By Robert MacAdams on Sunday, 19 May 2019
Category: IBM QRadar

QRadar vs Splunk SIEM What You Need To Know BEFORE switching in 2019

This QRadar vs Splunk comparison will help anyone planning on switching in 2019 from Splunk to QRadar SIEM. It will also help anyone just curious to see the additional functionality QRadar has in comparison to Splunk.

First Get the FREE Splunk to QRadar SIEM App!

You should check out the free Splunk to QRadar SIEM App, which forwards raw Splunk Enterprise data to QRadar for analysis using either the Heavy Forwarder or the Universal Forwarder. Once the Splunk to IBM QRadar SIEM app connects, it displays all the log sources; you select the ones you want, and the app edits the Splunk configuration files to start forwarding those event logs to QRadar in LEEF format. The QRadar SIEM parses event logs from Splunk the same way it parses event logs from any other data source, and the preexisting auto-detection settings work as expected. This forwarding app is a great way to see the differences between Splunk and QRadar and to determine which SIEM performs better for automation, false positive alerts, AI cybersecurity, internal user threats and the other important features you would expect from an enterprise SOC.

QRadar Out of the Box Benefits

The QRadar SIEM App For Splunk Data Forwarding makes the process very quick and simple: enter the IP address of your Splunk instance, and the app discovers the event logs collected in your Splunk environment that can be forwarded. QRadar uses machine learning, cybersecurity AI and User Behavior Analytics to automate most of the security tasks your operators perform today to investigate threats and minimize false positives. The QRadar app works with both the Universal Forwarder and the Heavy Forwarder.

Getting Started

The QRadar SIEM app setup is a bit faster and more straightforward for companies not using Splunk's Heavy or Universal Forwarder, who can simply follow the wizard. All content retrieval is done from the app database. The very first step is to set sendCookedData to false, which tells the Splunk forwarder to send raw data to QRadar. You will also need to create an authentication token in the Manage Authorized Services window on the Admin tab and use it to authenticate the API calls that the QRadar app makes to Splunk.

The port number that you use in the Splunk Forwarder must match the port you use for QRadar. Every QRadar listening port accepts up to 50 inbound forwarder connections, and you can create multiple Splunk Forwarder log sources on different ports. This port connection limit is not the number of log sources; it is only a limit to the number of forwarder connections. If your source's event log data is all on a single line, use port 514 to forward the logs to QRadar. If the source's event log data is on multiple lines, use port 12468.

One of the first screens in the Splunk forwarding app wizard shows a list of event log sources you can choose to forward. You can narrow the list of Splunk instances by searching for sources based on location, description or source type, although if the Splunk admin has not defined any source types, data sources appear in the list as 'Not defined'. The Splunk forwarding app also allows some simple aggregation of the logs: if you want to combine multiline events, you identify a message ID pattern and the app joins the matching lines into a single event log. Before you start forwarding event logs to QRadar, you can preview how the logs will appear in QRadar. You can also copy the data to your clipboard to share with an administrator who edits the Splunk instance files (props.conf, transforms.conf, outputs.conf).

Companies using Splunk's Universal Forwarder to send data to QRadar cannot route filtered or content-specific subsets of data from a particular data source; all data must be forwarded.

For companies using Splunk's Heavy Forwarder, an app called qradar_forwarding_app is added to the Splunk apps directory; it may install up to three configuration files (props.conf, transforms.conf, outputs.conf), which determine how event logs are forwarded to QRadar. If no forwarding conditions exist, confirm there are no conflicting higher-priority rules that would prevent forwarding to the QRadar SIEM. If a forwarding group is already set up, changes made in the app might alter the Splunk transforms.conf and props.conf files, so the app displays a warning if any forwarding groups already exist. You may also need to check whether any blacklist settings will prevent forwarding of your event logs; review the outputs.conf configuration file for errors. Splunk's Enterprise Troubleshooting Manual is your best source to confirm your setup is correct.

Splunk will only begin forwarding the event logs to QRadar after the app initiates a restart of the Splunk instance.
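The setup steps above boil down to a handful of conditions you can check before the restart: sendCookedData must be false, the forwarder port must be 514 for single-line or 12468 for multi-line events and must match the QRadar log source port, no QRadar port may exceed 50 forwarder connections, and multi-line events can be collapsed by a message ID pattern. The script below is an added example, not the forwarding app's code, that checks those conditions against a constructed outputs.conf and shows a message-ID join over constructed log lines. The stanza name qradar_forwarding, the host addresses and the msgid= pattern are all assumptions made for the sample.

```python
"""Pre-flight checks for Splunk-to-QRadar raw forwarding (added example, not the app's code)."""
import configparser
import re
from collections import Counter

SINGLE_LINE_PORT = 514          # QRadar port for single-line event logs
MULTI_LINE_PORT = 12468         # QRadar port for multi-line event logs
MAX_FORWARDERS_PER_PORT = 50    # inbound forwarder connections per QRadar listening port

# Constructed sample outputs.conf; the stanza name qradar_forwarding is an assumption.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.5:9997

[tcpout:qradar_forwarding]
server = 192.0.2.10:514
sendCookedData = false
"""

# Constructed sample event lines; "msgid=<n>" is an assumed message-ID pattern.
SAMPLE_LINES = [
    "May 19 10:00:01 host1 app: msgid=1001 login failed user=alice",
    "May 19 10:00:01 host1 app: msgid=1001 src=198.51.100.7 reason=bad_password",
    "    stack: auth.c:42",
    "May 19 10:00:02 host1 app: msgid=1002 login ok user=bob",
]
MSG_ID_RE = re.compile(r"\bmsgid=(\S+)")


def parse_outputs_conf(text):
    """Parse Splunk's INI-style outputs.conf, keeping camelCase keys as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def port_of(server):
    """Extract the integer port from a 'host:port' server entry."""
    return int(server.rsplit(":", 1)[1])


def check_qradar_output_group(text, group, multiline, qradar_port):
    """Return a list of problems with the tcpout group that feeds QRadar (empty = OK)."""
    cp = parse_outputs_conf(text)
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        return [f"missing stanza [{stanza}]"]
    sec = cp[stanza]
    problems = []
    # Splunk defaults sendCookedData to true; QRadar needs raw events, so it must be false.
    if sec.get("sendCookedData", "true").strip().lower() != "false":
        problems.append("sendCookedData must be false so raw events reach QRadar")
    try:
        port = port_of(sec.get("server", ""))
    except (IndexError, ValueError):
        return problems + ["server entry has no port"]
    expected = MULTI_LINE_PORT if multiline else SINGLE_LINE_PORT
    if port != expected:
        kind = "multi-line" if multiline else "single-line"
        problems.append(f"port {port} is wrong for {kind} events; use {expected}")
    if port != qradar_port:
        problems.append(f"forwarder port {port} does not match QRadar log source port {qradar_port}")
    return problems


def over_limit_ports(forwarder_servers, limit=MAX_FORWARDERS_PER_PORT):
    """Map each QRadar port to its forwarder count where that count exceeds the limit."""
    counts = Counter(port_of(s) for s in forwarder_servers)
    return {p: n for p, n in counts.items() if n > limit}


def join_multiline_events(lines, msg_id_re=MSG_ID_RE):
    """Join lines sharing a message ID into one event; ID-less lines attach to the previous event."""
    events, current_id = [], None
    for line in lines:
        m = msg_id_re.search(line)
        if m and (m.group(1) != current_id or not events):
            current_id = m.group(1)           # a new message ID starts a new event
            events.append(line.strip())
        elif events:
            events[-1] += " " + line.strip()  # same ID or a continuation line: merge
        else:
            events.append(line.strip())       # continuation with nothing to attach to
    return events


if __name__ == "__main__":
    print(check_qradar_output_group(SAMPLE_OUTPUTS_CONF, "qradar_forwarding", False, 514))
    for event in join_multiline_events(SAMPLE_LINES):
        print(event)
```

Run it against the outputs.conf the app wrote (and the server entries of all forwarders pointed at one QRadar host) before the Splunk restart; an empty problem list for the QRadar group and no over-limit ports means the forwarding conditions the post describes are satisfied.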

https://www.youtube.com/watch?v=e21eHgvwnyU

Sometimes the grass really is greener! Download the QRadar SIEM App For Splunk Data Forwarding from the X-Force App Exchange and start comparing! To get started, you will first need a QRadar environment set up, most likely using the free Community Edition. At the time of this app's release, it only supports a local QRadar SIEM deployment; check back for updates if you are interested in a cloud deployment, which this Splunk forwarding app does not support.

Contact us if you have any questions or need assistance getting started! 
