
How to Add Behavioral Threat Detection to Your SIEM

The ExtraHop App for IBM QRadar

IBM QRadar SIEM provides security teams with a platform for correlating events and intelligence from throughout the IT environment, and coordinating detection and response workflows. However, the modern attack surface is vast and permeable. When an attacker makes it inside your network, SIEM tools need to detect the subtle behaviors that indicate an attack in progress, especially when it comes to unknown threats. That's why leading SIEM vendors recommend augmenting your existing data with network traffic analysis to protect critical assets and drive proactive security.

The ExtraHop app for IBM QRadar SIEM is engineered to make your professional life easier and your organization more secure by seamlessly integrating ExtraHop Reveal(x), network traffic analysis for the enterprise, with IBM QRadar. Reveal(x) applies machine learning and other analysis to east-west traffic for real-time detection of known and unknown threats, complementing QRadar's existing dataset with rich transactional data from the network, advanced behavioral analytics, and guided investigations.


How It Works

There are two components to the integration:

  1. The ExtraHop App for QRadar contains a "Device Support Module" (DSM) for Reveal(x) detections. The DSM provides the data model that lets QRadar parse the messages it receives from ExtraHop and store each detection as a QRadar log event.
  2. The ExtraHop Detection SIEM Connector bundle contains a trigger that executes every time the ExtraHop appliance creates or updates a detection. The trigger formats a message containing the detection data and sends it to QRadar over the syslog protocol.
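The two-component flow above, as an added example that is not ExtraHop's or IBM's code: a sender that encodes a constructed detection as a LEEF record inside an RFC 5424 syslog line (the trigger's job), and a receiver-side parser that plays the Device Support Module's role and turns the line back into structured fields. The detection field names, the choice of LEEF as the message body, the escaping convention, the vendor/product/version strings and the UDP transport are all assumptions for this example; the page does not describe the connector's actual message format.

```python
"""Added illustration of a detection travelling over syslog to a SIEM and
being parsed on arrival. Field names, LEEF encoding, escaping convention and
transport are assumptions for this example, not ExtraHop's actual schema."""
import re
import socket
from datetime import datetime, timezone

# Constructed sample detection; the field names are assumed for this example.
SAMPLE_DETECTION = {
    "id": 4711,
    "title": "Unusual SMB file share enumeration",
    "risk_score": 72,
    "offender": "10.0.5.23",
    "victim": "10.0.1.10",
    "start_time": "2024-01-15T08:42:11Z",
    "update": False,  # True when the sensor updates an existing detection
}

FACILITY_LOCAL0 = 16
SEVERITY_WARNING = 4


def leef_escape(value):
    """Escape backslash, tab and '=' so a value cannot break the attribute list
    (an escaping convention assumed here; LEEF 1.0 does not mandate one)."""
    return (str(value).replace("\\", "\\\\")
            .replace("\t", "\\t").replace("=", "\\="))


def leef_unescape(value):
    """Reverse leef_escape."""
    return re.sub(r"\\(.)", lambda m: "\t" if m.group(1) == "t" else m.group(1), value)


def format_detection(det, hostname="revealx-sensor", timestamp=None):
    """Sender side: encode a detection as an RFC 5424 syslog line whose message
    body is a LEEF 1.0 record, QRadar's native event format. Vendor, product
    and version strings are placeholders."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_WARNING
    event_id = "detection.update" if det["update"] else "detection.create"
    attrs = {
        "detectionId": det["id"],
        "title": det["title"],
        "riskScore": det["risk_score"],
        "src": det["offender"],
        "dst": det["victim"],
        "startTime": det["start_time"],
    }
    body = "\t".join(f"{k}={leef_escape(v)}" for k, v in attrs.items())
    leef = f"LEEF:1.0|ExtraHop|Reveal(x)|0.0-example|{event_id}|{body}"
    # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    return f"<{pri}>1 {timestamp} {hostname} revealx - - - {leef}"


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$",
    re.S)
LEEF_RE = re.compile(
    r"^LEEF:(?P<ver>[\d.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|[^|]*\|"
    r"(?P<event_id>[^|]*)\|(?P<attrs>.*)$", re.S)


def parse_syslog_leef(line):
    """Receiver side (the DSM's data model): split the syslog header from the
    LEEF body and return structured fields. Lines that are not syslog/LEEF
    raise ValueError instead of being silently stored as events."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    h = LEEF_RE.match(m.group("msg"))
    if not h:
        raise ValueError("message body is not a LEEF record")
    attrs = {}
    for field in h.group("attrs").split("\t"):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {field!r}")
        attrs[key] = leef_unescape(value)
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "vendor": h.group("vendor"),
        "product": h.group("product"),
        "event_id": h.group("event_id"),
        "attrs": attrs,
    }


def send_udp_syslog(line, host, port):
    """Deliver one syslog message over UDP (transport assumed for this example;
    the page does not say which transport the connector uses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Loopback round trip: listen on an ephemeral UDP port, send, then parse.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        send_udp_syslog(format_detection(SAMPLE_DETECTION), *listener.getsockname())
        data, _ = listener.recvfrom(65535)
    record = parse_syslog_leef(data.decode("utf-8"))
    print(record["event_id"], record["attrs"]["riskScore"], record["attrs"]["title"])
```

Two details matter on the receiving side of any such integration. The parser refuses lines that are not well-formed syslog/LEEF rather than storing them as half-parsed events, which keeps malformed or spoofed input visible instead of quietly polluting the event store. And the sender escapes delimiters inside values, so a detection title that happens to contain a tab or `=` cannot inject extra attributes into the record the SIEM indexes.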

Why It's Valuable

The ExtraHop App for IBM QRadar combines what Reveal(x) does best — providing complete visibility, real-time detection, and guided investigation — with IBM QRadar's best-in-class security information and event management capabilities.

By automatically importing real-time Reveal(x) detections to a tab conveniently located in your QRadar user interface, you gain a complete picture of suspicious or anomalous behavior anywhere in your enterprise environment:

[Screenshot: ExtraHop tab in IBM QRadar]

When you need to dig deeper, you can easily pivot to ExtraHop and drill down into context-rich packets for forensic detail:

[Screenshot: ExtraHop tab in IBM QRadar]

How to Get Started

To start using the ExtraHop App for IBM QRadar:

If you would like more information about the ExtraHop App for IBM QRadar, please visit our QRadar integration page.
