5

Leaving No Data Behind

In the previous chapter, we learned how event data is collected and consumed by QRadar: protocols are needed to collect data, while Device Support Modules (DSMs) are required to parse it. Consider a scenario where we want to ingest event data into QRadar but there is no supported DSM for that log source. The first step is to find out which DSMs are supported.

Every month, IBM releases a new DSM guide, a document describing how to integrate log sources with QRadar. If your log source is not part of this DSM guide, the ingested event data is categorized as either Stored or Unknown, and it is not parsed. Unparsed events cannot be correlated, because rules have nothing to match against. So, whatever event data we are ...
