IBM Proventia Management SiteProtector

The IBM® Proventia® Management SiteProtector DSM for IBM QRadar® accepts SiteProtector events by polling the SiteProtector database.

The DSM allows QRadar to record Intrusion Prevention System (IPS) events and audit events directly from the IBM SiteProtector database.

Note: The IBM Proventia Management SiteProtector DSM requires the latest JDBC Protocol to collect audit events.

The IBM Proventia Management SiteProtector DSM for IBM QRadar can accept detailed SiteProtector events by reading information from the primary SensorData1 table. The SensorData1 table is generated with information from several other tables in the IBM SiteProtector database. SensorData1 remains the primary table for collecting events.

IDP events include information from SensorData1, along with information from the following tables:

  • SensorDataAVP1
  • SensorDataReponse1

Audit events include information from the following tables:

  • AuditInfo
  • AuditTrail

Audit events are not collected by default. When you select the Include Audit Events check box, QRadar makes a separate query to the AuditInfo and AuditTrail tables. For more information about your SiteProtector database tables, see your vendor documentation.

Before you configure QRadar to integrate with SiteProtector, we suggest that you create a database user account and password in SiteProtector for QRadar.

Your QRadar user must have read permissions for the SensorData1 table, which stores SiteProtector events. The JDBC - SiteProtector protocol allows QRadar to log in and poll for events from the database. Creating a QRadar account is not required, but it is recommended for tracking and securing your event data.
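The following script is an added example, not part of the IBM documentation. It shows one way to create a read-only polling account that is limited to the tables named on this page. It assumes a Microsoft SQL Server back end and the dbo schema; the database name `SiteProtectorDB_PLACEHOLDER`, the login `qradar_ro`, and the password value are placeholders.

```sql
-- Added example. Assumptions: Microsoft SQL Server, dbo schema,
-- placeholder database name, hypothetical login name qradar_ro.
USE [SiteProtectorDB_PLACEHOLDER];

CREATE LOGIN qradar_ro
    WITH PASSWORD = N'REPLACE_WITH_STRONG_PASSWORD', CHECK_POLICY = ON;
CREATE USER qradar_ro FOR LOGIN qradar_ro;

-- Table names exactly as they are spelled on this page. The two audit
-- tables are needed only when Include Audit Events is selected.
DECLARE @tables TABLE (name sysname);
INSERT INTO @tables (name) VALUES
    (N'SensorData1'), (N'SensorDataAVP1'), (N'SensorDataReponse1'),
    (N'AuditInfo'), (N'AuditTrail');

DECLARE @name sysname, @sql nvarchar(400);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM @tables;
OPEN c;
FETCH NEXT FROM c INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Grant SELECT only; report names that do not exist in this schema
    -- instead of failing half-way through.
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@name)) IS NOT NULL
    BEGIN
        SET @sql = N'GRANT SELECT ON dbo.' + QUOTENAME(@name)
                 + N' TO qradar_ro;';
        EXEC sp_executesql @sql;
    END
    ELSE
        PRINT N'Not found, no grant issued: ' + @name;
    FETCH NEXT FROM c INTO @name;
END
CLOSE c;
DEALLOCATE c;

-- Review the result: the account should hold CONNECT on the database
-- and SELECT on the tables above, and nothing else.
SELECT OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u
  ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'qradar_ro';
```

Any table reported as not found should be checked against the vendor documentation for your SiteProtector version before you widen the grants.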

Note: Ensure that no firewall rules are blocking the communication between the SiteProtector console and QRadar.