Send data to QRadar
Most recent version: v0.3.0
Overview
Onum supports integration with QRadar.
IBM Security QRadar is a security intelligence platform, specifically a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution.
Prerequisites
You must know the IP address or hostname of the target QRadar component that will receive the data, typically an Event Collector or the Console itself.
Save these, as you will need to enter them later.
Onum Setup
Log in to your Onum tenant and click Data Sinks > New Data sink.
Double-click the QRadar Sink.
Enter a Name for the new Data Sink. Optionally, add a Description and some Tags to identify the Sink.
Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.


Add the configuration to establish the connection: the Host* (IP address or hostname; use 0.0.0.0 to indicate all) and the destination IP Port* number.
Now you can configure the specifics of the connection details:
Network buffer size - the maximum size of the network buffer. The minimum value is -1.
Write timeout - the number of milliseconds to wait before considering the request a timeout. The minimum value is 1.
Idle timeout - the milliseconds the connection remains open and idle before it is automatically terminated or closed. The minimum value is 1.
Dial timeout - the maximum time (in ms) allowed for establishing a connection before the attempt is aborted. The minimum value is 1.
Connection Time to Live - the maximum duration (in ms) the connection remains active before it is forcibly closed, regardless of whether it is idle or in use. The minimum value is 1.
If you are using a proxy to establish the connection, toggle on the Proxy configuration button and enter the details here:
Certificate - your TLS certificate from your Secrets or create one.
Private Key - your private key from your Secrets or create one.
CA Chain - your CA chain from your Secrets or create one.
Skip TLS validations - decide whether or not to skip TLS validations.
Minimum TLS version - the TLS version to use.
Subject alternate name to verify - if you have assigned your TLS configuration another name, enter it here.
In the Secrets area, click New secret to create a new one:
Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the corresponding value.
Click Save.


Learn more about secrets in Onum in this article.
You can now select the created secrets in the configuration.
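The following is an added example, not Onum's or IBM's code, of what the connection settings above amount to on the wire: a TLS client context built from a CA chain, an optional client certificate and key, a minimum TLS version and the Skip TLS validations toggle, plus a sender that applies the dial and write timeouts and verifies the collector's certificate against a subject alternative name. The host, port, file paths, newline framing of syslog over TCP and all helper names are assumptions.

```python
"""Open a TLS connection to a QRadar Event Collector using the same knobs the
Onum sink exposes. Added example, not Onum's or IBM's code; host, paths, the
framing and every helper name are assumptions."""
import socket
import ssl
from typing import Iterable, Optional

# Minimum TLS version setting -> ssl module constant (assumed mapping).
MIN_TLS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}


def build_tls_context(ca_chain: Optional[str] = None,
                      certificate: Optional[str] = None,
                      private_key: Optional[str] = None,
                      skip_tls_validation: bool = False,
                      minimum_tls_version: str = "1.2") -> ssl.SSLContext:
    """Build the client context for the sink's TLS settings.

    The default context verifies the server certificate and its hostname;
    ca_chain maps to "CA Chain", certificate/private_key to "Certificate" and
    "Private Key" (a client certificate for mutual TLS if the collector
    requires one), minimum_tls_version to "Minimum TLS version".
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS[minimum_tls_version]
    if ca_chain:
        # Trust only the chain that signed the collector's certificate.
        ctx.load_verify_locations(cafile=ca_chain)
    if certificate and private_key:
        ctx.load_cert_chain(certfile=certificate, keyfile=private_key)
    if skip_tls_validation:
        # "Skip TLS validations": the collector's certificate is no longer
        # checked, so anyone on the path can impersonate it and read every
        # event. Keep this off outside a lab.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_syslog(host: str, port: int, messages: Iterable[str],
                ctx: ssl.SSLContext, san: Optional[str] = None,
                dial_timeout_ms: int = 5000, write_timeout_ms: int = 10000) -> int:
    """Send pre-formatted syslog lines over TLS and return how many were sent.

    dial_timeout_ms bounds the connect, write_timeout_ms each write; san is
    the "Subject alternate name to verify" and defaults to the host itself.
    Newline framing is an assumption about the collector's TCP listener.
    """
    sent = 0
    with socket.create_connection((host, port), timeout=dial_timeout_ms / 1000) as raw:
        raw.settimeout(write_timeout_ms / 1000)
        with ctx.wrap_socket(raw, server_hostname=san or host) as tls:
            for msg in messages:
                tls.sendall(msg.encode("utf-8") + b"\n")
                sent += 1
    return sent


if __name__ == "__main__":
    # Placeholder endpoint; replace with your Event Collector.
    context = build_tls_context(ca_chain="/path/to/ca-chain.pem",
                                minimum_tls_version="1.2")
    print(send_syslog("qradar-collector.example", 6514,
                      ["<13>May  1 08:05:09 fw-edge-01 onum: hello"],
                      context, san="qradar-collector.example"))
```

The weak and hardened settings differ only in the skip_tls_validation branch; everything else (pinned CA chain, TLS 1.2 floor, SAN check via server_hostname) is what a collector endpoint should be configured with.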
Click Finish when complete. Your new Data sink will appear in the Data sinks area list.
Pipeline configuration
When you use this sink in a Pipeline, you can configure the output parameters. This is where you give the message the required format to be processed in QRadar.
Output configuration
If your message already has the required format, toggle Passthrough to send on the message exactly as the sink receives it. Uncheck Passthrough to manually format the message:
Type
Output type - The Syslog format to send in:
The original BSD format (Syslog RFC 3164)
The "new" format (Syslog RFC 5424)
If you are unsure about the validity of the fields you have chosen, you can click Validate to check them. For the Syslog RFC 3164 type, you have the option to Auto-fix the values to correctly populate them.
You must select the incoming fields that correspond to each value to build the end message in QRadar. The fields to configure will differ depending on the Syslog type chosen.
Header (Syslog RFC 3164)
Enter the header parameters:
Priority*/ Severity & Facility* - The field corresponding to the Priority OR the fields corresponding to the Severity and Facility that will be used to make the Priority field.
Timestamp - The field containing the timestamp value.
Hostname - The field containing the hostname.
Message
Enter the fields used to build the body of the message:
Tag - The field containing the tag.
ProcId - The incoming field with the process ID.
Content - The field used as the content field.
Test mode
Decide if you want to send events while they are still processing. This is useful to test the Pipeline without the need for a valid destination.


Header (Syslog RFC 5424)
Enter the header parameters:
Priority* / Severity & Facility* - The field corresponding to the Priority OR the fields corresponding to the Severity and Facility that will be used to make the Priority field.
Timestamp - The field containing the timestamp value.
Hostname - The field containing the hostname.
Appname - The field containing the application name.
ProcID - The field containing the Process ID.
Message ID - The field containing the Message ID.
Structured data
Structured data - Where to source the structured data from.
Message
Enter the fields used to build the body of the message:
Message - The field containing the message body.
Test mode
Decide if you want to send events while they are still processing. This is useful to test the Pipeline without the need for a valid destination.
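To make the two field mappings above concrete, here is an added example (not Onum's or IBM's code) that assembles an RFC 3164 message and an RFC 5424 message from one extracted event, derives the Priority from Severity and Facility when no Priority field is mapped, and validates the result the way the Validate step would. The event, the field names, the enterprise number 32473 (reserved for documentation by RFC 5612) and the helper names are all constructed assumptions.

```python
"""Build QRadar-bound syslog messages from extracted event fields.
Added example, not Onum's or IBM's code; event and field names are assumed."""
from datetime import datetime, timezone
from typing import Dict, Optional

MAX_SEVERITY = 7    # 0 = Emergency ... 7 = Debug (RFC 5424 section 6.2.1)
MAX_FACILITY = 23   # 0 = kernel ... 23 = local7
MAX_PRIORITY = MAX_FACILITY * 8 + MAX_SEVERITY   # 191
NILVALUE = "-"      # RFC 5424 placeholder for an absent header field


def priority(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity: what the sink computes when you map
    Severity and Facility instead of a ready-made Priority field."""
    if not 0 <= facility <= MAX_FACILITY:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= MAX_SEVERITY:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def validate_priority(pri: int) -> bool:
    """A mapped Priority field must lie in 0..191, i.e. decode to a legal
    facility/severity pair; this is the check Validate performs on it."""
    return 0 <= pri <= MAX_PRIORITY


def _resolve_priority(event: dict) -> int:
    pri = event.get("priority")
    if pri is None:
        pri = priority(event["facility"], event["severity"])
    if not validate_priority(pri):
        raise ValueError(f"priority out of range: {pri}")
    return pri


def rfc3164(event: dict) -> str:
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PROCID]: CONTENT
    The BSD timestamp space-pads single-digit days; that padding is the kind
    of correction Auto-fix applies for RFC 3164."""
    ts: datetime = event["timestamp"]
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    tag = event["tag"]
    if event.get("procid"):
        tag = f"{tag}[{event['procid']}]"
    return f"<{_resolve_priority(event)}>{stamp} {event['hostname']} {tag}: {event['content']}"


def _sd_escape(value: str) -> str:
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_sd(sd: Optional[Dict[str, Dict[str, str]]]) -> str:
    """Render structured data as [SD-ID k="v" ...] elements, or NILVALUE."""
    if not sd:
        return NILVALUE
    elements = []
    for sd_id, params in sd.items():
        body = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items())
        elements.append(f"[{sd_id} {body}]" if body else f"[{sd_id}]")
    return "".join(elements)


def rfc5424(event: dict) -> str:
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    Absent header fields become '-'; the timestamp must carry a timezone."""
    ts: datetime = event["timestamp"]
    if ts.tzinfo is None:
        raise ValueError("RFC 5424 timestamps require a timezone")
    header = " ".join([
        f"<{_resolve_priority(event)}>1",
        ts.isoformat(),
        event.get("hostname") or NILVALUE,
        event.get("appname") or NILVALUE,
        event.get("procid") or NILVALUE,
        event.get("msgid") or NILVALUE,
        format_sd(event.get("structured_data")),
    ])
    return f"{header} {event['content']}"


# Constructed sample event, as the pipeline might extract it from an SSH log.
SAMPLE_EVENT = {
    "timestamp": datetime(2024, 5, 1, 8, 5, 9, tzinfo=timezone.utc),
    "hostname": "fw-edge-01",
    "facility": 4,       # auth
    "severity": 4,       # warning
    "tag": "sshd",
    "appname": "sshd",
    "procid": "2145",
    "msgid": "AUTHFAIL",
    "structured_data": {"example@32473": {"pipeline": "qradar-out", "tenant": "demo"}},
    "content": "Failed password for invalid user admin from 203.0.113.7 port 55213 ssh2",
}

if __name__ == "__main__":
    print(rfc3164(SAMPLE_EVENT))
    print(rfc5424(SAMPLE_EVENT))
```

Mapping Severity and Facility separately is usually safer than mapping a raw Priority field from the source: the range checks on each component catch a mis-mapped field before QRadar silently files the event under the wrong facility.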


Click Save to save your configuration.