IBM Security Privileged Identity Manager

The IBM QRadar DSM for IBM® Security Privileged Identity Manager collects events by using the JDBC protocol.

The following table identifies the specifications for the IBM Security Privileged Identity Manager DSM:
Table 1. IBM Security Privileged Identity Manager DSM specifications

| Specification | Value |
|---|---|
| Manufacturer | IBM |
| DSM name | IBM Security Privileged Identity Manager |
| RPM file name | DSM-IBMSecurityPrivilegedIdentityManager-QRadar_version-build_number.noarch.rpm |
| Supported versions | V1.0.0 to V2.1.1 |
| Protocol | JDBC |
| Recorded event types | Audit, Authentication, System |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | IBM Security Privileged Identity Manager website (https://www.ibm.com/support/knowledgecenter/en/SSRQBP/welcome.html) |

To collect events from IBM Security Privileged Identity Manager, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
    • JDBC Protocol RPM
    • IBM Security Privileged Identity Manager DSM RPM
  2. Configure IBM Security Privileged Identity Manager to communicate with QRadar.
  3. Add an IBM Security Privileged Identity Manager log source on the QRadar Console. The following table describes the parameters that require specific values for event collection:
    Table 2. IBM Security Privileged Identity Manager JDBC log source parameters

    | Parameter | Value |
    |---|---|
    | Log Source Name | Type a unique name for the log source. |
    | Log Source Description (Optional) | Type a description for the log source. |
    | Log Source type | IBM Security Privileged Identity Manager |
    | Protocol Configuration | JDBC |
    | Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
    | Database Type | MSDE |
    | Database Name | The database name must match the database name that is specified in the Log Source Identifier field. |
    | IP or Hostname | Must match the value in the Hostname field in IBM Security Privileged Identity Manager. |
    | Port | Must match the value in the Port field in IBM Security Privileged Identity Manager. |
    | Username | Must match the value in the Database administrator ID field in IBM Security Privileged Identity Manager. |
    | Password | The password that is used to connect to the database. |
    | Authentication Domain | If you did not select Use Microsoft JDBC, Authentication Domain is displayed. The domain for MSDE databases that are a Windows domain. If your network does not use a domain, leave this field blank. |
    | Database Instance | The database instance, if required. MSDE databases can include multiple SQL server instances on one server. When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration. |
    | Predefined Query | Select None. |
    | Table Name | <DB2ADMIN>.V_PIM_AUDIT_EVENT. Replace DB2ADMIN with the actual database schema name as identified in the Database Administrator ID parameter in IBM Security Privileged Identity Manager. |
    | Select List | Type an asterisk (*) to select all fields from the table or view. |
    | Compare Field | Identifies new events that are added to the table between queries. Type TIMESTAMP. |
    | Use Prepared Statements | Prepared statements enable the JDBC protocol source to set up the SQL statement, and run the SQL statement numerous times with different parameters. Select this check box. |
    | Start Date and Time (Optional) | Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval. |
    | Polling Interval | The amount of time between queries to the event table. Use the default Polling Interval value of 10. |
    | EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 20,000. |
    | Use Named Pipe Communication | If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed. MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default that is named pipe on the MSDE database. |
    | Database Cluster Name | If you selected Use Named Pipe Communication, the Database parameter displays. If you are running your SQL server in a cluster environment, define the cluster name to ensure named pipe communication functions properly. |
    | Use NTLMv2 | If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed. Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. |
    | Use SSL | Select this option if your connection supports SSL. |
    | Microsoft SQL Server Hostname | If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed. You must type the host name for the Microsoft SQL server. |
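
The Compare Field and Use Prepared Statements parameters together describe incremental polling. The sketch below is an added example (not IBM's or QRadar's code) that models that pattern against an in-memory SQLite table standing in for the V_PIM_AUDIT_EVENT view. The CATEGORY and ACTION columns, the sample rows and the Poller class are constructed for illustration.

```python
import sqlite3

# Parameterized once, run on every poll with a new marker value.
POLL_SQL = ('SELECT * FROM V_PIM_AUDIT_EVENT '
            'WHERE "TIMESTAMP" > ? ORDER BY "TIMESTAMP"')
INSERT_SQL = "INSERT INTO V_PIM_AUDIT_EVENT VALUES (?, ?, ?)"


def make_db():
    """Constructed stand-in for the audit view; CATEGORY/ACTION are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE V_PIM_AUDIT_EVENT '
               '("TIMESTAMP" TEXT, CATEGORY TEXT, ACTION TEXT)')
    return db


class Poller:
    def __init__(self, db, start):
        self.db = db
        self.marker = start  # plays the role of Start Date and Time

    def poll(self):
        """Return rows whose compare field is newer than the stored marker."""
        rows = self.db.execute(POLL_SQL, (self.marker,)).fetchall()
        if rows:
            self.marker = rows[-1][0]  # highest TIMESTAMP seen so far
        return rows


def demo():
    db = make_db()
    db.executemany(INSERT_SQL, [  # constructed sample events
        ("2024-05-01 09:59:30", "Authentication", "LOGIN"),
        ("2024-05-01 10:00:05", "Audit", "CHECKOUT"),
        ("2024-05-01 10:00:12", "System", "CONFIG_CHANGE"),
    ])
    poller = Poller(db, start="2024-05-01 10:00")
    first = poller.poll()    # the two rows after the start time
    second = poller.poll()   # nothing new, marker unchanged
    db.execute(INSERT_SQL, ("2024-05-01 10:00:20", "Audit", "CHECKIN"))
    # Row stored late with a TIMESTAMP older than the marker: never returned.
    db.execute(INSERT_SQL, ("2024-05-01 10:00:08", "Audit", "LATE_WRITE"))
    third = poller.poll()
    return first, second, third, poller.marker


if __name__ == "__main__":
    for batch in demo()[:3]:
        print(batch)
```

In this model the third poll returns only the CHECKIN row: a row written with a TIMESTAMP older than the last value collected is skipped, which is why the compare field has to increase with every new event for collection to be complete.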