Contents x
      QRadar 2.0.1
      • 02 Apr 2025
      • 2 Minutes to read
      • Dark
        Light
      • PDF
      Contents

      QRadar 2.0.1

      • Updated on 02 Apr 2025
      • 2 Minutes to read
      • Dark
        Light
      • PDF
      Article summary

      QRadar - 2.0.1

      tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment

      Table of Contents

      Description

      Integration with IBM QRadar supports CDC users by providing the extraction of logs and observables from the QRadar platform. This enables CDC users to make informed decisions regarding incident response.

      IBM QRadar Security Information and Event Management (SIEM) helps Security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, QRadar correlates this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

      IBM QRadar has provided CyberProof with a REST API, which is integrated with CDC. CDC receives new offenses as alerts from the QRadar offense service.

      All the read information is passed on to CDC in the form of an alert, with information stored as raw information and observables.

      Integration Type:SIEM
      Information read:Logs from IBM QRadar based on Criteria defined
      API Supported:7.4
      Input:N/A
      Output:Detailed logs which lead to creation of Observables on CDC.

      CDC Command Lines

      • add_and_replace_custom_events_fields_cli
        Replaces/adds custom events fields to azure blob. Custom fields takes precedence over dynamic fields. Only unique custom fields will be stored. A dynamic field will be removed if it is added as a custom fields. Example:
      OptionTypeDescriptionRequired
      fieldsstringCustom events fieldsTrue
      • clear_custom_events_fields_cli
        Clears custom events fields from azure blob.
      OptionTypeDescriptionRequired
      • extend_custom_events_fields_cli
        Extends custom events fields to azure blob. Only unique custom fields will be stored. Example: extend_custom_events_fields_cli --fields="qid,location"
      OptionTypeDescriptionRequired
      fieldsstringCustom events fieldsTrue
      • get_custom_events_fields_cli
        Gets events fields from azure blob.
      OptionTypeDescriptionRequired

      Workflows

      • add_update_replace_custom_events_fields
        Replace/adds events fields to azure blob.

      • clear_custom_events_fields
        Clears custom events fields from azure blob.

      • close_alert
        Close the alert in QRadar

      • execute_query
        Execute AQL query in QRadar.

      • get_custom_events_fields
        Gets events fields from azure blob.

      • inject_qradar_alert_to_cdc
        Enrich QRadar alerts and push them to the CDC

      • push_qradar_alerts_to_redis
        Enrich QRadar alerts and push them to the CDC

      • update_dynamic_events_fields
        Fetch and update the non empty fields of events tables

      Rules

      • new_offense
        Triggered when a new offense is created.

      • close_alert
        Close alerts (i.e. offenses) in QRadar

      • update_dynamic_events_fields_trigger
        Triggered at poll intervals to fetch and update the non-empty fields from qradar events table to azure storage/redis

      Sensors

      • OffensesSensor
        Sensor to pull all offenses details from QRadar and auto update non-empty fields from qradar events table to azure storage/redis

      Poll interval - 30s

      Triggers

      • update_dynamic_events_fields_trigger
        Auto updates non-empty fields from qradar events table to azure storage/redis

      Known Issues

      Was this article helpful?
      What's Next