Sirius recently worked with a national retailer to provide a customized SIEM solution. The client wanted a solution that would allow them to “Splunk” all their events and then send a subset of events and alerts to IBM QRadar. This approach allowed the retailer to have full coverage of their security and operational data in Splunk while still feeding the necessary events and alerts to their QRadar SIEM.

To help the client, Sirius Principal Solutions Architect Tim Riddell created two new Splunk add-ons that are available in Splunkbase, an application and add-on center for Splunk users. The two customized add-ons were used to send both CEF and raw events from Splunk to QRadar. Tim built in specific support for sending Windows events from Splunk to QRadar to accommodate the product-level integration that already exists (raw Windows events wouldn’t work without this extra support). CEF-formatted events were used when alerts were needed in QRadar and the underlying raw events were not required or supported by QRadar. Mike Jiencke, a senior solutions architect at Sirius, designed and set up the QRadar side of this integration.

Both add-ons are custom search commands written in the Go programming language. Go was chosen for both its high-performance characteristics and its simple deployment model. One add-on is available for sending formatted CEF events, and another for sending raw Splunk events. Both solutions can send out to the network over TCP or UDP.
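As an added illustration of what such a search command has to do, here is a minimal Go encoder and TCP/UDP sender for CEF events. This is not code from the TA-sendcef add-on; the Event type, its field names, the escaping helpers and the sample alert are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// CEF escaping: header fields escape backslash and pipe; extension values
// escape backslash and equals. Newlines are flattened so each event stays on
// one line for a line-oriented TCP/UDP receiver such as QRadar.
var headerEsc = strings.NewReplacer(`\`, `\\`, `|`, `\|`)
var extEsc = strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\r", " ", "\n", " ")

// Event is a hypothetical stand-in for one Splunk search result row; Ext holds
// ordered key/value extension pairs so the rendered line is deterministic.
type Event struct {
	Vendor, Product, Version, SignatureID, Name string
	Severity                                    int
	Ext                                         [][2]string
}

// ToCEF renders one event as a single CEF:0 line.
func ToCEF(e Event) string {
	ext := make([]string, 0, len(e.Ext))
	for _, kv := range e.Ext {
		ext = append(ext, kv[0]+"="+extEsc.Replace(kv[1]))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%s|%s|%d|%s",
		headerEsc.Replace(e.Vendor), headerEsc.Replace(e.Product),
		headerEsc.Replace(e.Version), headerEsc.Replace(e.SignatureID),
		headerEsc.Replace(e.Name), e.Severity, strings.Join(ext, " "))
}

// Send writes newline-terminated CEF lines to addr over "tcp" or "udp".
func Send(network, addr string, events []Event) error {
	conn, err := net.Dial(network, addr)
	if err != nil { return err }
	defer conn.Close()
	for _, e := range events {
		if _, err := fmt.Fprintln(conn, ToCEF(e)); err != nil { return err }
	}
	return nil
}

// sampleEvent is a constructed alert containing characters that need escaping.
func sampleEvent() Event {
	return Event{Vendor: "Splunk", Product: "Alert|Forwarder", Version: "1.0",
		SignatureID: "1001", Name: "Failed logon burst", Severity: 7,
		Ext: [][2]string{{"src", "10.0.0.5"}, {"suser", "alice"}, {"msg", "a=b\\c"}}}
}
func main() { fmt.Println(ToCEF(sampleEvent())) }
```

A receiver parsing the line should see the pipe inside the product name and the equals sign inside msg as literal characters, not as field delimiters.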

Click the links below to download and begin using these two Splunk add-ons designed to integrate with third-party applications like IBM QRadar.

SendCEF:

https://splunkbase.splunk.com/app/3623/

https://github.com/triddell/TA-sendcef

SendRaw:

https://splunkbase.splunk.com/app/3624/

https://github.com/triddell/TA-sendraw

Our talented architects provide customized business solutions for clients. Read our Splunk Overview to learn how we can help you with your Splunk solutions.