Configure QRadar with Tenable Identity Exposure

Overview

Tenable Identity Exposure features allow users to anticipate threats, detect breaches, and respond to incidents and attacks. Through its policies and alerts mechanism, Tenable Identity Exposure generates real-time alerts that are accurate, actionable, and customized for each network and its unique needs. Tenable Identity Exposure reports these alerts to QRadar via Syslog. For each individual policy, users can decide whether an alert should be sent to QRadar via Syslog; this offers them maximum control over which information is being sent.

To configure QRadar with Tenable Identity Exposure, you must create a log source in the Log Source Management application to ingest data from the Tenable platform.

Complete the following steps to configure the Tenable Identity Exposure App For QRadar:

  1. Go to the QRadar Log Source Management application in the Admin panel.

    The Log Source Management page appears.

  2. Click + New Log Source in the upper-right.

    The Add a Single Log Source page appears.

  3. Select Tenable.ad as the Log Source type.

  4. Select Syslog as the protocol type.

  5. In the Configure Log Source Parameters section, enter the name of the log source in the Name box.

    1. Enable the log source by clicking the Enabled/Disabled switch to Enabled.
    2. Select TenableadCustom_ext as the log source extension.
    3. Disable Coalescing Events by clicking the Enabled/Disabled switch to Disabled.

  6. In the Configure Protocol Parameters section, enter the Log Source Identifier. This identifier is the hostname or IP address that appears in the data to be forwarded.

  7. Click Finish.
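To pick the value for step 6, it helps to see which hostname the forwarded Syslog lines actually carry. The following Python sketch is an added example, not part of the Tenable or QRadar documentation: it reads the HOSTNAME field from RFC 5424 or RFC 3164 headers. The sample lines, host names, and the fallback to the sender IP for lines without a header hostname are constructed assumptions, not Tenable Identity Exposure's real alert format.

```python
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP ...
RFC5424 = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) ")
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss SP HOSTNAME SP ...
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")

# Constructed sample lines (hypothetical hosts and message bodies).
SAMPLE_LINES = [
    "<134>1 2024-05-14T09:21:07Z tie-sn01.example.test alerts - - - constructed alert body",
    "<134>May 14 09:21:09 tie-sn01.example.test alerts: constructed alert body",
    "constructed alert body with no syslog header",
]


def header_hostname(line):
    """Return the HOSTNAME field of a syslog line, or None if no usable header."""
    m = RFC5424.match(line)
    if m:
        host = m.group(4)
        return None if host == "-" else host  # "-" is the RFC 5424 nil value
    m = RFC3164.match(line)
    if m:
        return m.group(3)
    return None


def candidate_identifiers(lines, sender_ip):
    """Count the identifier each line would present.

    Assumption: a line without a header hostname is attributed to the
    sender's IP address (sender_ip), as step 6 allows a hostname or an IP.
    """
    counts = {}
    for line in lines:
        ident = header_hostname(line.strip()) or sender_ip
        counts[ident] = counts.get(ident, 0) + 1
    return counts


if __name__ == "__main__":
    for ident, n in candidate_identifiers(SAMPLE_LINES, "192.0.2.10").items():
        print(f"{ident}\t{n} event(s)")
```

If more than one identifier shows up in a capture, events that do not match the Log Source Identifier entered in step 6 will not be attributed to this log source.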

What to do next: