QRadar 2.0.0
  • 02 Apr 2025

tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment

Description

The IBM QRadar integration extracts offenses, together with their logs and observables, from the QRadar platform into CDC, so that CDC users can make informed incident-response decisions.

IBM QRadar Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout the network, QRadar correlates this information and aggregates related events into single alerts (offenses), which accelerates incident analysis and remediation.

CDC integrates with the QRadar REST API: it polls the QRadar offense service and receives each new offense as an alert.

Everything read from QRadar is passed to CDC as an alert, with the raw offense data stored alongside the observables extracted from it.

Integration Type: SIEM
Information read: Logs from IBM QRadar, based on the criteria defined
API supported: 7.4
Input: N/A
Output: Detailed logs, which lead to the creation of observables in CDC
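
The offense pull described above, as an added example that is not CyberProof CDC or IBM QRadar code. It authenticates with a QRadar authorized-service token in the `SEC` header, pages results with the `Range` header, keeps the last seen offense id as a high-water mark so the 30-second poll never re-ingests an offense, maps each offense to an illustrative CDC-style alert with observables, and shows the close call, which QRadar rejects without a `closing_reason_id`. The alert shape, the offense_type-to-observable mapping, the `transport` callable and the `fake_transport` data are assumptions made here; a real deployment replaces the fake with HTTPS and keeps TLS verification on.

```python
"""Poll QRadar for new offenses and map them to CDC-style alerts with observables.

Added example for this page; not CyberProof CDC or IBM QRadar code.
Assumptions (not from the page): the alert shape, the offense_type ->
observable mapping, and the fake transport that answers instead of HTTPS.
"""
import json
import urllib.parse
import urllib.request

OFFENSE_FIELDS = "id,description,offense_type,offense_source,magnitude,start_time,status"
# offense_type codes per the QRadar API documentation (assumed here; verify on
# your QRadar version): 0 = Source IP, 1 = Destination IP, 3 = Username.
OFFENSE_TYPE_TO_OBSERVABLE = {0: "ip", 1: "ip", 3: "username"}


class QRadarClient:
    """Thin REST wrapper: SEC token auth, paging via the Range header."""

    def __init__(self, base_url, sec_token, transport=None, page_size=50):
        self.base_url = base_url.rstrip("/")
        self.headers = {"SEC": sec_token, "Accept": "application/json"}
        self.page_size = page_size
        self.transport = transport or self._https

    @staticmethod
    def _https(method, url, headers):
        # Default TLS verification stays on: a SIEM token must never travel
        # over an unverified channel.
        req = urllib.request.Request(url, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")

    def request(self, method, path, params=None, extra_headers=None):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        status, payload = self.transport(method, url, {**self.headers, **(extra_headers or {})})
        if status >= 400:
            raise RuntimeError(f"QRadar {method} {path} -> HTTP {status}: {payload}")
        return payload


def fetch_new_offenses(client, since_id):
    """OPEN offenses with id > since_id, oldest first, walking every page.

    The offense id is a monotonic high-water mark, so a 30 s poll re-ingests
    nothing and is immune to clock skew between CDC and QRadar.
    """
    params = {"filter": f'id > {int(since_id)} and status = "OPEN"', "fields": OFFENSE_FIELDS}
    offenses, start = [], 0
    while True:
        page = client.request("GET", "/api/siem/offenses", params,
                              {"Range": f"items={start}-{start + client.page_size - 1}"})
        offenses.extend(page)
        if len(page) < client.page_size:
            return sorted(offenses, key=lambda o: o["id"])
        start += client.page_size


def offense_to_alert(offense):
    """One offense -> one alert: raw record kept whole, plus extracted observables."""
    observables = []
    kind = OFFENSE_TYPE_TO_OBSERVABLE.get(offense.get("offense_type"))
    if kind and offense.get("offense_source"):
        observables.append({"type": kind, "value": offense["offense_source"]})
    return {
        "external_id": str(offense["id"]),
        "title": (offense.get("description") or "").strip(),  # QRadar appends a newline
        "severity": offense.get("magnitude"),
        "raw": offense,
        "observables": observables,
    }


def poll_once(client, since_id):
    """One sensor tick: returns (alerts, new high-water mark)."""
    offenses = fetch_new_offenses(client, since_id)
    return [offense_to_alert(o) for o in offenses], max([since_id, *(o["id"] for o in offenses)])


def close_offense(client, offense_id, closing_reason_id):
    """QRadar rejects status=CLOSED without a closing_reason_id."""
    return client.request("POST", f"/api/siem/offenses/{int(offense_id)}",
                          {"status": "CLOSED", "closing_reason_id": int(closing_reason_id)})


# --- offline stand-in for QRadar (constructed data, not a real response) ---
SAMPLE_OFFENSES = [
    {"id": 103, "description": "Suspicious Username Activity\n", "offense_type": 3,
     "offense_source": "svc-backup", "magnitude": 4, "status": "OPEN"},
    {"id": 101, "description": "Multiple Login Failures\n", "offense_type": 0,
     "offense_source": "10.0.0.5", "magnitude": 6, "status": "OPEN"},
]
CALLS = []  # (method, url, headers) seen by the fake, for inspection


def fake_transport(method, url, headers):
    CALLS.append((method, url, headers))
    path = urllib.parse.urlparse(url).path
    if method == "GET" and path == "/api/siem/offenses":
        return 200, SAMPLE_OFFENSES
    if method == "POST" and path.startswith("/api/siem/offenses/"):
        return 200, {"id": int(path.rsplit("/", 1)[1]), "status": "CLOSED"}
    return 404, {"message": "no route"}


if __name__ == "__main__":
    qr = QRadarClient("https://qradar.example", "sec-token", transport=fake_transport)
    alerts, mark = poll_once(qr, since_id=100)
    print(json.dumps(alerts, indent=1), "next high-water mark:", mark)
```

Persist the returned high-water mark between ticks (the page's sensor polls every 30 s); on restart, resuming from the stored id rather than from 0 is what keeps the integration from replaying every open offense into CDC.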

CDC Command Lines

* **add_and_replace_custom_events_fields_cli**
Replaces or adds custom events fields in Azure Blob storage. Custom fields take precedence over dynamic fields, and only unique custom fields are stored; a dynamic field is removed once the same field is added as a custom field. Example:

| Option | Type | Description | Required |
|---|---|---|---|
| fields | string | Custom events fields | True |

* **clear_custom_events_fields_cli**
Clears the custom events fields from Azure Blob storage.

Options: none.

* **extend_custom_events_fields_cli**
Extends the custom events fields in Azure Blob storage. Only unique custom fields are stored. Example: `extend_custom_events_fields_cli --fields="qid,location"`

| Option | Type | Description | Required |
|---|---|---|---|
| fields | string | Custom events fields | True |

* **get_custom_events_fields_cli**
Gets the events fields from Azure Blob storage.

Options: none.

Workflows

* **add_update_replace_custom_events_fields**
Replaces or adds custom events fields in Azure Blob storage.

* **clear_custom_events_fields**
Clears the custom events fields from Azure Blob storage.

* **close_alert**
Closes the alert (offense) in QRadar.

* **execute_query**
Executes an AQL query in QRadar.

* **get_custom_events_fields**
Gets the events fields from Azure Blob storage.

* **inject_qradar_alert_to_cdc**
Enriches QRadar alerts and pushes them to CDC.

* **push_qradar_alerts_to_redis**
Enriches QRadar alerts and pushes them to CDC.

* **update_dynamic_events_fields**
Fetches the non-empty fields of the events table and updates the stored dynamic fields.
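
The AQL search lifecycle behind `execute_query`, the non-empty-field discovery behind `update_dynamic_events_fields`, and the precedence rules of the custom-fields CLI commands above, as one added example that is not CDC's or IBM's code. It assumes a `call(method, path, params)` function standing in for an authenticated QRadar REST request (the `SEC` header and paging are as in the offense example), an offline fake that answers in its place, constructed sample events, and an in-memory list standing in for the Azure Blob/Redis store the page refers to. Ariel searches are asynchronous: the POST returns a `search_id` in `WAIT`/`EXECUTE` state and results are only valid once the status is `COMPLETED`, so the poll loop and the terminal-state check are the parts worth copying.

```python
"""AQL search lifecycle, dynamic event-field discovery and custom-field precedence.

Added example for this page; not CDC's or IBM's code. Assumptions (not from
the page): `call(method, path, params)` stands in for an authenticated QRadar
REST request, the fake below answers offline, the sample events are
constructed, and in-memory lists replace the Azure Blob / Redis store.
"""
import time

TERMINAL = {"COMPLETED", "CANCELED", "ERROR"}
EMPTY = (None, "", [], {})


def run_aql(call, aql, max_polls=60, poll_seconds=0.0):
    """Create an Ariel search, poll until it finishes, return the event rows."""
    job = call("POST", "/api/ariel/searches", {"query_expression": aql})
    sid, status = job["search_id"], job["status"]
    for _ in range(max_polls):
        if status in TERMINAL:
            break
        time.sleep(poll_seconds)
        status = call("GET", f"/api/ariel/searches/{sid}", None)["status"]
    if status != "COMPLETED":  # CANCELED, ERROR or still running after max_polls
        raise RuntimeError(f"Ariel search {sid} ended in state {status}")
    return call("GET", f"/api/ariel/searches/{sid}/results", None)["events"]


def events_for_offense(call, offense_id, minutes=30):
    """Events QRadar attached to an offense. int() keeps untrusted text out of the AQL."""
    aql = f"SELECT * FROM events WHERE INOFFENSE({int(offense_id)}) LAST {int(minutes)} MINUTES"
    return run_aql(call, aql)


def non_empty_fields(events):
    """Columns carrying a value in at least one row: the 'dynamic' field set."""
    fields = set()
    for row in events:
        fields.update(k for k, v in row.items() if v not in EMPTY)
    return sorted(fields)


def unique(names):
    seen, out = set(), []
    for n in names:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def parse_fields(option):
    """'qid, location,qid' -> ['qid', 'location'] (trimmed, deduplicated, order kept)."""
    return unique(f.strip() for f in option.split(",") if f.strip())


class EventFieldStore:
    """Mirrors the CLI semantics: custom fields win over dynamic ones and are stored
    once; a dynamic field disappears from the merged view when the same name is
    added as a custom field."""

    def __init__(self):
        self.custom, self.dynamic = [], []

    def add_and_replace(self, option):  # add_and_replace_custom_events_fields_cli
        self.custom = parse_fields(option)

    def extend(self, option):           # extend_custom_events_fields_cli
        self.custom = unique(self.custom + parse_fields(option))

    def clear(self):                    # clear_custom_events_fields_cli
        self.custom = []

    def update_dynamic(self, events):   # update_dynamic_events_fields
        self.dynamic = non_empty_fields(events)

    def get(self):                      # get_custom_events_fields_cli
        return self.custom + [f for f in self.dynamic if f not in self.custom]


# --- constructed sample events and an offline stand-in for the Ariel API ---
SAMPLE_EVENTS = [
    {"qid": 5000001, "sourceip": "10.0.0.5", "username": None, "payload": ""},
    {"qid": 5000002, "sourceip": "10.0.0.9", "username": "svc-backup", "payload": ""},
]


def make_fake_call(events=SAMPLE_EVENTS, statuses=("EXECUTE", "COMPLETED")):
    polls = {"n": 0}

    def call(method, path, params):
        if method == "POST" and path == "/api/ariel/searches":
            return {"search_id": "s1", "status": "WAIT"}
        if path == "/api/ariel/searches/s1/results":
            return {"events": events}
        if path == "/api/ariel/searches/s1":
            status = statuses[min(polls["n"], len(statuses) - 1)]
            polls["n"] += 1
            return {"search_id": "s1", "status": status}
        raise KeyError(path)
    return call


if __name__ == "__main__":
    store = EventFieldStore()
    store.update_dynamic(events_for_offense(make_fake_call(), 101))
    store.add_and_replace("username,qid")
    store.extend("qid,location")
    print(store.get())
```

Never interpolate an offense id or a user-supplied string straight into the AQL: an `execute_query` workflow that accepts free text from an alert is a query-injection surface against the SIEM, and coercing to `int()` before building the statement closes it for the numeric case shown here.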


Rules

* **new_offense**
Triggered when a new offense is created.

* **close_alert**
Closes alerts (that is, offenses) in QRadar.

* **update_dynamic_events_fields_trigger**
Triggered at each poll interval to fetch the non-empty fields from the QRadar events table and update them in Azure storage/Redis.


Sensors

* **OffensesSensor**
Pulls the details of all offenses from QRadar and automatically updates the non-empty fields from the QRadar events table in Azure storage/Redis.

Poll interval: 30 s


Triggers

* **update_dynamic_events_fields_trigger**
Automatically updates the non-empty fields from the QRadar events table in Azure storage/Redis.


Known Issues

None documented.