IBM QRadar

  • 1.  Slack Audit Log Ingestion

    Posted Wed February 09, 2022 06:57 PM

    Has anyone ever successfully set up logging ingestion for Slack audit logs? If so, can you describe how you did it? Thanks



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Slack Audit Log Ingestion

    Posted Thu March 17, 2022 05:33 AM

    Soon, I am going to be working on an integration attempting to use QRadar's Universal Cloud Connector to connect to Slack's API and pull events in through a custom Universal Cloud REST API Protocol uDSM, and then work on parsing and mapping the events that get pulled.

    Slack's documentation:

    https://api.slack.com/admins/audit-logs

    (Article) Introducing the Universal Cloud Connector

    https://community.ibm.com/community/user/security/blogs/sophia-sampath1/2020/10/05/introducing-the-universal-cloud-connector

    (Webinar) Introducing Universal Cloud Connector for IBM Security QRadar

    https://community.ibm.com/community/user/security/events/event-description?CalendarEventKey=dab3047c-cb4a-4723-b2cb-e3ef549e0f69&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&Home=%2Fcommunity%2Fuser%2Fsecurity%2Fevents%2Fevent-description

    QRadar Universal Cloud REST API Protocol

    https://www.securitylearningacademy.com/course/view.php?id=5626

    Universal Cloud REST API protocol DSM guide:

    https://www.ibm.com/docs/en/qsip/7.4?topic=configuration-universal-cloud-rest-api-protocol

    https://www.ibm.com/docs/en/dsm?topic=configuration-universal-cloud-rest-api-protocol

    PDF: http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_dsm_guide.pdf

    Sample Workflows on GitHub:

    https://github.com/ibm-security-intelligence/IBM-QRadar-Universal-Cloud-REST-API

    Jose Bravo: The Universal Cloud REST API Protocol (Part One)

    https://youtu.be/fqoank4ZtRA

    Jose Bravo: Universal Cloud REST API Protocol (Part Two)

    https://youtu.be/MqSxJShrHDg





  • 3.  RE: Slack Audit Log Ingestion

    Posted Tue August 16, 2022 01:32 PM

    Have you been successful in integrating Slack using QRadar's Universal Cloud Connector? I have a potential customer looking into integrating those logs but I have no experience with scripting at all. Thanks.





  • 4.  RE: Slack Audit Log Ingestion

    Posted Tue August 16, 2022 02:17 PM

    I wound up not using the cloud connector at all. I came up with a very home-grown solution.


    1. I created a curl command that could query the events I'm looking for from Slack and then dump the data as a text file to a Windows server. The curl command is actually executed from my Windows server. A co-worker of mine found a DOS shell curl.exe command that can do curl commands for you in a Windows/DOS environment. The text file the curl command creates is a single file that actually has several (sometimes many) events all in the same file.
    2. Once I have the text file saved on my Windows server, I wrote a VB.net program that will examine the single file the curl command created, and the program will parse out all the individual events from the one big file and create a bunch of single text files with each text file containing the data for just a single event.
    3. I set up the Windows server for FTP services so that QRadar could import those "children" text files into QRadar.


    If you have further questions on this, feel free to contact me directly at tim



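Step 2 of the procedure above (splitting one API response dump into single-event files that a file-based log source can pick up), as an added Python example that is not the poster's VB.net program. It assumes the Slack Audit Logs API response shape of a top-level `entries` list plus `response_metadata.next_cursor`; the sample response is constructed.

```python
import json
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed sample of a Slack Audit Logs API response (assumed shape:
# "entries" list plus "response_metadata.next_cursor"); not real Slack data.
SAMPLE_RESPONSE = json.dumps({
    "entries": [
        {"id": "0123a45b-6c7d-8901-e2f3-4567890ab12c", "date_create": 1644448620,
         "action": "user_login",
         "actor": {"type": "user", "user": {"id": "W123", "name": "alice"}},
         "entity": {"type": "workspace", "workspace": {"id": "T001", "name": "example"}},
         "context": {"ip_address": "203.0.113.7", "ua": "Mozilla/5.0"}},
        {"id": "1123a45b-6c7d-8901-e2f3-4567890ab12d", "date_create": 1644448700,
         "action": "file_downloaded",
         "actor": {"type": "user", "user": {"id": "W456", "name": "bob"}},
         "entity": {"type": "file", "file": {"id": "F001", "name": "report.pdf"}},
         "context": {"ip_address": "198.51.100.2", "ua": "curl/7.79"}},
    ],
    "response_metadata": {"next_cursor": "dXNlcjpVMEc5V0ZYTlo="},
})


def split_audit_entries(payload: str, out_dir: Path) -> List[Path]:
    """Write each audit entry to its own one-line JSON file named by the entry id."""
    doc = json.loads(payload)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for entry in doc.get("entries") or []:
        entry_id = str(entry.get("id") or "")
        # Only accept plain identifiers so an unexpected id can never form a path outside out_dir.
        if not entry_id or not all(c.isalnum() or c == "-" for c in entry_id):
            continue
        path = out_dir / f"{entry_id}.json"
        # One event per file, one line, stable key order: simplest input for a file log source.
        path.write_text(json.dumps(entry, sort_keys=True, separators=(",", ":")) + "\n")
        written.append(path)
    return written


def next_cursor(payload: str) -> Optional[str]:
    """Return the pagination cursor for the next query, or None on the last page."""
    meta = json.loads(payload).get("response_metadata") or {}
    return meta.get("next_cursor") or None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        files = split_audit_entries(SAMPLE_RESPONSE, Path(tmp))
        print(f"wrote {len(files)} event files; next cursor: {next_cursor(SAMPLE_RESPONSE)}")
```

Each query is repeated with the returned cursor until `next_cursor` comes back empty, so no page of events is skipped between runs.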


  • 5.  RE: Slack Audit Log Ingestion

    Posted Sun September 11, 2022 08:24 PM

    I love QRadar and I think it's a great product. But I believe this is a big reason why Splunk is gaining the market share in the SIEM world. Splunk came up with an app in 2020 for Slack integration. IBM has yet to provide any support for a Slack API.


