Note: This pattern is part of a composite pattern. These are code patterns that can be stand-alone applications or might be a continuation of another code pattern. This composite pattern consists of:
- Monitor device events using QRadar (this pattern)
- Manage security insights and incidence response effectively
An organization monitors security and policy-related events through various sources. A Security Information and Event Management (SIEM) tool is used to monitors logs and events from various sources to provide threat monitoring, event correlation, and incident response. With the increasing adoption of the Internet of Things (IoT), a number of security-related incidents are on the rise. You can stay ahead of threats by detecting them from the data that is generated by embedded IoT devices. A large number of devices can be brought under the SIEM tool monitoring with an integration between an IoT platform and your SIEM tool.
This code pattern covers a methodology to integrate the Watson™ IoT Platform with IBM QRadar®.
When you complete this code pattern, you’ll understand how to:
- Create an Universal DSM log source in QRadar.
- Create a rule to detect offense in QRadar.
- Subscribe to device events from the Watson IoT platform and send them to QRadar in RFC_3164 or RFC_5424 format using the Syslog client at https://github.com/CloudBees-community/syslog-java-client.
- Monitor offenses if any from the devices on QRadar Log Activity.
- Subscribe to device events from the Watson IoT Platform.
- Use the Syslog client to create a message in RFC_3164 or RFC_5424 format.
- Send message to QRadar. The pre-created rules are automatically run on the message and an offence is generated for violations.
- Install QRadar community edition.
- Create IBM Cloud services.
- Register a device on Watson IoT platform.
- Create log sources and rules on QRadar.
- Deploy the web application.
Ready to put this pattern to use? Complete details on how to get started running and using this application are in the README.