Configuring a Flat File Feed service

For IBM QRadar to retrieve log files from IBM® Security Trusteer Apex Advanced Malware Protection, you must set up a flat file feed service on an intermediary SFTP-enabled server. The service enables the intermediary server to host the flat files that it receives from IBM Security Trusteer Apex Advanced Malware Protection and allows for connections from external devices so that QRadar can retrieve the log files.

To configure IBM Security Trusteer® Apex Advanced Malware Protection to send flat file feeds to the intermediary server, contact IBM Trusteer support.

About this task

Flat file feeds use a CSV format. Each feed item is written to the file on a separate line, which contains several comma-separated fields. Each field contains data that describes the feed item. The first field in each feed line contains the feed type.

Procedure

  1. Set up an SFTP-enabled server and ensure that external devices can reach it.
  2. Log in to the SFTP-enabled server.
  3. Create a user account on the server for IBM Security Trusteer Apex™ Advanced Malware Protection.
  4. Create a user account for QRadar.
  5. Optional: Enable SSH key-based authentication.

What to do next

After you set up the intermediary server, record the following details:

  • Target SFTP server name and IP addresses
  • SFTP server port (standard port is 22)
  • The file path for the target directory
  • SFTP user name if SSH authentication is not configured
  • Upload frequency (from 1 minute to 24 hours)
  • SSH public key in RSA format

IBM Trusteer support uses the intermediary server details when they configure IBM Security Trusteer Apex Advanced Malware Protection to send flat file feeds.