IBM QRadar


Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  how to integrate RSA Netwitness with IBM Qradar

    Posted Sun December 26, 2021 09:34 AM

    Dear All,

    Kindly need your support: how can we integrate RSA NetWitness alerts with QRadar SIEM?





  • 2.  RE: how to integrate RSA Netwitness with IBM Qradar

    Posted Mon December 27, 2021 05:01 AM

    Hi,

    Did you check the QRadar integration guide provided by RSA?

    https://community.rsa.com/yfcdo34327/attachments/yfcdo34327/netwitness-threat-intelligence/8/1/QRadar.pdf

    Please go through the above guide and share your thoughts on how it went.

    Thank you.





  • 3.  RE: how to integrate RSA Netwitness with IBM Qradar

    Posted Mon December 27, 2021 05:14 AM

    Dear Prabir,

    I did, but we are receiving only one alert from RSA NetWitness. Once I try to create a custom DSM parser for that, the whole event information does not show up.

    Application logs: receiving.

    Alerts (use cases) - only one alert





  • 4.  RE: how to integrate RSA Netwitness with IBM Qradar

    Posted Mon December 27, 2021 05:56 AM

    Since it seems to be an integration over syslog from the integration guide, you can try and do a tcpdump on the QRadar to check if you are receiving more than one alert being forwarded from RSA to QRadar. If not, this is something that needs to be sorted out from the RSA side. If you are getting the alerts but they are going to unknown, then also check the SIM Generic log source in case they are not being properly tagged to your custom DSM. After you find it, you can map the unknown events accordingly.



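The capture check suggested in reply 4, as an added example that is not part of the thread or of any RSA or IBM guide: it counts the syslog messages seen in `tcpdump -A` text output and how many of them differ once the timestamp is removed. The sender IP, port, file path and the sample payload fields are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Capture on the QRadar host first; the
# sender IP 192.0.2.10, port 514 and output path are assumptions:
#   tcpdump -nn -i any -A -s 0 host 192.0.2.10 and port 514 > /tmp/nw_capture.txt
#   count_total < /tmp/nw_capture.txt; count_distinct < /tmp/nw_capture.txt

# Pull each syslog message (text from its <PRI> tag onward) out of tcpdump -A text.
extract_syslog() {
    grep -aoE '<[0-9]{1,3}>.*'
}

# Number of syslog messages that actually reached this host.
count_total() {
    extract_syslog | wc -l | tr -d ' '
}

# Number of different messages once the PRI tag and RFC 3164 timestamp are removed,
# which separates "one alert resent many times" from "many different alerts".
count_distinct() {
    extract_syslog |
        sed -E 's/^<[0-9]{1,3}>//; s/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} //' |
        sort -u | wc -l | tr -d ' '
}

# Constructed sample of tcpdump -A output; the payload fields are invented for
# illustration and are not the NetWitness alert format.
sample_capture() {
    cat <<'EOF'
05:50:01.000001 IP 192.0.2.10.40112 > 192.0.2.20.514: SYSLOG local0.notice, length: 61
E..Y..@.@.......<133>Dec 27 05:50:01 nw-host alert=constructed-rule-A severity=5
05:51:07.000002 IP 192.0.2.10.40112 > 192.0.2.20.514: SYSLOG local0.notice, length: 61
E..Y..@.@.......<133>Dec 27 05:51:07 nw-host alert=constructed-rule-A severity=5
05:52:30.000003 IP 192.0.2.10.40112 > 192.0.2.20.514: SYSLOG local0.notice, length: 61
E..Y..@.@.......<133>Dec 27 05:52:30 nw-host alert=constructed-rule-B severity=7
EOF
}
```

A total of 1 points at the sending side; a larger total while events land in unknown points at log source tagging and event mapping, as the reply describes.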