In the IT vendor space, there is often debate on which is better: one solution that handles everything, or best-of-breed solutions that each solve different problems. This pendulum constantly swings back and forth. The tradeoff is clear: if you pick one solution that does everything, you lose the feature-richness of a specialized tool. On the other hand, if you pick all specialized tools, your full-time job might become managing those tools… or worse, they won’t be used to their fullest potential.  

The key to balance is making sure that if you go the best-of-breed route, those solutions can communicate with each other. Scrutinizer specializes in collecting network metadata from sources such as NetFlow, IPFIX, streaming services like Amazon VPC, Cisco FireSIGHT, and more. That said, Scrutinizer is not a syslog collector or a full packet capture solution.

We have always found it to our customers’ benefit to integrate with 3rd-party systems like Splunk, CounterACT, Endace, etc. We recently developed a QRadar NetFlow integration.

How to Integrate QRadar and Scrutinizer

Step 1: Sending QRadar data to Scrutinizer

Navigate to the Admin Tab – > Definitions – > 3rd Party Integration. Under the ‘Existing Integration’ dropdown, select QRadar and let the fields populate.

QRadar NetFlow Integration

Replace the x.x.x.x portion of the URL with the IP address of your QRadar server. Uncheck the ‘disabled’ checkbox, then hit save. Now if you navigate to the status tab in Scrutinizer, you should see QRadar show up in the device explorer. This provides a click-through operation that will query that device within the QRadar system.

QRadar in Scrutinizer

Step 2: Sending Scrutinizer data to QRadar

For the second part of this integration, Scrutinizer can be configured to export all of its alarm and threshold data to a remote syslog server. To start, navigate to the Admin Tab – > Settings -> Syslog server. You will need to choose the log format, facility, host, port and priority then click the save button.

Syslog NetFlow integration

Completing this portion of the integration will forward all logs generated by Scrutinizer to your QRadar deployment. Note that Scrutinizer supports CEF-based, text-based, or JSON-based logs.

You could even configure Scrutinizer to only send logs for specific events by creating a Notification Profile and applying it to a specific algorithm or threshold. This is a niche use case, but it’s important to understand that it is possible.

If you go to the Admin – > Definitions – > Notification Manager, you can create a syslog alert. This notification can then be applied to any algorithm or threshold you like.

Integrating QRadar with Scrutinizer gives security analysts a complete picture of an incident during investigation. Contact our support team if you want to learn more about these integrations, or need help with any of the above configurations.

Brian Davenport

Brian is experienced in Advanced IPFIX and Flexible NetFlow collection, reporting, security analysis, and threat detection. Since 2012 he has been immersed in many types of flow-related solutions. Brian also enjoys fishing.

Related