Configure IBM QRadar Connector

IBM QRadar® is a security intelligence platform that provides a unified architecture for integrating security information and event management solutions. Create a QRadar connector to send selected event data in QRadar LEEF format.

  1. In BeyondInsight, go to Configuration > General > Connectors.
  2. From the Connectors pane, click Create New Connector.
  3. Enter a name for the connector.
  4. Select IBM QRadar from the Connector Type list.
  5. Click Create Connector.
  6. Leave Active (yes) enabled.
  7. Provide the required details for the IBM QRadar server:
    • Select the protocol from the Available Output Pipelines list: TCP, TCP-SSL, or UDP.
    • Enter Host Name and Port.
  8. Select the formatter from the dropdown list.
    • LEEF Format V1 uses a static identifier per event type.
    • LEEF Format V2 uses a unique event identifier generated per event type.
  9. If you selected LEEF Format V2 in the previous step, select the Facility from the dropdown list. This option is not available for LEEF Format V1.
  10. Expand Event Filters, and then select the events that you want to forward.
  11. Click Test Connector to send a test event message.
  12. Click Create Connector.

For events received from Password Safe Cloud, a Resource Zone can be associated with any connector that sends data over syslog. If a Resource Zone is selected, Password Safe Cloud proxies the syslog data through the Resource Brokers associated with that Resource Zone.

Unique identifiers are preset but can be customized, if desired, using the following setting in the BeyondInsight database table:

dbo.ConfigurationItem BeyondTrust.Configuration.ProductConfigurations.LeefFormatterConfig

Password Safe QRadar Fields

| Field | Value Type | Description |
| --- | --- | --- |
| Category | String | System/Change |
| EventName | String | System / Functional / Managed / Change |
| LogID | Integer | PMMLogSystem/PMMLogChange table reference ID |
| LogTime | DateTime | Time of event |
| Details | String | Miscellaneous additional information |
| UserName | String | Username associated with the event |
| RoleUsed | String | Role used |
| ObjectTypeID | Integer | Object Type reference ID |
| ObjectType | String | Object Type (e.g. Functional Account, System, Session) |
| ObjectID | Integer | Object reference ID |
| Operation | String | Operation (e.g. Add, Update, Approve) |
| Failed | Boolean | True / False |
| Target | String | Describes the asset acted upon (e.g. Asset:testasset Account:testaccount) |
| UserID | Integer | User ID associated with the event |
| IPAddress | String | IP address of the system |
| ManagedAccountID | Integer | Managed Account reference ID |
| FunctionalAccountID | Integer | Functional Account reference ID |
| ManagedSystemID | Integer | Managed System reference ID |
| ChangeDt | DateTime | Time of password change |
| ChangeReasonCd | String | Reason for password change: A = Password change by API; F = Forced password reset; M = Password reset on mismatch; N = Manual password entry for new account; O = Initial onboarding via smart rule; P = Change by EPM agent; R = Post release password reset; S = Scheduled password change; T = Ticket approval release password reset; U = Manual password entry; V = Approval release password reset; X = Synced password with primary; Y = Un-synced password from primary; Z = Forced password sync with primary |
| Result | String | Password change result: (S)uccess or (F)ailed |
| Comment | String | Miscellaneous additional information |
| ReleaseID | Integer | Password release reference ID |
| RequestID | Integer | Request reference ID |
| WorkgroupID | Integer | Workgroup reference ID |
| Workgroup | String | Workgroup name |
| AccountName | String | Account name |
| NextChangeDate | DateTime | Next scheduled change date |
| ElevationCommand | String | Elevation command used, if any |
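The following is an added example, not BeyondTrust's or IBM's code, showing how a receiver can split a LEEF 1.0 or 2.0 record from this connector into its header and attributes, coerce the attributes to the value types in the table above, and expand the ChangeReasonCd code. The sample record, its vendor/product/version/event ID header values and the ISO 8601 timestamp format are constructed assumptions; the field names and reason codes come from the table.

```python
from datetime import datetime

# Reason codes for ChangeReasonCd, as listed in the field table above.
CHANGE_REASONS = {
    "A": "Password change by API", "F": "Forced password reset",
    "M": "Password reset on mismatch", "N": "Manual password entry for new account",
    "O": "Initial onboarding via smart rule", "P": "Change by EPM agent",
    "R": "Post release password reset", "S": "Scheduled password change",
    "T": "Ticket approval release password reset", "U": "Manual password entry",
    "V": "Approval release password reset", "X": "Synced password with primary",
    "Y": "Un-synced password from primary", "Z": "Forced password sync with primary",
}

# Value types from the table for the fields checked here (timestamps assumed ISO 8601).
FIELD_TYPES = {"LogID": int, "ObjectTypeID": int, "ObjectID": int, "UserID": int,
               "ManagedSystemID": int, "Failed": bool, "LogTime": datetime, "ChangeDt": datetime}

def parse_leef(line):
    """Split a LEEF 1.0/2.0 record into (header dict, attribute dict)."""
    parts = line.split("|")
    header = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    if parts[0] == "LEEF:2.0" and "=" not in parts[5]:   # explicit delimiter field
        delim = chr(int(parts[5][1:], 16)) if parts[5].startswith("x") else parts[5]
        body = "|".join(parts[6:])
    else:                                                 # LEEF 1.0, or 2.0 with tab
        delim, body = "\t", "|".join(parts[5:])
    attrs = dict(kv.split("=", 1) for kv in body.split(delim) if "=" in kv)
    return header, attrs

def typed_fields(attrs):
    """Coerce values to the table's types; report mismatches instead of dropping them."""
    out, errors = {}, []
    for key, raw in attrs.items():
        typ = FIELD_TYPES.get(key)
        try:
            if typ is bool and raw.lower() not in ("true", "false"):
                raise ValueError(raw)
            out[key] = (int(raw) if typ is int else raw.lower() == "true" if typ is bool
                        else datetime.fromisoformat(raw) if typ is datetime else raw)
        except ValueError:
            errors.append(f"{key}: unexpected value {raw!r}")
    if "ChangeReasonCd" in out:   # expand the one-letter reason code from the table
        out["ChangeReason"] = CHANGE_REASONS.get(out["ChangeReasonCd"], "unknown code")
    return out, errors

# Constructed sample record (vendor/product/version/event ID values are assumptions).
SAMPLE = ("LEEF:2.0|BeyondTrust|Password Safe|1.0|PasswordChange|^|"
          "Category=Change^EventName=Change^LogID=4711^LogTime=2024-05-01T10:15:00^"
          "UserName=svc_rotate^ObjectType=Managed Account^ObjectID=42^Operation=Update^"
          "Failed=False^ChangeReasonCd=S^Result=S^ManagedSystemID=7^AccountName=dbadmin")
```

Records whose values do not match the table's types are surfaced in the returned error list, which is the signal to check the connector's formatter version and filters rather than silently dropping the event.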