IBM QRadar


QRadar in DR

Karim Atef posted Thu February 20, 2025 05:54 AM

In a DR deployment, does the QRadar in the DR site work as a normal SIEM to collect extra logs from the devices in the DR while it works as a DR to the MAIN site?

Is the data from the MAIN site viewed and accessed in the DR site before activating the DR?

Neel Jotani

Hello,

Yes, the QRadar in the disaster recovery site can work as a normal SIEM to collect extra logs from the devices at the disaster recovery site. It can also view the data from the Main site before activating the Disaster Recovery. This is possible because the QRadar at the disaster recovery site has access to the data from the main site through established network connections and data transfer protocols. The data is securely transferred and accessed at the disaster recovery site for analysis and monitoring.

Thank you

Karim Atef

Hi @Neel Jotani 

Thank you for your support.

In a QRadar Disaster Recovery (DR) setup, can the DR site function normally and remain fully operational before a disaster occurs, even with a DR license? I came across an article mentioning that DR site services might be suppressed in such cases.

https://community.ibm.com/community/user/security/blogs/joel-violette1/2020/09/08/ibm-qradar-data-sync-app

In my scenario, I have a fully operational main site and have purchased a DR license for the DR site. Some services are running separately at the DR site, and I want to configure it as a DR for the main site while still collecting logs from those independent services.

Could you clarify how this setup impacts the DR SOC team in the event of a failover? Would they continue their operations as usual, or would their workflows change? Additionally, in a failover scenario, would the DR SOC team still have access to historical data from the main site, or would they be limited to data replicated before the failure?

Please mention what data is viewed in the DR for each phase.

Looking forward to your insights.

Neel Jotani

Yes, the QRadar in the disaster recovery site can work as a normal SIEM to collect extra logs from the devices at the disaster recovery site. It can also access the data from the MAIN site and view it before activating the Disaster Recovery.