← Back to integrations
SIEM

QRadar

Trusteed Connector syncs IPs and metadata into QRadar Reference Tables, enriching offenses in air-gapped SOCs without internet exposure.

Prerequisites

  • IBM QRadar SIEM (v7.4+)
  • Trusteed account with IP Enrichment feed access
  • Trusteed QRadar Connector (provided by Trusteed)
  • API token for QRadar REST API

Setup Steps

1. Deploy the Connector

  • Install the Trusteed Connector on a bridge server that has internet access and secure reachability to QRadar.
  • Configure credentials in config.yml (Trusteed API, QRadar API token, reference table name).

2. Fetch Trusteed Feed

  • Connector automatically pulls the feed from Trusteed API:

3. Secure Transfer into QRadar

  • The Connector securely pushes parsed data into QRadar’s Reference Table via the REST API.
  • Table: Trusteed_IP_Enrichment
  • Columns: RiskScore, Category, FirstSeen, LastSeen

4. Automate Updates

  • Connector runs as a scheduled service (systemd/cron).
  • Default sync: every 15 minutes (configurable).
  • Logs and alerts ensure visibility into feed status.

5. Build CRE Rules

Examples:

when the source IP is in Reference Table [Trusteed_IP_Enrichment]   
 and Trusteed_IP_Enrichment.RiskScore > 80
 then generate offense "High-Risk IP Detected by Trusteed"

Blocklist Format Example

Trusteed IP Enrichment feed delivers IP + attributes:

192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19

Outcome

  • QRadar remains fully air-gapped — no direct internet required.
  • Analysts see IP + Risk Score + Category + Timeline in offense context.
  • False positives shrink, high-risk signals rise to the surface.
  • SOC productivity increases without additional headcount.

Next Steps

  • Extend enrichment with Trusteed domain / URL feeds.
  • Chain QRadar enrichment with SOAR playbooks for automated containment.
  • Explore other Trusteed integrations in the catalog.