QRadar (IBM SIEM Components)

QRadar Components:

IBM QRadar collects, processes, aggregates, and stores network data in real time. QRadar uses that data to manage network security by providing real-time information and monitoring, alerts and offenses, and responses to network threats.



Event collector:

The event collector collects events from local and remote log sources and normalizes raw log source events to format them for use by QRadar.

Protocol: receives data off the wire from log source protocols (syslog, JDBC, OPSEC, Log File, SNMP).

Throttle: monitors the number of incoming events to the system in order to manage input queues and licensing.

Parsing: takes the raw events from the source device and parses their fields into QRadar-friendly events.

Log Source traffic analysis & auto discovery: applies the parsed (normalized) event data to the DSMs that support automatic discovery, so that the correct DSM can be matched to an unknown log source.

Coalescing: events are parsed and then coalesced based on common patterns across events. Once 4 events are seen with the same source IP, destination IP, destination port and user name, subsequent messages of the same pattern for up to 10 seconds are coalesced together. This is done to reduce duplicate data being stored.
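As an added illustration (not code from the original page or from IBM), a small Python model of the coalescing rule described above: events sharing the same source IP, destination IP, destination port and user name are stored individually until four have been seen, after which matching events for up to 10 seconds are folded into the fourth record's count. It assumes the 10-second window is measured from the fourth event, that an unfinished run is abandoned once more than 10 seconds pass since its first event, and it uses constructed sample events.

```python
COALESCE_THRESHOLD = 4          # events stored individually before coalescing starts
COALESCE_WINDOW_SECONDS = 10.0  # how long matching events keep being folded in

# Constructed sample events (not real QRadar data); "ts" is seconds since an epoch.
SAMPLE_EVENTS = [
    {"ts": 0.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 1.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 2.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 2.5, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "bob", "msg": "Accepted password"},
    {"ts": 3.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 4.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 5.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 12.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
    {"ts": 20.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22, "user": "alice", "msg": "Failed password"},
]


def coalesce_key(event):
    """The four fields QRadar compares when deciding whether events share a pattern."""
    return (event["src_ip"], event["dst_ip"], event["dst_port"], event["user"])


def coalesce(events):
    """Return the records that would be stored, each carrying a 'count' of folded events."""
    stored = []
    runs = {}  # key -> {"seen": int, "run_start": float, "anchor": stored record or None}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = coalesce_key(ev)
        run = runs.get(key)
        if run is not None:
            # Window is measured from the fourth event once coalescing has begun (assumption),
            # otherwise from the first event of the run; either way an expired run starts over.
            origin = run["anchor"]["ts"] if run["anchor"] else run["run_start"]
            if ev["ts"] - origin > COALESCE_WINDOW_SECONDS:
                run = None
        if run is None:
            run = runs[key] = {"seen": 0, "run_start": ev["ts"], "anchor": None}
        run["seen"] += 1
        if run["seen"] < COALESCE_THRESHOLD:
            stored.append(dict(ev, count=1))            # first three: stored as-is
        elif run["seen"] == COALESCE_THRESHOLD:
            run["anchor"] = dict(ev, count=1)            # fourth: becomes the coalesced record
            stored.append(run["anchor"])
        else:
            run["anchor"]["count"] += 1                  # fifth onward within window: folded in
    return stored


if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(rec["ts"], rec["user"], "count=%d" % rec["count"])
```

Of the nine constructed events, six records are stored: the fourth "alice" event absorbs the three that follow within 10 seconds, while the event at 20 seconds starts a fresh run because the window has expired.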

Event Forwarding: applies the routing rules defined for the system, such as sending data to an offsite target, an external syslog system, a JSON system, other SIEMs, etc.

Event processing: 

The Event Processor component completes the following functions:

Custom Rules Engine (CRE): the CRE is responsible for processing the events received by QRadar and comparing them against the defined rules; when an event matches a rule, the Rule Response section of that rule is executed.

The Magistrate component on the QRadar Console creates and manages offenses. When rules are triggered, responses or actions such as notifications, syslog, SNMP, email messages, new events, and offenses are generated.

Streaming: sends real-time event data to the QRadar Console when a user is viewing events from the Log Activity tab with Real Time (streaming) selected. Streamed events are not served from the database.

Event storage (Ariel): a time-series database for events where data is stored on a minute-by-minute basis. Data is stored where the event is processed. The Event Collector sends normalized event data to the Event.

Magistrate:

The Magistrate Processing Core (MPC) is responsible for correlating offenses with event notifications from multiple Event Processor (EP) components. Only the Console has a Magistrate component.

Offense rules: monitors and acts on offenses, for example by generating email notifications.

Offense management: updates active offenses, changes the status of offenses, and provides user access to offense information from the Offenses tab.

Offense storage: writes offense data to a PostgreSQL database.


Remember:

Flow and event data is stored in the Ariel database on the processors.
Offense, asset and identity information is stored in the master PostgreSQL database on the Console.
SSH between appliances in a distributed environment is supported.



QRadar Architecture for 2020:

A walk-through of how things have changed and what has stayed the same in the QRadar architecture.
