IBM QRadar Integration

Advanced security correlation and automated incident response

Overview

IBM QRadar provides enterprise-grade SIEM capabilities with advanced security analytics and automated incident response. TYCHON Quantum Readiness integrates with QRadar through a custom DSM (Device Support Module) and log source configuration.

Enterprise SIEM: Advanced correlation rules, automated threat hunting, compliance reporting, and integration with IBM Security ecosystem.

QRadar Log Source Setup

1. Create Custom DSM for TYCHON

Configure QRadar to recognize and parse TYCHON Quantum Readiness output

DSM Pattern Configuration

<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
    <pattern id="TychonCertEvent" xmlns="event_parsing/pattern">
        <![CDATA[
        ^(?<timestamp>\S+)\s+(?<hostname>\S+)\s+TYCHON:\s+(?<event_data>.+)$
        ]]>
    </pattern>
    
    <event-match-single pattern-id="TychonCertEvent" xmlns="event_parsing/event_match">
        <!-- Certificate Discovery Event -->
        <event category-id="6003" severity-id="5">
            <!-- Map certificate data to QRadar fields -->
            <property-mapping>
                <property name="SourceIP" xpath="/event_data/observer/ip"/>
                <property name="DestinationIP" xpath="/event_data/target_host/address"/>
                <property name="DestinationPort" xpath="/event_data/target_host/port"/>
                <property name="EventName" value="Certificate Discovery"/>
                <property name="Message" xpath="/event_data"/>
            </property-mapping>
        </event>
    </event-match-single>
</device-extension>
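To try the DSM pattern against sample lines before importing it, here is an added Python check (not TYCHON or QRadar code) that applies the same regular expression and pulls out the fields the property mapping above references. The event layout (observer.ip, target_host.address, target_host.port) and the sample lines are assumptions for the demonstration.

```python
import json
import re

# Same expression as the DSM <pattern> element; Java's (?<name>...) groups
# are written (?P<name>...) in Python, otherwise the regex is identical.
TYCHON_SYSLOG = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+TYCHON:\s+(?P<event_data>.+)$"
)

# JSON paths taken from the DSM <property-mapping> above (assumed event layout).
PROPERTY_PATHS = {
    "SourceIP": ("observer", "ip"),
    "DestinationIP": ("target_host", "address"),
    "DestinationPort": ("target_host", "port"),
}

def lookup(doc, path):
    """Walk a nested dict along path; None if any key is missing."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def parse_tychon_line(line):
    """Return the QRadar properties the DSM would populate for one syslog line,
    or None when the line would not match (QRadar would store it unparsed)."""
    m = TYCHON_SYSLOG.match(line)
    if m is None:
        return None
    try:
        event = json.loads(m.group("event_data"))
    except json.JSONDecodeError:
        return None  # matched the envelope but the payload is not JSON
    props = {name: lookup(event, path) for name, path in PROPERTY_PATHS.items()}
    props["EventName"] = "Certificate Discovery"  # fixed value in the DSM
    return props

# Constructed sample lines (not real scanner output).
SAMPLE_LINES = [
    '2024-05-01T02:00:01Z scanner01 TYCHON: {"observer": {"ip": "10.0.0.5"}, '
    '"target_host": {"address": "10.0.1.20", "port": 443}, '
    '"certificate": {"not_after": "2024-05-20T00:00:00Z"}}',
    "2024-05-01T02:00:02Z scanner01 sshd[123]: Accepted publickey for ops",
    "2024-05-01T02:00:03Z scanner01 TYCHON: not-json",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tychon_line(line))
```

The pattern assumes a single-token timestamp (RFC 5424 / ISO 8601 style); a classic RFC 3164 timestamp such as "May  1 02:00:01" contains spaces and will not match, so check which format your syslog forwarder emits.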

2. Configure Log Source

Syslog Collection

  1. Navigate to Admin → Data Sources → Log Sources
  2. Click Add Log Source
  3. Select Syslog as protocol type
  4. Set Log Source Type: TYCHON Quantum Readiness
  5. Configure Log Source Identifier

File Collection

  1. Select Log File as protocol type
  2. Configure Log Source Type: TYCHON Quantum Readiness
  3. Set file path: /var/log/tychon/*.json
  4. Enable Recursive Directory Scan
  5. Set parsing: Single Line Event

Scanner Configuration for QRadar

Syslog Integration

Windows

# Configure Windows Event Log forwarding to QRadar
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
  -outputformat eventlog `
  -tags "qradar,production,siem"

# Alternative: Direct syslog to QRadar
.\certscanner-windows-amd64.exe -host production-hosts.txt -cipherscan `
  -outputformat flatndjson `
  -logfile "\\.\pipe\qradar-syslog" `
  -tags "qradar,production"

# Scheduled scanning with QRadar integration
$action = New-ScheduledTaskAction -Execute "C:\Tools\certscanner.exe" `
  -Argument "-mode local -scanmemory -scanfilesystem -outputformat eventlog -tags 'qradar,scheduled'"
$trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "TYCHON QRadar Integration"

Linux

# Configure rsyslog to forward to QRadar
# Add to /etc/rsyslog.conf:
# *.* @qradar-collector.company.com:514

# Scanner with syslog integration
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
  -outputformat flatndjson \
  -output /dev/stdout | \
  logger -t TYCHON -p local0.info

# Direct file output for QRadar collection
./certscanner-linux-x64 -host production-hosts.txt -cipherscan \
  -outputformat tychon \
  -output "/var/log/tychon/scan-$(date +%Y%m%d_%H%M%S).json" \
  -tags "qradar,production"

# Scheduled scanning with automatic forwarding
# The schedule line carries a user field (root), which is only valid in
# /etc/cron.d or /etc/crontab; piping it into "crontab -" would also replace
# the invoking user's entire crontab, so install it as a cron.d fragment.
cat <<'EOF' | sudo tee /etc/cron.d/tychon-qradar
0 2 * * * root /opt/tychon/certscanner -mode local -scanmemory -scanfilesystem -outputformat tychon -output /var/log/tychon/local-scan.json -tags 'qradar,scheduled' && logger -t TYCHON -f /var/log/tychon/local-scan.json
EOF

macOS

# Configure syslog forwarding to QRadar (Intel Macs)
./certscanner-darwin-amd64 -host production-hosts.txt -cipherscan \
  -outputformat flatndjson \
  -output /dev/stdout | \
  logger -t TYCHON

# File-based collection for QRadar (Apple Silicon)
./certscanner-darwin-arm64 -host production-hosts.txt -cipherscan \
  -outputformat tychon \
  -output "/var/log/tychon/scan-$(date +%Y%m%d_%H%M%S).json" \
  -tags "qradar,production"

# Load the launchd plist for scheduled scanning (create /Library/LaunchDaemons/com.tychon.qradar.plist first)
sudo launchctl load /Library/LaunchDaemons/com.tychon.qradar.plist

Custom Rules & Correlation

QRadar Custom Rules

Create correlation rules for crypto security events and certificate management

Certificate Expiration Rule

-- QRadar AQL Rule: Certificate Expiration Alert
SELECT 
    "Log Source" as log_source,
    "Destination IP" as target_host,
    "Message" as scan_data,
    DATEFORMAT(devicetime,'YYYY-MM-dd HH:mm:ss') as scan_time
FROM events 
WHERE 
    "Log Source Type" = 'TYCHON Quantum Readiness'
    AND JSON_EXTRACT("Message", '$.certificate.not_after') IS NOT NULL
    AND DATEADD('day', 30, CURRENT_TIMESTAMP) > 
        CAST(JSON_EXTRACT("Message", '$.certificate.not_after') AS TIMESTAMP)
GROUP BY 
    "Destination IP", 
    JSON_EXTRACT("Message", '$.certificate.subject.common_name')
HAVING 
    COUNT(*) > 0
LAST 1 DAYS

Weak Cipher Detection Rule

-- QRadar AQL Rule: Weak Cipher Suite Alert
SELECT 
    "Destination IP" as vulnerable_host,
    JSON_EXTRACT("Message", '$.cipher.name') as cipher_name,
    JSON_EXTRACT("Message", '$.cipher.intel.security_level') as security_level,
    COUNT(*) as occurrence_count
FROM events 
WHERE 
    "Log Source Type" = 'TYCHON Quantum Readiness'
    AND JSON_EXTRACT("Message", '$.cipher') IS NOT NULL
    AND (
        JSON_EXTRACT("Message", '$.cipher.intel.security_level') = 'low'
        OR JSON_EXTRACT("Message", '$.cipher.intel.pqc_ready') = 'false'
    )
GROUP BY 
    "Destination IP",
    JSON_EXTRACT("Message", '$.cipher.name')
HAVING 
    COUNT(*) > 0
LAST 1 DAYS
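Both rules above, the certificate expiration rule and the weak cipher rule, can be exercised offline before they are enabled. This added Python example (not part of the TYCHON or QRadar material) reimplements their predicates over constructed scan records, including the case where pqc_ready arrives as a JSON boolean rather than the string 'false' the AQL compares against; the record layout is assumed from the JSON paths the rules use.

```python
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW = timedelta(days=30)  # same 30-day window as the AQL rule

def is_false(value):
    # Scanner output may encode pqc_ready as a JSON boolean or as a string;
    # the AQL rule compares against the string 'false', so accept both here.
    return value is False or str(value).lower() == "false"

def certificate_expiring(event, now):
    """Mirror of the expiration rule: not_after present and inside the window."""
    not_after = (event.get("certificate") or {}).get("not_after")
    if not_after is None:
        return False  # rule requires not_after IS NOT NULL
    expires = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    return now + EXPIRY_WINDOW > expires

def weak_cipher(event):
    """Mirror of the weak-cipher rule: low security level or not PQC ready."""
    cipher = event.get("cipher")
    if cipher is None:
        return False
    intel = cipher.get("intel") or {}
    return intel.get("security_level") == "low" or is_false(intel.get("pqc_ready"))

def evaluate(events, now):
    """Return the hosts each rule would flag, keyed by rule name."""
    hits = {"certificate_expiration": [], "weak_cipher": []}
    for ev in events:
        host = ev["target_host"]["address"]
        if certificate_expiring(ev, now):
            hits["certificate_expiration"].append(host)
        if weak_cipher(ev):
            hits["weak_cipher"].append(host)
    return hits

# Constructed sample events (not real scanner output); layout is assumed.
SAMPLE_EVENTS = [
    {"target_host": {"address": "10.0.1.20"},
     "certificate": {"not_after": "2024-05-20T00:00:00Z"}},
    {"target_host": {"address": "10.0.1.21"},
     "certificate": {"not_after": "2025-01-01T00:00:00Z"},
     "cipher": {"name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "intel": {"security_level": "low", "pqc_ready": False}}},
    {"target_host": {"address": "10.0.1.22"},
     "cipher": {"name": "TLS_AES_256_GCM_SHA384",
                "intel": {"security_level": "high", "pqc_ready": "true"}}},
]
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "now" so results are stable
```

Run `evaluate(SAMPLE_EVENTS, NOW)` to see which hosts each rule would raise.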

Offense Rules

High-Risk Crypto Events

  • Rule Name: TYCHON High-Risk Crypto Detection
  • Test: Weak cipher suite discovery
  • Response: Create offense with high magnitude
  • Threshold: 3+ vulnerable hosts in 1 hour

Certificate Compliance

  • Rule Name: TYCHON Certificate Compliance
  • Test: Expired or expiring certificates
  • Response: Generate compliance violation offense
  • Threshold: 1+ compliance violation

Integration Methods

Method 1: Windows Event Log

Best for Windows environments with WinCollect agent

# Configure scanner for Event Log output
.\certscanner.exe -mode local -outputformat eventlog

# WinCollect configuration automatically forwards events
# Event Source: "TYCHON Quantum Readiness"
# Event IDs: 1001-1004

Method 2: Syslog Forwarding

Universal method for all platforms

# Scanner outputs to syslog
./certscanner -host targets.txt -outputformat flatndjson \
  -output /dev/stdout | logger -t TYCHON

# Syslog forwards to QRadar collector
# Protocol: UDP/TCP 514 or TLS 6514

Method 3: File Collection

Direct file monitoring with QRadar Log Source

# Scanner outputs to monitored directory
./certscanner -host targets.txt -outputformat tychon \
  -output /var/log/tychon/scan.json

# QRadar monitors /var/log/tychon/*.json
# Log Source Type: Custom TYCHON DSM

Method 4: REST API

Direct API integration for real-time events

# Custom integration script
curl -X POST "https://qradar.company.com/api/siem/offenses" \
  -H "SEC: $QRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d @tychon-scan-results.json

Dashboards & Reports

Custom Dashboard Creation

-- TYCHON Certificate Inventory Dashboard
SELECT 
    JSON_EXTRACT("Message", '$.certificate.subject.common_name') AS certificate_name,
    JSON_EXTRACT("Message", '$.certificate.issuer.common_name') AS issuer,
    JSON_EXTRACT("Message", '$.certificate.not_after') AS expiration_date,
    JSON_EXTRACT("Message", '$.target_host.address') AS host_ip,
    CASE 
        WHEN CAST(JSON_EXTRACT("Message", '$.certificate.not_after') AS TIMESTAMP) < CURRENT_TIMESTAMP 
        THEN 'EXPIRED'
        WHEN DATEADD('day', 30, CURRENT_TIMESTAMP) > CAST(JSON_EXTRACT("Message", '$.certificate.not_after') AS TIMESTAMP)
        THEN 'EXPIRING_SOON'
        ELSE 'VALID'
    END AS status
FROM events 
WHERE 
    "Log Source Type" = 'TYCHON Quantum Readiness'
    AND JSON_EXTRACT("Message", '$.certificate') IS NOT NULL
ORDER BY expiration_date ASC
LAST 7 DAYS

Compliance Reports

PQC Readiness Report

SELECT 
    "Destination IP" as host,
    JSON_EXTRACT("Message", '$.cipher.name') as cipher,
    JSON_EXTRACT("Message", '$.cipher.intel.pqc_ready') as pqc_ready,
    COUNT(*) as usage_count
FROM events 
WHERE 
    "Log Source Type" = 'TYCHON Quantum Readiness'
    AND JSON_EXTRACT("Message", '$.cipher.intel.pqc_ready') = 'false'
GROUP BY "Destination IP", JSON_EXTRACT("Message", '$.cipher.name')
ORDER BY usage_count DESC
LAST 30 DAYS

Security Level Distribution

SELECT 
    JSON_EXTRACT("Message", '$.cipher.intel.security_level') as security_level,
    COUNT(DISTINCT "Destination IP") as host_count,
    COUNT(*) as total_instances
FROM events 
WHERE 
    "Log Source Type" = 'TYCHON Quantum Readiness'
    AND JSON_EXTRACT("Message", '$.cipher') IS NOT NULL
GROUP BY JSON_EXTRACT("Message", '$.cipher.intel.security_level')
ORDER BY total_instances DESC
LAST 7 DAYS

Automated Incident Response

Response Actions

Certificate Expiration Response

  • Create ServiceNow ticket for certificate renewal
  • Send email notification to certificate owners
  • Update asset inventory with expiration status
  • Trigger automated certificate monitoring

Weak Cipher Response

  • Flag host for security policy review
  • Trigger vulnerability scan on affected systems
  • Create compliance violation offense
  • Initiate automated remediation workflow

Custom Actions

#!/bin/bash
# QRadar Custom Action Script: /opt/qradar/actions/tychon_response.sh
set -euo pipefail

# Parse QRadar offense data (passed in as custom action parameters)
if [ "$#" -lt 3 ]; then
  echo "usage: $0 <offense_id> <host_ip> <security_event>" >&2
  exit 1
fi
OFFENSE_ID=$1
HOST_IP=$2
SECURITY_EVENT=$3
: "${QRADAR_TOKEN:?QRADAR_TOKEN must be set to an authorized service token}"
SCAN_FILE="/var/log/tychon/incident-${OFFENSE_ID}-${HOST_IP}.json"

# Trigger additional TYCHON scan for detailed analysis
/opt/tychon/certscanner -host "$HOST_IP" -cipherscan -outputformat tychon \
  -output "$SCAN_FILE" \
  -tags "incident-response,offense-${OFFENSE_ID}"

# Send results back to QRadar (fail the action if the API call is rejected)
curl -sS --fail -X POST "https://qradar.company.com/api/siem/offenses/${OFFENSE_ID}/notes" \
  -H "SEC: $QRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"note_text\": \"TYCHON follow-up scan completed for ${HOST_IP} (${SECURITY_EVENT})\",
    \"fields\": {
      \"scan_file\": \"${SCAN_FILE}\",
      \"scan_timestamp\": \"$(date -Iseconds)\"
    }
  }"

# Log action completion
logger -t QRADAR-TYCHON "Custom action completed for offense $OFFENSE_ID on host $HOST_IP"

Step-by-Step Deployment

1. Install QRadar DSM

Upload custom TYCHON DSM to QRadar console

# Access QRadar Admin Console → DSM Editor
# Import TYCHON-ACDI-Scan-Engine.xml DSM configuration
# Test pattern matching with sample events

2. Configure Log Sources

Set up log collection from TYCHON scanner nodes

# Admin → Data Sources → Log Sources → Add Log Source
# Protocol: Syslog, File, or Windows Event
# Log Source Type: TYCHON Quantum Readiness

3. Deploy Custom Rules

Import TYCHON-specific correlation rules

# Offenses → Rules → New Rule
# Import certificate expiration and weak cipher rules
# Enable rules and set appropriate testing intervals

4. Configure Scanners

Deploy TYCHON scanners with QRadar integration

# Configure scanners to output in QRadar-compatible format
./certscanner -host targets.txt -outputformat flatndjson \
  -output /var/log/tychon/qradar-feed.json

5. Test and Validate

Verify event ingestion and rule triggering

# Run test scan and verify events in QRadar
./certscanner -host test-host.com -cipherscan -outputformat flatndjson

# Check QRadar Log Activity tab for parsed events
# Verify custom properties are populated correctly