Integration workflow example
After user and group information is collected and stored in a reference data collection, there are many ways in which you can use the data in IBM QRadar SIEM.
You can create meaningful reports and alerts that characterize user adherence to your company's security policies.
Consider the following example:
To verify that the activities performed by privileged ISIM users comply with your security policies, complete the following tasks:
- Create a log source to collect and parse audit data for each ISIM server from which the logs are collected. For more information about how to create a log source, see the Managing Log Sources Guide.
- Create a user information source for the ISIM server and collect ISIM Administrators user group information. This step creates a reference data collection that is called ISIM Administrators.
- Configure a building block that tests for events in which the source IP address is the ISIM server and the user name is listed in the ISIM Administrators reference data collection. The reference set name in the test must match the name of the collection that the user information source created. For more information about building blocks, see the User Guide for your product.
- Create an event search that uses the custom building block as a filter. For more information about event searches, see the IBM QRadar User Guide for your product.
- Create a custom report that uses the custom event search to generate daily reports on the audit activity of the privileged ISIM users. These reports list every action the ISIM administrators took on the ISIM server, so you can review them for activity that breaches your security policy. For more information about reports, see the IBM QRadar User Guide for your product.
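The following is an added example that is not part of this guide and not QRadar code. It runs the same filter that the building block expresses (source IP address is the ISIM server and the user name is in the ISIM Administrators reference data collection) over a handful of constructed, already-normalized events, then aggregates the matches per day and per administrator the way the daily report would. The ISIM server address, the set membership, the sample events, the lower-casing of user names, and the change-window policy are all assumptions made for the example.

```python
"""Local model of the ISIM privileged-user monitoring procedure.

Added example, not QRadar or ISIM code. It mirrors three pieces of the
procedure above: the building block test, the event search that uses it,
and the daily report built from the search results.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed address of the ISIM server whose audit log source was created
# in the first step.
ISIM_SERVER_IP = "10.0.0.25"

# Stand-in for the "ISIM Administrators" reference data collection that the
# user information source populates. Membership is constructed for this
# example; names are stored lower-cased so that the lookup below is
# case-insensitive (an assumption, not QRadar behaviour).
ISIM_ADMINISTRATORS = {"itimadmin", "jsmith"}

# Assumed policy used to judge the report: privileged ISIM changes are only
# expected between 08:00 and 18:00.
CHANGE_WINDOW_HOURS = (8, 18)

# Constructed normalized events, shaped like the fields the search would
# return after the DSM has parsed the ISIM audit records.
SAMPLE_EVENTS = [
    {"starttime": "2024-03-01T09:12:03", "sourceip": "10.0.0.25",
     "username": "itimadmin", "eventname": "Modify Person"},
    {"starttime": "2024-03-01T11:40:51", "sourceip": "10.0.0.25",
     "username": "jsmith", "eventname": "Add Role"},
    {"starttime": "2024-03-01T13:05:10", "sourceip": "10.0.0.25",
     "username": "helpdesk1", "eventname": "Reset Password"},  # not an admin
    {"starttime": "2024-03-01T14:22:37", "sourceip": "10.0.0.40",
     "username": "itimadmin", "eventname": "Login"},          # not the ISIM server
    {"starttime": "2024-03-02T02:40:00", "sourceip": "10.0.0.25",
     "username": "JSMITH", "eventname": "Delete Account"},    # admin, outside window
]


def is_privileged_isim_event(event):
    """The building block test: ISIM server as source IP and an admin user."""
    return (event["sourceip"] == ISIM_SERVER_IP
            and event["username"].lower() in ISIM_ADMINISTRATORS)


def search_privileged_activity(events):
    """The event search: every event that passes the building block test."""
    return [e for e in events if is_privileged_isim_event(e)]


def daily_report(events):
    """The daily report: count of privileged actions per day and per admin."""
    per_day = defaultdict(Counter)
    for e in search_privileged_activity(events):
        day = e["starttime"][:10]
        per_day[day][e["username"].lower()] += 1
    return {day: dict(counts) for day, counts in per_day.items()}


def policy_violations(events):
    """Privileged actions outside the assumed change window.

    Returns (username, eventname, starttime) tuples so a reviewer can see
    which administrator did what, and when.
    """
    start, end = CHANGE_WINDOW_HOURS
    flagged = []
    for e in search_privileged_activity(events):
        hour = datetime.fromisoformat(e["starttime"]).hour
        if not (start <= hour < end):
            flagged.append((e["username"].lower(), e["eventname"], e["starttime"]))
    return flagged


if __name__ == "__main__":
    for day, counts in sorted(daily_report(SAMPLE_EVENTS).items()):
        print(day, counts)
    for row in policy_violations(SAMPLE_EVENTS):
        print("outside change window:", row)
```

In QRadar itself the same membership test is written in the building block or an AQL search with the REFERENCESETCONTAINS function against the set name; the point the local model makes is that the user name in the event must be in the same form as the values the user information source stored, otherwise administrators silently drop out of the report.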
Note: If you want to collect application security logs, you must create a Device Support Module (DSM). For more information, see the IBM QRadar DSM Configuration Guide.