Hi everyone,
I'm working on a project to integrate IBM QRadar SIEM with Elastic Security. The goal is to use Elastic specifically for its SOAR capabilities (Case Management, Automation, Response Actions) while keeping QRadar as the primary log collector.
The setup:
- All logs are currently ingested by QRadar.
- I want to forward these logs to Elastic without redeploying agents (like Elastic Agent) to the endpoints.
- Elastic should act as the incident management and orchestration layer.
My questions:
- Ingestion Strategy: What is the best practice for forwarding data from QRadar? Should I use a standard Syslog Destination (LEEF format) or poll the QRadar API for Offenses/Events via Logstash?
- ECS Mapping: Does anyone have experience mapping QRadar LEEF fields to Elastic Common Schema (ECS)? I'm looking for Logstash configurations or Ingest Pipelines to ensure the "Security" app in Elastic correctly recognizes the data.
- SOAR Efficiency: Since I won't have Elastic Agents on the hosts for "Response Actions" (like host isolation), how far can I get with Webhook/Rest API connectors for automated response?
Any advice, architecture diagrams, or common pitfalls would be greatly appreciated. Thanks!
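Added example (not part of the original post or any vendor code) for the ECS mapping question: a LEEF 1.0/2.0 parser that applies a QRadar-key-to-ECS table and the type coercion the Security app's `ip` and `long` mappings need, written in Python so the field logic can be checked before it is reproduced as a Logstash `kv` filter or an ingest pipeline. The LEEF-to-ECS table, the `leef.*` fallback namespace and the sample record are my assumptions; the ECS field names themselves are standard.

```python
import re
from ipaddress import ip_address

# Well-known LEEF extension keys and the ECS field each lands in (my mapping; ECS names are
# real). Keys with no mapping, or whose value fails ECS typing, are kept under "leef.*".
LEEF_TO_ECS = {
    "src": "source.ip", "dst": "destination.ip",
    "srcPort": "source.port", "dstPort": "destination.port",
    "proto": "network.transport", "usrName": "user.name",
    "sev": "event.severity", "action": "event.action",
}
INT_FIELDS = {"source.port", "destination.port", "event.severity"}
IP_FIELDS = {"source.ip", "destination.ip"}
HEADER_RE = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")  # .search() so a syslog prefix is tolerated
# Constructed sample of a syslog-forwarded LEEF 2.0 event that uses "^" as its delimiter.
SAMPLE = ("<13>Jan 12 10:15:00 qradar LEEF:2.0|IBM|QRadar|7.5|FirewallPermit|^|"
          "src=10.0.0.5^dst=192.168.1.10^srcPort=51515^dstPort=443^proto=TCP^usrName=jdoe^sev=7^action=allowed")

def _resolve_delim(token):
    # LEEF 2.0 delimiter field: one literal character or a hex code such as x09 / 0x09
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", token)
    return chr(int(m.group(1), 16)) if m else (token if len(token) == 1 else None)

def parse_leef(line):
    """Parse one LEEF 1.0/2.0 record into a flat dict keyed by dotted ECS field names."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not a LEEF record")
    parts = line[m.end():].split("|", 5)  # vendor|product|version|eventID|[delim|]extension
    vendor, product, version, event_id = parts[:4]  # ValueError if the header is truncated
    delim, ext = "\t", "|".join(parts[4:])  # LEEF 1.0, and 2.0 without a delimiter field, use TAB
    if m.group("ver") == "2.0" and len(parts) == 6 and (d := _resolve_delim(parts[4])) is not None:
        delim, ext = d, parts[5]
    event = {"observer.vendor": vendor, "observer.product": product,
             "observer.version": version, "event.code": event_id, "event.kind": "event"}
    for pair in ext.split(delim):
        key, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not key:
            continue
        field = LEEF_TO_ECS.get(key, f"leef.{key}")
        try:  # coerce to the ECS type so the ip/long index mappings accept the document
            if field in INT_FIELDS:
                value = int(value)
            elif field in IP_FIELDS:
                value = str(ip_address(value))
            elif field == "network.transport":
                value = value.lower()
        except ValueError:
            field = f"leef.{key}"  # keep the raw value rather than drop it or reject the event
        event[field] = value
    return event
```

Dotted keys such as `source.ip` are expanded into objects on indexing, so the dict can be sent as-is; the `leef.*` fallback is what keeps a malformed `src` or `srcPort` from causing a mapping rejection of the whole event.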