IBM Support

QRadar Security Content Pack: IBM Security Access Manager for Mobile

Question & Answer


A new security content extension is available for IBM Security Access Manager for Mobile. This tech note outlines the changes and provides installation instructions for administrators.



IBM Security Access Manager for Mobile supports TLS Syslog events for IBM Security Access Manager for Mobile and IBM IDaaS events in LEEF format. This Syslog data allows administrators to collect authentication, trust, runtime, audit, signing, CloudOE, operations, usage, and IDaaS audit information for QRadar. The security content pack for IBM Security Access Manager for Mobile contains 38 new custom event properties for important fields that can be leveraged by administrators in reports or searches, which were not available in the original DSM release.

Custom event properties added by the IBM Security Access Manager for Mobile extension

Property name Description
Action   Default custom extraction of Action.
Policy ID   Default custom extraction of Policy ID.
Resource Info   Default custom extraction of Resource Information.
Session ID   Default custom extraction of Session ID.
Access Decision   Default custom extraction of Access Decision.
User Session ID   Default custom extraction of User Session ID.
Detected Malware IDs   Default custom extraction of Detected Malware IDs.
Evaluated Risk Score   Default custom extraction of Evaluated Risk Score.
Malware Present   Default custom extraction of Malware Present.
Event Timestamp   Default custom extraction of Event Timestamp.
Detection Error Code   Default custom extraction of Detection Error Code.
Detection Error   Default custom extraction of Detection Error.
Authenticated user   Default custom extraction of Authenticated user.
Subject   Default custom extraction of Subject.
User Distinguished Name   Default custom extraction of User Distinguished Name.
Browser info   Default custom extraction of Browser info.
Obligations   Default custom extraction of Obligations.
Login Risk Score   Default custom extraction of Login Risk Score.
Login Recommendation   Default custom extraction of Login Recommendation.
Login Reason Code   Default custom extraction of Login Reason Code.
Login Reason   Default custom extraction of Login Reason.
Payee Risk Score   Default custom extraction of Payee Risk Score.
Payee Recommendation   Default custom extraction of Payee Recommendation.
Payee Reason Code   Default custom extraction of Payee Reason Code.
Payee Reason   Default custom extraction of Payee Reason.
Transaction Risk Score   Default custom extraction of Transaction Risk Score.
Transaction Recommendation   Default custom extraction of Transaction Recommendation.
Transaction Reason Code   Default custom extraction of Transaction Reason Code.
Transaction Reason   Default custom extraction of Transaction Reason.
Agent Key   Default custom extraction of Agent Key.
Device OS   Default custom extraction of Device Operating System.
OS Patch Level   Default custom extraction of Device Operating System Patch Level.
Installation Timestamp   Default custom extraction of Installation Timestamp.
Infected Device   Default custom extraction of Infected Device.
Installation Source   Default custom extraction of Installation Source.
Jail Broken Device   Default custom extraction of Jail Broken Device.
Calculated Risk Score   Default custom extraction of Calculated Risk Score.
Version   Default custom extraction of Version.

To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.


  1. Download the IBM Security Access Manager for Mobile content pack from the IBM Fix Central website for your QRadar version:
  2. Using SSH, log in to your Console as the root user.

  3. Copy the security content pack to the /tmp directory on the QRadar Console.

  4. Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.

  5. To install the security content pack, type one the following command:
    • For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerForMobile-7.1-1444222119.x86_64.rpm
    • For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerForMobile-7.2-1444222119.x86_64.rpm

  6. Log in to the QRadar Console as an administrator.

  7. Click the Admin tab.

  8. Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.

  9. Click Advanced > Restart Web Server.

  10. Click OK to restart the QRadar user interface.


Results After the user interface restarts, the installation is complete. The administrator should review the Bit9 Security Platform custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.

Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customize content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article will outline the contents of the extension being added to QRadar.


  1. Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from

  2. Click the Admin tab.

  3. Click the Extension Management icon.

  4. To upload an extension, click Add and select the extension to upload.

  5. Note:The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.

  6. To install the extension immediately, select the Install immediately check box and then click Add.

  7. A preview of the application content is displayed. You can choose how existing content items are handled.

  8. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.

  9. Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

    After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.

Related Information

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
02 April 2020