Integrating multiple Cortex XDR with QRadar

Edmund66 — Fri, 22 Jan 2021 12:42:02 GMT

Hi,

Thought I would give livecommunity a shot on this. We have been looking into integrating several Cortex XDR instances into a single QRadar instance but have come across an issue where it does not seem to let us change the syslog identifier name on any of them. This leads to a problem distinguishing the different XDR tenants from each other as they are all showing up with cortexxdr as the identifier.

All the XDR forwarding will be done over Syslog TLS.

Normally, when configuring syslog for other services we are able to change this, but that does not seem to be the case for XDR. But then again, we have not worked that much with XDR so hoping someone might have found a way of solving this.

Anyone had any luck implementing multiple XDR instances into their SIEM tool through syslog?

Edit: Think we may have found a way of doing this, without involving a new server with rsyslog or similar. Will feedback if it works.

Re: Integrating multiple Cortex XDR with QRadar

dfalcon — Fri, 22 Jan 2021 13:54:08 GMT

Hi @Edmund66-

Please let me know if your approach does not work at which time I'd like to gather a little more info to take to Product Management.

topic Re: Integrating multiple Cortex XDR with QRadar in Cortex XDR Discussions

Integrating multiple Cortex XDR with QRadar

Re: Integrating multiple Cortex XDR with QRadar