QRadar Log Insights overview

IBM Security QRadar® Log Insights provides a platform to improve threat visibility and detection in your deployment by providing a workflow to collect and ingest essential event and alert data across the attack paths into your environment.

A rich set of capabilities enhances QRadar Log Insights by providing a unified analyst experience that ingests alerts from multiple sources, enriches the alerts with context that is used to prioritize them, and correlates related alerts into a case. High-priority cases are presented to an analyst with recommended tasks to complete. A set of seamlessly integrated security applications and services that work as one is delivered on the platform. This set of capabilities is designed for security leaders, incident responders, security analysts, and data security specialists.

Connect your tools and data

By using open standards and IBM® innovations, QRadar Log Insights can securely access IBM and third-party tools to search for threat indicators across any location. Connect your workflows with a unified interface so that you can respond faster to security incidents. Then, use QRadar Log Insights to orchestrate and automate your security response so that you can save time and prioritize tasks. Connect to and collect security telemetry from within your environment, including log alerts. QRadar Log Insights ingests the alerts, then normalizes and stores the alert data for analysis.

QRadar Log Insights can also connect disparate data sources in your environment - to uncover hidden threats and make better risk-based decisions - while the data stays where it is.

Enrich, correlate, and prioritize alerts

QRadar Log Insights uses threat intelligence analytics to correlate alerts that are related to the same attack into a single case. It then prioritizes the cases based on calculated severity scores.

Priority cases are sent to the IBM Security Case Management application for security analyst review, while low value alerts are disposed of. As a result, analysts spend less time analyzing individual alerts and more time on higher value activities, such as case investigation.

Track, manage, and resolve cybersecurity incidents

IBM Security Case Management provides organizations with the ability to track, manage, and resolve cybersecurity incidents. Each cybersecurity incident is managed as a case in Case Management.

QRadar Log Insights improves accuracy and reduces duplication of effort and data by correlating and enriching alerts from your data sources. This capability reduces the investigation and triage work that each alert requires. QRadar Log Insights escalates to Case Management, and Case Management then creates a new case or merges the escalation with an existing case that has matching data. From Case Management, security teams can collaborate across their organization to rapidly and successfully respond to incidents.

Automate root cause analysis

IBM Security Threat Investigator automatically analyzes and investigates cases to help you make more informed decisions. By showing potential threats and the assets that are impacted, Threat Investigator can help determine the criticality of exposure, how many systems are at risk, and the level of remediation effort that is required. By viewing the timeline of threats within your organization, you can better understand dwell times and the stage of the threat.

Investigate details and search across your environment

IBM Security Data Explorer is an application that enables customers to do federated search and investigation across their hybrid, multi-cloud environment in a single interface and workflow. Data Explorer enables users to complete investigations in a timely manner without compromising visibility. Core underlying services include the following capabilities.
  • Federated data searches to unite silos of security data and provide complete visibility across security solutions, such as SIEM, Endpoint Detection and Response, Data Lake, and cloud infrastructures such as Azure and Amazon Web Services (AWS).
  • Single, unified interface and workflow to investigate threats and Indicators of Compromise across user-selected data sources.
  • In-context data enhancements from Connected Assets and Risk data sources and IBM Security Threat Intelligence Insights.
  • Workflows to track, append to, and create security cases in the native platform case management system.
  • Ability to drill into your data by using the Kusto Query Language (KQL). KQL helps you build many types of queries, from simple searches to more complex aggregated queries.

Manage rules and use cases

IBM Detection and Response Center provides a unified overview of your organization's security posture through use cases from different security tools and platforms, saving you hours of gathering the same insights by using individual tools. Detection and Response Center supports rules and use cases from IBM QRadar and the Sigma Community. Sigma rules, which are enhanced by STIX patterns, are used by Threat Investigator in its investigations. You can also run the STIX patterns in Data Explorer.

IBM content contains enrichment and correlation rules that work together to group similar alerts into cases for security analysts to investigate.

Enrichment adds more information to the normalized alerts (findings) that come in from the separate tools to determine the severity of the alert. The IBM X-Force Threat Intelligence Service provides the risk score for the observables in an alert (files, IP addresses, URLs, domains). The enrichment rules from IBM look for specific observables in alerts that adjust the risk score.

Correlation occurs after enrichment. QRadar Log Insights correlates similar findings that are collected from supported tools (data sources) and combines them, with their related alerts, into one case for analysts to investigate further. If an alert matches a previous one on the correlation condition (properties), the two are correlated into a case that carries a cumulative risk score for the analyst to investigate.
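The enrich-then-correlate-then-prioritize flow described above (and the severity-based prioritization noted under "Enrich, correlate, and prioritize alerts"), as an added illustration that is not IBM's code: the threat-intel scores, the enrichment rule, the correlation condition and the findings are all constructed here, whereas the real platform takes its scores from the X-Force service and its rules from IBM content.

```python
import copy
from collections import defaultdict

# Constructed stand-in for a threat-intelligence lookup: observable value -> risk score (0-10).
THREAT_INTEL = {
    "198.51.100.23": 9.0,  # constructed: high-risk address
    "203.0.113.7": 2.0,    # constructed: low-risk address
    "example.test": 7.5,   # constructed: suspicious domain
}

# Constructed enrichment rule: a finding that contains this observable gets its score raised.
ENRICHMENT_RULES = [{"type": "file", "value": "constructed-sample.bin", "adjust": 1.5}]

FINDINGS = [  # constructed normalized findings from two data sources
    {"id": "f1", "source": "edr", "src_ip": "198.51.100.23",
     "observables": [{"type": "ip", "value": "198.51.100.23"}]},
    {"id": "f2", "source": "siem", "src_ip": "198.51.100.23",
     "observables": [{"type": "domain", "value": "example.test"},
                     {"type": "file", "value": "constructed-sample.bin"}]},
    {"id": "f3", "source": "siem", "src_ip": "203.0.113.7",
     "observables": [{"type": "ip", "value": "203.0.113.7"}]},
]

def enrich(finding):
    """Score each observable from threat intel, then apply enrichment rules to the finding."""
    base = 0.0
    for obs in finding["observables"]:
        obs["risk"] = THREAT_INTEL.get(obs["value"], 0.0)
        base = max(base, obs["risk"])
    adjust = sum(r["adjust"] for r in ENRICHMENT_RULES
                 for obs in finding["observables"]
                 if r["type"] == obs["type"] and r["value"] == obs["value"])
    finding["risk"] = base + adjust
    return finding

def correlate(findings, condition=("src_ip",)):
    """Merge findings that match on the condition properties into one case each."""
    cases = defaultdict(lambda: {"findings": [], "risk": 0.0})
    for f in findings:
        case = cases[tuple(f.get(p) for p in condition)]
        case["findings"].append(f)
        case["risk"] += f["risk"]  # cumulative risk score of the case
    return list(cases.values())

def prioritize(cases, threshold=5.0):
    """Drop low-value cases and order the rest by cumulative risk, highest first."""
    return sorted((c for c in cases if c["risk"] >= threshold),
                  key=lambda c: c["risk"], reverse=True)

def run_pipeline(findings=FINDINGS):
    """Enrich, correlate, prioritize; returns the cases an analyst would see."""
    return prioritize(correlate([enrich(f) for f in copy.deepcopy(findings)]))
```

With the constructed data, f1 and f2 share a source address and merge into one case scored 18.0, while the f3 case scores 2.0 and is discarded as low value.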

Access the latest threat intelligence

IBM Security Threat Intelligence Insights is an application that delivers unique, actionable, and timely threat intelligence. The application provides the following IBM X-Force® Exchange functions:

  • IBM-derived threat intelligence that crosses threat activity, threat groups, malware, and industries.
  • Continuous and automated Am I Affected searches that cross connected data sources to proactively identify your most relevant threats.
  • Analytical and adaptive threat-scoring to help prioritize threats for further investigation and response.

Gain insights through data visualization

Use dashboards to communicate insights and analysis about your network. Take the pulse of your SOC with dynamic real-time dashboards that provide meaningful insights into your security posture and threat landscape. Security dashboards include the following key capabilities:
  • The homepage dashboard efficiently summarizes information from log sources and installed apps. Depending on your user permissions and which apps are installed, you see information from Threat Intelligence Insights, log sources, and Cases.
  • Create unique dashboards to track and communicate insights and analysis about your network.
  • Fine-tune your display with complete flexibility in dashboard layout and dashboard item refresh rates.
  • Expand dashboard items to display in a multi-screen SOC.
  • Stay informed with single-click drill-down to underlying data.
  • The predefined Threat Intelligence Insights dashboard provides a summary of data that is integrated from different data sources that are connected to the platform.