Connecting data sources for federated search and querying
A data source is the origin of the data that you want to work with, such as a database or an XML file. Connect data sources to the platform so that your applications and dashboards can analyze security data and help your organization manage and respond to security threats.
Edge Gateway
To use the IBM Security Edge Gateway to host the containers that are required for communication between the data sources and the platform, you must install the Edge Gateway software in your own environment. For more information, see Edge Gateway.
Data sources
You can connect data sources to the platform by using Universal Data Insights connectors. Use a connector to configure each data source connection.
For more information about data sources and connectors in the platform, see Supported third party data sources.
STIX Bundle
Structured Threat Information eXpression (STIX) is a language and serialization format that organizations can use to exchange cyberthreat intelligence. A STIX Bundle can be used in place of a data source connector to share cyberthreat intelligence by using STIX Objects. With the STIX Bundle as a data source, you can search for any attack pattern, campaign, course of action, identity, indicator, intrusion set, malware, report, threat actor, tool, and vulnerability.
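As an added example (not IBM code and not part of the platform), the following Python checks a STIX bundle before it is used as a data source: it counts the objects whose type is one of the eleven searchable kinds listed above, counts the other types separately, and reports objects whose id does not fit their type. The function name check_bundle, the lowercase-UUID id pattern, and the sample bundle are assumptions of this example; the page does not state how the platform treats types outside the list.

```python
import json
import re
from collections import Counter

# STIX type names for the eleven object kinds the page lists as searchable.
SEARCHABLE_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "identity", "indicator",
    "intrusion-set", "malware", "report", "threat-actor", "tool", "vulnerability",
}
# STIX ids have the form <type>--<UUID>; lowercase hex is assumed in this example.
STIX_ID = re.compile(r"^([a-z0-9-]+?)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def check_bundle(raw):
    """Return (searchable_counts, other_counts, problems) for a STIX bundle."""
    bundle = json.loads(raw)
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        return Counter(), Counter(), ["top-level object is not a STIX bundle"]
    searchable, other, problems = Counter(), Counter(), []
    for i, obj in enumerate(bundle.get("objects", [])):
        if not isinstance(obj, dict):
            problems.append(f"object {i}: not a JSON object")
            continue
        otype, oid = obj.get("type"), str(obj.get("id", ""))
        m = STIX_ID.match(oid)
        if not m or m.group(1) != otype:
            problems.append(f"object {i}: id {oid!r} does not fit type {otype!r}")
        elif otype in SEARCHABLE_TYPES:
            searchable[otype] += 1
        else:
            other[otype] += 1  # e.g. relationship, observed-data
    return searchable, other, problems

# Constructed sample bundle (all ids and values are made up for illustration).
SAMPLE = json.dumps({
    "type": "bundle",
    "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
    "objects": [
        {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "malware", "id": "malware--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
         "name": "example-family"},
        {"type": "relationship", "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad"},
        {"type": "tool", "id": "malware--11111111-2222-4333-8444-555555555555"},
    ],
})

if __name__ == "__main__":
    print(check_bundle(SAMPLE))
```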
Configuring a data source connection
To see the Data Sources page and configure data source connections, you must have the Data Sources Admin role.
A data source connection is a record that represents a physical box that holds information on how to connect to the source and to access its data. Different users can use the data source connection; the configuration includes setting up credentials. You can configure multiple connections to a data source.
It is important to connect to a data source during the initial setup of the platform. Then, when you start to use an application or a dashboard, the platform has a source from which to retrieve the data to be displayed.
For example, to run a query with Data Explorer, you must have data sources that are connected. Then, the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on your configured data sources.
Procedure overview
To connect a data source, follow these steps:
- Define the general details about the connection to allow the platform to connect to the data source.
- Set the parameters to control the behavior of the search query on the data source.
- Optionally, from QRadar and QRadar on Cloud, set up the data source connection to regularly import asset data into the platform.
- Supply the unique identifier of the data source that you want to establish a connection with. The identifier is required to authenticate the connection request.
- As a security measure, define who can access the data source.
STIX attributes
For more information about the STIX attributes for each of the available connectors, see STIX objects and properties.