Incident Response Perspective: SureLog SIEM vs. IBM QRadar

Ertugrul Akbas
4 min read · Apr 13, 2024

When responding to an incident, you’re in a race against time to investigate and resolve it before damage is done.

SureLog SIEM allows SOC analysts to save up to 70% of their time when the threat detection scenario is advanced or has multiple steps. Consider the following three-step scenario as an example:

· A user is created.

· Then, this user logs into another machine.

· Afterward, an attempt is made to access the internet from this machine, but it is blocked by the Firewall.

In this case, as a SOC analyst, I would like the incoming alarm email to present the following information ready and in one place, so that I do not have to search the logs several times:

• The created user and the username that created this user.

• The machine logged into in the second step.

• The URL blocked in the last step and the raw logs of all three steps.

It would cost the SOC analyst significant time to find this information manually by examining the rule that raised the alarm, looking at the related rules, and then searching the logs.

In contrast, when comparing SureLog SIEM with IBM QRadar, SureLog SIEM can save up to 70% of this time by presenting all of this information, together with the related raw logs, to the SOC analyst in one go in the alarm email. In QRadar, the SOC analyst has to find this information manually by examining the rule related to the alarm, looking at the related rules, and searching the logs. IBM QRadar does let you add information to the notification according to a mail template chosen on the Rule Response screen.

The data, values, and information that can be added to an IBM QRadar mail template are limited. These limits are shown in the screenshots below [1,2].

In SureLog SIEM, the actions of threat detection (correlation) rules, which QRadar calls Rule Responses, are executed differently from Rule Responses in IBM QRadar. SureLog SIEM configures them visually, so there is no need to edit XML files by hand. This is especially useful for complex or multi-step threat detection rules, because the data, values, fields, and information of each step can be added to the action without any limitation. In the screenshots below, the parameters (fields of the event/parsed log, including the raw log) available for each step of the correlation rule are marked in red, with each step of the rule labeled [1], [2], [3].

Here’s a breakdown of the steps:

· Step [1]: A user is created. You can visually select the fields of the event/parsed log, including the raw log, from the red [1] section of the rule action.

· Step [2]: The user logs into another machine. Fields of the event/parsed log, including the raw log, can be selected from the red [2] section of the rule action visually.

· Step [3]: An attempt is made to access the internet from this machine, but it is blocked by the Firewall. Fields of the event/parsed log, including the raw log, can be selected from the red [3] section of the rule action visually.

After the desired parameters or values for each step are selected visually, they are automatically added to the incident management record and included in the alarm email. This way, the SOC analyst does not have to waste time searching for the information, parameters, or original log of each step, and gains critical time to respond to the incident quickly.
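To make concrete what the three steps and the "everything in one alarm" wish list above amount to in practice, here is a small correlation engine written for this page. It is an added example, not SureLog's or QRadar's own code, and the log lines, the asset inventory (hostname to IP, used to join the firewall's source address back to the machine from step [2]), and the field names are all constructed. Each rule step has a match predicate that can see the fields captured by earlier steps (that is the join), and a capture list naming the fields that must end up in the alarm; the raw line of every matched event is carried along so the analyst never has to go back to the log store.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real captures), already in time order. Step 1 is a
# Windows 4720 (user created) on DC01; step 2 a 4624 network logon with that new
# account on FS02; step 3 a firewall deny for FS02's address. The 4624 for "bob"
# is a decoy: the join on the created user name must skip it.
SAMPLE_LOGS = [
    "2024-04-13T10:01:02Z host=DC01 EventID=4720 SubjectUserName=admin.jane TargetUserName=svc_backup",
    "2024-04-13T10:02:30Z host=FS02 EventID=4624 TargetUserName=bob LogonType=3 IpAddress=10.0.7.2",
    "2024-04-13T10:03:15Z host=FS02 EventID=4624 TargetUserName=svc_backup LogonType=3 IpAddress=10.0.5.23",
    "2024-04-13T10:04:40Z host=FW01 action=deny src=10.0.5.40 dst=203.0.113.9 url=http://203.0.113.9/update.bin",
]

# Constructed asset inventory (hostname -> IP) so step 3's firewall "src" can be
# joined back to the machine identified by hostname in step 2.
ASSET_IP = {"DC01": "10.0.5.10", "FS02": "10.0.5.40"}


def parse(line):
    """Turn one 'ts key=value ...' line into a dict, keeping the raw line."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["_ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["_raw"] = line
    return ev


# The three-step rule. "match" decides whether an event advances a chain, given the
# fields captured so far (st); "capture" names the event fields carried into the alarm.
RULE = {
    "name": "New account used on another host, then outbound access blocked",
    "window": timedelta(minutes=10),
    "steps": [
        {   # [1] a user is created
            "match": lambda ev, st: ev.get("EventID") == "4720",
            "capture": {"created_user": "TargetUserName", "created_by": "SubjectUserName",
                        "created_on": "host"},
        },
        {   # [2] that user logs on to a machine other than the one it was created on
            "match": lambda ev, st: (ev.get("EventID") == "4624"
                                     and ev.get("TargetUserName") == st["created_user"]
                                     and ev.get("host") != st["created_on"]),
            "capture": {"logon_host": "host"},
        },
        {   # [3] outbound access from that machine is blocked by the firewall
            "match": lambda ev, st: (ev.get("action") == "deny"
                                     and ev.get("src") == ASSET_IP.get(st["logon_host"])),
            "capture": {"blocked_url": "url"},
        },
    ],
}


def correlate(lines, rule):
    """Run the rule over time-ordered log lines; return one alarm per completed chain."""
    partials, alarms = [], []
    for ev in map(parse, lines):
        fresh = {"next": 0, "started": ev["_ts"], "fields": {}, "raw": []}
        survivors = []
        for p in partials + [fresh]:
            if ev["_ts"] - p["started"] > rule["window"]:
                continue                      # chain expired: drop it
            step = rule["steps"][p["next"]]
            if not step["match"](ev, p["fields"]):
                if p["next"] > 0:
                    survivors.append(p)       # still waiting for its next step
                continue
            adv = {
                "next": p["next"] + 1,
                "started": p["started"],
                "fields": {**p["fields"], **{k: ev.get(f) for k, f in step["capture"].items()}},
                "raw": p["raw"] + [ev["_raw"]],
            }
            if adv["next"] == len(rule["steps"]):
                alarms.append({"rule": rule["name"], **adv["fields"], "raw_logs": adv["raw"]})
            else:
                survivors.append(adv)
        partials = survivors
    return alarms


def render_email(alarm):
    """Format the alarm the way the analyst wants it: every field plus every raw log."""
    lines = [f"ALARM: {alarm['rule']}",
             f"[1] user {alarm['created_user']} created by {alarm['created_by']} on {alarm['created_on']}",
             f"[2] {alarm['created_user']} logged on to {alarm['logon_host']}",
             f"[3] outbound request to {alarm['blocked_url']} blocked by firewall",
             "Raw logs:"]
    lines += [f"  [{i}] {raw}" for i, raw in enumerate(alarm["raw_logs"], 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_LOGS, RULE):
        print(render_email(alarm))
```

Running it prints one alarm carrying the created user and its creator, the machine logged into, the blocked URL, and the three raw lines; the decoy logon for "bob" never appears because the join in step [2] rejects it. Two things a practitioner should check in any engine of this kind are visible here: a chain that has not completed within the rule's window is discarded rather than matched against a much later event, and a chain can only start at step [1], so a firewall deny with no preceding account creation produces nothing.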

IBM QRadar has a strong correlation capability, but that capability is bounded by the restrictions of the third-party correlation engine it uses. IBM QRadar has been using an old version of a correlation engine called Eventgnosis [3], which has had no activity since 2015. Below, you can see this on the main screen of QRadar.

You can also see this on the main screen of the Eventgnosis website.

With this advantage, especially in the incident response phase, if your threat detection algorithm consists of multiple steps, SureLog SIEM lets the SOC analyst or SIEM administrator find the critical data needed to resolve the entire incident significantly faster than IBM QRadar. For multi-step detection rules this speed-up can reach 70%.

References

1- https://www.ibm.com/docs/en/qradar-on-cloud?topic=notifications-configuring-event-flow-custom-email

2- https://www.ibm.com/docs/en/qradar-on-cloud?topic=notifications-configuring-custom-offense-email

3- http://www.eventgnosis.com/
