Not only does IBM Security QRadar SIEM record log events, such as user logins or VPN connections, but it also records flow data—network activity that can last for seconds to days, such as a streaming a movie. This unique ability helps QRadar SIEM provide comprehensive visibility across your security and cybersecurity environments, including on-premises data centers, clouds, SaaS applications and employee endpoints, to limit blind spots where malicious activity could be hiding.
You can extend your QRadar SIEM threat detection capabilities even further with multiple integration points such as device support modules (DSM), network behavior collection devices, threat intelligence feeds and vulnerability scanners.
Types of integrations
Event Log Sources
Access more than 450 device support modules (DSM) and more than 370 applications
Threats move fast. Unlike other SIEM solutions on the market, QRadar SIEM automatically parses and normalizes a log source’s event into standard taxonomy format. To do this, QRadar SIEM autodetects more than 450 DSM modules, from Amazon to Zscaler, that are ready for use with the installation of QRadar and supported by IBM.
QRadar SIEM accepts events from log sources by using protocols such as syslog, syslog-tcp, and SNMP. QRadar SIEM can also set up outbound connections to retrieve events by using protocols such as SCP, SFTP, FTP, JDBC, Check Point OPSEC, and SMB/CIFS.
Network Flow Devices
Guard your network with network behavior collection devices
QRadar SIEM can receive flows from many different types of network data sources, or flow sources, classified as either internal or external. This provides a deeper view into your network to help eliminate blind spots.
The following external flow protocols are supported:
IPFIX sFlow J-Flow Packeteer Napatech interface Network interface
Identify and prioritize threats quickly
Integrations with vulnerability data help QRadar SIEM understand more about the assets in your environment to prioritize alerts and reduce false positives. Additionally, vulnerability assessment scanners can provide vulnerability assessment profiles for network assets.
Get ahead of emerging worldwide threats
For additional context to prioritize threats, QRadar SIEM uses integrations with threat intelligence feeds and vulnerability scanners. Threat intelligence feeds provide QRadar SIEM current information on the latest threats discovered around the world, so you can proactively take action to guard your environment.
IBM X-Force® Threat Intelligence IBM Security® QRadar® Threat Intelligence Trusted Automated Exchange of Intelligence Information (TAXII™) (link resides outside ibm.com) Structured Threat Information Expression (STIX™) (link resides outside ibm.com)
Build your own integrations
If there isn’t already integration support for a system in your environment, QRadar SIEM allows you to create a custom parser for your data source. You can also collect events from various REST APIs for less common data sources that do not have a specific DSM or protocol by using the QRadar SIEM Universal Cloud Rest API.
QRadar SIEM and QRadar EDR
QRadar EDR and QRadar SIEM empower organizations with deep endpoint visibility through natively integrated workflows to enable consistency in proactive detection and response. (1,449 KB)
Frequently asked questions
It is important to get a complete view of what is occurring on your network.
Event data represents log events that occur at a single point in time in a user’s environment, such as user logins, email, VPN connections, firewall denials, proxy connections and more.
Flow data is network activity information or session information between two hosts on a network. QRadar SIEM translates or normalizes the raw data from IP addresses, ports, byte and packet counts, and other information into flow records. In addition to collecting basic flow information, full packet capture is available with the QRadar Network Insights (QNI) component available on QRadar SIEM.
A key difference between event and flow data is the time period each data type is able to represent. An event occurs at a specific time and the event is logged at that time. A flow is network activity between two hosts that can last for seconds, minutes, hours or days depending on the activity within the session. For example, a web request that downloads multiple files such as images, ads and video that lasts for 5 to 10 seconds, or a user who watches a movie with a streaming service.
QRadar SIEM gives your security analysts a complete view from the beginning, middle and end of an event.
Internal flow sources collect raw packets from a network tap device, SPAN port or mirror port that is connected to a Napatech or network interface card. These sources provide packet data as it appears on the network and sends it to a monitoring port on a flow collection device, which converts the packet data into the flow records used in QRadar SIEM.
External flow sources, such as routers that send common network monitoring protocols, including NetFlow, IPFIX, sFlow, J-Flow, and Packeteer data, provide a different level of visibility than internal flow sources. For example, NetFlow records can provide both the router interface that the packets crossed, and the ASN record numbers of the originating network. When using IPFIX, additional fields that are not parsed into normalized fields can be placed into the payload as name value pairs, which can then be used as custom properties.
A device support module (DSM) is a plug-in file that QRadar SIEM can use to collect events from your third-party security products.
Yes, QRadar SIEM provides automatic updates for IBM-supported DSMs in accordance with vendor product updates, including new DSM releases, corrections to parsing issues and protocol updates.
If you would like more information on IBM QRadar, contact us today!