IBM QRadar Connector
Configure IBM QRadar connector
IBM QRadar® is a security intelligence platform that provides a unified architecture for integrating security information and event management solutions. Create a QRadar connector to send selected event data in QRadar LEEF format.
- In BeyondInsight, go to Configuration > General > Connectors.
- From the Connectors pane, click Create New Connector.
- Enter a name for the connector.
- Select IBM QRadar from the Connector Type list.
- Click Create Connector.
- Leave Active (yes) enabled.
- Provide the required details for the IBM QRadar server:
- Select the protocol from the Available Output Pipelines list: TCP, TCP-SSL, or UDP.
- Enter Host Name and Port.
- Select the formatter from the dropdown list.
- LEEF Format V1 uses a static identifier per event type.
- LEEF Format V2 uses a unique event identifier generated per event type.
- If you selected LEEF Format V2 in the previous step, select the Facility from the dropdown list. This option is not available for LEEF Format V1.
- Expand Event Filters, and then select the events that you want to forward.
- Click Test Connector to send a test event message.
- Click Create Connector.
Note
If an event is received from Password Safe Cloud, a Resource Zone can now be associated with any connector that sends data using syslog. If selected, Password Safe Cloud proxies the syslog data through the Resource Brokers associated with that Resource Zone.
Note
Unique identifiers are preset, but can be customized if desired, using a setting in the BeyondInsight database table:
dbo.ConfigurationItem BeyondTrust.Configuration.ProductConfigurations.LeefFormatterConfig
Password Safe QRadar fields
| Field | Value Type | Description |
|---|---|---|
| Category | String | System/Change |
| EventName | String | System / Functional / Managed / Change |
| LogID | Integer | PMMLogSystem/PMMLogChange table reference ID |
| LogTime | DateTime | Time of event |
| Details | String | Miscellaneous additional information |
| UserName | String | Username associated with the event |
| RoleUsed | String | Role used |
| ObjectTypeID | Integer | Object Type reference ID |
| ObjectType | String | Object Type (e.g. Functional Account, System, Session) |
| ObjectID | Integer | Object reference ID |
| Operation | String | Operation (e.g.. Add, Update, Approve) |
| Failed | Boolean | True / False |
| Target | String | Describes the asset acted upon (e.g. Asset:testasset Account:testaccount) |
| UserID | Integer | User ID associated with the event |
| IPAddress | String | IP address of the system |
| ManagedAccountID | Integer | Managed Account reference ID |
| FunctionalAccountID | Integer | Functional Account reference ID |
| ManagedSystemID | Integer | Managed System reference ID |
| ChangeDt | DateTime | Time of password change |
| ChangeReasonCd | String | Reason for password change: A = Password change by API F = Forced password reset M = Password reset on mismatch N = Manual password entry for new account O = Initial onboarding via smart rule P = Change by EPM agent R = Post release password reset S = Scheduled password change T = Ticket approval release password reset U = Manual password entry V = Approval release password reset X = Synced password with primary Y = Un-synced password from primary Z = Forced password sync with primary |
| Result | String | Password change result: (S)uccess or (F)ailed |
| Comment | String | Miscellaneous additional information |
| ReleaseID | Integer | Password release reference ID |
| RequestID | Integer | Request reference ID |
| WorkgroupID | Integer | Workgroup reference ID |
| Workgroup | String | Workgroup name |
| AccountName | String | Account name |
| NextChangeDate | DateTime | Next scheduled change date |
| ElevationCommand | String | Elevation command used, if any |
Updated 14 days ago