Maximize QRadar SIEM with SevOne NPM anomaly detection

By Raul Gonzalez posted Wed January 10, 2024 09:49 AM


SIEM solutions like QRadar SIEM are tools that offer security threat detection and response for different types of security risks in your IT environment. Most of the time these tools rely on receiving events from different parts of the network, such as syslog messages or SNMP traps from network devices, log files from applications, and events from servers and operating systems, and then, using different techniques, correlate related events into a single ‘issue’ or ‘offence’ as it is called in QRadar.

QRadar Dashboard

Therefore, a big part of keeping your network secure is analysing the log data received from the network. But what happens when the network devices don’t know yet that there is a security threat? What happens when the next security issue can’t be detected by monitoring events?

QRadar Event

Imagine the following scenario: suddenly there is a spike of ICMP packets received on a firewall, but a rule on that firewall (for reasons we won’t get into) is allowing those packets through. Since we can’t enable DEBUG mode on every firewall rule that allows traffic through (we would kill the device), we cannot detect this security threat using logs or events.

SevOne Security Network Report


What if we could monitor the total number of hits on all firewall rules using SNMP? That’s something almost all NPM solutions, like SevOne, can do, but what about detecting anomalies in the behaviour of those firewall rules? SevOne not only collects the metrics, but also analyses the collected data to understand whether there is an anomaly in that metric.

SevOne Anomaly Detection


For example, in the scenario described above, SevOne would be able to detect the anomaly in the number of hits on the firewall rule allowing ICMP traffic through and would send that event to QRadar for further analysis, in order to find where the issue comes from and how to mitigate it.
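To make the two steps in that scenario concrete (baselining an SNMP rule hit counter and forwarding the anomaly to QRadar), here is an added example that is not SevOne or QRadar code. It assumes the rule hit counter is polled as a 32-bit SNMP Counter32 every five minutes, uses a median/MAD baseline (one of several anomaly methods; SevOne's own algorithm is not described on this page), and formats the alert as a LEEF 1.0 syslog payload. The device name, rule name, LEEF vendor/product header fields, custom attribute keys and the counter readings are all constructed for illustration.

```python
"""Anomaly detection on SNMP-polled firewall rule hit counters, with the
resulting alert formatted as a QRadar LEEF syslog event.

Added example, not SevOne or QRadar code. Assumptions: the rule hit counter is
polled as a 32-bit SNMP Counter32 every 5 minutes; the device, rule and
counter values below are constructed for illustration."""
from statistics import median

COUNTER_MAX = 2 ** 32  # Counter32 wraps back to 0 after this value

# Constructed sample: cumulative hits on an "allow ICMP" rule, one reading per
# 5-minute poll. The counter sits just below 2^32 so a wrap occurs mid-series,
# and the ninth interval carries a spike (about 4800 hits vs ~115 normally).
SAMPLE_READINGS = [
    4294966000, 4294966110, 4294966230, 4294966335, 4294966450, 4294966575,
    4294966693, 4294966805, 4294966913, 4417, 4538,
]


def counter_deltas(readings):
    """Turn cumulative counter readings into per-interval increments.

    A negative difference means the 32-bit counter wrapped between polls
    (or the device rebooted; a real collector would check sysUpTime too).
    """
    deltas = []
    for prev, cur in zip(readings, readings[1:]):
        d = cur - prev
        if d < 0:
            d += COUNTER_MAX
        deltas.append(d)
    return deltas


def robust_baseline(window):
    """Median and median absolute deviation (MAD) of a window of deltas.

    Median/MAD are used instead of mean/stddev so that one spike does not
    inflate the baseline for the intervals that follow it.
    """
    m = median(window)
    mad = median(abs(x - m) for x in window)
    return m, mad


def detect_anomalies(deltas, window=6, k=5.0, min_abs=50):
    """Flag intervals whose increment exceeds median + k*MAD of the preceding
    `window` increments. `min_abs` suppresses alerts on near-idle rules where
    MAD is close to zero and a handful of extra hits would otherwise trip k*MAD.

    Returns a list of (interval_index, observed_hits, baseline_median).
    """
    anomalies = []
    for i in range(window, len(deltas)):
        m, mad = robust_baseline(deltas[i - window:i])
        threshold = m + k * max(mad, 1.0)
        if deltas[i] > threshold and deltas[i] - m >= min_abs:
            anomalies.append((i, deltas[i], m))
    return anomalies


def leef_event(device, rule, observed, baseline, dev_time):
    """Format one anomaly as a LEEF 1.0 payload for QRadar.

    Header fields (vendor, product, version, event id) and the fwRule/
    observedHits/baselineHits keys are assumptions for this example;
    devTime, devTimeFormat, devName and sev are LEEF's predefined keys.
    Attributes are tab-separated as LEEF 1.0 requires.
    """
    attrs = {
        "devTime": dev_time,
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "devName": device,
        "fwRule": rule,
        "observedHits": observed,
        "baselineHits": baseline,
        "sev": 7,
    }
    body = "\t".join(f"{key}={value}" for key, value in attrs.items())
    return "LEEF:1.0|ExampleNPM|RuleHitAnomaly|1.0|HitSpike|" + body


def analyze(device, rule, readings, poll_times):
    """Run detection over a counter series and return the LEEF events that a
    collector would forward to QRadar via syslog. `poll_times[i]` is the
    timestamp of reading i; interval i ends at reading i+1."""
    events = []
    for idx, observed, baseline in detect_anomalies(counter_deltas(readings)):
        events.append(leef_event(device, rule, observed, baseline, poll_times[idx + 1]))
    return events


if __name__ == "__main__":
    # Constructed poll timestamps, one per reading, 5 minutes apart.
    times = [f"Jan 10 2024 09:{m:02d}:00" for m in range(0, 55, 5)]
    for event in analyze("fw-edge-01", "allow-icmp-in", SAMPLE_READINGS, times):
        print(event)
```

Two points worth noticing when running it: the counter wrap between the ninth and tenth readings is absorbed by `counter_deltas`, so the spike is measured as 4800 hits rather than a huge negative number, and because the baseline is a median rather than a mean, the interval right after the spike (121 hits) is still compared against a normal baseline instead of being masked by the outlier. The `min_abs` floor is the practical caveat: on a rule that normally sees a few hits per interval, MAD is near zero and a purely relative threshold would page on noise.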

SevOne Events in QRadar


There are hundreds of examples of how an NPM solution like SevOne, with the ability to detect anomalies on every single metric it monitors, can help solutions like QRadar become more efficient and effective at detecting and mitigating security threats.

QRadar Offence