BlogIBM QRadar SIEM provides security teams with a platform for correlating events and intelligence from throughout the IT environment, and coordinating detection and response workflows. However, the modern attack surface is vast and permeable. When an attacker makes it inside your network, SIEM tools need to detect the subtle behaviors that indicate an attack in progress, especially when it comes to unknown threats. That's why leading SIEM vendors recommend augmenting your existing data with network traffic analysis to protect critical assets and drive proactive security.
The ExtraHop app for IBM QRadar SIEM is engineered to make your professional life easier and your organization more secure by seamlessly integrating ExtraHop Reveal(x), network traffic analysis for the enterprise, with IBM QRadar. Reveal(x) applies machine learning and other analysis to east-west traffic for real-time detection of known and unknown threats, complementing QRadar's existing dataset with rich transactional data from the network, advanced behavioral analytics, and guided investigations.
How It Works + Why It's Valuable + How to Get Started
How It Works
There are two components to the integration:
- The ExtraHop App for QRadar contains a "Device Support Module" for Reveal(x) detections that provides a data model allowing QRadar to parse the message it receives from ExtraHop, and it allows you to save detections as QRadar log events.
- The ExtraHop Detection SIEM Connector bundle contains a trigger which executes every time the ExtraHop appliance creates or updates a detection. The trigger formats a message containing the detection data and sends it to QRadar via the Syslog protocol.
Why It's Valuable
The ExtraHop App for IBM QRadar combines what Reveal(x) does best — providing complete visibility, real-time detection, and guided investigation — with IBM QRadar's best-in-class security information and event management capabilities.
By automatically importing real-time Reveal(x) detections to a tab conveniently located in your QRadar user interface, you gain a complete picture of suspicious or anomalous behavior anywhere in your enterprise environment:
When you need to dig deeper, you can easily pivot to ExtraHop and drill down into context-rich packets for forensic detail:
How to Get Started
To start using the ExtraHop App for IBM QRadar:
- Visit the ExtraHop Bundles Gallery to download the ExtraHop Detection SIEM Connector bundle.
- Visit the IBM Security App Exchange to download the ExtraHop App for IBM QRadar.
- Be sure to check out our ExtraHop and IBM QRadar SIEM Integration Video.
If you would like more information about the ExtraHop App for IBM QRadar, please visit our QRadar integration page.
