IBM Security QRadar
  • 1.  QRadar Data Lake

    Posted Thu November 03, 2022 01:10 PM

    Hello,

    We have a QRadar structure, with some EC's and DLC's sending to a QRadar Console. However, we have a lot of logs from various log sources that are being sent to QRadar that we don't need for Use Cases. They are just being stored for searches etc. With that, we want to keep receiving those logs that we don't need, but before they reach the QRadar Console we want to filter them in order to have just the ones we need for use cases being sent to the QRadar Console for correlation.

    In case we need the others we would need to access the Data Lake and search for them.

    What we need here is a Data Lake solution where all the logs pass through it and stay stored in it, but the ones that are needed for use cases are sent to the QRadar Console. I attached a diagram so that you can have an idea of what we need.

    Is there any viable Data Lake solution to introduce in the middle of the current structure?

    Is there a solution to accomplish this goal, like something from IBM or any partner?

    Is there any other way to implement this kind of solution without using the log-only feature?

    Forwarding the logs to the data lake from the QRadar is not a solution for us also. We have to receive the logs on QRadar already filtered.

    If it's not possible to set a Data Lake solution between QRadar and the EC's/DLC's, is there any other way to do it? Or something similar?

    Can anyone help us with this situation?

    Thank you very much.

    [attached diagram]


    ------------------------------
    Gonçalo Barbosa
    ------------------------------


  • 2.  RE: QRadar Data Lake

    IBM Champion
    Posted Mon November 07, 2022 09:08 AM
    Gonçalo,
    A data lake is what you need. You just need another instance of an event processor you can forward your filtered events to.

    Is there any viable Data Lake solution to introduce in the middle of the current structure? Yes! An EP without offense rules.

    Is there a solution to accomplish this goal, like something from IBM or any partner? QRadar will do the job.

    Is there any other way to implement this kind of solution without using the log-only feature? Yes. See above. Forward your filtered events to your 2nd EP for those use cases you really need on top of your searches on EP1.

    Forwarding the logs to the data lake from the QRadar is not a solution for us also. We have to receive the logs on QRadar already filtered. Yes. That's why you need a 2nd EP in a row.

    If it's not possible to set a Data Lake solution between QRadar and the EC's/DLC's, is there any other way to do it? Or something similar? It is possible.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: QRadar Data Lake

    Posted Mon November 07, 2022 10:00 AM
    Hello Karl,

    Thank you so much for your answer.
    Just to clarify, you are saying that we will need two event processors where one will have the events that we need for the use cases as well as the offense rules and the other will just be a repository of events that we don't need for use cases?
    How do we configure a new Event Processor to not be an EP with offense rules and just a repository for searches?
    Are you saying that we receive all the events on EP1 (the one with the use cases) but use a routing rule to forward the ones we don't want to the EP2?

    Best regards,
    Gonçalo Barbosa

    ------------------------------
    Gonçalo Barbosa
    ------------------------------



  • 4.  RE: QRadar Data Lake

    Posted Mon November 07, 2022 10:23 AM
    Hello Karl,

    To give you more context, the goal is to lower the level of EPS that we are receiving. Is it possible to accomplish that with the solution you provided?
    We were thinking: if we are receiving 20k EPS on our customers' EC's and if we have an infrastructure of 15k EPS, by having that second EP you mentioned we will still need to have the same license applied, correct?


    Thanks.
    Regards,
    Gonçalo Barbosa

    ------------------------------
    Gonçalo Barbosa
    ------------------------------



  • 5.  RE: QRadar Data Lake

    IBM Champion
    Posted Mon November 07, 2022 02:07 PM
    Gonçalo

    I will try to answer this one by one.
    "...we will need two event processors where one will have the events that we need for the use cases as well as the offense rules and the other will just be a repository of events that we don't need for use cases?"
    Exactly - there are two reasons for that. Please use the log only feature for EP1. Your license is assigned to EP2. So you can decide which log sources/events are being forwarded in your log source configuration on EP1 or EP2, i.e. where you are going to store your events. Potential problem: You are still limited to your 15K EPS, so make sure you have got your additional data lake license.

    "How do we configure a new Event Processor to not be a EP with offense rules and just a repository for searches?"
    Rules are applied on all event processors using full deployment. So you have to add a domain definition to your default rules to be able to differentiate.

    ".. we receive all the events on EP1 (the one with the use cases) but use a routing rule to forward the ones we don't want to the EP2?"
    It's just the other way round. Everything is stored on EP1 and only those events that are needed for your rules and use cases are forwarded to EP2. If you don't want to use the design discussed above, where you statically distribute log sources to EP1 and EP2, you can use this design as an alternative approach. You will need some EPS license assigned to this EP to be able to forward events to EP2.

    "...if we are receiving 20k EPS on our customers EC's and if we have an infrastructure of 15k EPS, by having that second EP you mentioned we will still need to have the same license applied, correct?"
    Yes, you can still use your 15K license rather than distribute 7.5K to each of the EPs. Please use measurements for the calculation of the overall EPS license needed. Only the use of the data store option and log source filtering will save EPS.

    Regards


    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
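    As an added illustration of the two-EP design Karl lays out in this reply (example code, not from the thread, IBM or QRadar): a small Python model of the routing decision and of the EPS each EP ends up carrying, using constructed event counts. The log source names, the `USE_CASE_TYPES` filter and the license figures are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalized event as it leaves the Event Collector (constructed)."""
    log_source: str       # QRadar log source name
    log_source_type: str  # log source type, e.g. "Windows", "Firewall", "Proxy"


# Hypothetical routing filter: log source types the correlation rules need.
USE_CASE_TYPES = frozenset({"Windows", "Firewall"})


def route(event: Event) -> tuple[str, ...]:
    """Destinations for one event under the two-EP design.

    EP1 (data store / log-only) keeps a copy of everything for searches;
    EP2 (licensed, runs the offense rules) only receives the use-case subset.
    """
    dests = ["EP1"]
    if event.log_source_type in USE_CASE_TYPES:
        dests.append("EP2")
    return tuple(dests)


def eps_by_destination(events: list[Event], window_seconds: float) -> dict[str, float]:
    """Average EPS arriving at each EP for a batch captured over window_seconds."""
    counts: Counter[str] = Counter()
    for event in events:
        counts.update(route(event))
    return {dest: n / window_seconds for dest, n in counts.items()}


def license_check(eps: dict[str, float], ep2_license: float, ep1_data_store_license: float) -> dict[str, bool]:
    """True when the EPS landing on an EP fits the capacity assigned to it.
    Forwarding does not reduce what EP1 ingests, so EP1 needs its own data
    store capacity even when EP2 stays under the correlation license."""
    return {
        "EP1": eps.get("EP1", 0.0) <= ep1_data_store_license,
        "EP2": eps.get("EP2", 0.0) <= ep2_license,
    }


def sample_second() -> list[Event]:
    """Constructed one-second sample: 20k events in total, of which 12k come
    from log source types the use cases need (names are made up)."""
    mix = [("dc01", "Windows", 8000), ("fw-edge", "Firewall", 4000), ("proxy01", "Proxy", 8000)]
    return [Event(name, kind) for name, kind, n in mix for _ in range(n)]


if __name__ == "__main__":
    eps = eps_by_destination(sample_second(), window_seconds=1.0)
    print(eps)  # {'EP1': 20000.0, 'EP2': 12000.0}
    print(license_check(eps, ep2_license=15000, ep1_data_store_license=15000))  # EP1 False, EP2 True
```

    With a 15K license on EP2 and no extra data store capacity on EP1, the check fails on EP1, which is the "make sure you have got your additional data lake license" point above.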



  • 6.  RE: QRadar Data Lake

    Posted Tue November 08, 2022 07:16 AM
    Hello Karl,

    Thank you so much for your help on this.

    Best regards,
    Gonçalo Barbosa

    ------------------------------
    Gonçalo Barbosa
    ------------------------------