The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Transitioning from TSOM to QRadar – Terminology

Posted by Xavier Ashe on February 21, 2012

I am getting close to my first draft of the Tivoli Security Operations Manager (TSOM) to QRadar transition. Here’s a peek at one useful chart, Transition Terminology. Feedback is appreciated!

| Tivoli Security Operations Manager | QRadar |
|---|---|
| Action (rules) | Response |
| Audit (internal audit) | Audit |
| Atomic Threat Score | Magnitude |
| Auto Configuration (EAM) | Auto Discovery |
| Central Management Server (CMS) | Console |
| Condition (rules) | Condition |
| Conduit | Protocol |
| Correlation Engine | Magistrate |
| Device Rules | Device Support Module |
| Event Aggregation Module | Event Processor and Event Collector |
| Event Class | Category (low-level and high-level) |
| Event Console | No term, but it is the default view once you click on the Log Activity tab |
| Event Element (rules) | Event Property |
| Event Filter (EAM) | Routing Rule |
| Event Filter (PowerGrid, Event Viewer) | Search, Saved Search |
| Event Filter (Event Class) | Classification is handled automatically |
| Event Filter (Rules) | Rule Test |
| Event Rate | Events per Second (EPS) |
| Event Severity | Severity |
| Event Type | Event Name |
| Firewall Blocking (OPSEC) | Trusted Networking Computing (TNC) and Interface For Metadata Access Points (IF-MAP) |
| Geoserver | Geographic Networks |
| Group (user) | No equivalent |
| Host | Asset |
| Host Asset Weight | Asset Weight |
| Host Criticality Weight | Asset Weight |
| Host Investigation Tool | Right Click Menu |
| Host Query (rule condition) | Host Profile Tests |
| Keystore | No equivalent, automatically managed |
| Knowledge Base | Offense Notes |
| Location | Location |
| Master Netblock | No equivalent |
| Meta-event | Dispatch New Event |
| Netblock | Network (Network Hierarchy or Remote Network) |
| Netblock Asset Weight | Network Weight |
| Netblock Source Threat | Network Weight |
| Password Policy | No equivalent |
| PowerGrid | No term, but you view events in the Log Activity tab. Once you group log data using the Display list box, the log view operates similarly to the PowerGrid |
| Reports | Reports |
| Role (user) | Role |
| Security Content (import script) | Content comes preloaded and is updated via Automatic Update |
| Security Domain | Network Hierarchy |
| Sensor | Log Source |
| Sensor Class | Log Source Group |
| Sensor Type | Log Source Type |
| Simple Condition (rule) | Rule Test |
| State Action (complex state) | Handled automatically when you create a Function Test |
| State Condition (complex) | Function – Sequence Test |
| State Condition (simple) | Function – Counter Test |
| State Table | Handled automatically when you create a Function Test |
| Stateful Action | Handled automatically when you create a Function Test |
| Stateful Rules | Rules |
| System Configuration | System Configuration |
| System Status | System Monitoring Dashboard |
| Threat Correlation (statistical correlation) | No term, but the Magnitude is calculated in a similar manner as the Threat Score |
| Threat Parameter | No Equivalent – Handled automatically |
| Ticket | Offense |
| Token | No Equivalent |
| Top Sources and Top Destinations | Can be viewed in the Log Activity tab |
| Universal Collection Agent | Adaptive Log Exporter and tail2syslog script |
| User Account | User Account |
| Vulnerability | Vulnerability |
| Vulnerability Import | Vulnerability Assessment |
| Watchlist | Reference Set |


2 Responses to “Transitioning from TSOM to QRadar – Terminology”

  1. David B. said

    Hi,
    I am interested if you have some feedback concerning migration from TSOM to QRadar… or some other stuff about this topic 🙂
    And thanks for this terminology table.
    Regards,


  2. binarylime said

    Excellent job, sir. I think you missed a spot? Oh, wait – you didn’t!

