The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Transitioning from TSIEM to QRadar – Terminology

Posted by Xavier Ashe on May 21, 2012

The transition guide from IBM Tivoli Security Information and Event Manager (TSIEM) to IBM QRadar is essentially complete. I still have to get it formatted to the standard template, though. We are also figuring out internally where to post it officially, but once I fix the formatting, it will be available here.

Until then, you can whet your appetite with this terminology chart.

| TSIEM | QRadar |
|---|---|
| Agent | Adaptive Log Exporter, Event Processor |
| Agent group | Log Source Group |
| Alerts | Rule Response |
| Archiving | Data Backup & Restore |
| Audited machine | Asset and/or Log Source |
| Backup & Restore | Backup & Restore |
| Chunk | No equivalent – data is stored together in Ariel |
| Compliance Dashboard | Dashboard |
| Compliance Management Module | No equivalent – all reports are included in QRadar |
| Consolidation component | Magistrate |
| Credential Store | Credentials are stored in Postgres |
| Depot | Ariel |
| Distribution | Email distribution is configured within the report definition |
| Enterprise Server | 31xx console in a distributed deployment |
| Event Source | Log Source |
| Forensics component | Payload search (with optional indexing) |
| Group Definitions | Building Block |
| GSL Parser | Universal Device Support Module (uDSM) XML file |
| GML Mapper | Map Event – available in the GUI |
| Launchpad (Tivoli Integrated Portal) | Console GUI |
| Log Continuity Report | No equivalent due to use of syslog for most log sources |
| Log History Report | QRadar report called “Errors and Failures” |
| Log Manager Dashboard | Log Sources in the Admin tab |
| Log Management Activity Report | QRadar report: (Daily, Weekly, or Monthly) Log/Event Distribution by Category |
| Log Management component | QRadar Log Manager |
| Log Management Depot Investigation Tool | Payload search (with optional indexing) |
| Log Management Retrieval Tool | “Raw Log” view in Log Activity |
| Normalization component | Built in to QRadar, required part of the event processor |
| Policy | Building Block |
| Policy Explorer/Editor | Rules/Building Blocks Editor |
| Policy Generator | QRadar Tuning Guide |
| Regulations | Contained within QRadar reports |
| Reporting Database | No equivalent – QRadar is real-time, with all data going into the same Ariel datastore |
| Security Information Management (SIM) component | Security Information and Event Management (SIEM) component |
| Security Group | All QRadar deployments use one User store, the console appliance, unless external authentication is configured |
| Scoping | User Role (scope by network hierarchy) and User Account (scope by Log Sources) |
| Significance | Magnitude |
| Special Attention Rule | Building Block or Rule |
| Standard Server | All-in-one Console |
| Trending | Time Series |
| User Information Source | Reference Set |
| User Roles | User Roles |
| W7 | No equivalent term, but QRadar has a standard normalization scheme as well |