The QLEAN suite of QRadar extensions adds functionality, improves the analyst and administrator experience, and in many cases replaces costly commercial alternatives, reducing manual work and speeding up day-to-day SIEM operations.
Customizable notifications via:
Automates WinCollect agent (v7.3.1-22) deployment and configuration:
Syncs QRadar reference data with Active Directory and LDAP stores.
Integrates VirusTotal's API with IBM QRadar SIEM to analyze process hashes, detect malicious software, and generate offenses.
QVTI requires Sysmon log data collected by WinCollect agents.
Extends QRadar to manage network hierarchy backups and restoration.
Provides comprehensive context by attaching various artifacts, including files, images, and links, directly to offenses.
Monitors connections to and from the Tor network by matching event IP addresses against relay and exit-node data fetched from onionoo.torproject.org.
Includes the app and detection rules.
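The matching step such a Tor detection relies on, shown here as an added example that is not part of the QLEAN app or its rules: an Onionoo "details" document is reduced to a set of relay addresses and a set of exit addresses, and firewall events are classified as outbound to a relay or inbound from an exit. The Onionoo document and the firewall lines below are constructed (documentation IP ranges, made-up fingerprints); the key=value event layout is an assumption, not QRadar's normalized format.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of an Onionoo details document, e.g. from
# https://onionoo.torproject.org/details?running=true&fields=or_addresses,exit_addresses,flags
# Fingerprints and addresses are made up (documentation ranges).
SAMPLE_ONIONOO = json.dumps({
    "version": "10.0",
    "relays": [
        {"fingerprint": "A" * 40,
         "or_addresses": ["192.0.2.10:9001", "[2001:db8::10]:9001"],
         "exit_addresses": ["198.51.100.10"],
         "flags": ["Exit", "Fast", "Running"]},
        {"fingerprint": "B" * 40,
         "or_addresses": ["192.0.2.20:443"],
         "flags": ["Guard", "Running"]},
    ],
})

# Constructed firewall events (assumed key=value syslog layout); not real traffic.
SAMPLE_EVENTS = [
    "src=10.0.0.5 dst=192.0.2.20 dport=443 action=allow",
    "src=10.0.0.7 dst=203.0.113.9 dport=443 action=allow",
    "src=198.51.100.10 dst=10.0.0.80 dport=22 action=allow",
    "src=10.0.0.9 dst=2001:db8::10 dport=9001 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def _norm_ip(text):
    """Canonical IP string, or None if the text is not an IP address."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def _strip_port(addr):
    """'1.2.3.4:9001' -> '1.2.3.4'; '[2001:db8::1]:9001' -> '2001:db8::1'."""
    host, _, _ = addr.rpartition(":")
    return _norm_ip(host.strip("[]"))


def load_tor_nodes(onionoo_json):
    """Return (relay_ips, exit_ips). exit_addresses holds the IPs an exit really
    uses for outbound traffic, which can differ from its OR address, so an exit
    contributes both; every relay contributes its OR addresses."""
    doc = json.loads(onionoo_json)
    relay_ips, exit_ips = set(), set()
    for relay in doc.get("relays", []):
        ors = {ip for ip in map(_strip_port, relay.get("or_addresses", [])) if ip}
        relay_ips |= ors
        if "Exit" in relay.get("flags", []):
            exits = {ip for ip in map(_norm_ip, relay.get("exit_addresses", [])) if ip}
            exit_ips |= ors | exits
    return relay_ips, exit_ips


def classify_event(line, relay_ips, exit_ips):
    """Label a firewall line, or return None when neither side is a Tor node."""
    fields = dict(KV.findall(line))
    src = _norm_ip(fields.get("src", ""))
    dst = _norm_ip(fields.get("dst", ""))
    if dst in relay_ips:
        return "outbound_to_tor_relay"
    if src in exit_ips:
        return "inbound_from_tor_exit"
    return None


def find_tor_events(lines, onionoo_json):
    """All (line, label) pairs that touch a Tor relay or exit."""
    relay_ips, exit_ips = load_tor_nodes(onionoo_json)
    hits = []
    for line in lines:
        label = classify_event(line, relay_ips, exit_ips)
        if label:
            hits.append((line, label))
    return hits


if __name__ == "__main__":
    for line, label in find_tor_events(SAMPLE_EVENTS, SAMPLE_ONIONOO):
        print(label, "|", line)
```

Inbound matching uses the exit set only: a Guard or middle relay never originates client traffic toward your network, so treating every relay OR address as a suspicious source would produce noise. Refresh the Onionoo data on a schedule; relay membership changes hourly.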
Improves log source monitoring by allowing user-defined timeout values for different log source groups.
Enables collection of MS Exchange Admin and Mailbox Audit logs via Syslog.
Automatically re-allocates licenses across managed hosts to absorb EPS and FPM spikes.
Proactively notifies administrators via email about stalled searches.
Collects EPS statistics per log source and flags those that cross user-defined thresholds. A dedicated QRadar tab visualizes EPS trends so users can analyze and drill down into EPS spikes.
Uses Sysmon events (process creation, network connections, file access) to provide correlation rules mapped to the MITRE ATT&CK framework.
Uses auditd logs to cover MITRE ATT&CK tactics and techniques.
Auditd configuration guide included.
Identifies potentially malicious domains created by Domain Generation Algorithms (DGAs) by analyzing DNS query logs.
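A lexical scoring approach of the kind such a detector uses, given here as an added example rather than the QLEAN app's own algorithm: the label left of the TLD is scored on length, Shannon entropy, vowel and digit ratios, and the longest consonant run, and query names over a threshold are reported. The DNS query-log lines are constructed in a simplified BIND-like layout, and every threshold is an assumption chosen for this example; a real deployment would also apply a public-suffix list and an allow-list of known CDN and corporate zones.

```python
import math
import re
from collections import Counter

# Constructed DNS query-log lines (simplified BIND-style layout); not real traffic.
SAMPLE_QUERY_LOG = """\
client 10.0.0.5#53412: query: www.microsoft.com IN A +
client 10.0.0.5#53413: query: xk3jd9qpz7lmw.net IN A +
client 10.0.0.9#41022: query: mail.google.com IN AAAA +
client 10.0.0.5#53414: query: sdfkjhsdkfjhsdkfh.info IN A +
client 10.0.0.5#53415: query: xk3jd9qpz7lmw.net IN A +
client 10.0.0.12#60001: query: 5.0.0.10.in-addr.arpa IN PTR +
"""

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def core_label(domain):
    """Label left of the TLD. Assumption: single-label public suffixes only;
    co.uk-style suffixes need a public-suffix list in practice."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain):
    """Heuristic DGA score from 0 to 5 plus the raw features.
    Thresholds are assumptions chosen for this example, not tuned values."""
    label = core_label(domain)
    n = len(label)
    if n == 0:
        return {"score": 0}
    feats = {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "max_consonant_run": max((len(m) for m in CONSONANT_RUN.findall(label)), default=0),
    }
    score = 0
    score += feats["length"] >= 12            # long random labels
    score += feats["entropy"] >= 3.5          # near-uniform character use
    score += feats["vowel_ratio"] < 0.2       # unpronounceable
    score += feats["digit_ratio"] > 0.15      # digits mixed into the label
    score += feats["max_consonant_run"] >= 4  # consonant clusters humans avoid
    feats["score"] = int(score)
    return feats


def is_suspicious(domain, threshold=3):
    """Skip reverse lookups, then apply the score threshold."""
    if domain.rstrip(".").endswith(".arpa"):
        return False
    return score_domain(domain)["score"] >= threshold


def find_dga_candidates(log_text):
    """Unique suspicious query names in order of first appearance."""
    seen, hits = set(), []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if name in seen:
            continue
        seen.add(name)
        if is_suspicious(name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name in find_dga_candidates(SAMPLE_QUERY_LOG):
        print(name, score_domain(name))
```

No single feature separates the classes: `microsoft` has entropy close to 3 bits, so entropy alone would misfire, while the low-entropy but vowel-free `sdfkjhsdkfjhsdkfh` is caught by length and the consonant run. Counting NXDOMAIN responses per client and applying the score only to unresolved names cuts false positives further, since most DGA-generated domains are never registered.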
Streamlines user session tracking and investigation, even when usernames are missing from logs (e.g., firewall, IDS/IPS, web server, OS, database). Allows searching by username or IP (right-click integration in the Log Activity tab) and specifying a timeframe to retrieve the matching session data.
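The session model behind that kind of lookup, as an added example (not the QLEAN app's implementation): logon/logoff events from an authenticating source are paired into (user, IP, start, end) sessions, firewall lines that carry only an IP are attributed to the user whose session covered that IP at that time, and sessions can be searched by user or IP within a timeframe. The auth and firewall records are constructed; the 12-hour cap on a session with no logoff is an assumed default.

```python
from datetime import datetime, timedelta

# Constructed logon/logoff events as a domain controller or VPN concentrator
# would supply them: (timestamp, user, ip, kind). Not real data.
AUTH_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "10.0.0.5", "logon"),
    ("2024-05-01T08:30:00", "bob",   "10.0.0.7", "logon"),
    ("2024-05-01T12:00:00", "alice", "10.0.0.5", "logoff"),
    ("2024-05-01T12:15:00", "carol", "10.0.0.5", "logon"),  # IP reused after alice leaves
]

# Constructed firewall lines that carry a source IP but no username.
FW_EVENTS = [
    "2024-05-01T09:10:00 src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-05-01T12:40:00 src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-05-01T13:00:00 src=10.0.0.99 dst=203.0.113.9 dport=443",
]


def parse_ts(text):
    return datetime.fromisoformat(text)


def build_sessions(events, max_session=timedelta(hours=12)):
    """Pair logon/logoff per (user, ip). A session with no logoff is capped at
    max_session (assumed default) so a missed logoff cannot attribute traffic
    to a user indefinitely."""
    open_sessions, sessions = {}, []
    for ts, user, ip, kind in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        key = (user, ip)
        if kind == "logon":
            if key in open_sessions:  # repeated logon closes the earlier session
                sessions.append((user, ip, open_sessions.pop(key), t))
            open_sessions[key] = t
        elif kind == "logoff" and key in open_sessions:
            sessions.append((user, ip, open_sessions.pop(key), t))
    for (user, ip), start in open_sessions.items():
        sessions.append((user, ip, start, start + max_session))
    return sorted(sessions, key=lambda s: s[2])


def user_for(sessions, ip, t):
    """User whose most recently started session covers (ip, t); None if unknown."""
    best = None
    for user, sip, start, end in sessions:
        if sip == ip and start <= t <= end and (best is None or start > best[2]):
            best = (user, sip, start, end)
    return best[0] if best else None


def sessions_for(sessions, user=None, ip=None, start=None, end=None):
    """Search by username and/or IP; the timeframe is an overlap test."""
    out = []
    for u, sip, s, e in sessions:
        if user is not None and u != user:
            continue
        if ip is not None and sip != ip:
            continue
        if start is not None and e < start:
            continue
        if end is not None and s > end:
            continue
        out.append((u, sip, s, e))
    return out


def enrich(lines, sessions):
    """Attach the attributed user (or None) to each firewall line."""
    out = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        out.append((line, user_for(sessions, fields.get("src"), parse_ts(ts))))
    return out


if __name__ == "__main__":
    S = build_sessions(AUTH_EVENTS)
    for line, user in enrich(FW_EVENTS, S):
        print(user or "-", "|", line)
```

The second firewall line is the case that matters: the same IP is attributed to `carol`, not `alice`, because alice's session had ended. Without the logoff (or the cap), IP-only enrichment silently blames the previous user of a reissued DHCP or VPN address.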
Generates automated, scheduled Excel reports to track log source activity, using a default 12-hour timeout and a custom 72-hour timeout to distinguish between short-term and long-term inactivity.
Generates configurable, domain-separated Excel reports covering all offenses (active, inactive, closed), including key details such as closing date and reason, notes, and closed-by user.
Speeds up offense investigations and rule tuning with a button to quickly find similar offenses (triggered by the same rule).
Adds a button to temporarily whitelist offense source values (e.g., IP, username) directly from the offense page, reducing repeated notifications during investigation or recovery.