Tenable.ot Log Extension for QRadar

Overview

Tenable.ot enables operational engineers and cybersecurity personnel to gain visibility into, and control over, Industrial Control System (ICS) networks. Through its policies and alerts mechanism, Tenable.ot generates real-time alerts that are accurate, actionable, and customized for each network and its unique needs.

Tenable.ot detects unauthorized changes made to industrial processes in ICS networks. It can produce various alerts on changes in the configuration of controllers (PLC, DCS, IED), details, communications, and alert on a range of network attack vectors that may threaten industrial processes. Tenable.ot also actively verifies the controllers’ configuration and alerts on changes made to them.

Tenable.ot reports these alerts to QRadar via Syslog. For each individual policy, users can decide whether an alert should be sent to QRadar via Syslog; this offers them maximum control over which information is being sent.

Installing the Tenable.ot Extension

In order to integrate Tenable.ot with your QRadar system, you need to download the Tenable.ot extension from the IBM X-Force Exchange and install it.

To download and install the extension:

1. In the IBM QRadar console, open the Admin tab.

2. In the System Configuration section, click on Extension Management.

   

3. In the Extension Management window, click Add and select the TenableotCustom_ext archive file.

4. Select the Install Immediately checkbox to install the extension immediately. Before the extension is installed, a preview list of the content items is displayed.

Configuring a Tenable.ot Log Source

To configure Tenable.ot as a log source:

1. In the Data Sources section of the Admin tab, click on Log Sources.

   

2. In the Log Source window click on Add.

   

3. The Add a log source window opens.

   

4. In the Log Source Type field, select Tenable.ot.

5. In the Log Source Extension field, select TenableotCustom_ext.

6. Fill in the additional fields as needed and click Save.

For information on how to send alerts to QRadar, see Sending Tenable.ot Alerts to QRadar.