Configure QRadar with OT Security

Overview

OT Security enables operational engineers and cybersecurity personnel to gain visibility into, and control over, Industrial Control System (ICS) networks. Through its policies and alerts mechanism, OT Security generates real-time alerts that are accurate, actionable, and customized for each network and its unique needs. OT Security detects unauthorized changes made to industrial processes in ICS networks. It can produce various alerts on changes in the configuration of controllers (PLC, DCS, IED), details, communications, and alert on a range of network attack vectors that may threaten industrial processes. OT Security also actively verifies the controllers’ configuration and alerts on changes made to them. OT Security reports these alerts to QRadar via Syslog. For each individual policy, users can decide whether an alert should be sent to QRadar via Syslog; this offers them maximum control over which information is being sent.

To configure QRadar with OT Security you must create a log source through the Log Source Management application for ingesting data from the Tenable platform.

Complete the following steps to configure the OT Security App For QRadar v2.0:

  1. Go to the QRadar Log Source Management application in the Admin panel.

    The Log Source Management page appears.

  2. Click + New Log Source in the upper-right.

    The Log Source Management page appears.

  3. Select Tenable.ot Platform as the Log Source type.

  4. Select Syslog as the protocol type.

  5. In the Configure Log Source Parameters section, enter the name of the log source in the Name box.

    1. Enable the log source by clicking the Enabled/Disabled switch to Enabled.
    2. Select TenableotPlatformCustom_ext as the log source extension.
    3. Disable Coalescing Events by clicking the Enabled/Disabled switch to Disabled

  6. In the Configure Protocol Parameters section, enter the Log Source Identifier. This Identifier is the hostname/IP address from the data to be forwarded.

  7. Click Finish.

What to do next: