I asked a Dev this question from our integrations team and this was their response:
We support Security Lake for GuardDuty, CloudTrail, VPC Flows, and Route53. Other providers pushing into Security Lake would require a DSM update to add parsing and mapping for events. There is no "Generic OCSF" parser yet. QRadar can parse metadata generically, but the EventID could be in various places depending on how a vendor chooses to slot things into the schema.
------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
------------------------------
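To make the "EventID could be in various places" point concrete, here is an added example (not QRadar or IBM code, and not part of the original reply) that derives an event identifier from OCSF-shaped records using the schema's own convention that type_uid equals class_uid * 100 + activity_id, and flags records where no OCSF identifier can be derived. The three sample records are constructed to resemble Security Lake GuardDuty and VPC flow events plus a hypothetical third-party source; field values are illustrative, not captured data.

```python
import json

# Constructed sample records in the shape of OCSF events (not real captured data).
# The GuardDuty-style record carries a ready-made type_uid; the VPC-flow-style
# record omits it so only class_uid/activity_id exist; the third record is a
# hypothetical third-party source that stores its id outside the OCSF fields.
SAMPLE_EVENTS = [
    {"class_uid": 2004, "category_uid": 2, "activity_id": 1, "type_uid": 200401,
     "metadata": {"version": "1.0.0-rc.2",
                  "product": {"name": "GuardDuty", "vendor_name": "AWS"}},
     "finding": {"title": "constructed finding"}},
    {"class_uid": 4001, "category_uid": 4, "activity_id": 6,
     "metadata": {"version": "1.0.0-rc.2",
                  "product": {"name": "Amazon VPC", "vendor_name": "AWS"}},
     "src_endpoint": {"ip": "10.0.0.5"}},
    {"metadata": {"product": {"name": "ExampleVendorTool"}},
     "event": {"id": "XV-1234"}},  # vendor-specific id, not an OCSF identifier
]

def ocsf_event_id(record):
    """Return (event_id, how), where how names the OCSF field(s) that supplied it.

    OCSF defines type_uid as class_uid * 100 + activity_id, so a missing
    type_uid can be recomputed when both base fields are present. Returns
    (None, 'unmapped') when neither path works, i.e. the record would need a
    source-specific parser (a DSM update, in QRadar terms) to be categorised."""
    if isinstance(record.get("type_uid"), int):
        return record["type_uid"], "type_uid"
    class_uid = record.get("class_uid")
    activity_id = record.get("activity_id")
    if isinstance(class_uid, int) and isinstance(activity_id, int):
        return class_uid * 100 + activity_id, "class_uid*100+activity_id"
    return None, "unmapped"

def triage(records):
    """Split records into mapped and unmapped lists, each entry tagged with
    the product name from OCSF metadata and the derived event id.

    Unmapped records are kept separately so an operator can see which sources
    still lack parsing instead of silently landing as unknown events."""
    mapped, unmapped = [], []
    for rec in records:
        product = rec.get("metadata", {}).get("product", {}).get("name", "?")
        event_id, how = ocsf_event_id(rec)
        (mapped if event_id is not None else unmapped).append(
            {"product": product, "event_id": event_id, "source": how})
    return mapped, unmapped

if __name__ == "__main__":
    m, u = triage(SAMPLE_EVENTS)
    print(json.dumps({"mapped": m, "unmapped": u}, indent=2))
```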
Original Message:
Sent: Thu March 07, 2024 07:04 PM
From: Charlie Kemp
Subject: AWS Security Lake + QRoC Integration
Hey everyone,
We are currently investigating how to ingest OCSF logs from AWS Security Lake into QRoC. We have UAX but aren't using it; we want to store the logs on system, i.e. QRoC.
Reading (and viewing the diagram) on here: IBM QRadar SIEM & XDR Connect add support for Amazon Security Lake & AWS Verified Access
It would suggest that we can ingest logs directly from the Security Lake via OCSF, but it doesn't look to be native to QRoC? Has anyone tried something like this?
TIA
------------------------------
Charlie Kemp
------------------------------