This is a cache of https://developer.ibm.com/articles/automate-qradar-verify-guardium-apiconnecthub/. It is a snapshot of the page as it appeared on 2025-11-14T12:39:49.665+0000.
Automate QRadar, Verify, and Guardium workflows using APIConnectHub - IBM Developer

Article

Automate QRadar, Verify, and Guardium workflows using APIConnectHub

New AI-driven interface simplifies complex security integration using natural language queries

By

Honey Gidwani,

Rahul K. P.

Security operations centers (SOCs) and analysts routinely interact with a variety of security tools to perform daily tasks such as tenant management, user provisioning, evidence collection, and compliance checks. Traditionally, this involves navigating multiple web interfaces and dashboards, resulting in workflow inefficiencies, repetitive manual lookups, and increased potential for human error.

APIConnectHub is a unified API agent project that addresses these challenges by introducing a single, AI-driven interface that automates complex workflows across IBM QRadar, IBM Verify, and IBM Guardium using natural language queries. Powered by the Llama 4 large language model on IBM watsonx.ai and by dynamic search of the product API documentation, the solution lets analysts perform multi-system operations through a conversational interface without direct API knowledge or switching between browser tabs.

Component technologies

APIConnectHub is built using a modular architecture that leverages the following key technologies:

  • Streamlit: Provides an intuitive web interface for users to enter natural language queries and review results, making the solution accessible to analysts with varying technical backgrounds.
  • Tavily Search: Enables real-time search of the product API documentation (QRadar, Verify, Guardium), so that API call plans are based on the most current and authoritative reference material.
  • LangChain: Used to integrate custom LLMs and support prompt engineering for complex multi-step planning and summarization.
  • Custom API utilities: Dedicated Python modules for QRadar, Verify, and Guardium handle authentication, token management, and API execution.
  • Environment-based configuration: The dotenv module loads credentials and endpoints from the environment rather than from source code, so they can be managed securely and adapted to each deployment.

Challenges

Security analysts face several daily operational challenges when working with multiple security platforms:

  • Context switching: Analysts often juggle numerous tabs and interfaces, switching between QRadar, Verify, Guardium, and other tools to accomplish multi-step tasks such as onboarding a new user or validating compliance checklists.
  • Manual data lookups: Many workflows require fetching IDs, resolving entity relationships, or performing multi-stage operations where the output of one step is an input to another. Doing this manually is tedious and error-prone.
  • Lack of workflow automation: Out-of-the-box automation is limited across siloed security products. Even common actions like updating a user or extracting evidence for audits often require a deep understanding of each platform’s API.
  • Risk of human error: Manual copying of values (IDs, tokens), repeated data entry, and fragmented processes can introduce errors, leading to misconfigurations or delays in incident response.
  • Documentation complexity: Keeping up with changing API endpoints, headers, and required parameters across different products is a significant burden for SOC teams.

Benefits

By automating and unifying the API interaction layer, APIConnectHub delivers tangible benefits to security operations:

  • Single pane of glass: Analysts interact with QRadar, Verify, and Guardium through one chat-based interface, with no need to open multiple dashboards or memorize product-specific workflows.
  • Natural language automation: Anyone can initiate complex operations using plain English queries, lowering the skill barrier and enabling faster onboarding of new team members.
  • Reduced manual effort: Automated ID lookups, token management, and sequential multi-step workflows eliminate repetitive tasks, freeing analysts for higher-value activities.
  • Increased accuracy: By automating the resolution of entity relationships and API payload construction, the solution minimizes errors from manual data handling.
  • Future-ready extensibility: Adding new security products or updating to new API versions only requires updating documentation references, not core logic.
  • Audit and compliance: Every API call is planned, executed, and explained transparently, producing a step-by-step record of what was requested and what each product returned that supports internal audit requirements and regulatory compliance.

Workflow

The agent-driven workflow consists of several tightly integrated steps:

  1. User input: The analyst submits a natural language query describing the desired task (e.g., “Create a new tenant and onboard all critical log sources”).
  2. API documentation search: The system uses Tavily to search the official API documentation for QRadar, Verify, and Guardium, extracting the relevant endpoints and examples.
  3. AI planning: Llama 4 on watsonx.ai parses the user query together with the documentation context and generates a step-by-step API execution plan in JSON format, including any necessary lookups (e.g., resolving tenant IDs).
  4. Memory management: The agent maintains an in-memory map of entities (IDs, tokens) across steps, ensuring seamless chaining of API calls.
  5. API execution: The system securely calls each product API as specified in the plan, handling authentication, payload preparation, and response parsing.
  6. Summarization: The LLM generates a plain English summary and, where appropriate, a tabular display of results, making it easy for analysts to interpret the outcome.
  7. Output: The analyst sees each executed step, raw API responses, and concise, actionable summaries—all within a single unified interface.
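The planning, memory, and execution steps above, worked through as an added Python example (this is not APIConnectHub's own code): a small executor that takes a JSON plan of the kind the model would emit, resolves `{{step.field}}` references from the in-memory entity map, checks each step against an endpoint allowlist, requires explicit approval before any mutating call, runs the call, and records an audit trail. The plan format, the placeholder syntax, the allowlist, the approval gate, the Verify and QRadar paths, and the stubbed responses are all assumptions made for illustration.

```python
"""Plan executor in the style of the workflow above (added example, not
APIConnectHub's code). Plan format, {{placeholder}} syntax, allowlist,
approval gate, API paths and stubbed responses are all assumptions."""
import json
import re
from typing import Any, Callable, Dict, List, Optional

# Assumed plan format: ordered steps emitted by the LLM as JSON. A value of
# the form {{step_id.path.to.field}} refers to an earlier step's response.
SAMPLE_PLAN: List[dict] = json.loads(r"""
[
  {"id": "find_tenant", "product": "verify", "method": "GET",
   "path": "/v2.0/Tenants", "params": {"filter": "name eq \"acme\""}},
  {"id": "create_user", "product": "verify", "method": "POST",
   "path": "/v2.0/Users",
   "body": {"userName": "jdoe", "tenantId": "{{find_tenant.Resources.0.id}}"}},
  {"id": "list_sources", "product": "qradar", "method": "GET",
   "path": "/api/config/event_sources/log_source_management/log_sources"}
]
""")

PLACEHOLDER = re.compile(r"^\{\{([\w.]+)\}\}$")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed allowlist: whatever the model plans, the agent may only call these
# product/path prefixes with the credentials it holds.
ALLOWED = {
    "verify": ("/v2.0/Users", "/v2.0/Tenants"),
    "qradar": ("/api/config/", "/api/siem/offenses"),
}


class PlanError(Exception):
    """Raised when a plan references missing data or violates policy."""


def lookup(memory: dict, dotted: str) -> Any:
    """Resolve 'find_tenant.Resources.0.id' against stored step results."""
    cur: Any = memory
    for part in dotted.split("."):
        if isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        elif isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            raise PlanError(f"unresolved reference {dotted!r}")
    return cur


def resolve(value: Any, memory: dict) -> Any:
    """Recursively substitute {{...}} placeholders inside params and body."""
    if isinstance(value, str):
        m = PLACEHOLDER.match(value)
        return lookup(memory, m.group(1)) if m else value
    if isinstance(value, dict):
        return {k: resolve(v, memory) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, memory) for v in value]
    return value


def execute_plan(plan: List[dict], call: Callable[..., Any],
                 approve: Callable[[dict], bool] = lambda step: False):
    """Run steps in order; return (entity memory, audit trail)."""
    memory: Dict[str, Any] = {}
    trail: List[dict] = []
    for step in plan:
        if not step["path"].startswith(ALLOWED.get(step["product"], ())):
            raise PlanError(f"{step['product']} {step['path']} not in allowlist")
        # Mutating calls need an explicit analyst decision; the default is deny.
        if step["method"] in MUTATING and not approve(step):
            raise PlanError(f"step {step['id']} requires approval")
        req = resolve({k: step.get(k) for k in ("params", "body")}, memory)
        resp = call(step["product"], step["method"], step["path"],
                    req["params"], req["body"])
        memory[step["id"]] = resp
        trail.append({"id": step["id"], "method": step["method"],
                      "path": step["path"], "request": req, "response": resp})
    return memory, trail


# Constructed stub standing in for the real product clients so this runs
# offline; the create endpoint echoes the body back so the substitution shows.
FAKE_RESPONSES = {
    ("verify", "GET", "/v2.0/Tenants"): {"Resources": [{"id": "t-001", "name": "acme"}]},
    ("verify", "POST", "/v2.0/Users"): {"id": "u-42"},
    ("qradar", "GET", "/api/config/event_sources/log_source_management/log_sources"):
        [{"id": 7, "name": "fw-01", "enabled": True}],
}


def fake_call(product: str, method: str, path: str, params: Optional[dict], body: Optional[dict]) -> Any:
    key = (product, method, path)
    if key not in FAKE_RESPONSES:
        raise PlanError(f"no stub for {key}")
    resp = FAKE_RESPONSES[key]
    return {**resp, **(body or {})} if method == "POST" else resp


def plan_error(plan: List[dict], approve_mutations: bool = True) -> Optional[str]:
    """Return the PlanError message for a plan, or None when it executes."""
    try:
        execute_plan(plan, fake_call, approve=lambda s: approve_mutations)
    except PlanError as exc:
        return str(exc)
    return None
```

Two design points are worth keeping when this is wired to real clients. The allowlist and the approval hook are there because the plan is model-generated and runs under the agent's stored credentials, so those service credentials should be scoped to the minimum each product needs and write operations treated as proposals an analyst confirms. And the trail, rather than the model's summary, is the record to retain for the audit use described above, because it holds exactly what was sent and what each product returned.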

APIConnectHub workflow diagram

Demo video

The following video walks you through the APIConnectHub workflow:

Summary

APIConnectHub represents a significant step forward in automating, simplifying, and accelerating security operations for enterprises that use IBM's security stack. Analysts spend less time on routine, manual operations and more time on high-impact security analysis, investigation, and response.

By combining the latest advancements in large language models, live documentation search, and secure API integration, APIConnectHub bridges the gap between security intent and execution.

Next steps

To learn more about the technologies used to create APIConnectHub, see the following resources: