Sending Tenable.ot Alerts to QRadar

Overview

To send Tenable.ot alerts to QRadar, first add your QRadar system to Tenable.ot as a Syslog server. Then, for each relevant Policy, specify QRadar as a target for receiving alerts.

Connecting QRadar to Tenable.ot

To connect your QRadar Syslog server to Tenable.ot:

  1. In the Tenable.ot console, under Local Settings, go to the Servers > Syslog Servers screen.
  2. Click + Add Syslog Server. The Syslog Server configuration window is displayed.

  3. In the Server Name field, enter a name for your QRadar system.
  4. In the Hostname\IP field, enter the IP address of your QRadar system.

  5. In the Port field, enter the port number on the QRadar system to which the events will be sent. (Default value is 514)

  6. In the Transport field, select from the dropdown list the transport protocol to be used. (Options are TCP or UDP)

  7. Click Send Test Message to verify the configuration, and check that the message has arrived. If the message did not arrive, troubleshoot to find the cause of the problem and correct it.

  8. Click Save.
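
To check step 7 independently of QRadar, the listener below (an added example, not Tenable or IBM code) binds the Port and Transport chosen in the Syslog Server window and reports the first message that arrives. The function names are illustrative, the `<PRI>` decoding follows the standard syslog header rather than any documented Tenable.ot format, and it assumes a host where the port is not already held by QRadar's own syslog collector.

```python
import re
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def open_listener(transport, port=514, host="0.0.0.0"):
    """Bind a socket matching the Transport and Port set in the Syslog Server window."""
    kind = socket.SOCK_STREAM if transport.upper() == "TCP" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    if kind == socket.SOCK_STREAM:
        sock.listen(1)
    return sock

def wait_for_message(sock, timeout=30.0):
    """Return (sender_ip, text) for the first message, or None if nothing arrives."""
    sock.settimeout(timeout)
    try:
        if sock.type == socket.SOCK_DGRAM:
            data, peer = sock.recvfrom(65535)
        else:
            conn, peer = sock.accept()
            with conn:
                conn.settimeout(timeout)
                data = b""
                while b"\n" not in data:  # read one line, or until the sender closes
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
    except socket.timeout:
        return None
    return peer[0], data.decode("utf-8", errors="replace").strip()

def decode_pri(text):
    """Decode the standard syslog <PRI> header into (facility, severity name)."""
    m = re.search(r"<(\d{1,3})>", text)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return pri >> 3, SEVERITIES[pri & 7]

if __name__ == "__main__":
    # Start this, then click Send Test Message. Binding port 514 needs root.
    got = wait_for_message(open_listener("UDP", 514), timeout=60)
    print("no message arrived" if got is None else (got, decode_pri(got[1])))
```

If nothing arrives within the timeout, the usual suspects are a Transport mismatch between the two ends or a firewall between Tenable.ot and the receiver blocking the chosen port.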

Specifying QRadar as a Target for Policy Alerts

To configure a policy to send alerts to QRadar:

  1. Create a new Policy or edit an existing Policy.
  2. Fill in all fields as needed.
  3. On the Policy Actions page, under Syslog, select your QRadar system.

  4. Click Create (or Save if you are editing a Policy).

To configure multiple Policies (bulk process) to send alerts to QRadar:

  1. On the Policies screen, select the checkbox next to each of the desired Policies.
  2. Click on the Bulk Actions menu and select Edit from the dropdown list.

  3. The Bulk Edit screen is shown with the Policy Actions available for bulk editing.

  4. Under Syslog, select the checkbox next to your QRadar system.

  5. Click Save.

    The Policies are saved with the new configuration.