QRadar XDR

Need advise for First level support

  • 1.  Need advise for First level support

    Posted Sun September 12, 2021 09:53 AM
    Hi All,

    There is a requirement where we would be replacing Company A with Company B for our first-level monitoring, which is done using QRadar. Currently Company A is doing Level 1 monitoring for us (we are a customer of theirs) and has been for the last few hours. Now, as the contract is going to expire, we will be replacing their services with Company B, meaning this new company will be doing Level 1 monitoring for us.

    I need to understand what changes will occur, and can you think of any issues/risks associated with such a contract change?
    So even though we are changing the service-providing companies, QRadar will remain the same SIEM tool (both companies use the same tool).

    I have a few questions:
    1) How will the new company (Company B) access our infrastructure for monitoring?
    2) Do we need to re-integrate all the log sources all over again?
    3) How do we establish communication with the new company?

    Any additional information from your end.


    I know this is non-technical, but in my role I need to understand this.

    Asif Siddiqui, Senior Security Analyst

  • 2.  RE: Need advise for First level support

    Posted Wed September 15, 2021 05:43 AM
    This is exciting! I have seen this happen a couple of times in my career and I sincerely hope you get a better monitoring service than you got before. Typically this is not the case in my experience, as long as your SLAs are not adapted to your real needs and a small team of security DevOps on site defines what you really need.
    You say "SIEM tool (Both companies use the same tool)." Does this mean you have no QRadar component on prem at all? If this is the case you have to start all over again. If your new service provider knows how to migrate installs (e.g. using CMT for data transfer) it's less of a problem. If not, it is severe!
    Most providers using QRadar use onsite collectors for gathering all the data the SIEM needs. If that is being replaced, there will probably be a first step for onboarding your log sources. If the SIEM configuration for log sources is well documented, it's straightforward if the new collector is set up as a clone of the old one. This, however, requires a collector on site. If your log sources point to their QRadar, you have to go through the onboarding process again and change each device config to define the new target IP address, for instance. Typically a VPN is used for establishing communication to your service company, regardless of whether collectors are used onsite or not. This involves private IPs at the VPN tunnel end which are similar but different for each provider. If public IPs are used, the IPs are different anyway.
    My recommendation: think about a QRadar of your own and just outsource the monitoring service. This makes a provider change much easier. Of course you will need some more budget :-) Hope I could answer most of your questions.

    Karl Jaeger, Business Partner
    QRadar Specialist
    Karlsruhe, Germany