QRadar 1.9.0

QRadar - 1.9.0

tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment

Table of Contents

• Description
• CDC Command Lines
• Workflows
• Rules
• Sensors
• Triggers
• Known Issues

Description

Integration with IBM QRadar supports CDC users by providing the extraction of logs and observables from the QRadar platform. This enables CDC users to make informed decisions regarding incident response.

IBM QRadar Security Information and Event Management (SIEM) helps Security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, QRadar correlates this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

IBM QRadar has provided CyberProof with a REST API, which is integrated with CDC. CDC receives new offenses as alerts from the QRadar offense service.

All the read information is passed on to CDC in the form of an alert, with information stored as raw information and observables.

CDC Command Lines

No CDC command lines

Workflows

• close_alert
  Close the alert in QRadar.

• execute_query
  Execute the AQL query in QRadar.

• inject_qradar_alert_to_cdc
  Enrich QRadar alerts and push them to the CDC.

• push_alerts
  Enrich QRadar alerts and push them to the CDC.

• push_alerts_redis
  Enrich QRadar alerts and push them to the CDC.

• push_qradar_alerts_to_redis
  Enrich QRadar alerts and push them to the CDC.

Rules

• new_offense
  Triggered when a new offense is created.

• close_alert
  Close alerts (i.e., offenses) in QRadar.

Sensors

• OffensesSensor
  Sensor to pull all offenses details from QRadar.

Poll interval - 30s

Triggers

No triggers

Known Issues

No known issues