IBM QRadar Tools by ScienceSoft

Through years of hands-on experience in IBM QRadar implementation, customization and tuning, ScienceSoft SIEM professionals have acquired deep expertise and an understanding of customers' needs, which resulted in a range of specialized solutions aimed at filling gaps in IBM QRadar's capabilities.

Originally created for internal use or at clients' request, these tools are now available to the entire IBM QRadar user community. ScienceSoft custom applications automate, simplify and speed up processes and operations at different levels, save IBM QRadar administrators' and analysts' time and effort, fill gaps in and extend standard IBM QRadar functionality, and improve the overall security posture of ScienceSoft clients.

Custom QRadar tools by ScienceSoft address:

  • Analytics & Reporting
  • Data Integration
  • Deployment & Environment

[PDF] ScienceSoft Apps for IBM Security QRadar SIEM

This guide describes a set of custom solutions created for IBM Security QRadar SIEM by ScienceSoft over the last 15+ years.

If you cannot find a solution that fits your requirements, feel free to share your thoughts and suggestions by contacting us at qlean@scnsoft.com, and the ScienceSoft QRadar development team will reach out to you shortly.

ANALYTICS & REPORTING

The current set of tools enriches IBM QRadar SIEM with advanced means of reporting, notifying and analyzing both the collected data and the results of its processing.

QLEAN for QRadar Tuning & Health Check

An advanced monitoring tool for IBM QRadar self-audit and fine-tuning with over 60 behavioral metrics and 25 health markers. QLEAN delivers a 360-degree view of your SIEM, adds value to deployments of all sizes, identifies low-performing components, and helps create actionable remediation steps. The product has a proven track record of reducing both risk and cost by freeing up time (up to 250-300 hours per year per client) and eliminating time-consuming routine maintenance and investigations.

QSM Session Manager

A ScienceSoft application that enhances IBM QRadar by making it easy to manage user sessions and actions. QSM investigates security events via session information even when the user name is not available in log messages. The tool saves up to three hours daily for analysts who would otherwise perform and process all such searches manually, since native QRadar lacks this functionality.

QIN Incident Notifier

QIN is the most effective and flexible alternative to the part of native IBM QRadar functionality responsible for notifying users about security incidents. It is a highly customizable tool for triggering notifications and assigning offenses to analysts based on a variety of key metrics. The application simplifies administrators' tasks and sends alerts not only via email but also via Jira, MS Teams, Slack, Twilio SMS, and Telegram.

QOR Offense Reporter

QOR creates a full snapshot of all Offenses in IBM QRadar, representing the entire history of changes. The tool's main function is to generate Excel reports on Offenses on a schedule and send them via email. QOR exports a variety of useful data into its detailed reports, including notes, closing reasons, offense rule names, etc.

QLSI Log Source Inventory

The most effortless way to get a full picture of Log Sources: periodic, configurable reports generated in Excel format and delivered via email. Advanced QLSI reports are convenient for analysis and contain information not available from standard exports, e.g. EPS values for each log source.

DATA INTEGRATION

This set of IBM QRadar extensions improves security visibility through additional configurable data feeds and includes cheaper and more lightweight alternatives to solutions with similar functionality.

QMEA Microsoft Exchange Audit

The best solution for collecting data in near real time from MS Exchange Admin and Mailbox Audit logs, which are not available via standard IBM QRadar protocols. QMEA does not just forward raw statistics as-is; it processes and transforms them and presents the valuable information in an easy-to-view format via Syslog.

QVTI VirusTotal Integration

QVTI facilitates checking process hashes against the VirusTotal database via its public API, instead of extracting and checking them manually. The application enriches IBM QRadar with malware-related data, relying on the Sysmon log data collected with WinCollect agents.

QDATA LDAP Data Enrichment

An extension for IBM QRadar that synchronizes Active Directory and LDAP-based directory information with QRadar Reference Sets and Tables. QDATA covers periodic and scheduled sync-ups, complex LDAP queries and configuration, per-task statistics, and in-app logging. The tool is vital for developing rules that depend on a specific account type or group of users.

QTOR TOR Darknet Monitoring

A ScienceSoft tool designed for monitoring inbound and outbound Darknet connections via TOR relay and exit nodes. QTOR automates the daily manual routine of gathering and processing information from public sources. The solution combines an IBM QRadar application with two custom rules required for continuous checking of TOR connections.

QDGA DGA Analyzer

QDGA is built around rules and reference sets to detect suspicious domain names created by Domain Generation Algorithms. The application is a lightweight alternative to the QRadar DNS Analyzer application for DGA detection.

DEPLOYMENT & ENVIRONMENT

The following QRadar applications are designed to automate time-consuming routines and reveal useful information not available through the standard user interface.

QWAD WinCollect Assisted Deployment

A breakthrough among IBM QRadar extensions: it helps users automatically install and configure unmanaged IBM WinCollect agents and the corresponding Log Sources. QWAD saves a great deal of time and manual effort, which can be invested in use case development instead, and makes integrating third-party agents into the corporate network an easy process.

QMLA Missing Logs Alert

Another ScienceSoft solution in the line-up of IBM QRadar notification tools. QMLA shows users comprehensive information about Log Sources that have stopped sending events, and the precise time when it happened. The application uses QRadar log source groups, allows a timeout to be specified for each group individually, and generates and sends notifications via a set of rules shipped with the software package.

QSSA Slow Search Alert

A new solution for IBM QRadar SIEM by ScienceSoft that detects long-running active searches in the system and notifies users via email in a timely manner. QSSA's features are not available in native QRadar and extend its functionality.

QLED Log Source EPS Details

One of ScienceSoft's key solutions, created for monitoring the number of events received by each log source and identifying those that exceed a configurable EPS threshold. Top QLED features allow users to request information via the IBM QRadar API, store EPS statistics in a built-in database, and visualize them via charts in a new QRadar tab.

QFSO Find Similar Offenses Button

An application for IBM QRadar designed for creating a list of all offenses generated by a specific rule. QFSO is useful for speeding up offense investigations and rule tuning. Its functionality is unique, as QRadar does not have such a feature and analysts would otherwise have to search for similar offenses manually.

QEFC Exclude from Correlation Button

QEFC by ScienceSoft allows users to temporarily prevent rules from generating new offenses for specific offense sources (username, IP address, etc.). This extension for IBM QRadar is useful when the incident response team has already identified a compromised host or username and does not need further notifications for the same source until the asset is fully recovered.