IBM Support

QRadar Security Content Pack: IBM Security Access Manager Enterprise Single Sign-On

Question & Answer


A new security content extension is available for IBM Security Access Manager Enterprise Single Sign-On. This tech note outlines the changes and provides installation instructions for administrators.



IBM Security Access Manager for Enterprise Single Sign-On creates events are read from the IMSLOGUserService, IMSLOGUserAdminActivity, and IMSLOGUserActivity database tables and forwarded to QRadar using Syslog using UDP on port 514. All events that are forwarded to QRadar from IBM Security Access Manager for Enterprise Single Sign-On use ### as a Syslog field-separator. The security content pack contains 7 custom event properties for important fields that can be leveraged by administrators in reports or searches, which were not available in the original DSM release.

Custom event properties added by the IBM Security Access Manager for ESSO extension

Description Regex for the custom event property Enabled after installation
Action Result ###Description.+?;.*?;.*?;.*?;.*?;([-0-9]*).*?### Yes
Client Application ###Description.+?;.*?;.*?;.*?;(.*?);.*?### Yes
Client Hostname ###Description.*?\) ([^ ]*) ; Yes
Credential ID ###Description.+?;.*?;.*?;(.*?);.*?;.*?### Yes
Credential Pool ###Description.+?;.*?;(.*?);.*?;.*?;.*?### Yes
Recording ID ###Description.+?;.*?;.*?;.*?;.*?;.*?;([0-9a-zA-Z]*)### Yes
Resource Name ###Description.+?;(.*?);.*?;.*?;.*?;.*?### Yes

To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.


  1. Download the Bit9 Security Platform Security Content Pack from the IBM Fix Central website for your QRadar version:
  2. Using SSH, log in to your Console as the root user.

  3. Copy the security content pack to the /tmp directory on the QRadar Console.

  4. Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.

  5. To install the security content pack, type one the following command:
    • For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerESSO-7.1-1432699256.x86_64.rpm
    • For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerESSO-7.2-1432699256.x86_64.rpm

  6. Log in to the QRadar Console as an administrator.

  7. Click the Admin tab.

  8. Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.

  9. Click Advanced > Restart Web Server.

  10. Click OK to restart the QRadar user interface.


Results After the user interface restarts, the installation is complete. The administrator should review the Bit9 Security Platform custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.

Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customize content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article will outline the contents of the extension being added to QRadar.


  1. Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from

  2. Click the Admin tab.

  3. Click the Extension Management icon.

  4. To upload an extension, click Add and select the extension to upload.

  5. Note:The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.

  6. To install the extension immediately, select the Install immediately check box and then click Add.

  7. A preview of the application content is displayed. You can choose how existing content items are handled.

  8. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.

  9. Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

    After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
02 April 2020