Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Equivalence between QRadar Event Category and Splunk

SIEMStudent
Path Finder
‎11-12-2021 01:42 AM

Hi everybody.

Currently, we have a task which involve QRadar correlation rules translation to SPlunk ones.
The Splunk rules will be used in a Splunk Enterprise Security environment.

The big issue we are facing is the following: we got some elements in QRadar for what is not clear if we have a corresponding element in SPlunk. One of this is the event category: the QRadar definition of this element is the following one:

https://www.ibm.com/docs/en/qsip/7.4?topic=administration-event-categories

In a nutshell, this mechanism categorize the events in high level category which contains lover/more specific category. For example, we have the macro category Malware wich contains Backdor, Spyware and so on.

So, my question is: have we, in Splunk, a similar mechanis?

For example, in a QRadar rule I may have, between the filters, "when the event category for the event is one of the following: Potential Exploit.Potential Botnet Connection" ; how can I check this in SPlunk?
If there is not a mechanism to automatize this and we have to set this check manually, what could be the best way to got the category?

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...