Good day,
I have a question about creating Offences using the API. The docs for the REST API v.7.3.x don't present this option so far. I have already found one thread:
https://www.ibm.com/developerworks/community/forums/html/topic?id=de47be11-2337-4755-ad30-17114344d1b6
But the answer from IBM is inadequate, and I want to ask whether there is any chance that the API will be extended regarding Offences.
There are serious integration reasons:
- Integration with other environments (SPLUNK, SCOM, etc.), syncing incidents and correlating them. There is no reason to re-implement them in QRadar, as they are already implemented elsewhere, but it is useful to integrate and correlate them.
- We want to integrate the endpoint Offences detected by malware detection and centralize them in QRadar. Yes, we can write a rule for parsing the logs, but this is an obsolete design. The Offence was already identified and we just want to integrate it into QRadar: create the Offence in QRadar with links plus other incident-specific metadata not present in the log, and send analysts directly to the malware detection site. Create and close the Offence automatically based on the outcome from the malware detection system.
- We detect some Offences better in the database/DWH. E.g. for the Windows environment we have our own parsing, more efficient than WinCollect. WC parses structured XML data into Syslog, but we are storing and parsing the original EventLog XML message. We are able to get search results in tens of ms on very large data sets using low-end HW vs. a high-end QRadar environment. Of course, for scenarios where different Log Sources outside of the Windows EventLog are combined, we use QRadar. But for the vast majority of security events from the Windows environment, we only use events from the EventLog and parse them better and search much faster than QRadar. There is no reason to do it slowly in QRadar, but there is reason to generate Offences into QRadar to keep it as the central Offence reporting.
I understand this is a matter of EPS, licensing costs and QRadar revenue. But the reasons above are so important for modern security architecture that IBM should consider them to keep QRadar competitive with other solutions and extend the API to support wider integration scenarios.
Thanks for any suggestions and feedback.
------------------------------
John G.
------------------------------