Sending Tenable Identity Exposure Alerts to QRadar

Overview

To send Tenable Identity Exposure alerts to QRadar, first configure your QRadar system as a Syslog server in Tenable Identity Exposure. Then, for each relevant policy, specify QRadar as a target for receiving alerts.

Connecting QRadar to Tenable Identity Exposure

To connect your QRadar Syslog server to Tenable Identity Exposure:

  1. In the Tenable Identity Exposure console, under Local Settings, go to the Servers > Syslog Servers screen.
  2. Click + Add Syslog Server.

    The Syslog Server configuration window appears.

  3. In the Server Name field, enter a name for your QRadar system.
  4. In the Hostname\IP field, enter the IP address of your QRadar system.

  5. In the Port field, enter the port number on the QRadar system to which the events will be sent. (The default value is 514.)

  6. In the Transport field, select the transport protocol from the drop-down list. (The options are TCP or UDP.)

  7. Click Send Test Message to verify the configuration, then check that the message arrived at the QRadar system. If the message did not arrive, troubleshoot to find the cause of the problem and correct it.

  8. Click Save.
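
If the test message in step 7 never shows up, the sketch below helps separate a network or transport problem from a QRadar-side one: it listens on a spare host for a single message over TCP or UDP and decodes the syslog PRI header. It is an added example, not Tenable or IBM code; the spare host, the port 5514 in the comment and any sample message are assumptions, and the page does not document the alert message format.

```python
import re
import socket
import sys

PRI_RE = re.compile(rb"^(?:\d+ )?<(\d{1,3})>")  # allows an octet-count prefix on TCP


def decode_pri(raw):
    """Return (facility, severity) from the syslog <PRI> header, or None."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity


def open_listener(transport, port, host="0.0.0.0"):
    """Bind a socket matching the value chosen in the Transport field."""
    kind = socket.SOCK_STREAM if transport == "TCP" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    if transport == "TCP":
        sock.listen(1)
    return sock


def receive_one(sock, timeout=30.0):
    """Wait for one message; return (sender_ip, raw_bytes) or None on timeout."""
    sock.settimeout(timeout)
    try:
        if sock.type == socket.SOCK_DGRAM:
            raw, addr = sock.recvfrom(65535)
        else:
            conn, addr = sock.accept()
            with conn:
                conn.settimeout(timeout)
                raw = conn.recv(65535)  # one read is enough for a short test message
        return addr[0], raw
    except socket.timeout:
        return None


if __name__ == "__main__":
    transport, port = sys.argv[1].upper(), int(sys.argv[2])  # e.g. UDP 5514 (assumed)
    with open_listener(transport, port) as s:
        got = receive_one(s)
    print("nothing arrived: check routing, firewalls, Port and Transport" if got is None
          else f"from {got[0]}: PRI={decode_pri(got[1])} raw={got[1]!r}")
```

Point the Hostname\IP and Port fields at the spare host temporarily, click Send Test Message, then restore the QRadar values. A message that reaches the spare host but not QRadar points to filtering in front of QRadar or to QRadar's own log source handling rather than to Tenable Identity Exposure.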

Specifying QRadar as a Target for Policy Alerts

To configure a policy to send alerts to QRadar:

  1. Create a new Policy or edit an existing Policy.
  2. Fill in all fields as needed.
  3. On the Policy Actions page, under Syslog, select your QRadar system.

  4. Click Create (or Save if you are editing a Policy).

To configure multiple Policies (bulk process) to send alerts to QRadar:

  1. On the Policies screen, select the check box next to each of the desired Policies.
  2. Click the Bulk Actions menu and select Edit from the drop-down list.

  3. The Bulk Edit screen is shown with the Policy Actions available for bulk editing.

  4. Under Syslog, select the check box next to your QRadar system.

  5. Click Save.

    The Policies are saved with the new configuration.