QRadar App Boilerplate

I want to walk through how to write a QRadar app, specifically to collect logs from a log source that only allows the use of an API and that QRadar does not natively support. Examples at the time of writing include Duo Security and Trend Micro Apex Central, but there are potentially thousands of others you might run into.

Are you defending the Maginot Line?

The Maginot Line in World War II was the French defense against invading German forces. It covered almost the entire perimeter of the country, was impervious to attacks from the air or ground, and had backup supply lines on the inside of the perimeter. It was well staffed with trained and experienced soldiers. It was hugely expensive, state-of-the-art, and considered…

Security should break your company

(At the time I wrote this (2017), I had never heard of “zero trust networking”. Looking back, that’s what I’m describing in this post. If you’re interested in these concepts, please read up on zero trust.) The way we are dealing with security is all wrong. No one can deny it, but no one is doing anything about it. Why?…