QRadar – The Intelligent SIEM for Splunk

By Sophia McCarthy posted Fri January 04, 2019 01:31 PM


Many large enterprises today are aware of the importance of monitoring and responding to threats detected within their network. These organizations have security analysts who are responsible for reporting on the log and network activity that occurs within their organizations. There are multiple solutions available today that provide log management capabilities for event data reporting.

Splunk and QRadar are both log management platforms that showcase different attributes. Splunk log management platform provides great generic log management capabilities in search and reporting. Whereas, QRadar’s focus is on easy to use, accurate, fast threat detection and response, streamlining security operations with built-in security intelligence, integration and automation.

Splunk is excellent in silos at executing simple use cases across domains. However, the security domain is far from simple with extremely sophisticated and persistent adversaries. Hence, security analysts understand the importance of having a platform that can consume this data from multiple domains and correlating this data in its advanced threat detection platform. QRadar makes complex security use cases easy to implement and maintain due to its focus on the security domain.


We have now made it easier! QRadar Security Intelligence Platform offers an innovative tool to retrieve forwarded logs from one or more Splunk Instances to a QRadar deployment through delivery of an App, the IBM QRadar App for Splunk Data Forwarding, that is now available through the IBM Security App Exchange.


How can QRadar with Splunk help?


Splunk event data is forwarded to QRadar in its raw syslog format, and QRadar’s data intelligence platform has the ability to take Splunk’s raw data, send it through QRadar’s Traffic Analysis Engine to be parsed and normalized from over 500 types of devices.


Additionally, if event data is forwarded in Splunk’s native logging format, QRadar’s platform offers the functionality to parse and normalize the data using log source extension and mapping event data. This can be accomplished using QRadar’s DSM Editor that is designed to extract fields, define custom properties, categorize events, and define new event mapping definition.


For analysts to effectively mitigate risks and accurately detect and respond to threats, they need to be armed with the tools that work together to support the entire response lifecycle.


QRadar provides accurate real-time insights through the attack cycle to help you predict and detect threats faster. As a result, you can respond faster, reduce the impact of a threat and recover more quickly.


Integrating QRadar and Splunk


This integration offers the ability to configure automatic forwarding of logs from one or more Splunk Universal and/or Heavy Forwarders to a QRadar deployment and includes automatic syncing of Splunk data sources. The application generates notifications after every sync operation (including manual and automatic sync) to highlight Splunk Sources that were added or removed from configured Splunk Instances. The following image highlights the app’s simplicity in connecting to Splunk Forwarders.



With both platforms integrated, we have visibility into which source types are monitored on the specified Splunk Instance.




QRadar’s data intelligence platform allows fast onboarding and managing of log sources to parse and normalize the collected data through existing Device Support Modules (DSMs) and associated custom properties. The following image highlights the analytics-ready data, enriched with enterprise context and security taxonomy in QRadar’s Log Activity.


Are you ready for seamless integration?


What makes this app unique and powerful is its seamless integration with the Splunk platform to provide real-time data streaming, rapid onboarding of multiple data sources for advanced and automated analytics and correlation of event data, eliminating the need for manual configuration of individual data sources.

1 comment



Thu March 21, 2019 02:54 PM

I really like that we have a process to formally take in Splunk as customers will appropriately use it for IT-OPs log management rather than security.  Many of my customers in Public Sector have Splunk and will want to keep it in place.