Universal Cloud REST API protocol

The Universal Cloud REST API protocol is an outbound, active protocol for IBM® QRadar®. You can customize the Universal Cloud REST API protocol to collect events from various REST APIs, including data sources that do not have a specific DSM or protocol.

The Universal Cloud REST API protocol behavior is defined by a workflow XML document. You can create your own XML document, or you can get it from IBM Fix Central, or from third parties on GitHub.

Important: The Universal Cloud REST API protocol is supported on QRadar 7.3.2 or later, and the QRadar Log Source Management app must be installed. For more information about how to install the app, see Installing the QRadar Log Source Management app.

For Universal Cloud REST API protocol examples, see GitHub samples (https://github.com/ibm-security-intelligence/IBM-QRadar-Universal-Cloud-REST-API).

Tip: IBM supports only the workflows that are directly referenced in the DSM Configuration Guide. The workflows on GitHub can be used as educational resources but are not supported by IBM.

The following table describes the protocol-specific parameters for the Universal Cloud REST API protocol.

Table 1. Universal Cloud REST API protocol parameters
Parameter Description
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Universal Cloud REST API log source, ensure that you give each one a unique name.


The XML document that defines how the protocol instance collects events from the target API.

For more information, see Workflow.

Workflow Parameter Values

The XML document that contains the parameter values used directly by the workflow.

For more information, see Workflow Parameter Values.

Allow Untrusted Certificates If you enable this parameter, the protocol can accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the scanner trusts only certificates that are signed by a trusted signer.

The certificates must be in PEM or RED-encoded binary format and saved as a .crt or .cert file.

If you modify the workflow to include a hardcoded value for the Allow Untrusted Certificates parameter, the workflow overrides your selection in the UI. If you do not include this parameter in your workflow, then your selection in the UI is used.

Use Proxy If the API is accessed by using a proxy, select this checkbox.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence Specify how often the log collects data. The value can be in Minutes (M), Hours (H), or Days (D). The default is 10 minutes.
EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.