IBM QRadar

  • 1.  Using data lake to forward logs to QRadar

    Posted Tue March 11, 2025 06:48 AM

    Hi,

    We are trying to make use of our Cloudera data lake.

    I need your guidance on the following scenario:

    We have a SIEM (QRadar) infrastructure where Event Collectors receive logs from various data sources. These logs are correlated based on SIEM rules and use cases.

    We plan to send logs to the SIEM while also storing a copy in a data lake.

    We have structured the workflow as follows:
    DATA SOURCES → Cloudera NiFi → Store in DATA LAKE & Forward to SIEM

    So far we have tried multiple approaches on how to make this work but were unable to make it successful.

    Did anyone have any experience on how to do this?



    ------------------------------
    Abdullah Tadefi
    ------------------------------


  • 2.  RE: Using data lake to forward logs to QRadar

    Posted Thu March 13, 2025 07:12 PM

    You don't mention what issues you ran into, but looking at Cloudera NiFi DataFlow Processors and Controller Services, they support syslog listeners and readers. You could try to change the data flow like:

    DATA SOURCES → Received/correlated by SIEM → Forward to Cloudera NiFi DataFlow Processors and Controller Services → Store in DATA LAKE

    To establish this, you should create a forwarding destination in your QRadar following these instructions: https://www.ibm.com/docs/en/qsip/7.5?topic=administration-forward-data-other-systems

    Good luck,

    Erwin



    ------------------------------
    Erwin
    ------------------------------



  • 3.  RE: Using data lake to forward logs to QRadar

    Posted Sun March 16, 2025 12:50 AM

    Hi Erwin,

    Actually we need to send the logs to the data lake, and from there forward them to the SIEM. The issue here is that we are unable to properly set up that connection.

    We can get the logs going to the data lake, but when we try to do data lake to SIEM, it's either not communicating with the SIEM, or if we get them to work they are not parsed properly or assigned to a proper log source, and appear as an unknown log event.



    ------------------------------
    Abdullah Tadefi
    ------------------------------



  • 4.  RE: Using data lake to forward logs to QRadar

    Posted Thu March 20, 2025 12:02 AM

    You probably need to configure NiFi to retain the original syslog headers, since QRadar uses those to identify the log source. I came across a post here, maybe this helps: https://community.cloudera.com/t5/Support-Questions/Assistance-Needed-Log-Routing-and-Processing-with-NiFi/m-p/402428#M251652



    ------------------------------
    Erwin
    ------------------------------
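The following is an added example, not code from this thread, from IBM, or from Cloudera. It simulates the failure mode Erwin points at in reply 4: a relay that wraps every forwarded line in its own syslog envelope makes all events look like they come from the relay host, so a collector that identifies the log source by the header hostname files them under one (unknown) source. The RFC 3164-style header shape, the hostnames (fw-edge-01, srv-db-02, nifi-node-01), the sample log lines and the simplified collector behaviour are all constructed assumptions for the demonstration; the real QRadar log source auto-detection logic is not reproduced here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed header shape (RFC 3164 style): "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG".
# The hostname field is what the simplified collector below uses as the
# log source identity.
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

# Constructed sample events from two hypothetical hosts (not real data).
SAMPLE_LINES = [
    "<134>Mar 16 00:45:01 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22",
    "<134>Mar 16 00:45:02 fw-edge-01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP DPT=443",
    "<38>Mar 16 00:45:03 srv-db-02 sshd[2041]: Accepted publickey for dbadmin from 198.51.100.9 port 51022 ssh2",
]


@dataclass
class SyslogEvent:
    priority: int
    timestamp: str
    hostname: str
    body: str


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse the outermost syslog header; return None if the line has none."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return SyslogEvent(int(m["pri"]), m["ts"], m["host"], line[m.end():])


def log_source_identifier(line: str, sender_ip: str) -> str:
    """Simplified collector behaviour (assumption): take the log source
    identity from the header hostname, falling back to the IP address of
    the peer that delivered the line when no header parses."""
    ev = parse_syslog(line)
    return ev.hostname if ev else sender_ip


def relay_rewrapped(line: str, relay_host: str) -> str:
    """A relay that nests the original line inside a new envelope of its own.
    This is the failure mode: the original hostname ends up in the body."""
    return f"<13>Mar 16 00:50:00 {relay_host} nifi: {line}"


def relay_preserved(line: str) -> str:
    """A relay that forwards the raw line untouched (header retained)."""
    return line


def unwrap_nested(line: str) -> str:
    """Recover the original line when a relay nested it inside its own header:
    the innermost header is the one the originating host wrote."""
    hits = list(HEADER_RE.finditer(line))
    if len(hits) <= 1:
        return line
    return line[hits[-1].start():]


def attribute(lines: List[str], sender_ip: str) -> Dict[str, int]:
    """Count events per log source identity, as the collector would see them."""
    return dict(Counter(log_source_identifier(l, sender_ip) for l in lines))


if __name__ == "__main__":
    relay_ip = "10.0.0.5"  # constructed address of the relay node
    print("header preserved:", attribute([relay_preserved(l) for l in SAMPLE_LINES], relay_ip))
    wrapped = [relay_rewrapped(l, "nifi-node-01") for l in SAMPLE_LINES]
    print("header re-wrapped:", attribute(wrapped, relay_ip))
    print("after unwrapping: ", attribute([unwrap_nested(l) for l in wrapped], relay_ip))
```

With the header preserved, the collector sees two sources (fw-edge-01 with two events, srv-db-02 with one); re-wrapped, all three events collapse onto nifi-node-01, which matches the "unknown log event" symptom in reply 3. The same check works as a quick diagnostic on a packet capture between the relay and the collector: if every line starts with the relay's own hostname, the relay is rewriting headers rather than retaining them, and the fix belongs in the relay configuration (forward the raw line) rather than in the SIEM.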