IBM Security Global Forum

 View Only

XDR connect & QRadar integration usecases

By Betala Shanbhag posted Tue July 19, 2022 08:55 AM


IBM Security® QRadar® Security Information and Event Management (SIEM) helps security teams detect, prioritize and respond to threats across the enterprise. As an integral part of your XDR and zero trust strategies, it automatically aggregates and analyzes log and flow data from thousands of devices, endpoints and apps across your network, providing single, prioritized alerts to speed incident analysis and remediation. QRadar SIEM is available for on-premises and cloud environments.

XDR Connect is a platform to help organizations connect their security controls and automate their SOC to free up time for what matters most. It is part of the QRadar XDR product suite, runs on Cloud Pak for Security, and combines the capabilities of Cases, Threat Investigator, Threat Intelligence Insights, Data Explorer, and Detection & Response Center into a seamless workflow.

QRadar SIEM and Cloud Pak for Security integrations are addressing following usecases:

  1. Visibility to Events & Flows, from multiple QRadar instances on Single pane of glass: With UDI connector configuration, one can use Data Explorer application to run federated search across multiple QRadar instances, to get results on a single pane of glass.

Data Explorer also provides capabilities such as initiating an AQL query at multiple QRadar instances and developing Threat Hunting using Kestrel – an opensource threat hunting language.


  1. Visibility to analytics and operational data: By configuring QRadar Proxy authentication token, one can get the analytics and operational data from IBM QRadar on the Cloud Pak for Security dashboards. There are QRadar specific dashboards –

QRadar SIEM Analytics dashboard:  To view summary information such as events per user, top log sources, and top rules.

QRadar SIEM Monitoring dashboard: To view QRadar operational data such as peak and average event rate (EPS) and disk usage.

User Behavior Analytics dashboard: That provides a summary of data from QRadar and the QRadar User Behavior Analytics app.

These dashboards are populated using Widgets that contain a QRadar query and a chart. The widgets can be modified to add more charts as different views, such as a pie or bar chart.

The widgets can also be used to create custom dashboard, to derive at focused analytics.


  1. Visibility to QRadar Asset Database: Configuring CAR connector synchronizes the contents of the QRadar® asset databases with the data that is managed by the Connected Assets and Risk service. The asset data helps in below usecases:

The asset data is fed into Risk Manager, that provides early visibility into potential security risks by correlating insights from multiple vectors to help you prioritize remedial actions based on prescriptive recommendations. CAR connection provides asset and vulnerability details for IoC such as hostname and host IP.

  1. Visibility to User Behavior Analytics: Setting up the connection to QRadar from QRadar Proxy, one can get UBA Overview page populated with overall risk data for users in your network and on drill down provides details for the selected user. This provides complete insights around users and user risk

  1. Respond to offenses: With configuring IBM SOAR QRadar Plugin/App on QRadar, offenses are escalated from QRadar into Cases application of Cloud Pak for Security. SOAR platform generates a detailed, incident-specific response plan that enables team members to quickly respond.


  1. Offense Data Enrichment: The IBM Security QRadar Enhanced Offense Data integration with IBM Security Case Management provides the ability to view all QRadar offense data in a case tab on the Case Management application. This helps to simplify case management and response by locating all key case information in a central and consistent location.
  1. Visibility to Usecases/Rules: With Detection and Response Center application on Cloud Pak for Security, one can (i) Validate QRadar rules by filtering different properties (ii)Determine rules that might need update (iii) Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide and (iv) MITRE heat map to visualize rule mappings to a tactic or technique.


With this blog I have listed the possible use-cases of integrating IBM QRadar SIEM with XDR connect. GSI Ecosystem Lab Security team is actively developing more such use cases and deep dive demonstrations.

If you have any questions regarding any of the points mentioned above or want to discuss this further, feel free to get in touch.

Betala R. Shanbhag: