74/32
54.220.227.162/32

If Destination NAT isn't possible, AiStrike can set up a dedicated AWS Site-to-Site VPN instead. Reach out to discuss options.

2. Create an AiStrike role

In QRadar, go to Admin > User Management > User Roles, click New, name it (e.g. Aistrike_Role), and assign Monitor, View, read-only, and dashboard permissions. Click Save.

3. Create a security profile

Go to Admin > User Management > Security Profiles > New Profile. Configure AiStrike_Profile with: Permission Precedence No Restrictions, Log Sources All Log Source Groups, Network All, Domains All Domains. Save.

4. Create an AiStrike user

Go to Admin > User Management > Users > New. Assign a username (e.g. Aistrike_User, email threat@aistrike.com), a strong password, the Aistrike_Role, and the AiStrike_Profile. Then click Deploy to apply changes.

5. Create an authorized service token

  1. Go to Admin > User Management > Authorized Services > Add Authorized Service.

  2. Configure: Service Name AIStrike_Integration, User Role Aistrike_Role, the security profile created above, and an expiry (No Expiry or per policy).

  3. Copy and securely store the generated token — it's required to complete the integration.

6. (If forwarding events) Forwarding destination & routing rule

Under Admin > System Configuration > Forwarding Destinations, click Add and enter the destination name, IP address, port, and protocol for AiStrike. Then under Routing Rules, add a Forwarding Rule, define conditions for which events to forward, select the destination, and save.

7. Connector configuration

In AiStrike, open the QRadar integration settings and enter:

  • Configuration name

  • QRadar API/server endpoint URL (e.g. https://<qradar-host>/api/)

  • API version

  • Authentication token (Authorized Service Token)

  • (Optional) Username and password

Once saved, AiStrike begins fetching data from QRadar.