IBM Security Verify Event Service protocol configuration options
IBM® Security Verify Event Service protocol is formerly known as IBM Cloud® Identity Event Service protocol.
To receive events from IBM Security Verify, configure a log source in IBM QRadar to use the IBM Security Verify Event Service protocol.
The IBM Security Verify protocol is an outbound/active protocol.
When you use the IBM Security Verify Event Service protocol, there are specific parameters that you must use.
Before you can add a log source in QRadar®, you must configure IBM Security Verify server to send events to QRadar. For more information, see Configuring IBM Security Verify server to send events to QRadar.
| Parameter | Value |
|---|---|
| Log Source Type | IBM Security Verify |
| Protocol Configuration | IBM Security Verify Event Service |
| Log Source Identifier |
Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured IBM Security Verify Event Service log source, ensure that you give each one a unique name. |
| Authorization End Point | https://<your tenant>.ice.ibmcloud.com |
| Client ID | The Client ID that you recorded when you completed the steps to generate credentials for use with the REST API in IBM Security Verify. For more information, see Configuring IBM Security Verify server to send events to QRadar. |
| Client Secret | The Client Secret that you recorded when you completed the steps to generate credentials for use with the REST API in IBM Security Verify. For more information, see Configuring IBM Security Verify server to send events to QRadar. |
| Management Events | To collect management events, enable this option. The default is enabled. If the All Events parameter is enabled, this option is hidden. |
| Authentication Events | To collect authentication events, enable this option. The default is enabled. If the All Events parameter is enabled, this option is hidden. |
| SSO Events | To collect Single Sign-On events, enable this option. The default is enabled. If the All Events parameter is enabled, this option is hidden. |
| Enable Advanced Options |
If you want to configure advanced protocol parameters, enable this option. The default is disabled. |
| Advanced Event Types |
If you want to collect more event types, enable this option. The default is disabled. If the All Events parameter is enabled, this option is hidden. |
| Event Types |
Enter the additional event types that you want to collect. Use a comma-separated list of custom event names. For example, event_type1, event_type2, event_type3 If Advanced Event Types is disabled, this option is hidden. |
| All Events | To collect all event types that are stored on your tenant, enable this option. The default is disabled. If the Enable Advanced Options parameter is disabled, this option is hidden. |
| Use Proxy | Select True or False. The default is False. |
| Proxy IP or Hostname | The IP address or host name of the proxy server. If the Use Proxy parameter is False, this option is hidden. |
| Proxy Port |
The port number that is used to communicate with the proxy. The default is 8080. If the Use Proxy parameter is False, this option is hidden. |
| Proxy Username |
The username that is used to access the proxy. If Use Proxy is set to False, this option is hidden. |
| Proxy Password |
The password that is used to access the proxy. If the Use Proxy parameter is set to False, this option is hidden. |
| Recurrence |
The time interval between log source queries to IBM Security Verify for new events. The time interval can be in minutes (M), hours (H), or days (D). For example, 1M, 3H, 5D. The default is 1M. |
| EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |