Solved

How can we configure on-prem QRadar (SIEM) to push alerts to Chronicle SOAR

  • August 1, 2024
  • 4 replies
  • 70 views


Hello Community Members,

To integrate Google Chronicle SOAR with on-premises QRadar, there is an out-of-the-box application available in the Marketplace. This application connector operates on a pull mechanism, meaning that the connector within Chronicle SOAR initiates requests to QRadar at defined intervals and pulls alerts into Chronicle SOAR.

However, in my situation, the client restricts inbound connections to their on-premises QRadar SIEM, but they are open to having alerts pushed from QRadar to Chronicle SOAR. Can anyone suggest a solution to achieve this? Thanks in advance.

Best answer by SoarAndy

QRadar Connector can be configured to use a Remote Agent


4 replies

dnehoda
Staff
  • Staff
  • August 1, 2024

Hello,  

You can use a SOAR remote agent that runs on-prem which will have secure comms to the SecOps SOAR instance.


  • Author
  • New Member
  • August 1, 2024


Hey @dnehoda  - Thank you for your response. However, based on my understanding of the Chronicle documentation, the primary function of the remote agent is to collect raw data from on-premises devices. It is not intended to interact with other security tools like QRadar to fetch alert data.

Could you kindly provide high-level steps on how the SOAR remote agent could collect alerts from on-premises QRadar and send them to Chronicle SOAR?


dnehoda
Staff
  • Staff
  • August 1, 2024


Ahh I misunderstood your ask here. 


It is intended to pull in events from on prem security tools and the associated events for potential enrichment opportunities.  

You're looking for a connector that would generate cases based on alerts from QRadar. The connector is in fact pull and would require some kind of inbound allowance to retrieve that data.


SoarAndy
Staff
  • Staff
  • Answer
  • August 9, 2024

QRadar Connector can be configured to use a Remote Agent
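As an added illustration of the pull model this thread describes (this is not code from Google, IBM, the Marketplace QRadar connector, or the remote agent), the sketch below shows why placing the poller on-prem satisfies the client's constraint: the component beside QRadar initiates every connection outbound, both the poll against QRadar and the delivery to SOAR, so no inbound rule to QRadar is needed. It assumes the remote agent talks outbound to SOAR (the replies say only "secure comms"), and it uses QRadar's offense list endpoint with the SEC token header; the SOAR-side alert field names, the helper names, and the sample offenses are this example's own constructions.

```python
"""
On-prem pull connector sketch: a process inside the client's network polls
QRadar's offense API outbound on a schedule, keeps a checkpoint so each
offense is forwarded once, and sends normalized alerts outbound to SOAR.
Nothing in the client's firewall needs to allow inbound traffic to QRadar.
Added illustration only: this is not Google's remote agent or the
Marketplace QRadar connector.
"""
import urllib.parse
import urllib.request
from typing import Callable, Iterable

# QRadar's offense list endpoint. Offense ids increase monotonically, so a
# filter on id is a simple, restart-safe checkpoint.
OFFENSES_PATH = "/api/siem/offenses"


def build_offense_request(base_url: str, token: str, last_id: int,
                          page_size: int = 50) -> urllib.request.Request:
    """Build the outbound GET the on-prem poller issues to QRadar.
    SEC carries the QRadar API token; Range pages the result set."""
    query = urllib.parse.urlencode({"filter": f"id>{last_id}"})
    return urllib.request.Request(
        f"{base_url}{OFFENSES_PATH}?{query}",
        headers={"SEC": token, "Accept": "application/json",
                 "Range": f"items=0-{page_size - 1}"},
    )


def new_offenses(offenses: Iterable[dict], last_id: int) -> list[dict]:
    """Drop anything at or before the checkpoint and order oldest first,
    so the checkpoint only ever moves forward."""
    return sorted((o for o in offenses if o["id"] > last_id), key=lambda o: o["id"])


def to_soar_alert(offense: dict) -> dict:
    """Map a QRadar offense to the flat alert shape sent to SOAR.
    The SOAR-side field names here are this example's own assumption."""
    return {
        "source": "QRadar",
        "external_id": str(offense["id"]),
        "title": offense.get("description", "").strip(),
        "severity": int(offense.get("magnitude", 0)),
        "start_time_ms": offense.get("start_time"),
        "status": offense.get("status", "OPEN"),
    }


def poll_once(fetch: Callable[[int], list[dict]],
              send: Callable[[dict], None], last_id: int) -> int:
    """One polling cycle. fetch(last_id) returns raw offenses past the
    checkpoint (over HTTP in a real deployment); send(alert) delivers one
    alert outbound to SOAR. The checkpoint advances only after a successful
    send, so an outage mid-batch causes a retry next cycle, never a gap."""
    for offense in new_offenses(fetch(last_id), last_id):
        try:
            send(to_soar_alert(offense))
        except Exception as exc:  # SOAR unreachable: stop here, retry next cycle
            print(f"delivery failed at offense {offense['id']}: {exc}")
            break
        last_id = offense["id"]
    return last_id


# Constructed sample data standing in for QRadar's JSON response.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Multiple Login Failures for the Same User",
     "magnitude": 6, "start_time": 1722470400000, "status": "OPEN"},
    {"id": 103, "description": "Outbound Connection to Known Bad Host\n",
     "magnitude": 8, "start_time": 1722477600000, "status": "OPEN"},
    {"id": 102, "description": "Excessive Firewall Denies",
     "magnitude": 3, "start_time": 1722474000000, "status": "OPEN"},
]


def fake_fetch(last_id: int) -> list[dict]:
    """Offline stand-in for the HTTP call built by build_offense_request."""
    return [o for o in SAMPLE_OFFENSES if o["id"] > last_id]


def run_demo(start_id: int = 101) -> tuple[int, list[dict]]:
    """Run one cycle against the sample data; returns (checkpoint, alerts sent)."""
    sent: list[dict] = []
    checkpoint = poll_once(fake_fetch, sent.append, start_id)
    return checkpoint, sent


if __name__ == "__main__":
    req = build_offense_request("https://qradar.example.internal", "<api-token>", 100)
    print("would GET", req.full_url, "with headers", dict(req.header_items()))
    cp, alerts = run_demo()
    print("checkpoint now", cp, "sent", [a["external_id"] for a in alerts])
```

The point to notice is the direction of every socket: the poller opens connections to QRadar and to SOAR, and neither side ever has to reach into the client's network. Persisting the checkpoint (here just an integer) across restarts is what keeps the pull model from duplicating or skipping offenses.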