QRadar Upgrade and Data Migration for a Global Distribution System Provider
The Customer is a provider of a global distribution system (GDS) for the travel and tourism industry. They offer search, pricing, booking and other processing services to travel companies.
The Customer was running an outdated version of the IBM QRadar SIEM. The Customer commissioned ScienceSoft to upgrade the legacy QRadar SIEM solution and to migrate the data to the new system without losing the data collected over the past year.
At the first stage of the project, the SIEM specialists wrote a script to automate the data migration, which significantly simplified the migration and reduced the time it took.
As part of the QRadar upgrade, ScienceSoft’s SIEM team installed an All-in-One QRadar SIEM Console in a high availability (HA) cluster to ensure continuous data collection and availability. ScienceSoft’s SIEM specialists also installed and configured a QRadar Network Insights (QNI) appliance to perform fundamental analysis of the collected traffic flows.
Following the Customer’s requirements, all the data collected over the past year was transferred from the legacy SIEM system into the new one. In addition, as part of the migration, the Customer’s legacy log sources were also migrated to the updated system so that searches on the migrated data could continue without interruption.
After completing these steps, ScienceSoft’s SIEM team replaced the unsupported Adaptive Log Exporter (ALE) with the latest WinCollect agent for collecting and processing Microsoft Windows security event data. This improved control and management of the collected data.
To further improve the Customer’s event monitoring, ScienceSoft’s SIEM specialists introduced a new audit baseline for Linux systems. The previous audit baseline configuration generated a large volume of event noise that the correlation engine ignored, so the Customer was left with a great deal of information of no use for systems monitoring. The improvements implemented by ScienceSoft’s SIEM team made it possible to filter out 2,000,000 events a day. As a result, the noise level dropped significantly, and the Customer’s personnel received only the events needed for quality monitoring.
The Customer received an upgraded IBM QRadar SIEM solution. The Customer’s legacy data collected over the past year, together with the event sources, was successfully transferred into the updated system. Thanks to the additional work of ScienceSoft’s SIEM team, the Customer also received an improved event monitoring system.
Technologies and Tools
IBM QRadar SIEM 7.3.1, PostgreSQL, Python, Shell script, Ansible script, RegEx