← Back to integrations
SIEM
QRadar
Trusteed Connector syncs IPs and metadata into QRadar Reference Tables, enriching offenses in air-gapped SOCs without internet exposure.
Prerequisites
- IBM QRadar SIEM (v7.4+)
- Trusteed account with IP Enrichment feed access
- Trusteed QRadar Connector (provided by Trusteed)
- API token for QRadar REST API
Setup Steps
1. Deploy the Connector
- Install the Trusteed Connector on a bridge server that has internet access and secure reachability to QRadar.
- Configure credentials in
config.yml(Trusteed API, QRadar API token, reference table name).
2. Fetch Trusteed Feed
- Connector automatically pulls the feed from Trusteed API:
3. Secure Transfer into QRadar
- The Connector securely pushes parsed data into QRadar’s Reference Table via the REST API.
- Table:
Trusteed_IP_Enrichment - Columns:
RiskScore,Category,FirstSeen,LastSeen
4. Automate Updates
- Connector runs as a scheduled service (systemd/cron).
- Default sync: every 15 minutes (configurable).
- Logs and alerts ensure visibility into feed status.
5. Build CRE Rules
Examples:
when the source IP is in Reference Table [Trusteed_IP_Enrichment]
and Trusteed_IP_Enrichment.RiskScore > 80
then generate offense "High-Risk IP Detected by Trusteed"
Blocklist Format Example
Trusteed IP Enrichment feed delivers IP + attributes:
192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19
Outcome
- QRadar remains fully air-gapped — no direct internet required.
- Analysts see IP + Risk Score + Category + Timeline in offense context.
- False positives shrink, high-risk signals rise to the surface.
- SOC productivity increases without additional headcount.
Next Steps
- Extend enrichment with Trusteed domain / URL feeds.
- Chain QRadar enrichment with SOAR playbooks for automated containment.
- Explore other Trusteed integrations in the catalog.