QIN Incident Notifier

The main purpose of any SIEM is to let the security team know about security incidents as early as possible.

IBM QRadar SIEM parses and correlates events from all kinds of sources and creates offenses whenever any security incident happens. There are out-of-the-box mechanisms, such as GUI and email notifications, that allow QRadar to notify security analysts about offenses.

While the out-of-the-box email notifications work fine, they lack flexibility, and creating or editing an email template requires some technical knowledge. In addition, vanilla QRadar cannot assign an offense to a specific analyst based on its type or content.

QIN Incident Notifier by ScienceSoft lets administrators perform these tasks simply and configure notifications to be sent not only via email (including custom templates) but also via Twilio SMS, Telegram, and Slack.

QIN uses rules to decide where and how to send notifications and which analyst an offense is assigned to, and templates to determine how much information a message includes.

Every rule is based on a regular expression that can be applied to the offense description, the name of the rule that triggered the offense, the offense category, or the actual payload of the related events and/or flows. Note that payloads are attacker-influenced data, so payload regexes should be kept simple and anchored where possible to avoid both false routing and pathological matching times. The integrated Rule Manager and Template Editor make configuring the app straightforward.
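To make the rule-and-template model concrete, here is an added, self-contained example of the routing logic described above. It is illustrative code, not QIN's own implementation: the rule format (field name, regex, channel list, assignee), first-match semantics, the `$placeholder` template syntax and the sample offenses are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from string import Template
from typing import List, Optional, Tuple


@dataclass
class Offense:
    """Minimal offense record carrying the fields a routing rule can match on.
    Field names are assumed for this example; the real QRadar offense model is richer."""
    offense_id: int
    description: str
    rule_name: str      # name of the QRadar rule that triggered the offense
    category: str
    payloads: List[str]  # raw payloads of the related events/flows


@dataclass
class RoutingRule:
    """One notification rule: a regex over a single offense field, plus routing decisions."""
    name: str
    field_name: str          # "description", "rule_name", "category" or "payload"
    pattern: str
    channels: List[str]      # e.g. ["email", "slack"]
    assignee: Optional[str] = None
    regex: re.Pattern = field(init=False)

    def __post_init__(self) -> None:
        # Compile once; a bad pattern fails at rule creation, not at notification time.
        self.regex = re.compile(self.pattern, re.IGNORECASE)

    def matches(self, offense: Offense) -> bool:
        if self.field_name == "payload":
            # Payloads are attacker-influenced; match each one separately rather than
            # joining them, so a pattern cannot span two unrelated events.
            return any(self.regex.search(p) for p in offense.payloads)
        value = getattr(offense, self.field_name, "")
        return self.regex.search(value) is not None


def route(offense: Offense, rules: List[RoutingRule],
          default_channels: Tuple[str, ...] = ("email",)) -> Tuple[Optional[str], List[str], Optional[str]]:
    """Return (matched rule name, channels, assignee) for the first matching rule.
    Offenses matching no rule fall back to the default channel with no assignee."""
    for rule in rules:
        if rule.matches(offense):
            return rule.name, list(rule.channels), rule.assignee
    return None, list(default_channels), None


def render_message(offense: Offense, assignee: Optional[str], template: str) -> str:
    """Fill a $placeholder template. string.Template is used instead of str.format so an
    admin-edited template cannot reach object attributes, and unknown placeholders are
    left intact rather than raising."""
    values = {
        "offense_id": offense.offense_id,
        "description": offense.description,
        "rule_name": offense.rule_name,
        "category": offense.category,
        "assignee": assignee or "unassigned",
    }
    return Template(template).safe_substitute(values)


# Constructed sample rules and offenses for the example (not real data).
RULES = [
    RoutingRule("malware", "category", r"^Malware", ["email", "slack"], assignee="alice"),
    RoutingRule("webshell", "payload", r"(?:cmd|powershell)\.exe", ["email", "sms"], assignee="bob"),
]
OFFENSES = [
    Offense(1001, "Suspicious process execution", "Process Anomaly", "Malware.Suspicious",
            ["<13>Jan 1 host1 sysmon: Image=C:\\Users\\x\\update.exe"]),
    Offense(1002, "Web server anomaly", "Web Attack Detected", "Exploit",
            ['10.0.0.5 - - "GET /x.php?c=cmd.exe /c whoami HTTP/1.1" 200']),
    Offense(1003, "Repeated login failures", "Auth Brute Force", "Authentication",
            ["<13>Jan 1 host2 sshd: Failed password for root"]),
]
TEMPLATE = "Offense $offense_id ($category) assigned to $assignee: $description"

if __name__ == "__main__":
    for off in OFFENSES:
        rule_name, channels, assignee = route(off, RULES)
        print(f"[{rule_name}] via {channels}: {render_message(off, assignee, TEMPLATE)}")
```

Rules are evaluated in order and the first match wins, so put the most specific rules first; an offense that matches nothing still reaches the default email channel, which keeps the "no notification at all" failure mode out of the design.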

The out-of-the-box QRadar offense notification mechanism is limited and cannot assign offenses. Modifying the email template requires root access and does not support HTML tags. Native email notifications cannot include the offense ID and event details in the same message, and there is no option to include several related events/flows, rule details, or asset information.

QIN is a commercial application by ScienceSoft, with some of its functionality available for free. The free version has the following restrictions:

  • Only one rule can be used
  • Only the email notification type is available
  • Every email notification carries a “Free version” notice
  • Configuration backup is available only in the commercial version