IBM Security Identity Governance

The IBM QRadar DSM for IBM® Security Identity Governance collects audit events from IBM Security Governance servers.

The following table identifies the specifications for the IBM Security Identity Governance DSM:
Table 1. IBM Security Identity Governance (ISIG) DSM specifications
Specification                  Value
Manufacturer                   IBM
DSM name                       IBM Security Identity Governance
RPM file name                  DSM-IBMSecurityIdentityGovernance-QRadar_version-build_number.noarch.rpm
Supported versions             IBM Security Identity Governance V5.1.1
Protocol                       JDBC
Event format                   NVP
Recorded event types           Audit
Automatically discovered?      No
Includes identity?             No
Includes custom properties?    No
More information               IBM website (https://www.ibm.com)
To integrate IBM Security Identity Governance with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console. If multiple DSM RPMs are required, the integration sequence must reflect the DSM RPM dependency.
    • IBM Security Identity Governance (ISIG) DSM RPM
    • JDBC Protocol RPM
  2. Configure a JDBC log source to poll for events from your IBM Security Identity Governance database.
  3. Ensure that no firewall rules block communication between QRadar and the database that is associated with IBM Security Identity Governance.
  4. If QRadar does not automatically detect the log source, add an IBM Security Identity Governance log source on the QRadar Console. The following table describes the parameters that require specific values for IBM Security Identity Governance event collection:
    Table 2. IBM Security Identity Governance DSM log source parameters
    Parameter                 Value
    Log Source Name           Type a unique name for the log source.
    Log Source Description    Type a description for the log source.
    Log Source Type           IBM Security Identity Governance
    Protocol Configuration    JDBC
    Log Source Identifier

    Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.

    If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

    Database Type             Select Oracle or DB2 for the database that you want to use as the event source.
    Database Name             The name of the database to which you want to connect.
    IP or Hostname            The IP address or host name of the IBM Security Governance database server.
    Port

    Enter the JDBC port. The JDBC port must match the listener port that is configured on the remote database. The database must permit incoming TCP connections. The valid range is 1 - 65535.

    The defaults are:

    • MSDE - 1433
    • Postgres - 5432
    • MySQL - 3306
    • Sybase - 1521
    • Oracle - 1521
    • Informix® - 9088
    • DB2® - 50000

    If a database instance is used with the MSDE database type, you must leave the Port field blank.

    Username                  A user account for QRadar in the database.
    Password                  The password that is required to connect to the database.
    Predefined Query

    Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select the none option.

    Table Name                AUDIT_LOG
    Select List               *
    Compare Field             ID
    Use Prepared Statements   Enable the check box.
    Start Date and Time       The initial date and time for database polling.
    Polling Interval          The amount of time, in seconds, between queries to the database table. The default polling interval is 10 seconds.
    EPS Throttle

    The maximum number of events per second that QRadar ingests.

    If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

    The default is 20,000 EPS.

    Security Mechanism

    From the list, select the security mechanism that is supported by your DB2 server. If you don't want to select a security mechanism, select None.

    The default is None.

    For more information about security mechanisms that are supported by DB2 environments, see the IBM Support website (https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_cjvjcsec.html).

    Use Oracle Encryption

    Oracle Encryption and Data Integrity settings are also known as Oracle Advanced Security.

    If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client.

For more information about configuring JDBC parameters, see the JDBC protocol configuration topic (c_logsource_JDBCprotocol.html).
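
To show how the Table Name, Select List, Compare Field, and Use Prepared Statements values from Table 2 work together, the following added example simulates compare-field polling against an in-memory SQLite stand-in. It is not IBM code or QRadar's implementation. Only the AUDIT_LOG table name and the ID compare field come from this page; the other columns, the sample rows, and the name=value layout are constructed assumptions.

```python
import sqlite3

def make_sample_db():
    """Constructed stand-in for the ISIG database (non-ID columns are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AUDIT_LOG (ID INTEGER PRIMARY KEY, "
               "EVENT_TIME TEXT, ACTOR TEXT, ACTION TEXT)")
    db.executemany("INSERT INTO AUDIT_LOG VALUES (?, ?, ?, ?)", [
        (101, "2024-01-01 10:00:00", "admin", "LOGIN"),
        (102, "2024-01-01 10:00:05", "admin", "ROLE_ASSIGN"),
    ])
    return db

def to_nvp(columns, row):
    """Render one row as tab-separated name=value pairs (illustrative layout)."""
    return "\t".join(f"{c}={v}" for c, v in zip(columns, row))

def poll(db, last_id):
    """One polling cycle: return rows whose compare field exceeds the marker.

    The marker is bound as a parameter (prepared statement) rather than
    concatenated into the SQL text. Returns (events, new_marker).
    """
    cur = db.execute("SELECT * FROM AUDIT_LOG WHERE ID > ? ORDER BY ID",
                     (last_id,))
    columns = [d[0] for d in cur.description]
    id_pos = columns.index("ID")
    events = []
    for row in cur:
        events.append(to_nvp(columns, row))
        last_id = row[id_pos]          # advance the marker to the highest ID seen
    return events, last_id

if __name__ == "__main__":
    db = make_sample_db()
    events, marker = poll(db, 0)       # first poll collects both sample rows
    print(marker, events)
    # A row written later with an ID below the marker is never collected,
    # which is why the compare field must only ever increase.
    db.execute("INSERT INTO AUDIT_LOG VALUES (?, ?, ?, ?)",
               (50, "2024-01-01 10:01:00", "svc", "LATE_WRITE"))
    db.execute("INSERT INTO AUDIT_LOG VALUES (?, ?, ?, ?)",
               (103, "2024-01-01 10:01:05", "admin", "LOGOUT"))
    events, marker = poll(db, marker)
    print(marker, events)              # only ID 103 is returned
```

If audit rows can be inserted out of order, compare the row count in the source table with the events received in QRadar to detect missed records.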