How the IBM QRadar SIEM integration
works with our SOAR platform


However large or small your digital footprint, it's likely you already have some form of cybersecurity monitoring in place. Security Information and Event Management (SIEM) solutions have become one of the most widely used tools deployed by security-conscious organizations.

Many vendors offer SIEM solutions, and IBM QRadar SIEM is one of the market leaders for security event monitoring. If you're already using it, nothing needs to change: our integration lets SIRP sync with your existing QRadar deployment to improve response times to security alerts across your digital infrastructure.

In this post we explore why this is important, and how the two platforms function together.

Why should you integrate this feature?

The IBM QRadar SIEM provides an overview of cybersecurity events across your infrastructure through a centralized monitoring dashboard. As suggested by the name, functionality falls into two main categories:

  • Information Management: Storage and analysis of security data, such as logs produced by servers, firewalls and antivirus software. Analyzing those logs lets the SIEM surface suspicious activity that would otherwise pass unnoticed.
  • Event Management: Real-time monitoring and correlation of events across sources.

With this, analysts can examine activity from the dashboards and drill down into specific areas of interest, including detailed logs, the source of events and event frequency. The tool is highly scalable and can ingest and analyze security data from across the organization. Depending on the size of the environment and the rules deployed, QRadar typically produces hundreds to thousands of alerts each day because of the granular level of analysis it provides.

When customers deploy SIRP, they don't need to change how they use this valuable tool in their cybersecurity arsenal or replicate any existing workflows. SIRP integrates with QRadar out of the box, so you can start benefiting from its orchestration and automation immediately.

How does the integration work?

For the integration to work, SIRP ingests the existing alerts, which QRadar calls offenses. For example, antivirus alerts are typically collected by your SIEM. After integration, SIRP ingests these antivirus alerts and creates a case for each one. Each case is then associated with its own data, known as artifacts. For an infection alert, this will contain information such as the virus name, the file hash and the file path on the infected endpoint.

SIRP ingests QRadar offenses by polling. You configure the SIRP QRadar app to connect to QRadar using an authentication token. Alerts are then displayed by source in SIRP's console to keep a clear view of activity. The name and severity of each case map back to the same offense name and magnitude in QRadar, so you can easily return to the source if needed.
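As an added example of what that polling loop involves (this is illustrative code written for this post, not SIRP's own app), here is a Python poller against the QRadar REST API. The `/api/siem/offenses` endpoint, the `SEC` token header, the `filter`/`fields`/`sort` query parameters and `Range` paging are real QRadar API conventions; the `Case` model, the magnitude-to-severity thresholds, the watermark state and the sample offenses are assumptions of the example. The watermark on `last_updated_time` plus the set of already-seen offense IDs is what keeps a restart from creating duplicate cases.

```python
"""Poll IBM QRadar for offenses and turn them into SOAR cases.

Example code for this post, not SIRP's app. Real QRadar pieces: the
/api/siem/offenses endpoint, the SEC header, filter/fields/sort and Range
paging. The Case model, severity thresholds and state layout are assumed.
"""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Case:
    """Hypothetical SOAR case: one per QRadar offense."""
    source: str
    source_id: int
    title: str
    severity: str
    artifacts: Dict[str, str] = field(default_factory=dict)


def magnitude_to_severity(magnitude: int) -> str:
    """QRadar magnitude is 0-10; map it onto four case severities (assumed cut-offs)."""
    if magnitude >= 8:
        return "critical"
    if magnitude >= 5:
        return "high"
    if magnitude >= 3:
        return "medium"
    return "low"


def fetch_offenses(base_url: str, sec_token: str, since_ms: int,
                   page_size: int = 50) -> List[dict]:
    """GET open offenses updated after since_ms (epoch millis), paging with Range."""
    offenses: List[dict] = []
    start = 0
    ctx = ssl.create_default_context()  # keep TLS verification on: the token is a credential
    while True:
        query = urllib.parse.urlencode({
            "filter": f"status=OPEN and last_updated_time>{since_ms}",
            "fields": "id,description,magnitude,offense_source,offense_type,"
                      "start_time,last_updated_time,status",
            "sort": "+last_updated_time",
        })
        req = urllib.request.Request(f"{base_url}/api/siem/offenses?{query}")
        req.add_header("SEC", sec_token)  # QRadar authorized-service token
        req.add_header("Accept", "application/json")
        req.add_header("Range", f"items={start}-{start + page_size - 1}")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            page = json.loads(resp.read().decode("utf-8"))
        offenses.extend(page)
        if len(page) < page_size:
            return offenses
        start += page_size


def ingest(offenses: List[dict], state: dict) -> List[Case]:
    """Create a Case per unseen offense and advance the watermark in state.

    state = {"since_ms": int, "seen_ids": set} is persisted between polls so a
    restart does not recreate cases for offenses already ingested.
    """
    seen: Set[int] = state.setdefault("seen_ids", set())
    cases: List[Case] = []
    for off in offenses:
        state["since_ms"] = max(state.get("since_ms", 0), off.get("last_updated_time", 0))
        if off["id"] in seen:
            continue
        seen.add(off["id"])
        # Offense descriptions often carry a trailing newline in the API output.
        title = (off.get("description") or "").strip() or f"QRadar offense {off['id']}"
        cases.append(Case(
            source="qradar",
            source_id=off["id"],
            title=title,  # same name the analyst sees in the QRadar console
            severity=magnitude_to_severity(int(off.get("magnitude", 0))),
            artifacts={
                "qradar_offense_id": str(off["id"]),
                "qradar_magnitude": str(off.get("magnitude", 0)),
                "offense_source": str(off.get("offense_source", "")),
                "start_time_ms": str(off.get("start_time", "")),
            },
        ))
    return cases


def poll(base_url: str, sec_token: str, state: dict) -> List[Case]:
    """One polling cycle against a live console; run it on a timer."""
    return ingest(fetch_offenses(base_url, sec_token, state.get("since_ms", 0)), state)


# Constructed sample, shaped like /api/siem/offenses JSON (not real data).
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Malware Detected\n", "magnitude": 7,
     "offense_source": "10.0.0.5", "offense_type": 0, "status": "OPEN",
     "start_time": 1700000000000, "last_updated_time": 1700000500000},
    {"id": 102, "description": "Excessive Firewall Denies", "magnitude": 3,
     "offense_source": "10.0.0.9", "offense_type": 0, "status": "OPEN",
     "start_time": 1700000100000, "last_updated_time": 1700000600000},
]

if __name__ == "__main__":
    st: dict = {}
    for c in ingest(SAMPLE_OFFENSES, st):
        print(c)
    print("next poll starts after", st["since_ms"])
```

Two practical points: issue the token as a QRadar authorized service with a user role and security profile that grants only what the poller needs (reading offenses), and store it in a secret store rather than in the app configuration in clear text, since whoever holds it can read every offense the profile allows.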

There is a second ingestion path as well. It is not uncommon for organizations to have a single mailbox configured to receive customized alerts for further investigation. SIRP's IMAP app pulls these emails from that mailbox over IMAP, and cases and artifacts are then created from them in the same way.
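To show the shape of that mailbox path, here is an added example (written for this post, not SIRP's IMAP app) that fetches unread messages with Python's standard `imaplib`, parses each one, and extracts artifacts from the body with regular expressions. The alert email is constructed, and the case layout, the sender allowlist and the artifact patterns are assumptions. One caveat a practitioner should keep in mind: an alert mailbox is an input anyone who can send mail can reach, so the `From:` check below is only a sanity filter, not authentication, and the extracted artifacts should be treated as untrusted data until the source is verified (for example via DMARC results on the receiving gateway).

```python
"""Turn alert e-mails from a shared mailbox into cases with artifacts.

Example code for this post, not SIRP's IMAP app. The IMAP calls are
standard imaplib; the alert e-mail is constructed; the case dict layout,
sender allowlist and artifact regexes are assumptions.
"""
import email
import email.policy
import email.utils
import imaplib
import re
from typing import Dict, List

# Senders we expect alerts from (assumed). This is a sanity filter only:
# From: is spoofable unless SPF/DKIM/DMARC are enforced upstream.
TRUSTED_SENDERS = {"edr-alerts@example.com"}

ARTIFACT_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "file_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+"),  # Windows paths
}


def fetch_unseen(host: str, user: str, password: str, mailbox: str = "INBOX") -> List[bytes]:
    """Pull unread messages over IMAPS as raw RFC 822 bytes (fetching marks them \\Seen)."""
    raws: List[bytes] = []
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.select(mailbox)
        status, data = imap.search(None, "UNSEEN")
        if status == "OK":
            for num in data[0].split():
                status, parts = imap.fetch(num, "(RFC822)")
                if status == "OK":
                    raws.append(parts[0][1])
    return raws


def parse_alert_email(raw: bytes) -> Dict[str, object]:
    """Parse one message into a case dict; return {} if the sender is not trusted."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in TRUSTED_SENDERS:
        return {}
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    artifacts: Dict[str, List[str]] = {}
    for kind, pattern in ARTIFACT_PATTERNS.items():
        found = sorted(set(pattern.findall(body)))
        if found:
            artifacts[kind] = found
    return {
        "source": "mailbox",
        "title": str(msg.get("Subject", "(no subject)")),
        "sender": sender,
        "artifacts": artifacts,  # untrusted until the sender is verified
    }


# Constructed sample alert (not a real message).
SAMPLE_EMAIL = b"""From: EDR <edr-alerts@example.com>
To: soc-alerts@example.com
Subject: [EDR] Malware quarantined on WS-0421
Content-Type: text/plain; charset=utf-8

Host: WS-0421
File: C:\\Users\\alice\\Downloads\\invoice.exe
SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
Source IP: 203.0.113.7
"""

# Constructed spoof: same layout, untrusted sender, so no case is created.
SPOOFED_EMAIL = b"""From: attacker@evil.example
Subject: [EDR] Malware quarantined on WS-0421
Content-Type: text/plain; charset=utf-8

SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
"""

if __name__ == "__main__":
    print(parse_alert_email(SAMPLE_EMAIL))
    print(parse_alert_email(SPOOFED_EMAIL))
```

Against a live mailbox the loop is `for raw in fetch_unseen(host, user, password): case = parse_alert_email(raw)`, with the mailbox credential kept in a secret store and, ideally, a dedicated read-only account for the ingestion app.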

Orchestrated Efforts for Improved Results

By integrating QRadar SIEM with our platform, customers can benefit from the automated detection and response functionality of SIRP. This provides a faster response time to malicious activity and reduces the burden on security analysts.

The information fed from QRadar is also incorporated into the risk and asset management modules, so automated decisions can be prioritized according to the risk and criticality of the assets involved. Without having to set up new systems and workflows, SIRP's approach to security operations improves your overall cybersecurity efforts through better coordination and visibility.

To find out more about how SIRP can empower your security function, book a demo today.
