IBM Sense
The IBM® QRadar® DSM for IBM Sense collects notable events from a local or external system that generates Sense events.
The following table describes the specifications for the IBM Sense DSM:
| Specification | Value |
|---|---|
| Manufacturer | IBM |
| DSM name | IBM Sense |
| RPM file name | DSM-IBMSense-Qradar_version-build_number.noarch.rpm |
| Supported versions | 1 |
| Protocol | Syslog |
| Event format | LEEF |
| Recorded event types |
User Behavior User Geography User Time User Access User Privilege User Risk Sense Offense Resource Risk |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | IBM website (http://www.ibm.com) |
To integrate IBM Sense with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the
following RPMs from the IBM Support Website onto your QRadar
Console:
- IBM Sense DSM RPM
- DSMCommon RPM
The following table shows a sample event message for IBM Sense:
| Event name | Low level category | Sample log message |
|---|---|---|
| Behavior Change | User Behavior | LEEF:2.0|IBM|Sense|1.0|Behavior Change|cat=User Behavior description= score=
scoreType= confidence= primaryEntity= primaryEntityType= additionalEntity= additionalEntityType=
beginningTimestamp= endTimestamp= sensorDomain= referenceId1= referenceId2= referenceId3=
referenceId4= referenceURL= originalSenseEventName= |