Universal Data Insights connectors

A data source for IBM Security QRadar® Suite Software is the source of the data that you want to work with, such as a database or XML file. Connect a data source to QRadar Suite Software to enable your applications and dashboards to analyze security data to help your organization manage and respond to security threats.

Edge Gateway

To use the IBM® Security Edge Gateway to host the containers that are required for communication between the data sources and IBM Security QRadar Suite Software, you must install the Edge Gateway software in your own environment. For more information, see Edge Gateway.

Data sources

You can connect data sources to QRadar Suite Software by using connectors. Use a connector to configure each data source connection.

STIX Bundle

Structured Threat Information eXpression (STIX) is a language and serialization format that organizations can use to exchange cyberthreat intelligence. A STIX Bundle can be used in place of a data source connector to share cyberthreat intelligence by using STIX Objects. With the STIX Bundle as a data source you can search for any attack pattern, campaign, course of action, identity, indicator, intrusion set, malware, report, threat actor, tool, and vulnerability.

Configuring a data source connection

To see the Data Sources page and configure data source connections, you must have the Data Sources Admin role.

A data source connection is a record that represents a physical box that holds information on how to connect to the source and to access its data. Different users can use the data source connection; the configuration includes setting up credentials. You can configure multiple connections to a data source.

It is important to connect to a data source during the initial setup of QRadar Suite Software. Then, when you start to use an application or a dashboard, QRadar Suite Software has a source from which to retrieve the data to be displayed.

For example, to run a query with Data Explorer, you must have data sources that are connected. Then, the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on your configured data sources.

Tip: After the data source is connected, it takes some time for the initial data retrieval based on the frequency that is specified in the Frequency parameter. During this time, the data source appears as unavailable. After the data retrieval is complete, the data source shows as connected. To maintain the connection status, a polling mechanism is initiated to verify the connection periodically.

Procedure overview

To connect a data source to QRadar Suite Software:

  1. Define the general details about the connection to allow QRadar Suite Software to connect to the data source.
  2. Set the parameters to control the behavior of the search query on the data source.
  3. Optionally, from QRadar and QRadar on Cloud, set up the data source connection to regularly import asset data into QRadar Suite Software.
  4. Supply the unique identifier of the data source that you want to establish connection with. It is required to authenticate the connection request.
  5. As a security measure, define who can access the data source.
Important: Details of steps, fields, and descriptions vary depending on the selected data source.

STIX attributes

For more information about the STIX attributes for each of the available connectors, see STIX objects and properties.