balajikadambi edited this page Sep 19, 2018 · 6 revisions

Welcome to the Monitor device events using QRadar wiki!

Short Name

Monitor device events using QRadar

Short Description

Demonstrates a methodology to monitor device events with an integration between QRadar and Watson IoT Platform.

Offering Type

Security

Introduction

Monitoring and preventing security or policy related incidents is an important goal for any organization.

IBM QRadar Security Information and Event Management (SIEM) can help achieve the security goals of an organization. It can consolidate log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network. It correlates all of this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.

With the increasing adoption of IoT, a number of security related incidents can be detected from the data generated by embedded IoT devices.

IBM Watson IoT Platform gives IoT devices a mechanism to securely register and send events. These events can be stored and processed. With an integration between IBM Watson IoT Platform and IBM QRadar, an organization can bring a huge number of devices under the monitoring umbrella.

Author

By Rahul Reddy Ravipally, Balaji Kadambi

Code

Demo

Video

Overview

Security and policy related events can be monitored through various sources. A Security Information and Event Management (SIEM) tool monitors logs and events from various sources to provide threat monitoring, event correlation and incident response. With the increasing adoption of IoT, a number of security related incidents can be detected from the data generated by embedded IoT devices. A large number of devices can be brought under SIEM monitoring with an integration between an IoT platform and the SIEM tool.

This code pattern covers a methodology to integrate Watson IoT Platform with IBM QRadar.

When the reader has completed this pattern, they will understand how to use the Universal DSM support available in QRadar to monitor device events from Watson IoT Platform.

The following aspects will be demonstrated in this pattern:

  • Create a Universal DSM log source in QRadar.
  • Create a rule in QRadar to detect an offense.
  • Subscribe to device events from Watson IoT Platform and send them to QRadar in RFC_3164 or RFC_5424 format using the Syslog client at https://github.com/CloudBees-community/syslog-java-client.
  • Monitor any offenses raised for the devices in QRadar Log Activity.

Flow

  1. Subscribe to device events from Watson IoT Platform.
  2. Use the Syslog client to create a message in RFC_3164 or RFC_5424 format.
  3. Send the message to QRadar. The pre-created rules run automatically on the message, and an offense is generated for violations.
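Steps 2 and 3 of the flow, as an added Python example (not the code pattern's own Java code, which uses the CloudBees syslog-java-client): it formats a constructed Watson IoT-style device event in both formats the pattern names and sends it to QRadar over UDP syslog. The event field names, the host and app names and the structured-data SD-ID are assumptions.

```python
import json
import socket
from datetime import datetime, timezone

# Syslog PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
FACILITY_USER = 1
SEVERITY_WARNING = 4
SEVERITY_INFO = 6

# Constructed sample event shaped like a Watson IoT Platform device event;
# the field names are assumptions, not the platform's wire format.
SAMPLE_EVENT = {
    "deviceType": "sensor",
    "deviceId": "sensor-001",
    "event": "status",
    "payload": {"temperature": 95, "door": "open"},
}
SAMPLE_TIME = datetime(2018, 9, 19, 10, 30, 0, tzinfo=timezone.utc)

def _sd_escape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' in a PARAM-VALUE must be escaped.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def rfc5424(event, severity, when=None, host="iot-bridge", app="wiot2qradar"):
    """RFC 5424 line; device identity goes in structured data so a QRadar
    custom event property can read it by key instead of a regex on free text."""
    when = when or datetime.now(timezone.utc)
    pri = FACILITY_USER * 8 + severity
    keys = ("deviceType", "deviceId", "event")
    params = " ".join(f'{k}="{_sd_escape(event[k])}"' for k in keys)
    sd = f"[wiot@32473 {params}]"  # SD-ID is assumed; 32473 is the RFC example PEN
    body = json.dumps(event["payload"], separators=(",", ":"), sort_keys=True)
    ts = when.isoformat(timespec="seconds")
    # Fields: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    return f"<{pri}>1 {ts} {host} {app} - {event['event']} {sd} {body}"

def rfc3164(event, severity, when=None, host="iot-bridge", app="wiot2qradar"):
    """Legacy BSD line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space padded)."""
    when = when or datetime.now(timezone.utc)
    pri = FACILITY_USER * 8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    body = json.dumps(event["payload"], separators=(",", ":"), sort_keys=True)
    msg = f"{event['deviceType']}/{event['deviceId']}/{event['event']} {body}"
    return f"<{pri}>{ts} {host} {app}: {msg}"

def send_udp(message, qradar_host, port=514):
    """Deliver one message to the QRadar event collector's UDP syslog listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (qradar_host, port))
```

The RFC 5424 form is the one to prefer for a Universal DSM: the device type and id are parsed from the structured-data keys, while the RFC 3164 form leaves QRadar to extract them from the free-text message.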

Included components

  • IBM Watson IoT Platform: IBM Watson™ IoT Platform for IBM Cloud gives you a versatile toolkit that includes gateway devices, device management, and powerful application access. By using Watson IoT Platform, you can collect connected device data and perform analytics on real-time data from your organization.

  • Liberty for Java: Develop, deploy, and scale Java web apps with ease. IBM WebSphere Liberty Profile is a highly composable, ultra-fast, ultra-light profile of IBM WebSphere Application Server designed for the cloud.

  • IBM QRadar version 7.3.1: QRadar Community Edition is a free version of QRadar that is based on the core enterprise SIEM.

  • Syslog Java Client: Client library written in Java to send messages to a Syslog server, from the CloudBees community (https://github.com/CloudBees-community).

Note: Please read the licensing terms for usage of the Syslog Java Client at https://github.com/CloudBees-community/syslog-java-client. It is downloaded as part of the Maven build in this code pattern.

Featured technologies

  • SIEM: In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

  • Java: Java is a general-purpose computer-programming language that is concurrent, class-based and object-oriented.

  • Internet of Things: The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect and exchange data,[1][2][3][4] creating opportunities for more direct integration of the physical world into computer-based systems, resulting in efficiency improvements, economic benefits, and reduced human exertions.

Blog

Title - Monitor for security and policy related events from any source

Organizations are adopting new technologies at an increasing rate. With this comes an increase in the number and type of security and policy related incidents. A Security Information and Event Management (SIEM) tool monitors logs and events from various sources to provide threat monitoring, event correlation and incident response. As technology adoption grows, there is a need to bring more event sources under the monitoring umbrella.

On a parallel note, large scale technology adoption is driven by IoT; connected vehicles, smart factories and smart workplaces are examples. A number of security related incidents can be detected from the data generated by embedded IoT devices, which is a new source for the SIEM tool. The events from these devices are usually aggregated on an IoT platform. Monitoring IoT events on a SIEM tool requires an integration between the two.

IBM QRadar Security Information and Event Management provides the ability to monitor events from unknown sources through its Universal DSM support. This can be used to send events from new sources to IBM QRadar.

IBM Watson IoT Platform provides a mechanism for IoT devices and gateways to securely connect and send events.

The code pattern Monitor devices using QRadar demonstrates a methodology to integrate IBM QRadar and IBM Watson IoT Platform with a sample use case. Please refer to the link for more information.

Links

  • SIEM

  • IBM QRadar version 7.3.1

  • IBM QRadar 7.3.1 documentation