
IBM QRadar Integration In this document Overview Prerequisites Integration Files Creating the Log Source in QRadar Step 1: Create a new log source Step 2: Configure the workflow Step 3: Configure workflow parameters Step 4: Save, enable and schedule Log Ingestion and Interpretation Overview DefensX customer logs can be integrated with IBM QRadar using the Universal Cloud REST API protocol. In this integration, QRadar acts as an active log source and periodically pulls logs from the DefensX Customer API. Retrieved logs are ingested into QRadar as events. Collected log types: URL Logs DNS Logs File Transfer Logs Credential Logs Consent Logs RBI Logs Prerequisites IBM QRadar with support for the Universal Cloud REST API protocol A valid DefensX Customer API key Integration Files The integration requires the following files, available for download on this page: workflow.xml Defines API endpoints, pagination, bookmarking and event posting (Download) parameters.xml Customer-specific values such as API key and log selection (Download) Creating the Log Source in QRadar Step 1: Create a new log source Open the QRadar Admin interface Navigate to Log Sources Create a new log source Select Universal Cloud REST API as the Protocol The Universal Cloud REST API protocol uses a workflow-based model to actively retrieve logs from external systems. Step 2: Configure the workflow In the Workflow section of the log source configuration Copy and paste the contents of workflow.xml Do not modify the workflow unless explicitly required The workflow controls how QRadar connects to the DefensX Customer API and how logs are retrieved and processed. Step 3: Configure workflow parameters In the Workflow Parameter Values section: Copy and paste the contents of parameters.xml Replace `YOUR_API_KEY` with your DefensX Customer API key The following parameters are defined: identifier: Identifier used as the log source name in QRadar. This value must match the Log Source Identifier configured for the log source. host: DefensX API host address. Default value: cloud.defensx.com. api_key: DefensX Customer API key used for authentication. initial_historical_days: Number of days of historical logs collected during the first execution. Valid range: 0–90 days. After the initial run, log collection continues incrementally using bookmarks. page_limit: Maximum number of records returned per API request. Maximum value: 5000. *enable__logs: Enables or disables individual log types: URL, DNS, File Transfer, Credential, Consent and RBI. Step 4: Save, enable and schedule Save the log source configuration Enable the log source Configure the execution schedule (recurrence) After each successful execution, the workflow updates its bookmark to ensure that subsequent runs continue from the last processed timestamp. QRadar begins collecting DefensX logs according to the defined schedule. Log Ingestion and Interpretation Logs retrieved by the workflow are ingested into QRadar under the newly created log source using the Universal Cloud REST API protocol. Event parsing and normalization are performed on the QRadar side based on the configured Log Source Type, available DSMs and QRadar’s internal event processing logic. After ingestion, customers may need to review how events are parsed, normalized and mapped to Event Types (QIDs) according to their own monitoring and correlation requirements. Incoming events can be inspected in Log Activity** and then used in searches, correlation rules and dashboards once the desired QRadar-side configuration is in place.

IBM QRadar Integration

In this document

Overview
Prerequisites
Integration Files
Creating the Log Source in QRadar
Log Ingestion and Interpretation

Overview

DefensX customer logs can be integrated with IBM QRadar using the Universal Cloud REST API protocol.

In this integration, QRadar acts as an active log source and periodically pulls logs from the DefensX Customer API. Retrieved logs are ingested into QRadar as events.

Collected log types:

URL Logs
DNS Logs
File Transfer Logs
Credential Logs
Consent Logs
RBI Logs

Prerequisites

IBM QRadar with support for the Universal Cloud REST API protocol
A valid DefensX Customer API key

Integration Files

The integration requires the following files, available for download on this page:

workflow.xml Defines API endpoints, pagination, bookmarking and event posting (Download)
parameters.xml Customer-specific values such as API key and log selection (Download)

Creating the Log Source in QRadar

Step 1: Create a new log source

Open the QRadar Admin interface
Navigate to Log Sources
Create a new log source
Select Universal Cloud REST API as the Protocol

The Universal Cloud REST API protocol uses a workflow-based model to actively retrieve logs from external systems.

Step 2: Configure the workflow

In the Workflow section of the log source configuration
Copy and paste the contents of workflow.xml
Do not modify the workflow unless explicitly required

The workflow controls how QRadar connects to the DefensX Customer API and how logs are retrieved and processed.

Step 3: Configure workflow parameters

In the Workflow Parameter Values section:

Copy and paste the contents of parameters.xml
Replace YOUR_API_KEY with your DefensX Customer API key

The following parameters are defined:

identifier: Identifier used as the log source name in QRadar. This value must match the Log Source Identifier configured for the log source.
host: DefensX API host address. Default value: cloud.defensx.com.
api_key: DefensX Customer API key used for authentication.
initial_historical_days: Number of days of historical logs collected during the first execution. Valid range: 0–90 days. After the initial run, log collection continues incrementally using bookmarks.
page_limit: Maximum number of records returned per API request. Maximum value: 5000.
enable_*_logs: Enables or disables individual log types: URL, DNS, File Transfer, Credential, Consent and RBI.

Step 4: Save, enable and schedule

Save the log source configuration
Enable the log source
Configure the execution schedule (recurrence)

After each successful execution, the workflow updates its bookmark to ensure that subsequent runs continue from the last processed timestamp.

QRadar begins collecting DefensX logs according to the defined schedule.

Log Ingestion and Interpretation

Logs retrieved by the workflow are ingested into QRadar under the newly created log source using the Universal Cloud REST API protocol.

Event parsing and normalization are performed on the QRadar side based on the configured Log Source Type, available DSMs and QRadar’s internal event processing logic.

After ingestion, customers may need to review how events are parsed, normalized and mapped to Event Types (QIDs) according to their own monitoring and correlation requirements.

Incoming events can be inspected in Log Activity and then used in searches, correlation rules and dashboards once the desired QRadar-side configuration is in place.