IBM QRadar Integration
Overview
DefensX customer logs can be integrated with IBM QRadar using the Universal Cloud REST API protocol.
In this integration, QRadar acts as an active log source and periodically pulls logs from the DefensX Customer API. Retrieved logs are ingested into QRadar as events.
Collected log types:
- URL Logs
- DNS Logs
- File Transfer Logs
- Credential Logs
- Consent Logs
- RBI Logs
Prerequisites
- IBM QRadar with support for the Universal Cloud REST API protocol
- A valid DefensX Customer API key
Integration Files
Creating the Log Source in QRadar
Step 1: Create a new log source
- Open the QRadar Admin interface
- Navigate to Log Sources
- Create a new log source
- Select Universal Cloud REST API as the Protocol
The Universal Cloud REST API protocol uses a workflow-based model to actively retrieve logs from external systems.
Step 2: Configure the workflow
- In the Workflow section of the log source configuration
- Copy and paste the contents of workflow.xml
- Do not modify the workflow unless explicitly required
The workflow controls how QRadar connects to the DefensX Customer API and how logs are retrieved and processed.
Step 3: Configure workflow parameters
In the Workflow Parameter Values section:
- Copy and paste the contents of parameters.xml
- Replace YOUR_API_KEY with your DefensX Customer API key
The following parameters are defined:
- identifier: Identifier used as the log source name in QRadar. This value must match the Log Source Identifier configured for the log source.
- host: DefensX API host address. Default value: cloud.defensx.com.
- api_key: DefensX Customer API key used for authentication.
- initial_historical_days: Number of days of historical logs collected during the first execution. Valid range: 0–90 days. After the initial run, log collection continues incrementally using bookmarks.
- page_limit: Maximum number of records returned per API request. Maximum value: 5000.
- enable_*_logs: Enables or disables individual log types: URL, DNS, File Transfer, Credential, Consent and RBI.
Step 4: Save, enable and schedule
- Save the log source configuration
- Enable the log source
- Configure the execution schedule (recurrence)
After each successful execution, the workflow updates its bookmark to ensure that subsequent runs continue from the last processed timestamp.
QRadar begins collecting DefensX logs according to the defined schedule.
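The following Python example is added here to illustrate the collection model described in Steps 3 and 4 (initial lookback window, page limit, per-type enable flags and bookmark advancement). It is not DefensX's or IBM's code and it does not call the real Customer API: the API is replaced by an in-memory stand-in with a constructed record set, and the per-type flag names (enable_url_logs, enable_dns_logs, ...) are assumed to follow the enable_*_logs pattern named above.

```python
"""Simulated incremental log pull with bookmarks, modelled on the workflow
parameters this page lists. The API and its records are an in-memory
stand-in (constructed sample data), not the DefensX Customer API."""
from datetime import datetime, timedelta, timezone

LOG_TYPES = ("url", "dns", "file_transfer", "credential", "consent", "rbi")
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed "current time" for the demo


def make_sample_records(now):
    """Constructed sample records: six log types at 120, 30, 5, 1 and 0 days ago."""
    records = []
    for days_ago in (120, 30, 5, 1, 0):
        base = now - timedelta(days=days_ago)
        for i, log_type in enumerate(LOG_TYPES):
            records.append({"type": log_type,
                            "ts": base - timedelta(minutes=i),
                            "id": f"{log_type}-{days_ago}d-{i}"})
    return sorted(records, key=lambda r: r["ts"])


class FakeCustomerApi:
    """Stand-in for a paged 'records newer than X' endpoint (assumed shape)."""

    def __init__(self, records):
        self._records = records

    def fetch(self, log_type, since, limit, offset):
        matching = [r for r in self._records if r["type"] == log_type and r["ts"] > since]
        return matching[offset:offset + limit]


def validate_params(params):
    """Enforce the documented ranges before any request is made."""
    days = int(params.get("initial_historical_days", 0))
    if not 0 <= days <= 90:
        raise ValueError("initial_historical_days must be between 0 and 90")
    limit = int(params.get("page_limit", 5000))
    if not 1 <= limit <= 5000:
        raise ValueError("page_limit must be between 1 and 5000")
    # Assumed flag names following the enable_*_logs pattern; default is enabled.
    enabled = [t for t in LOG_TYPES
               if str(params.get(f"enable_{t}_logs", "true")).lower() == "true"]
    return days, limit, enabled


def run_collection(api, params, bookmarks, now):
    """One scheduled execution: for each enabled log type, start from its
    bookmark (or from the initial lookback window on the first run), page
    through the results, and advance the bookmark only after that type has
    been collected completely, so the next run continues where this one stopped."""
    days, limit, enabled = validate_params(params)
    collected = []
    for log_type in enabled:
        since = bookmarks.get(log_type) or (now - timedelta(days=days))
        newest = since
        offset = 0
        while True:
            page = api.fetch(log_type, since, limit, offset)
            for rec in page:
                collected.append(rec)
                if rec["ts"] > newest:
                    newest = rec["ts"]
            if len(page) < limit:  # short page means no further pages
                break
            offset += limit
        bookmarks[log_type] = newest
    return collected


def demo():
    """Two consecutive runs: the first fills the 30-day window, the second
    finds nothing new because the bookmarks were advanced."""
    api = FakeCustomerApi(make_sample_records(NOW))
    params = {"initial_historical_days": "30", "page_limit": "2",
              "enable_rbi_logs": "false"}
    bookmarks = {}
    first = run_collection(api, params, bookmarks, NOW)
    second = run_collection(api, params, bookmarks, NOW)
    return {"first_run": len(first), "second_run": len(second),
            "bookmarks": dict(bookmarks)}


if __name__ == "__main__":
    print(demo())
```

With a 30-day window the records from 120 and 30 days ago are excluded, the five enabled types each yield three records across two pages of size 2, and the second run returns nothing because every bookmark now points at the newest timestamp seen. A real deployment would also keep api_key out of the workflow XML itself and rely on the Workflow Parameter Values section, as the page describes.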
Log Ingestion and Interpretation
Logs retrieved by the workflow are ingested into QRadar under the newly created log source using the Universal Cloud REST API protocol.
Event parsing and normalization are performed on the QRadar side based on the configured Log Source Type, available DSMs and QRadar’s internal event processing logic.
After ingestion, customers may need to review how events are parsed, normalized and mapped to Event Types (QIDs) according to their own monitoring and correlation requirements.
Incoming events can be inspected in Log Activity and then used in searches, correlation rules and dashboards once the desired QRadar-side configuration is in place.