QRadar supported DSMs
IBM QRadar can collect events from your security products by using a plug-in file that is called a Device Support Module (DSM).
QRadar can receive logs from systems and devices by using the standard Syslog protocol. Supported DSMs can also use other protocols, as listed in the Protocol column of the supported DSM table. You can try to configure third-party applications to send logs to QRadar through the Syslog protocol. For more information, see Adding a log source.
If you want to send logs by using a supported DSM that the QRadar auto discovery feature does not support, you must add the log source manually. For more information about adding a log source in QRadar, see Adding a log source.
What do you do if the product version or device you have is not listed in the DSM Configuration Guide?
Sometimes a version of a vendor product or a device is not listed as supported. If the product or device is not listed, follow these guidelines:
- Version not listed: If the DSM for your product is officially supported by QRadar, but your product version is not listed in the IBM QRadar DSM Configuration Guide, you have the following options:
  - Try the DSM to see whether it works. The product versions that are listed in the guide are tested by IBM®, but newer untested versions can also work.
  - If you tried the DSM and it didn't work, open a support ticket for a review of the log source to troubleshoot and rule out any potential issues. Tip: In most cases, no changes are necessary, or perhaps a minor update to the IBM QRadar® Identifier (QID) Map might be all that is required. Software updates by vendors might on rare occasions add or change event formats that break the DSM, requiring an RFE for the development of a new integration. This is the only scenario where an RFE is required.
- Device not listed: When a device is not officially supported, you have the following options:
  - Open a request for enhancement (RFE) to have your device become officially supported:
    - Go to the QRadar SIEM RFE page (https://ibm.biz/BdRPx5).
    - Log in to the support portal page.
    - Click the Submit tab and type the necessary information. Tip: If you have event logs from a device, attach the event information and include the product version of the device that generated the event log.
  - Write a log source extension to parse events for your device. For more information, see Log source extensions and the DSM Editor.
  - Use content extensions for sending events to QRadar that are provided by some third-party vendors. They can be found on the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/). These third-party DSM integrations are supported by the vendor, not by IBM. For a list of available third-party DSMs, see DSMs supported by third-party vendors.
The following table lists supported DSMs for third-party and IBM QRadar solutions.
Manufacturer | Device name and version | Protocol | Recorded events and formats | Auto discovered? | Includes identity? | Includes custom properties? |
---|---|---|---|---|---|---|
3Com | 8800 Series Switch V3.01.30 | Syslog | Status and network condition events | Yes | No | No |
AhnLab | AhnLab Policy Center | AhnLab Policy Center JDBC | Spyware detection, Virus detection, Audit | No | Yes | No |
Akamai | Akamai KONA | HTTP Receiver, Akamai Kona REST API | Event format: JSON. Recorded event types: All security events | No | No | No |
Alibaba Cloud | Alibaba ActionTrail | Alibaba Cloud Object Storage, Syslog | Event format: JSON | Yes | Yes | No |
Amazon | Amazon AWS Application Load Balancer Access Logs | Amazon AWS S3 REST API | Event format: Space-delimited pre-defined fields. Recorded event types: Access logs | Yes | No | No |
Amazon | Amazon AWS CloudTrail | Amazon AWS S3 REST API, Amazon Web Services | Event versions 1.0, 1.02, 1.03, 1.04, 1.05, 1.06, and 1.08 events | Yes | No | No |
Amazon | Amazon AWS Config | Amazon AWS S3 REST API | Event format: JSON | Yes | No | No |
Amazon | Amazon AWS Elastic Kubernetes Service (supported version: Kubernetes API 1.19) | Amazon Web Services | Event format: JSON. Recorded event types: Amazon AWS Kubernetes | Yes | No | No |
Amazon | Amazon AWS Network Firewall | Amazon AWS S3 REST API | Event format: JSON. Recorded event types: Firewall Alert logs, Firewall Flow logs | No | No | No |
Amazon | Amazon AWS Route 53 | | Event format: Recorded event types: Event versions 1.0 | Yes | No | No |
Amazon | Amazon AWS Security Hub | Amazon Web Services | Event format: JSON. Recorded event types: AWS Security Finding Format (ASFF) | No | No | No |
Amazon | Amazon AWS WAF | Amazon AWS S3 REST API | Event format: JSON. Recorded event types: Traffic allow, Traffic block | No | No | No |
Amazon | Amazon CloudFront | Amazon Web Services | Event format: Tab Separated Value (TSV). Recorded event types: RealTime Log - TSV | Yes | No | No |
Amazon | Amazon GuardDuty | Amazon Web Services | Amazon GuardDuty Findings JSON | No | No | No |
Amazon | AWS Verified Access | Amazon AWS S3 REST API, Syslog | Event format: JSON | Yes | Yes | Yes |
Ambiron | TrustWave ipAngel V4.0 | Syslog | Snort-based events | No | No | No |
Apache | HTTP Server V1.3+ | Syslog, Syslog-ng | HTTP status | Yes | No | No |
APC | UPS | Syslog | Smart-UPS series events | No | No | No |
Apple | Apple Mac OS X version 10.12 | Syslog | Firewall, web server access, web server error, privilege, and informational events | No | Yes | No |
Application Security, Inc. | DbProtect V6.2, V6.3, V6.3sp1, V6.3.1, and v6.4 | Syslog | All events | Yes | No | No |
Arbor Networks | Arbor Networks Pravail APS V3.1+ | Syslog, TLS Syslog | All events | Yes | No | No |
Arbor Networks | Arbor Networks Peakflow SP V5.8 to V8.1.2 | Syslog, TLS Syslog | Denial of Service (DoS), Authentication, Exploit, Suspicious activity, System | Yes | No | No |
Arpeggio Software | SIFT-IT V3.1+ | Syslog | All events configured in the SIFT-IT rule set | Yes | No | No |
Array Networks | SSL VPN ArraySP v7.3 | Syslog | All events | No | Yes | Yes |
Aruba Networks | Aruba ClearPass Policy Manager v6.5.0.71095 to v6.11.1 | Syslog | Event format: LEEF. Event types: session, audit, system, insight | Yes | Yes | No |
Aruba Networks | Mobility Controllers v2.5 + | Syslog | All events | Yes | No | No |
Avaya Inc. | Avaya VPN Gateway v9.0.7.2 | Syslog | All events | Yes | Yes | No |
BalaBit IT Security | Microsoft Windows Security Event Log V4.x | Syslog | Microsoft Event Log events | Yes | Yes | No |
BalaBit IT Security | Microsoft ISA v4.x | Syslog and WinCollect | Microsoft Event Log events | Yes | Yes | No |
Barracuda Networks | Spam & Virus Firewall v5.x and later | Syslog | All events | Yes | No | No |
Barracuda Networks | Web Application Firewall v7.0.x | Syslog | System, web firewall, access, and audit events | Yes | No | No |
Barracuda Networks | Web Filter v6.0.x+ | Syslog | Web traffic and web interface events | Yes | No | No |
BlueCat Networks | Adonis v6.7.1-P2+ | Syslog | DNS and DHCP events | Yes | No | No |
Blue Coat | SG v4.x+ | Syslog, Log File Protocol | All events | No | No | Yes |
Blue Coat | Web Security Service | | Blue Coat ELFF, Access | No | No | No |
Box | Box | Box REST API | Event format: JSON. Event types: Administrator and enterprise events, Box Shield Alerts | No | Yes | No |
Bridgewater Systems | AAA v8.2c1 | Syslog | All events | Yes | Yes | No |
Broadcom | CA Access Control Facility (ACF2) (Formerly known as CA Technologies ACF2) | Log File Protocol | All events | No | No | Yes |
Broadcom | CA Top Secret (Formerly known as CA Technologies Top Secret) | Log File Protocol | All events | No | No | Yes |
Broadcom | Symantec SiteMinder (Formerly known as CA SiteMinder) | Syslog, Log File | All events | No | Yes | No |
Brocade | Fabric OS v7.x | Syslog | System and audit events | Yes | No | No |
Carbon Black | Carbon Black v5.1 and later | Syslog | Watchlist hits | Yes | No | No |
Carbon Black | Carbon Black Bit9 Parity | Syslog | LEEF | Yes | No | |
Carbon Black | Carbon Black Bit9 Security Platform v6.0.2 | Syslog | All events | Yes | Yes | No |
Centrify | Centrify Identity Platform (now known as CyberArk Identity) | | | | | |
Centrify | Centrify Infrastructure Services 2017 | Syslog and WinCollect | WinCollect logs, Audit events | Yes | No | No |
Check Point | Check Point versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R75, R77, R80, R81, and NGX | Syslog or OPSEC LEA | Event format: LEEF (versions R77.30, R80.10, R80.20, R81.10). Event types: All events | Yes | Yes | Yes |
Check Point | VPN-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, R80, R81, and NGX | Syslog or OPSEC LEA | Event format: LEEF (versions R77.30, R80.10, R80.20, R81.10). Event types: All events | Yes | Yes | No |
Check Point | Check Point Multi-Domain Management (Provider-1) versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, R80, R81, and NGX | Syslog or OPSEC LEA | Event format: LEEF (versions R77.30, R80.10, R80.20, R81.10). Event types: All events | Yes | Yes | No |
Cilasoft | Cilasoft QJRN/400 v5.14.K+ | Syslog | IBM audit events | Yes | Yes | No |
Cisco | 4400 Series Wireless LAN Controller V7.2 | Syslog, SNMPv2 | All events | No | No | No |
Cisco | Cisco CallManager 8.x, 11.5 | Syslog | Application events | Yes | No | No |
Cisco | ACS V4.1 and later if directly from ACS V3.x and later if using ALE | Syslog | Failed Access Attempts | Yes | Yes | No |
Cisco | Aironet V4.x+ | Syslog | Cisco Emblem Format | Yes | No | No |
Cisco | ACE Firewall V12.2 | Syslog | All events | Yes | Yes | No |
Cisco | Cisco AMP | Cisco AMP | All security events. For a detailed list of supported events, see the Cisco AMP for Endpoints API documentation (https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v1). Note: Network traffic is supported only for Data Flow Control (DCF) events. | No | No | No |
Cisco | ASA V7.x and later | Syslog | All events | Yes | Yes | No |
Cisco | ASA V7.x+ | NSEL Protocol | All events | No | No | No |
Cisco | CSA V4.x, V5.x and V6.x | Syslog SNMPv1 SNMPv2 | All events | Yes | Yes | No |
Cisco | CatOS for catalyst systems V7.3+ | Syslog | All events | Yes | Yes | No |
Cisco | Cloud Web Security (CWS) | Amazon AWS S3 REST API | W3C. All web usage logs | No | No | No |
Cisco | Cisco Stealthwatch V6.8 | Syslog | Event format: LEEF. Event types: Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C | Yes | No | No |
Cisco | IPS V7.1.10 and later, V7.2.x, V7.3.x | SDEE | All events | No | No | No |
Cisco | | Syslog, Log File protocol | Event format: All events. Recorded event types: Mail (syslog), System (syslog), Access (syslog), Web content filtering (Log File). Important: Critical, Warning, and Information logs are supported. | No | No | No |
Cisco | Cisco Duo | Cisco Duo | Event format: JSON. Event types: Authentication logs | Yes | Yes | No |
Cisco | Cisco Firepower Management Center V5.2 to V7.1 (formerly known as Cisco FireSIGHT Management Center) | Cisco Firepower eStreamer protocol | Discovery events, Correlation and White List events, Impact Flag alerts, User activity, Malware events, File events, Connection events, Intrusion events, Intrusion Event Packet Data, Intrusion Event Extra Data | No | No | No |
Cisco | Cisco Firepower Threat Defense | Syslog | Event format: Syslog, Comma-separated values (CSV), Name-value pair (NVP). Recorded event types: Intrusion, Connection | Yes | Yes | No |
Cisco | Cisco Firewall Service Module (FWSM) v2.1+ | Syslog | All events | Yes | Yes | Yes |
Cisco | Cisco Catalyst Switch IOS, 12.2, 12.5+ | Syslog | All events | Yes | Yes | No |
Cisco | Cisco Meraki | Syslog | Event format: Syslog. Event types: Events, Flows, security_event_ids_alerted | Yes | No | No |
Cisco | Cisco NAC Appliance v4.x + | Syslog | Audit, error, failure, quarantine, and infected events | No | No | No |
Cisco | Cisco Nexus v6.x | Syslog | Nexus-OS events | Yes | No | No |
Cisco | Cisco PIX Firewall v5.x, v6.3+ | Syslog | Cisco PIX events | Yes | Yes | Yes |
Cisco | Cisco Identity Services Engine V1.1 to V2.2 | UDP Multiline Syslog | Event format: Syslog. Event types: Device events | No | Yes | No |
Cisco | Cisco IOS 12.2, 12.5+ | Syslog | All events | Yes | Yes | No |
Cisco | Cisco Secure Workload | Syslog | Event format: JSON | Yes | No | No |
Cisco | Cisco Umbrella | Amazon AWS S3 REST API | Event format: Cisco Umbrella CSV. Event types: DNS, Proxy, IP | No | No | No |
Cisco | Cisco VPN 3000 Concentrator versions VPN 3005, 4.1.7.H | Syslog | All events | Yes | Yes | Yes |
Cisco | Cisco Wireless Services Modules (WiSM) V 5.1+ | Syslog | All events | Yes | No | No |
Citrix | Citrix NetScaler V9.3 to V10.0 | Syslog | All events | Yes | Yes | No |
Citrix | Citrix Access Gateway V4.5 | Syslog | Access, audit, and diagnostic events | Yes | No | No |
Cloudera | Cloudera Navigator | Syslog | Audit events for HDFS, HBase, Hive, Hue, Cloudera Impala, Sentry | Yes | No | No |
Cloudflare | Cloudflare Logs | Amazon AWS S3 REST API, HTTP Receiver | Event format: JSON. Event types: HTTP events, Firewall events | Yes | No | No |
CloudPassage | CloudPassage Halo | Syslog, Log file | All events | Yes | No | No |
CrowdStrike | CrowdStrike Falcon | Syslog LEEF | Incident, Incident summary, Detection summary, Authentication, Detection status update, Uploaded IoCs, Network containment, IP whitelisting, Policy management, CrowdStrike store, Falcon firewall management, Real time response, Event streams | Yes | No | No |
CrowdStrike | Falcon Data Replicator | Amazon AWS S3 REST API | Event format: JSON | Yes | No | No |
CorreLog | CorreLog Agent for IBM z/OS® | Syslog LEEF | All events | Yes | No | No |
CRYPTOCard | CRYPTO- Shield V6.3 | Syslog | All events | No | No | No |
CyberArk | CyberArk Identity. Important: The Centrify Identity Platform DSM name is now the CyberArk Identity DSM. The DSM RPM name remains as Centrify Identity Platform in QRadar. | Centrify Redrock REST API | Event format: JSON. Event types: SaaS, Core, Internal, and Mobile | No | No | No |
CyberArk | CyberArk Privileged Threat Analytics V3.1 | Syslog | Detected security events | Yes | No | No |
CyberArk | CyberArk Vault V6.x | Syslog | All events | Yes | Yes | No |
CyberGuard | Firewall/VPN KS1000 V5.1 | Syslog | CyberGuard events | Yes | No | No |
Damballa | Failsafe V5.0.2+ | Syslog | All events | Yes | No | No |
Digital China Networks | DCS and DCRS Series switches V1.8.7 | Syslog | DCS and DCRS IPv4 events | No | No | No |
DG Technology | DG Technology MEAS | Syslog LEEF | Mainframe events | Yes | No | No |
ESET | ESET Remote Administrator V6.4.270 | Syslog LEEF | Threat events, Firewall Aggregated Event, HIPS Aggregated Event, Audit events | Yes | Yes | No |
Extreme | Dragon V5.0, V6.x, V7.1, V7.2, V7.3, and V7.4 | Syslog SNMPv1 SNMPv3 | All relevant Extreme Dragon events | Yes | No | No |
Extreme | 800-Series Switch | Syslog | All events | Yes | No | No |
Extreme | Matrix Router V3.5 | Syslog SNMPv1 SNMPv2 SNMPv3 | SNMP and syslog login, logout, and login failed events | Yes | No | No |
Extreme | NetSight Automatic Security Manager V3.1.2 | Syslog | All events | Yes | No | No |
Extreme | Matrix N/K/S Series Switch V6.x, V7.x | Syslog | All relevant Matrix K-Series, N-Series and S-Series device events | Yes | No | No |
Extreme | Stackable and Standalone Switches | Syslog | All events | Yes | Yes | No |
Extreme | XSR Security Router V7.6.14.0002 | Syslog | All events | Yes | No | No |
Extreme | HiGuard Wireless IPS 2R2.0.30 | Syslog | All events | Yes | No | No |
Extreme | HiPath Wireless Controller 2R2.0.30 | Syslog | All events | Yes | No | No |
Extreme | NAC 3.2 and 3.3 | Syslog | All events | Yes | No | No |
Enterprise-IT-Security.com | SF-Sherlock 8.1 and later | LEEF | All_Checks, DB2_Security_Configuration, JES_Configuration, Job_Entry_System_Attack, Network_Parameter, Network_Security, No_Policy, Resource_Access_Viol, Resource_Allocation, Resource_Protection, Running_System_Change, Running_System_Security, Running_System_Status, Security_Dbase_Scan, Security_Dbase_Specialty, Security_Dbase_Status, Security_Parm_Change, Security_System_Attack, Security_System_Software, Security_System_Status, SF-Sherlock, Sherlock_Diverse, Sherlock_Information, Sherlock_Specialties, Storage_Management, Subsystem_Scan, Sysplex_Security, Sysplex_Status, System_Catalog, System_File_Change, System_File_Security, System_File_Specialty, System_Log_Monitoring, System_Module_Security, System_Process_Security, System_Residence, System_Tampering, System_Volumes, TSO_Status, UNIX_OMVS_Security, UNIX_OMVS_System, User_Defined_Monitoring, xx_Resource_Prot_Templ | Yes | No | No |
Epic | Epic SIEM, Versions Epic 2014, Epic 2015, and Epic 2017 | LEEF | Audit, Authentication | Yes | Yes | No |
Exabeam | Exabeam 1.7 and 2.0 | not applicable | Critical, Anomalous | Yes | No | No |
Extreme Networks | Extreme Ware 7.7 and XOS 12.4.1.x | Syslog | All events | No | Yes | No |
F5 Networks | F5 Networks BIG-IP AFM 11.3 and 12.x to 14.x | Syslog | Network, network DoS, protocol security, DNS, and DNS DoS events | Yes | Yes | No |
F5 Networks | F5 Networks BIG-IP LTM 9.42 to 14.x | Syslog, CSV | All events | No | Yes | No |
F5 Networks | F5 Networks BIG-IP ASM 10.1 to 16.x | Syslog | Event formats: CEF (CEF:0 is supported), JSON. Recorded event types: All security events | Yes | Yes | No |
F5 Networks | F5 Networks BIG-IP APM 10.x to 14.x | Syslog | All events | Yes | No | No |
F5 Networks | FirePass 7.0 | Syslog | All events | Yes | Yes | No |
Fair Warning | Fair Warning 2.9.2 | Log File Protocol | All events | No | No | No |
Fasoo | Fasoo Enterprise DRM 5.0 | JDBC | NVP event format. Usage events | No | No | No |
Fidelis Security Systems | Fidelis XPS 7.3.x | Syslog | Alert events | Yes | No | No |
FireEye | FireEye CMS, MPS, EX, AX, NX, FX, and HX | Syslog, TLS Syslog | Event formats: CEF (CEF:0 is supported), LEEF. Recorded event types: All relevant events | Yes | No | No |
FreeRADIUS | FreeRADIUS 2.x | Syslog | All events | Yes | Yes | No |
Forcepoint | Forcepoint Sidewinder 6.1 (formerly known as McAfee Firewall Enterprise 6.1) | Syslog | Forcepoint Sidewinder audit events | Yes | No | No |
Forcepoint | Stonesoft Management Center 5.4 to 6.1 | Syslog | Event format: LEEF. Event types: Management Center, IPS, Firewall, and VPN events | Yes | No | No |
Forcepoint | Forcepoint TRITON 7.7 and 8.2 (formerly known as Websense) | Syslog LEEF | Events for web content from several Forcepoint TRITON solutions, including Web Security, Web Security Gateway, Web Security Gateway Anywhere, and V-Series appliances. All events | Yes | No | No |
Forcepoint | Forcepoint V-Series Data Security Suite (DSS) 7.1x (formerly known as Websense) | Syslog | All events | Yes | Yes | Yes |
Forcepoint | Forcepoint V-Series Content Gateway V7.1x (formerly known as Websense) | Log File Protocol | All events | No | No | No |
ForeScout | CounterACT 7.x and later | Syslog | Denial of Service, system, exploit, authentication, and suspicious events | No | No | No |
Fortinet | Fortinet FortiGate Security Gateway FortiOS 6.4 and earlier | Syslog, Syslog Redirect | All events | Yes | Yes | Yes |
Foundry | FastIron 3.x.x and 4.x.x | Syslog | All events | Yes | Yes | No |
genua | genugate 8.2+ | Syslog | General error messages, High availability, General relay messages, Relay-specific messages, genua programs/daemons, EPSI, Accounting Daemon (gg/src/acctd), Configfw, FWConfig, ROFWConfig, User-Interface, Webserver | Yes | Yes | No |
Google | Google Cloud Audit Logs | Google Cloud Pub/Sub | Supported services: Event format: JSON. Event types: Storage, list, update | Yes | No | No |
Google | Google Cloud Platform Firewall | Google Cloud Pub/Sub | Event format: JSON. Event types: Firewall Allow, Firewall Deny | No | No | No |
Google | Google G Suite Activity Reports | Google G Suite Activity Reports REST API | Event format: JSON. Recorded event types: Admin, drive, login, user accounts | No | No | No |
Great Bay | Beacon | Syslog | All events | Yes | Yes | No |
H3C Technologies | H3C Comware Platform, H3C Switches, H3C Routers, H3C Wireless LAN Devices, and H3C IP Security Devices (version 7 is supported) | Syslog | NVP. System | No | No | No |
HBGary | Active Defense 1.2 and later | Syslog | All events | Yes | No | No |
Hewlett Packard Enterprise | HPE Network Automation 10.11 | Syslog LEEF | All operational and configuration network events | Yes | Yes | No |
Hewlett Packard Enterprise | HPE ProCurve K.14.52 | Syslog | All events | Yes | No | No |
Hewlett Packard Enterprise | HPE Tandem | Log File Protocol | Safe Guard Audit file events | No | No | No |
Hewlett Packard Enterprise | HPE UX V11.x and later | Syslog | All events | No | Yes | No |
Honeycomb Technologies | Lexicon File Integrity Monitor mesh service V3.1 and later | Syslog | integrity events | Yes | No | No |
Huawei | S Series Switch S5700, S7700, and S9700 using V200R001C00 | Syslog | IPv4 events from S5700, S7700, and S9700 Switches | No | No | No |
Huawei | AR Series Router (AR150, AR200, AR1200, AR2200, and AR3200 routers using V200R002C00) | Syslog | IPv4 events | No | No | No |
IBM | IBM AIX® V6.1 and V7.1 | Syslog, Log File protocol | Configured audit events | Yes | No | No |
IBM | IBM AIX 5.x, 6.x, and v7.x | Syslog | Authentication and operating system events | Yes | Yes | No |
IBM | IBM BigFix V8.2.x to 9.5.2 (formerly known as Tivoli Endpoint Manager) | IBM BigFix SOAP Protocol | Server events | No | Yes | No |
IBM | IBM BigFix Detect. Note: The IBM BigFix Detect DSM for QRadar is deprecated. | | | | | |
IBM | IBM Bluemix Platform (now known as IBM Cloud® Platform) | |||||
IBM | IBM Cloud Activity Tracker | Apache Kafka protocol | Event format: JSON | Yes | No | No |
IBM | IBM Cloud Identity (now known as IBM Security Verify) | | | | | |
IBM | IBM Cloud Platform (formerly known as IBM Bluemix Platform) | Syslog, TLS Syslog | All System (Cloud Foundry) events, some application events | Yes | No | No |
IBM | IBM DLC Metrics | Syslog, Forwarded | Event format: LEEF. Recorded event types: All DLC Metrics event types | Yes | No | No |
IBM | IBM Federated Directory Server V7.2.0.2 and later | LEEF | FDS Audit | Yes | No | No |
IBM | IBM Guardium® 8.2p45 | Syslog | Policy builder events | No | No | No |
IBM | IBM Security® Guardium Insights | Syslog | Out of Box Policy Violation Rules | Yes | No | No |
IBM | IBM i DSM V5R4 and later (formerly known as AS/400 iSeries) | Log File Protocol | Event format: Recorded event types: All security events | No | Yes | No |
IBM | IBM i - Robert Townsend Security Solutions V5R1 and later (formerly known as AS/400 iSeries) | Syslog | Event format: Recorded event types: All security events | Yes | Yes | No |
IBM | IBM i - Powertech Interact V5R1 and later (formerly known as AS/400 iSeries) | Syslog | Event format: Recorded event types: All security events | Yes | Yes | No |
IBM | IBM ISS Proventia M10 v2.1_2004.1122_15.13.53 | SNMP | All events | No | No | No |
IBM | IBM Lotus Domino v8.5 | SNMP | All events | No | No | No |
IBM | IBM Proventia Management SiteProtector v2.0 and v2.9 | JDBC | IPS and audit events | No | No | No |
IBM | IBM RACF® v1.9 to v1.13 | Log File Protocol | All events | No | No | Yes |
IBM | IBM CICS® v3.1 to v4.2 | Log File Protocol | All events | No | No | Yes |
IBM | IBM DB2® v8.1 to v10.1 | Log File Protocol | All events | No | No | Yes |
IBM | IBM DataPower® Firmware V6 and V7 (formerly known as WebSphere® DataPower) | Syslog | All events | Yes | No | No |
IBM | IBM MaaS360® Security (formerly known as IBM Fiberlink® MaaS360) | LEEF, JSON | Compliance rule events, Device enrollment events, Action history events | No | Yes | No |
IBM | IBM QRadar Packet Capture: IBM QRadar Packet Capture V7.2.3 to V7.2.8, IBM QRadar Network Packet Capture V7.3.0 | Syslog, LEEF | All events | Yes | No | No |
IBM | IBM Red Hat® OpenShift® V5.2.4 | Syslog | Event format: JSON. Event types: Audit and Infrastructure | Yes | No | Yes |
IBM | IBM SAN Volume Controller | Syslog | CADF event format. Activity, Control, and Monitor audit events | Yes | No | No |
IBM | IBM z/OS v1.9 to v1.13 | Log File Protocol | All events | No | No | Yes |
IBM | IBM Informix® v11 | Log File Protocol | All events | No | No | No |
IBM | IBM IMS | Log File Protocol | All events | No | No | No |
IBM | Security Access Manager for Mobile (ISAM) | TLS Syslog | IBM_SECURITY_AUTHN, IBM_SECURITY_TRUST, IBM_SECURITY_RUNTIME, IBM_SECURITY_CBA_AUDIT_MGMT, IBM_SECURITY_CBA_AUDIT_RTE, IBM_SECURITY_RTSS_AUDIT_AUTHZ, IBM_SECURITY_SIGNING, CloudOE Operations Usage, IDaaS Appliance Audit, IDaaS Platform Audit | Yes | No | No |
IBM | Security Identity Governance (ISIG) | JDBC | NVP event format. Audit event type | No | No | No |
IBM | QRadar Network Security XGS v5.0 with fixpack 7 to v5.4 | Syslog | System, access, and security events | Yes | No | No |
IBM | Security Network IPS (GX) v4.6 and later | Syslog | Security, health, and system events | Yes | No | No |
IBM | Security Privileged Identity Manager V1.0.0 to V2.1.1 | JDBC | Audit, authentication and system events | No | No | No |
IBM | Security Identity Manager 6.0.x and later | JDBC | Audit and recertification events | No | Yes | No |
IBM | IBM Security Randori Recon | IBM Security Randori REST API | Event format: JSON. Event types: Detections | Yes | No | No |
IBM | IBM Security QRadar EDR v3.9.0 (formerly known as IBM Security ReaQta) | IBM Security ReaQta REST API | Event format: JSON. Event types: Alerts | Yes | No | Yes |
IBM | IBM Security Trusteer® | HTTP Receiver | Event format: JSON Event types: Trusteer alerts |
Yes | No | No |
IBM | IBM Security Trusteer Apex Advanced Malware Protection | Syslog/LEEF, Log File Protocol | Malware Detection, Exploit Detection, Data Exfiltration Detection, Lockdown for Java™ Event, File Inspection Event, Apex Stopped Event, Apex Uninstalled Event, Policy Changed Event, ASLR Violation Event, ASLR Enforcement Event, Password Protection Event | Yes | Yes | No |
IBM | IBM Sense v1 | Syslog | LEEF | Yes | No | No |
IBM | IBM SmartCloud Orchestrator v2.3 FP1 and later | IBM SmartCloud Orchestrator REST API | Audit Records | No | Yes | No |
IBM | IBM Security Verify (formerly known as IBM Cloud Identity) | JSON | Authentication, SSO, Management, Threat | No | Yes | Yes |
IBM | Tivoli® Access Manager IBM Web Security Gateway v7.x | Syslog | audit, access, and HTTP events | Yes | Yes | No |
IBM | Tivoli Endpoint Manager (now known as IBM BigFix) | | | | | |
IBM | WebSphere Application Server v5.0 to v8.5 | Log File Protocol | All events | No | Yes | No |
IBM | WebSphere DataPower (now known as DataPower) | | | | | |
IBM | zSecure Alert v1.13.x and later | UNIX syslog | Alert events | Yes | Yes | No |
IBM | Security Access Manager v8.1 and v8.2 | Syslog | Audit, system, and authentication events | Yes | No | No |
IBM | Security Verify Directory v6.3.1 and later (formerly known as Security Directory Server) | Syslog LEEF | All events | Yes | Yes | No |
Illumio | Illumio Adaptive Security Platform | Syslog LEEF | Audit, Traffic | Yes | No | No |
Imperva | Incapsula | LEEF | Access events and Security alerts | Yes | No | No |
Imperva | SecureSphere v6.2 and v7.x to v13 Release Enterprise Edition (Syslog); SecureSphere v9.5 to v13 (LEEF) | Syslog LEEF | Firewall policy events | Yes | No | No |
Infoblox NIOS | Infoblox NIOS 6.x to 8.x | Syslog | ISC BIND, Linux® DHCP, Linux Server, Apache | No | Yes | No |
Internet Systems Consortium (ISC) | ISC BIND 9.9, 9.11, 9.12 | Syslog | All events | Yes | No | No |
Intersect Alliance | SNARE Enterprise Windows Agent | Syslog | Microsoft Event Logs | Yes | Yes | No |
iT-CUBE | agileSI 1.x | SMB Tail | AgileSI SAP events | No | Yes | No |
Itron | Openway Smart Meter | Syslog | All events | Yes | No | No |
Juniper Networks | AVT | JDBC | All events | No | No | Yes |
Juniper Networks | DDoS Secure (Juniper Networks DDoS Secure is now known as NCC Group DDoS Secure) | | | No | No | |
Juniper Networks | DX (The Juniper Networks DX Platform product is end of life (EOL), and is no longer supported by Juniper) | Syslog | Status and network condition events | Yes | No | Yes |
Juniper Networks | Infranet Controller (The Juniper Networks Infranet Controller DSM for IBM QRadar is now known as Pulse Secure Infranet Controller) | | | | | |
Juniper Networks | Firewall and VPN v5.5r3 and later | Syslog | NetScreen Firewall events | Yes | Yes | Yes |
Juniper Networks | Junos WebApp Secure v4.2.x | Syslog | Incident and access events | Yes | No | No |
Juniper Networks | IDP v4.0, v4.1 & v5.0 | Syslog | NetScreen IDP events | Yes | No | Yes |
Juniper Networks | Network and Security Manager (NSM) and Juniper SSG v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x | Syslog | NetScreen NSM events | Yes | No | Yes |
Juniper Networks | Junos OS 7.x to 10.x (Ex Series Ethernet Switch DSM only supports 9.0 to 10.x) | Syslog or PCAP Syslog*** | All events | Yes** | Yes | Yes |
Juniper Networks | Secure Access (Juniper Networks Secure Access is now known as Pulse Secure Pulse Connect Secure) | | | Yes | | |
Juniper Networks | Juniper Security Binary Log Collector (SRX or J Series appliances at 12.1 or above) | Binary | Audit, system, firewall, and IPS events | No | No | Yes |
Juniper Networks | Steel-Belted Radius 5.x | Log File | All events | Yes | Yes | Yes |
Juniper Networks | vGW Virtual Gateway 4.5 (The Juniper Networks vGW Virtual Gateway product is end of life (EOL), and is no longer supported by Juniper) | Syslog | Firewall, admin, policy, and IDS Log events | Yes | No | No |
Juniper Networks | Wireless LAN Controller (Wireless LAN devices with Mobility System Software (MSS) V7.6 and later) | Syslog | All events | Yes | No | No |
Kisco | Kisco Information Systems SafeNet/i 10.11 | Log File | All events | No | No | No |
Kubernetes | Kubernetes Auditing | Syslog | Event format: JSON. Recorded event types: RequestReceived, ResponseStarted, ResponseComplete | Yes | No | Yes |
Lastline | Lastline Enterprise 6.0 | LEEF | Anti-malware | Yes | No | No |
Lieberman | Random Password Manager 4.8x | Syslog | All events | Yes | No | No |
LightCyber | LightCyber Magna 3.9 | Syslog, LEEF | C&C, exfilt, lateral, malware and recon | Yes | No | No |
Linux | Open Source Linux OS 2.4 and later | Syslog | Operating system events | Yes | Yes | No |
Linux | DHCP Server 2.4 and later | Syslog | All events from a DHCP server | Yes | Yes | No |
Linux | IPtables kernel 2.4 and later | Syslog | Accept, Drop, or Reject events | Yes | No | No |
McAfee | McAfee Application / Change Control v4.5.x | JDBC | Change management events | No | Yes | No |
McAfee | McAfee ePolicy Orchestrator 3.5 to 5.10 | JDBC: 3.5 to 5.9; SNMPv1, SNMPv2, SNMPv3: 3.5 to 5.9; TLS Syslog: 5.10 | AntiVirus events | No | No | No |
McAfee | McAfee MVISION Cloud 2.4 and 3.3 (formerly known as Skyhigh Networks Cloud Security Platform) | Syslog | Event format: Log Event Extended Format (LEEF). Recorded event types: Privilege Access, Insider Threat, Compromised Account, Access, Admin, Data, Policy, and Audit | Yes | No | No |
McAfee | McAfee Network Security Platform 2.x - 5.x (formerly known as McAfee Intrushield) | Syslog | Alert notification events. Important: Supported alert notification events do not include custom events with IDs that begin with 0xc, 0xcc, 0xe, or 0xee. | Yes | No | No |
McAfee | McAfee Network Security Platform 6.x - 7.x and 8.x - 10.x (formerly known as McAfee Intrushield) | Syslog | Alert and fault notification events. Important: Supported alert notification events do not include custom events with IDs that begin with 0xc, 0xcc, 0xe, or 0xee. | Yes | No | No |
McAfee | McAfee Web Gateway 6.0.0 | Syslog, Log File protocol | Event format: LEEF. Recorded event types: All events | Yes | No | No |
MetaInfo | MetaIP 5.7.00-6059 | Syslog | All events | Yes | Yes | No |
Microsoft | Microsoft 365 Defender. Important: The Microsoft Windows Defender ATP DSM is now the Microsoft 365 Defender DSM. The DSM RPM name remains as Microsoft Windows Defender ATP in QRadar. | Microsoft Defender for Endpoint SIEM REST API, Microsoft Azure Event Hubs, Microsoft Graph Security API | Event format: JSON. The Microsoft 365 Defender DSM supports the following events when you use the Microsoft Azure Event Hubs protocol: Alerts (Alerts are supported only for Microsoft Defender for Endpoint.), Device, Email. The Microsoft 365 Defender DSM also supports events when you use the Microsoft Defender for Endpoint REST API protocol and when you use the Microsoft Graph Security API protocol. | Yes | Yes | No
Microsoft | Microsoft Entra ID (formerly Microsoft Azure Active Directory) | Microsoft Azure Event Hubs | Event format: JSON. Recorded event types: Sign-In logs, Audit logs | Yes | No | No
Microsoft | Microsoft Azure Platform | Microsoft Azure Event Hubs | Event format: JSON. Recorded event types: Platform level activity logs. For more information about Platform level activity logs, see Azure Resource Manager resource provider operations (https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations). Note: This DSM automatically discovers only Activity Log Events that are forwarded directly from the Activity Log to the Event Hub. | Yes | No | No
Microsoft | Microsoft Defender for Cloud. Important: The Microsoft Azure Security Center DSM is now the Microsoft Defender for Cloud DSM. The DSM RPM name remains as Microsoft Azure Security Center in QRadar. | Microsoft Graph Security API, Microsoft Azure Event Hubs | Event format: JSON. Recorded event types: Security alert | No | No | No
Microsoft | DNS Debug. Supported versions: Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2 | WinCollect Microsoft DNS Debug | LEEF | Yes | Yes | No
Microsoft | IIS 6.0, 7.0 and 8.x | Syslog and WinCollect | HTTP status code events | Yes | No | No
Microsoft | Internet and Acceleration (ISA) Server or Threat Management Gateway 2006 | Syslog and WinCollect | ISA or TMG events | Yes | No | No
Microsoft | Microsoft Exchange Server 2003, 2007, 2010, 2013, 2016 and 2019 | Windows Exchange Protocol | Outlook Web Access events (OWA), Simple Mail Transfer Protocol events (SMTP), Message Tracking Protocol events (MSGTRK) | No | No | No
Microsoft | Endpoint Protection 2012 | JDBC | Malware detection events | No | No | No |
Microsoft | Microsoft Hyper-V. Supported versions: Windows Server 2016, Windows Server 2012 (most recent), Windows Server 2012 Core, Windows Server 2008 (most recent), Windows Server 2008 Core, Windows 10 (most recent), Windows 8 (most recent), Windows 7 (most recent), Windows Vista (most recent) | WinCollect | All events | No | No | No
Microsoft | IAS Server v2000, 2003, and 2008 | Syslog | All events | Yes | No | No
Microsoft | Microsoft Office 365 | Office 365 REST API | JSON | No | No | No
Microsoft | Microsoft Office 365 Message Trace | Office 365 Message Trace REST API | Event format: JSON. Event types: Email security threat classification | No | No | No
Microsoft | Microsoft Windows Defender ATP | Microsoft Defender for Endpoint REST API | Event format: JSON. Event types: Windows Defender ATP, Windows Defender AV, Third Party TI, Customer TI, Bitdefender | No | No | No
Microsoft | Microsoft Windows Security Event Log. Supported versions: Windows Server 2016, Windows Server 2012 (most recent), Windows Server 2012 Core, Windows Server 2008 (most recent), Windows Server 2008 Core, Windows 10 (most recent), Windows 8 (most recent), Windows 7 (most recent), Windows Vista (most recent) | Syslog, Forwarded TLS Syslog, TCP Multiline Syslog, Windows Event Log (WMI), Windows Event Log Custom (WMI), MSRPC, WinCollect, WinCollect NetApp Data ONTAP | All events, including Sysmon and winlogbeats.json | Yes | Yes | Yes
Microsoft | SQL Server 2008, 2012, 2014 (Enterprise editions only), and 2016 | Syslog, JDBC and WinCollect | SQL Audit events | No | No | No
Microsoft | SharePoint 2010 and 2013 | JDBC | SharePoint audit, site, and file events | No | No | No
Microsoft | DHCP Server 2000/2003 | Syslog and WinCollect | All events | Yes | Yes | No |
Microsoft | Operations Manager 2005 | JDBC | All events | No | No | No |
Microsoft | System Center Operations Manager 2007 | JDBC | All events | No | No | No |
Motorola | Symbol AP firmware 1.1 to 2.1 | Syslog | All events | No | No | No |
NCC Group | NCC Group DDoS 5.13.1-2s to 516.1-0 | Syslog | Event format: LEEF. Event types: All events | Yes | No | No
Niara | Niara 1.6 | Syslog | Security, System, Internal Activity, Exfiltration, Infection, Command & Control | Yes | No | Yes
NetApp | Data ONTAP | WinCollect NetApp Data ONTAP | CIFS events | Yes | Yes | No
Netgate | Netgate pfSense | Syslog | System, Firewall, DNS, DHCP (when you use the Linux DHCP DSM) | Yes | Yes | No
Netskope | Netskope Active. Important: The IBM QRadar DSM for Netskope Active is deprecated. To continue taking advantage of this integration, please download the Netskope Security Cloud DSM from the IBM Security App Exchange website (https://exchange.xforce.ibmcloud.com/hub/extension/ff97aaadc10ed96b0e05d1a1f24af2f7). | Netskope Active REST API | Alert, All events | No | Yes | No
NGINX | NGINX HTTP Server 1.15.5 | Syslog | Syslog, Standard syslog | Yes | No | No |
Niksun | NetVCR 2005 v3.x | Syslog | Niksun events | No | No | No |
Nokia | Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Nokia | VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later | Syslog or OPSEC LEA | All events | Yes | Yes | No |
Nominum | Vantio v5.3. Note: The Nominum Vantio DSM for QRadar is deprecated. | | | | |
Nortel | Contivity | Syslog | All events | Yes | No | No |
Nortel | Application Switch v3.2 and later | Syslog | Status and network condition events | No | Yes | No |
Nortel | ARN v15.5 | Syslog | All events | Yes | No | No |
Nortel* | Ethernet Routing Switch 2500 v4.1 | Syslog | All events | No | Yes | No |
Nortel* | Ethernet Routing Switch 4500 v5.1 | Syslog | All events | No | Yes | No |
Nortel* | Ethernet Routing Switch 5500 v5.1 | Syslog | All events | No | Yes | No |
Nortel | Ethernet Routing Switch 8300 v4.1 | Syslog | All events | No | Yes | No |
Nortel | Ethernet Routing Switch 8600 v5.0 | Syslog | All events | No | Yes | No |
Nortel | VPN Gateway v6.0, 7.0.1 and later, v8.x | Syslog | All events | Yes | Yes | No |
Nortel | Secure Router v9.3, v10.1 | Syslog | All events | Yes | Yes | No |
Nortel | Secure Network Access Switch v1.6 and v2.0 | Syslog | All events | Yes | Yes | No |
Nortel | Switched Firewall 5100 v2.4 | Syslog or OPSEC | All events | Yes | Yes | No |
Nortel | Switched Firewall 6000 v4.2 | Syslog or OPSEC | All events | Yes | Yes | No |
Nortel | Threat Protection System v4.6 and v4.7 | Syslog | All events | No | No | No |
Novell | eDirectory v2.7 | Syslog | All events | Yes | No | No |
ObserveIT | ObserveIT 5.7.x and later | JDBC | Alerts, User Activity, System Events, Session Activity, DBA Activity | No | Yes | No
Okta | Okta Identity Management | Okta REST API | JSON | No | Yes | No
Onapsis | Onapsis Security Platform v1.5.8 and later | Log Event Extended Format (LEEF) | Assessment, Attack signature, Correlation, Compliance | Yes | No | No
OpenBSD Project | OpenBSD v4.2 and later | Syslog | All events | No | Yes | No
Open Information Security Foundation (OISF) | Suricata v6.0.3 and earlier | Syslog, TLS Syslog | Event format: JSON. Recorded event types: Alerts | Yes | No | No
Open LDAP Foundation | Open LDAP 2.4.x | UDP Multiline Syslog | All events | No | No | No |
Open Source | SNORT v2.x | Syslog | All events | Yes | No | No |
OpenStack | OpenStack v2015.1 | HTTP Receiver | Audit events | No | No | No
Oracle | Oracle RDBMS Audit Record versions 9i, 10g, 11g, 12c (includes unified auditing) | JDBC, Syslog | Event format: Name-Value Pair. Recorded event types: Audit records | Yes | Yes | No
Oracle | Audit Vault V10.3 and V12.2 | JDBC | All audit records from the AVSYS.AV$ALERT_STORE table for V10.3, or from the custom AVSYS.AV_ALERT_STORE_V view for V12.2. | No | Yes | No
Oracle | Oracle OS Audit 9i, 10g, and 11g | Syslog | Event format: name-value pair (NVP). Event types: Oracle events | Yes | Yes | No
Oracle | Oracle BEA WebLogic 12.2.1.3.0 | Log File | Oracle events | No | No | No
Oracle | Oracle Database Listener 9i, 10g, and 11g | Syslog | Oracle events | Yes | No | No
Oracle | Oracle Directory Server (Formerly known as Sun ONE LDAP). | | | | |
Oracle | Oracle Fine Grained Auditing 9i and 10g | JDBC | Select, insert, delete, or update events for tables configured with a policy | No | No | No
N/A | osquery 3.3.2 | Syslog, TCP Multiline Syslog | Event format: JSON. Event types: Access, Audit, Authentication, System | No | No | Yes
OSSEC | OSSEC 2.6 and later | Syslog | All relevant | Yes | No | No |
Palo Alto Networks | Palo Alto PA Series | Syslog, TLS Syslog | Event types: Traffic, Threat, Config, System, HIP Match, Authentication, Tunnel Inspection (for PAN-OS 8.0 - 9.1) or Tunnel (for PAN-OS 10.0), Correlation, SCTP, File Data, GTP, HIP Match, IP-Tag, Global Protect (Important: To use this log type, you must enable the EventStatus/Status field on your Palo Alto PA Series device.), Decryption, User ID, URL Filtering (for PAN-OS 8.0 - 9.1) or URL (for PAN-OS 10.0), WildFire. Event formats: LEEF for PAN-OS v3.0 to v10.2 and Prisma Access v2.1; CEF for PAN-OS v4.0 to v6.1 (CEF:0 is supported) | Yes | Yes | No
Palo Alto Networks | Palo Alto Endpoint Security Manager 3.4.2.17401 | Syslog | Agent, Config, Policy, System, Threat. Event formats: CEF (CEF:0 is supported), LEEF | Yes | No | No
Ping Identity | PingFederate | Syslog | Event format: CEF | Yes | No | No |
Pirean | Access: One 2.2 with DB2 9.7 | JDBC | Access management and authentication events | No | No | No |
PostFix | Mail Transfer Agent 2.6.6 and later | UDP Multiline Protocol or Syslog | Mail events | No | No | No |
ProFTPd | ProFTPd 1.2.x, 1.3.x | Syslog | All events | Yes | Yes | No |
Proofpoint | Proofpoint Enterprise Protection and Enterprise Privacy versions 7.0.2, 7.1, 7.2, 7.5, 8.0 | Syslog, Log File | Event types: System, Email security threat classification, Email audit and encryption | No | No | No
Pulse Secure | Pulse Secure Infranet Controller 2.1, v3.1 and 4.0 | Syslog | All events | No | Yes | Yes
Pulse Secure | Pulse Secure Pulse Connect Secure 8.2R5 | Syslog, TLS Syslog | Event types: Admin, Authentication, System, Network, Error | Yes | Yes | Yes
Radware | AppWall 6.5.2 and 8.2 | Syslog | Event types: Administration, Audit, Learning, Security, System | Yes | No | No
Radware | DefensePro 4.23, 5.01, 6.x and 7.x | Syslog | All events (Event mapping is required when Event IDs are 300,000 or more.) Tip: If you have custom events that display as unknown in QRadar, see the IBM Support article about QRadar: Custom events for Radware DefensePro display 'parsed, but not mapped' (https://www.ibm.com/support/pages/node/6960301). | Yes | No | No
Raz-Lee iSecurity | IBM i Firewall 15.7 and Audit 11.7 | Syslog | Security, compliance, firewall, and audit events | Yes | Yes | No |
Redback Networks | ASE 6.1.5 | Syslog | All events | Yes | No | No |
Red Hat | Red Hat Advanced Cluster Security for Kubernetes | HTTP Receiver | Event format: JSON. Recorded event types: audit and alert events | Yes | No | No
Resolution1 | Resolution1 CyberSecurity. Formerly known as AccessData InSight Resolution1 CyberSecurity. | Log file | Volatile Data, Memory Analysis Data, Memory Acquisition Data, Collection Data, Software Inventory, Process Dump Data, Threat Scan Data, Agent Remediation Data | No | No | No
Riverbed | SteelCentral NetProfiler | JDBC | Alert events | No | No | No |
Riverbed | SteelCentral NetProfiler Audit | Log file protocol | Audit events | No | Yes | No |
RSA | Authentication Manager 6.x, 7.x, and 8.x | v6.x and v7.x use Syslog or Log File Protocol; v8.x uses Syslog only | All events | No | No | No
SafeNet | DataSecure 6.3.0 and later | Syslog | All events | Yes | No | No
Salesforce | Salesforce Security Auditing | Log File | Setup Audit Records | No | No | No
Salesforce | Salesforce Security | Salesforce REST API Protocol | Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History, Salesforce Security Auditing audit trail | No | Yes | No
Samhain Labs | HIDS 2.4 | Syslog, JDBC | All events | Yes | No | No
SAP | SAP Enterprise Threat Detection V1.0 SP6 to V2.0 SP5 | SAP Enterprise Threat Detection Alert API | LEEF | No | No | No |
Seculert | Seculert v1 | Seculert Protection REST API Protocol | All malware communication events | No | No | No |
Seculert | Seculert | Seculert protection REST API Protocol | All malware communication events | No | No | No |
Sentrigo | Hedgehog 2.5.3 | Syslog | All events | Yes | No | No |
Snowflake | Snowflake | JDBC | Event format: Name value pair (NVP) | Yes | Yes | No |
Skyhigh Networks (now known as McAfee) | Skyhigh Networks Cloud Security Platform 2.4 and 3.3 (now known as McAfee MVISION Cloud 2.4 and 3.3) | | | | |
SolarWinds | SolarWinds Orion 2011.2 | Syslog | All events | No | No | No
SonicWALL | UTM/Firewall/VPN Appliance 3.x and later | Syslog | All events | Yes | No | No
Sophos | Sophos Astaro Security Gateway 17.x | Syslog | All events | Yes | No | No
Sophos | Sophos Central | Sophos Central | Event format: JSON | Yes | No | No
Sophos | Sophos Enterprise Console 4.5.1 and 5.1 | Sophos Enterprise Console protocol, JDBC protocol | All relevant anti-virus events | No | No | No
Sophos | Sophos PureMessage 3.1.0.0 for Microsoft Exchange; 5.6.0 for Linux | JDBC | Quarantined email events | No | No | No
Sophos | Sophos Web Security Appliance 3.x | Syslog | Transaction log events | Yes | No | No
Sourcefire | Sourcefire Intrusion Sensor IS 500, 2.x, 3.x, 4.x | Syslog | All events | Yes | No | No
Sourcefire | Sourcefire Defense Center (Now known as Cisco FireSIGHT Management Center) | | | | |
Splunk | Microsoft Windows Security Event Log | Windows-based event provided by Splunk Forwarders | All events | No | Yes | No
Squid | Squid Web Proxy 2.5 and later | Syslog | All cache and access log events | Yes | No | No
Starent Networks | Starent Networks | Syslog | All events | Yes | No | No
STEALTHbits Technologies | STEALTHbits File Activity Monitor | Syslog LEEF | File Activity Monitor Events | | |
STEALTHbits Technologies | StealthINTERCEPT | Syslog LEEF | Active Directory Audit Events | Yes | No | No |
STEALTHbits Technologies | STEALTHbits StealthINTERCEPT Alerts | Syslog LEEF | Active Directory Alerts Events | Yes | No | No |
STEALTHbits Technologies | STEALTHbits StealthINTERCEPT Analytics | Syslog LEEF | Active Directory Analytics Events | Yes | No | No |
Sun | Sun Solaris DHCP 2.8 | Syslog | All events | Yes | Yes | No |
Sun | Sun Solaris OS 5.8, 5.9 | Syslog | All events | Yes | Yes | No |
Sun | Sun Solaris Sendmail 2.x | Syslog, Log File Protocol, Proofpoint 7.5 and 8.0 Sendmail log | All events | Yes | No | No
Sun | Sun Solaris Basic Security Mode (BSM) 5.10 and 5.11 | Log File Protocol | All events | No | Yes | No
Sun | Sun ONE LDAP v11.1 (Known as Oracle Directory Server) | Log File Protocol, UDP Multiline Syslog | All relevant access and LDAP events | No | No | No
Sybase | Sybase ASE 15.0 and later | JDBC | All events | No | No | No |
Symantec | Symantec Endpoint Protection 11, 12, and 14 | Syslog | All Audit and Security Logs | Yes | No | Yes
Symantec | Symantec SGS Appliance 3.x and later | Syslog | All events | Yes | No | Yes |
Symantec | Symantec SSC 10.1 | JDBC | All events | Yes | No | No |
Symantec | Symantec Data Loss Prevention (DLP) 8.x | Syslog | All events | No | No | No |
Symantec | Symantec Encryption Management Server 3.0x (formerly known as PGP Universal Server) | Syslog | All events | Yes | No | No
Symark | Symark PowerBroker 4.0 | Syslog | All events | Yes | No | No |
SysFlow (an open source project initiated by IBM) | SysFlow 1.0 | Syslog | Event format: JSON. Recorded event types: SysFlow | Yes | No | No
ThreatGRID | Malware Threat Intelligence Platform 2.0 | Log file protocol, Syslog | Malware events | No | No | No
TippingPoint | Intrusion Prevention System (IPS) 1.4.2 to 3.2.x, TippingPoint SMS 5.2.0 | Syslog | All events | No | No | No
TippingPoint | X505/X506 2.5 and later | Syslog | All events | Yes | Yes | No |
Top Layer | IPS 5500 4.1 and later | Syslog | All events | Yes | No | No |
Trend Micro | Trend Micro Apex Central (version 1) | Syslog, TLS syslog | Event format: CEF. Event types: Attack discovery detection logs, Behavior monitoring logs, C&C callback logs, Content security logs, Data loss prevention logs, Device access control logs, Endpoint application control logs, Engine update status logs, Intrusion prevention logs, Network content inspection logs, Pattern Update Status Logs, Predictive machine learning logs, Sandbox detection logs, Spyware/Grayware logs, Suspicious file logs, Virus/Malware logs, Web security logs | Yes | No | No
Trend Micro | Trend Micro Apex One 8.x and 10.x. Formerly known as Trend Micro Office Scan. The name remains the same in QRadar. | SNMPv2 | All events | No | No | No
Trend Micro | Trend Micro Control Manager 5.0 or 5.5 with hotfix 1697 or hotfix 1713 after SP1 Patch 1; 6.0 and 7.0. | SNMPv1, SNMPv2, SNMPv3 | All events | Yes | No | No
Trend Micro | Trend Micro Deep Discovery Analyzer 5.0, 5.5, 5.8 and 6.0 | Syslog | Event format: LEEF. Events: All events | Yes | No | No
Trend Micro | Trend Micro Deep Discovery Director 3.0 | Syslog | Event format: LEEF. Events: Trend Micro Deep Discovery Inspector events | Yes | No | No
Trend Micro | Trend Micro Deep Discovery Email Inspector 3.0 | Syslog | Event format: LEEF. Events: Detections, Virtual Analyzer Analysis logs, System events, Alert events | Yes | No | No
Trend Micro | Trend Micro Deep Discovery Inspector 3.0 to V3.8, 5.0 and 5.1 | Syslog | Event format: LEEF. Events: Malicious content, Malicious behavior, Suspicious behavior, Exploit, Grayware, Web reputation, Disruptive application, Sandbox, Correlation, System, Update | Yes | No | No
Trend Micro | Trend Micro Deep Security 9.6.1532 to 12.0 | Syslog | Event format: LEEF. Events: Anti-Malware, Deep Security, Firewall, Integrity Monitor, Intrusion Prevention, Log Inspection, System, Web Reputation | Yes | No | No
Tripwire | Tripwire Enterprise Manager 5.2 and later | Syslog | Event format: CEF (CEF:0 is supported). Event types: Resource additions, removal, and modification events | Yes | No | No
Tropos Networks | Tropos Control 7.7 | Syslog | Fault management, login/logout, provision, and device image upload events | No | No | No |
Trusteer | Apex Local Event Aggregator 1304.x and later | Syslog | Malware, exploit, and data exfiltration detection events | Yes | No | No |
Vectra Networks | Vectra Networks Vectra v2.2. Important: The IBM QRadar DSM for Vectra Networks Vectra is deprecated. To continue taking advantage of this integration, please download the Vectra Networks Vectra DSM from the IBM Security App Exchange website (https://exchange.xforce.ibmcloud.com/hub/extension/47f3e9afff5e0281d6684bb633d769f2). | Syslog | Host scoring, command and control, botnet activity, reconnaissance, lateral movement, exfiltration. Event format: CEF (CEF:0 is supported) | Yes | No | No
Verdasys | Digital Guardian 6.0.x (Syslog only), Digital Guardian 6.1.1 and 7.2 (LEEF only) | Syslog | Event format: LEEF. Events: All events | Yes | No | No
Vericept | Content 360 up to 8.0 | Syslog | All events | Yes | No | No |
VMware | VMware AppDefense 1.0 | JSON VMWare AppDefense API protocol | All events | No | No | No
VMware | Carbon Black App Control 8.0.x to 8.5.x (Formerly known as Carbon Black Protection) | Syslog | Event format: LEEF. Event types: computer management, server management, session management, policy management, policy enforcement, internal events, general management, discovery | Yes | Yes | No
VMware | VMware ESX or ESXi 3.x, 4.x, 5.x and 6.x | Syslog, EMC VMware protocol | Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking | Yes if syslog | No | No
VMware | VMware vCenter v5.x and v6.x | EMC VMware protocol | Account Information, Notice, Warning, Error, System Informational, System Configuration, System Error, User Login, Misc, Suspicious Event, Access Denied, License Expired, Information, Authentication, Session Tracking | No | No | No
VMware | VMware vCloud Director 5.1 - 10.0 | VMware vCloud Director protocol | All events | No | Yes | No |
VMware | VMware vShield | Syslog | All events | Yes | No | No |
Vormetric, Inc. | Vormetric Data Security | Syslog (LEEF) | Audit, Alarm, Warn, Learn Mode, System | Yes | No | No
Watchguard | WatchGuard Fireware OS | Syslog | All events | Yes | No | No |
Websense (now known as Forcepoint) | | | | | |
Zscaler | Zscaler Nanolog Streaming Service (Zscaler NSS) 6.0 | Syslog, HTTP receiver. Important: When you use the HTTP receiver protocol with Zscaler NSS, you need a certificate that is issued by a certificate authority (CA). It can't be a self-signed certificate because it must be validated by a CA. For more information about certificates and configuring the log source parameters for HTTP receiver, see HTTP Receiver protocol configuration options. | Event format: LEEF. Event types: Web log events, Firewall events (including DNS) | Yes | No | No
Zscaler | Zscaler Private Access | Syslog | Event format: LEEF. Event types: User Status, App Connector Status, Audit, User Activity | Yes | No | No