Configuring QRadar systems to forward data to other systems

You can configure IBM® QRadar® systems to forward data to one or more vendor systems, such as ticketing or alerting systems. You can also forward normalized data to other QRadar systems. The target system that receives the data from QRadar is known as a forwarding destination.

Restriction: QRadar on Cloud users must open a support ticket to forward data to other systems. For more information, see QRadar on Cloud work items that require a support ticket.

With exception of domain tagging, QRadar systems ensure that all forwarded data is unaltered. Domain information is removed from forwarded data. Events and flows that contain domain information are automatically assigned to the default domain on the receiving system.

To avoid compatibility problems when sending event and flow data, ensure that the deployment receiving the data is the same version or higher than the deployment that is sending the data.

  1. Configure one or more forwarding destinations.
  2. To determine what data you want to forward, configure routing rules, custom rules, or both.
  3. Configure the routing options to apply to the data.

For example, you can configure all data from a specific event collector to forward to a specific ticketing system. You can also bypass correlation by removing the data that matches a routing rule.