Send OT Security Alerts to QRadar
In order to send OT Security alerts to QRadar, you first need to configure OT Security for your QRadar system. Then, for each relevant policy, you can specify QRadar as a target for receiving alerts.
To connect your QRadar Syslog server to OT Security:
- In the OT Security console, under Local Settings, go to the Servers > Syslog Servers screen.
- Click + Add Syslog Server. The Syslog Server configuration window is displayed.
- In the Server Name field, enter a name for your QRadar system.
- In the Hostname\IP field, enter the IP address of your QRadar system.
- In the Port field, enter the port number on the QRadar system to which the events will be sent. (Default value is 514)
- In the Transport field, select from the drop-down list the transport protocol to be used. (Options are TCP or UDP)
- Click Send Test Message to send a test message to verify that the configuration was successful, and check that the message has arrived. If the message did not arrive, troubleshoot to discover the cause of the problem and correct it.
- Click Save.
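A loopback check for the Send Test Message step, added here as an example and not part of the OT Security documentation or product: it builds an RFC 5424 syslog line, sends it over the same TCP or UDP choice the Transport field offers, and a stand-in listener on 127.0.0.1 confirms whether it arrived. The facility and severity values, hostname and app name are constructed placeholders; to probe a real QRadar destination, call send_test_message with its IP address and port instead of the loopback.

```python
import socket
import threading
from datetime import datetime, timezone

def build_syslog_message(facility, severity, hostname, appname, msg):
    """RFC 5424 line; PRI = facility * 8 + severity (local0/alert -> 16*8+1 = 129)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} {appname} - - - {msg}"

def parse_pri(line):
    """Decode the <PRI> header of a syslog line back into (facility, severity)."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8

def send_test_message(host, port, transport, line):
    """Send one line: UDP as a single datagram, TCP newline-framed (RFC 6587)."""
    data = (line + "\n").encode()
    if transport == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif transport == "TCP":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data)
    else:
        raise ValueError("transport must be TCP or UDP")

def loopback_roundtrip(transport, line, timeout=5.0):
    """Stand in for QRadar on 127.0.0.1: send the line there and return what arrived
    (None if nothing did within the timeout, i.e. the 'message did not arrive' case)."""
    kind = socket.SOCK_DGRAM if transport == "UDP" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.settimeout(timeout)
        srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        port = srv.getsockname()[1]
        if transport == "TCP":
            srv.listen(1)
        # send from a helper thread so this thread can block in the receive below
        threading.Thread(target=send_test_message,
                         args=("127.0.0.1", port, transport, line)).start()
        try:
            if transport == "UDP":
                data = srv.recvfrom(65535)[0]
            else:
                conn, _ = srv.accept()
                with conn:  # the sender closes after one message, so read to EOF
                    data = b"".join(iter(lambda: conn.recv(4096), b""))
        except socket.timeout:
            return None
    return data.decode().rstrip("\n")
```

A message that comes back unchanged over both transports means the sender side frames correctly; a None on the real destination points at the host, port, transport or an intervening firewall rather than at the message itself.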
Specifying QRadar as a Target for Policy Alerts
To configure a policy to send alerts to QRadar:
- Create a new Policy or edit an existing Policy.
- Fill in all fields as needed.
- On the Policy Actions page, under Syslog, select your QRadar system.
- Click Create (or Save if you are editing a Policy).
To configure multiple Policies (bulk process) to send alerts to QRadar:
- On the Policies screen, select the check box next to each of the desired Policies.
- Click on the Bulk Actions menu and select Edit from the drop-down list. The Bulk Edit screen is shown with the Policy Actions available for bulk editing.
- Under Syslog, select the check box next to your QRadar system.
- Click Save.
The Policies are saved with the new configuration.