IBM QRadar

DSM Configuration Guide

March 2024

IBM
Chapter 9. Protocol configuration options
Protocols in IBM QRadar provide the capability of collecting a set of data files by using various connection
options. These connections pull the data back or passively receive data into the event pipeline in QRadar.
Then, the corresponding Device Support Module (DSM) parses and normalizes the data.
The following standard connection options pull data into the event pipeline:
• JDBC
• FTP
• SFTP
• SCP
The following standard connection options receive data into the event pipeline:
• Syslog
• HTTP Receiver
• SNMP
QRadar also supports proprietary vendor-specific protocol API calls, such as Amazon Web Services.
Related information
Adding a log source

Akamai Kona REST API protocol configuration options

To receive events from your Akamai Kona Platform, configure a log source to use the Akamai Kona REST
API protocol.
The Akamai Kona REST API protocol is an outbound/active protocol that queries the Akamai Kona
Platform and sends events to the QRadar Console.
The following table describes the parameters that require specific values for Akamai KONA DSM event
collection.

Table 35. Akamai KONA DSM log source parameters

Parameter Value
Log Source Type Akamai KONA
Protocol Configuration Akamai Kona REST API
Log Source Identifier Type a unique name for the log source.
The Log Source Identifier can be any valid value
and does not need to reference a specific server.
It can also be the same value as the Log Source
Name. If you have more than one configured
Akamai KONA DSM log source, ensure that you give
each one a unique name.

Host The Host value is provided during the SIEM

OPEN API provisioning in the Akamai Luna Control
Center. The Host is a unique base URL that
contains information about the appropriate rights
to query the security events. This parameter is a
password field because part of the value contains
secret client information.

© Copyright IBM Corp. 2012, 2023 67

 Table 1048. QRadar Supported DSMs

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

3Com 8800 Series Switch V3.01.30 Syslog Status and network condition Yes No No
events

AhnLab AhnLab Policy Center AhnLabPolicy Spyware detection No Yes No

CenterJdbc Virus detection
Audit

Akamai Akamai KONA HTTP Receiver Event format: JSON No No No

Akamai Kona REST API Recorded event types: All
security events

Alibaba Cloud Alibaba ActionTrail Alibaba Cloud Object Storage Event format: JSON Yes Yes No
Syslog

Amazon Amazon AWS Application Load Balancer Access Logs Amazon AWS S3 REST API Event format: Space Yes No No
delimited pre-defined fields
Recorded event types: Access
logs

Amazon Amazon AWS CloudTrail Amazon AWS S3 REST API Event versions 1.0, 1.02, Yes No No
1.03, 1.04, 1.05, 1.06 and
Amazon Web Services
1.08 events.

Amazon Amazon AWS Config Amazon AWS S3 REST API Event format: JSON Yes No No

Amazon Amazon AWS Elastic Kubernetes Service Amazon Web Services Event format: JSON Yes No No
Supported version: Kubernetes API 1.19 Recorded event types:
Amazon AWS Kubernetes

Amazon Amazon AWS Network Firewall Amazon AWS S3 REST API Event format: JSON No No No
Recorded event types:
Firewall Alert logs, Firewall
Flow logs

Amazon Amazon AWS Route 53 • Amazon Web Services (Resolver and Event format: Yes No No
Public DNS query logs)
• JSON (Resolver query
• Amazon AWS S3 REST API (Resolver logs)
query logs only)
• Space delimited pre-
• Syslog defined fields (Public DNS
query logs)
Recorded event types: Event
versions 1.0

Amazon Amazon AWS Security Hub Amazon Web Services Event format: JSON No No No
Recorded event types: AWS
Security Finding Format
(ASFF)

Amazon Amazon AWS WAFCentrif Amazon AWS S3 REST API Event format: JSON No No No
Recorded event types: Traffic
allow, Traffic block

Amazon Amazon CloudFront Amazon Web Services Event format: Tab Separated Yes No No
Value (TSV)
Recorded event types:
RealTime Log - TSV

Amazon Amazon GuardDuty Amazon Web Services Amazon GuardDuty Findings No No No

JSON

Amazon AWS Verified Access Amazon AWS S3 REST API, Syslog Event format: JSON Yes Yes Yes

Ambiron TrustWave ipAngel V4.0 Syslog Snort-based events No No No

Apache HTTP Server V1.3+ Syslog, Syslog-ng HTTP status Yes No No

APC UPS Syslog Smart-UPS series events No No No

Apple Apple Mac OS X version 10.12 Syslog Firewall, web server access, No Yes No
web server error, privilege,
and informational events

Application DbProtect V6.2, V6.3, V6.3sp1, V6.3.1, and v6.4 Syslog All events Yes No No
Security, Inc.

Arbor Networks Arbor Networks Pravail APS V3.1+ Syslog, TLS Syslog All events Yes No No

Arbor Networks Arbor Networks Peakflow SP V5.8 to V8.1.2 Syslog, TLS Syslog Denial of Service (DoS) Yes No No
Authentication
Exploit
Suspicious activity
System

Arpeggio SIFT-IT V3.1+ Syslog All events configured in the Yes No No

Software SIFT-IT rule set

Array Networks SSL VPN ArraySP v7.3 Syslog All events No Yes Yes

Aruba Networks Aruba ClearPass Policy Manager v6.5.0.71095 to Syslog Event format: LEEF Yes Yes No
v6.11.1
Event types: session, audit,
system, insight

Aruba Networks Mobility Controllers v2.5 + Syslog All events Yes No No

1646 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Avaya Inc. Avaya VPN Gateway v9.0.7.2 Syslog All events Yes Yes No

BalaBit IT MicrosoftWindows Security Event Log V4.x Syslog Microsoft Event Log events Yes Yes No
Security

BalaBit IT Microsoft ISA V\v4.x Syslog and WinCollect Microsoft Event Log vents Yes Yes No
Security

Barracuda Spam & Virus Firewall v5.x and later Syslog All events Yes No No
Networks

Barracuda Web Application Firewall v7.0.x Syslog System, web firewall, access, Yes No No
Networks and audit events

Barracuda Web Filter v6.0.x+ Syslog Web traffic and web interface Yes No No
Networks events

BlueCat Adonis v6.7.1-P2+ Syslog DNS and DHCP events Yes No No

Networks

Blue Coat SG v4.x+ Syslog, Log File Protocol All events No No Yes

Blue Coat Web Security Service Blue Coat ELFF, Access No No No

Box Box Box REST API Event format: JSON No Yes No

RTC 256758
Event types: Administrator
and enterprise events, Box
Shield Alerts

Bridgewater AAA v8.2c1 Syslog All events Yes Yes No

Systems

Broadcom CA Access Control Facility (ACF2) (Formerly known as Log File Protocol All events No No Yes
CA Technologies ACF2)

Broadcom CA Top Secret (Formerly known as CA Technologies Top Log File Protocol All events No No Yes
Secret)

Broadcom Symantec SiteMinder (Formerly known as CA Syslog, Log File All events No Yes No
SiteMinder)

Brocade Fabric OS v7.x Syslog System and audit events Yes No No

Carbon Black Carbon Black v5.1 and later Syslog Watchlist hits Yes No No

Carbon Black Carbon Black Bit9 Parity Syslog LEEF Yes No

Carbon Black Carbon Black Bit9 Security Platform v6.0.2 Syslog All events Yes Yes No

Centrify Centrify Identity Platform

Now known as CyberArk Identity

Centrify Centrify Infrastructure Services 2017 Syslog and WinCollect WinCollect logs, Audit events Yes No No

Check Point Check Point versions NG, FP1, FP2, FP3, AI R54, AI Syslog or OPSEC LEA Event format: LEEF (versions Yes Yes Yes
R55, R65, R70, R75, R77, R80, R81, and NGX R77.30, R80.10, R80.20,
R81.10)
Event types: All events

Check Point VPN-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, Syslog or OPSEC LEA Event format: LEEF (versions Yes Yes No
R70, R77, R80, R81, and NGX R77.30, R80.10, R80.20,
R81.10)
Event types: All events

Check Point Check Point Multi-Domain Management (Provider-1) Syslog or OPSEC LEA Event format: LEEF (versions Yes Yes No
versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77.30, R80.10, R80.20,
R77, R80, R81, and NGX R81.10)
Event types: All events

Cilasoft Cilasoft QJRN/400 v5.14.K+ Syslog IBM audit events Yes Yes No

Cisco 4400 Series Wireless LAN Controller V7.2 Syslog All events No No No
SNMPv2

Cisco Cisco CallManager 8.x, 11.5 Syslog Application events Yes No No

Cisco ACS V4.1 and later if directly from ACS V3.x and later if Syslog Failed Access Attempts Yes Yes No
using ALE

Cisco Aironet V4.x+ Syslog Cisco Emblem Format Yes No No

Cisco ACE Firewall V12.2 Syslog All events Yes Yes No

Cisco Cisco AMP Cisco AMP All security events No No No

For a detailed list of
supported events, go to the
Cisco AMP for Endpoints API
documentation. (https://api-
docs.amp.cisco.com/
api_actions/details?
api_action=GET+
%2Fv1%2Fevent_types&amp
;api_host=api.amp.cisco.com
&api_resource=Event+T
ype&api_version=v1)
Note: Network traffic is
supported only for Data Flow
Control (DCF) events.

Chapter 176. QRadar supported DSMs 1647

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Cisco ASA V7.x and later Syslog All events Yes Yes No

Cisco ASA V7.x+ NSEL Protocol All events No No No

Cisco CSA V4.x, V5.x and V6.x Syslog SNMPv1 SNMPv2 All events Yes Yes No

Cisco CatOS for catalyst systems V7.3+ Syslog All events Yes Yes No

Cisco Cloud Web Security (CWS) Amazon AWS S3 REST API W3C No No No
All web usage logs

Cisco Cisco Stealthwatch V6.8 Syslog Event format: LEEF Yes No No

Event types: Anomaly, Data
Hoarding, Exploitation, High
Concern, Index, High DDoS
Source Index, High Target
Index, Policy Violation,
Recon, High DDoS Target
Index, Data Exfilration, C&C

Cisco IPS V7.1.10 and later, V7.2.x, V7.3.x SDEE All events No No No

Cisco • Cisco IronPort V5.5, V6.5, V7.1, V7.5 (adds support Syslog, Log File protocol Event format: All events No No No
for access logs) Recorded event types:
• Cisco IronPort ESA: V10.0 Mail (syslog)
• Cisco IronPort WSA: V10.0 System (syslog)
Access (syslog)
Web content filtering (Log
File)
Important: Critical, Warning
and Information logs are
supported.

Cisco Cisco Duo Cisco Duo Event format: JSON Yes Yes No
Event types: Authentication
logs

Cisco Cisco Firepower Management Center V5.2 to V7.1 Cisco Firepower eStreamer protocol Discovery events No No No
(formerly known as Cisco FireSIGHT Management Correlation and White List
Center) events
Impact Flag alerts
User activity
Malware events
File events
Connection events
Intrusion events
Intrusion Event Packet Data
Intrusion Event Extra Data

Cisco Cisco Firepower Threat Defense Syslog Event format: Syslog, Yes Yes No
Comma-separated values
(CSV), Name-value pair (NVP)
Recorded event types:
Intrusion, Connection

Cisco Cisco Firewall Service Module (FWSM) v2.1+ Syslog All events Yes Yes Yes

Cisco Cisco Catalyst Switch IOS, 12.2, 12.5+ Syslog All events Yes Yes No

Cisco Cisco Meraki Syslog Event format: Syslog Yes No No

Event types:
Events
Flows
security_event_ids_alerted

Cisco Cisco NAC Appliance v4.x + Syslog Audit, error, failure, No No No

quarantine, and infected
events

Cisco Cisco Nexus v6.x Syslog Nexus-OS events Yes No No

Cisco Cisco PIX Firewall v5.x, v6.3+ Syslog Cisco PIX events Yes Yes Yes

Cisco Cisco Identity Services Engine V1.1 to V2.2 UDP Multiline Syslog Event format: Syslog No Yes No
Event types: Device events

Cisco Cisco IOS 12.2, 12.5+ Syslog All events Yes Yes No

Cisco Cisco Secure Workload Syslog Event format: JSON Yes No No

Cisco Cisco Umbrella Amazon AWS S3 REST API Event format: Cisco Umbrella No No No
CSV
Event types: DNS, Proxy, IP

Cisco Cisco VPN 3000 Concentrator versions VPN 3005, Syslog All events Yes Yes Yes
4.1.7.H

Cisco Cisco Wireless Services Modules (WiSM) V 5.1+ Syslog All events Yes No No

Citrix Citrix NetScaler V9.3 to V10.0 Syslog All events Yes Yes No

1648 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Citrix Citrix Access Gateway V4.5 Syslog Access, audit, and diagnostic Yes No No
events

Cloudera Cloudera Navigator Syslog Audit events for HDFS, Yes No No

HBase, Hive, Hue, Cloudera
Impala, Sentry

Cloudflare Cloudflare Logs Amazon AWS S3 REST API Event format: JSON Yes No No
HTTP Receiver Event types: HTTP events,
Firewall events

CloudPassage CloudPassage Halo Syslog, Log file All events Yes No No

CrowdStrike CrowdStrike Falcon Syslog Incident, Incident summary, Yes No No

Detection summary,
LEEF
Authentication, Detection
status update, Uploaded
IoCs, Network containment,
IP whitelisting, Policy
management, CrowdStrike
store, Falcon firewall
management, Real time
response, Event streams

CrowdStrike Falcon Data Replicator Amazon AWS S3 REST API Event format: JSON Yes No No

CorreLog CorreLog Agent for IBM z/OS Syslog LEEF All events Yes No No

CRYPTOCard CRYPTO- Shield V6.3 Syslog All events No No No

CyberArk CyberArk Identity Centrify Redrock REST API Event format: JSON No No No
Important: The Centrify Identity Platform DSM name is Event types: SaaS, Core,
now the CyberArk Identity DSM. The DSM RPM name Internal and Mobile
remains as Centrify Identity Platform in QRadar.

CyberArk CyberArk Privileged Threat Analytics V3.1 Syslog Detected security events Yes No No

CyberArk CyberArk Vault V6.x Syslog All events Yes Yes No

CyberGuard Firewall/VPN KS1000 V5.1 Syslog CyberGuard events Yes No No

Damballa Failsafe V5.0.2+ Syslog All events Yes No No

Digital China DCS and DCRS Series switches V1.8.7 Syslog DCS and DCRS IPv4 events No No No
Networks

DG Technology DG Technology MEAS Syslog LEEF Mainframe events Yes No No

ESET ESET Remote Administrator V6.4.270 Syslog Threat events Yes Yes No
LEEF Firewall Aggregated Event
HIPS Aggregated Event
Audit events

Extreme Dragon V5.0, V6.x, V7.1, V7.2, V7.3, and V7.4 Syslog SNMPv1 SNMPv3 All relevant Extreme Dragon Yes No No
events

Extreme 800-Series Switch Syslog All events Yes No No

Extreme Matrix Router V3.5 Syslog SNMPv1 SNMPv2 SNMPv3 SNMP and syslog login, Yes No No
logout, and login failed events

Extreme NetSight Automatic Security Manager V3.1.2 Syslog All events Yes No No

Extreme Matrix N/K/S Series Switch V6.x, V7.x Syslog All relevant Matrix K-Series, Yes No No
N-Series and S-Series device
events

Extreme Stackable and Standalone Switches Syslog All events Yes Yes No

Extreme XSR Security Router V7.6.14.0002 Syslog All events Yes No No

Extreme HiGuard Wireless IPS 2R2.0.30 Syslog All events Yes No No

Extreme HiPath Wireless Controller 2R2.0.30 Syslog All events Yes No No

Extreme NAC 3.2 and 3.3 Syslog All events Yes No No

Chapter 176. QRadar supported DSMs 1649

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Enterprise-IT- SF-Sherlock 8.1 and later LEEF All_Checks, Yes No No

Security.com DB2_Security_Configuration,
JES_Configuration,
Job_Entry_System_Attack,
Network_Parameter,
Network_Security, No_Policy,
Resource_Access_Viol,
Resource_Allocation,
Resource_Protection,
Running_System_Change,
Running_System_Security,
Running_System_Status,
Security_Dbase_Scan,
Security_Dbase_Specialty,
Security_Dbase_Status,
Security_Parm_Change,
Security_System_Attack,
Security_System_Software,
Security_System_Status, SF-
Sherlock, Sherlock_Diverse,
Sherlock_Diverse,
Sherlock_Information,
Sherlock_Specialties,
Storage_Management,
Subsystem_Scan,
Sysplex_Security,
Sysplex_Status,
System_Catalog,
System_File_Change,
System_File_Security,
System_File_Specialty,
System_Log_Monitoring,
System_Module_Security,
System_Process_Security,
System_Residence,
System_Tampering,
System_Volumes,
TSO_Status,
UNIX_OMVS_Security,
UNIX_OMVS_System,
User_Defined_Monitoring,
xx_Resource_Prot_Templ

Epic Epic SIEM, Versions Epic 2014, Epic 2015, and Epic LEEF Audit, Authentication Yes Yes No
2017

Exabeam Exabeam 1.7 and 2.0 not applicable Critical, Anomalous Yes No No

Extreme Extreme Ware 7.7 and XOS 12.4.1.x Syslog All events No Yes No
Networks

F5 Networks F5 Networks BIG-IP AFM 11.3 and 12.x to 14.x Syslog Network, network DoS, Yes Yes No
protocol security, DNS, and
DNS DoS events

F5 Networks F5 Networks BIG-IP LTM 9.42 to 14.x Syslog, CSV All events No Yes No

F5 Networks F5 Networks BIG-IP ASM 10.1 to 16.x Syslog Event formats: CEF (CEF:0 is Yes Yes No
supported), JSON
Recorded event types: All
security events

F5 Networks F5 Networks BIG-IP APM 10.x to 14.x Syslog All events Yes No No

F5 Networks FirePass 7.0 Syslog All events Yes Yes No

Fair Warning Fair Warning 2.9.2 Log File Protocol All events No No No

Fasoo Fasoo Enterprise DRM 5.0 JDBC NVP event format No No No

Usage events

Fidelis Security Fidelis XPS 7.3.x Syslog Alert events Yes No No

Systems

FireEye FireEye CMS, MPS, EX, AX, NX, FX, and HX Syslog, TLS Syslog Event formats: CEF (CEF:0 is Yes No No
supported), LEEF
Recorded event types: All
relevant events

FreeRADIUS FreeRADIUS 2.x Syslog All events Yes Yes No

Forcepoint Forcepoint Sidewinder 6.1 Syslog Forcepoint Sidewinder audit Yes No No

events
(formerly known as McAfee Firewall Enterprise 6.1)

Forcepoint Stonesoft Management Center 5.4 to 6.1 Syslog Event format: LEEF Yes No No
Event types: Management
Center, IPS, Firewall, and
VPN events

Forcepoint Forcepoint TRITON 7.7, and 8.2 Syslog Events for web content Yes No No
from several Forcepoint
(formerly known as Websense) LEEF
TRITON solutions, including
Web Security, Web Security
Gateway, Web Security
Gateway Anywhere, and V-
Series appliances.
All events

Forcepoint Forcepoint V-Series Data Security Suite (DSS) 7.1x Syslog All events Yes Yes Yes
(formerly known as Websense)

1650 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Forcepoint Forcepoint V-Series Content Gateway V7.1x Log File Protocol All events No No No
(formerley known as Websense)

ForeScout CounterACT 7.x and later Syslog Denial of Service, system, No No No

exploit, authentication, and
suspicious events

Fortinet Fortinet FortiGate Security Gateway FortiOS 6.4 and Syslog All events Yes Yes Yes
earlier
Syslog Redirect

Foundry FastIron 3.x.x and 4.x.x Syslog All events Yes Yes No

genua genugate 8.2+ Syslog General error messages Yes Yes No

High availability
General relay messages
Relay-specific messages
genua programs/daemons
EPSI Accounting Daemon -
gg/src/acctd
Configfw FWConfig
ROFWConfig
User-Interface
Webserver

Google Google Cloud Audit Logs Google Cloud Pub/Sub Supported services: Yes No No

• Google Compute Engine

• Identity Access
Management

• Identity Platform

• Cloud Storage
Event format: JSON
Event types: Storage, list,
update

Google Google Cloud Platform Firewall Google Cloud Pub/Sub Event format: JSON No No No
Event types: Firewall Allow,
Firewall Deny

Google Google G Suite Activity Reports Google G Suite Activity Reports REST API Event format: JSON No No No
Recorded event types:
Admin, drive, login, user
accounts

Great Bay Beacon Syslog All events Yes Yes No

H3C H3C Comware Platform, H3C Switches, H3C Routers, Syslog NVP No No No
Technologies H3C Wireless LAN Devices, and H3C IP Security Devices
System
version 7 is supported

HBGary Active Defense 1.2 and later Syslog All events Yes No No

Hewlett Packard HPE Network Automation 10.11 Syslog All operational and Yes Yes No
Enterprise configuration network events.
LEEF

Hewlett Packard HPE ProCurve K.14.52 Syslog All events Yes No No

Enterprise

Hewlett Packard HPE Tandem Log File Protocol Safe Guard Audit file events No No No
Enterprise

Hewlett Packard HPE UX V11.x and later Syslog All events No Yes No
Enterprise

Honeycomb Lexicon File Integrity Monitor mesh service V3.1 and Syslog integrity events Yes No No
Technologies later

Huawei S Series Switch S5700, S7700, and S9700 using Syslog IPv4 events from S5700, No No No
V200R001C00 S7700, and S9700 Switches

Huawei AR Series Router (AR150, AR200, AR1200, AR2200, Syslog IPv4 events No No No
and AR3200 routers using V200R002C00)

IBM IBM AIX V6.1 and V7.1 Syslog, Log File protocol Configured audit events Yes No No

IBM IBM AIX 5.x, 6.x, and v7.x Syslog Authentication and operating Yes Yes No
system events

IBM IBM BigFixV8.2.x to 9.5.2 IBM BigFix SOAP Protocol Server events No Yes No
(formerly known as Tivoli EndPoint Manager)

IBM IBM BigFix Detect

Note: The IBM BigFix Detect DSM for QRadar is
deprecated.

IBM IBM Bluemix Platform (now known as IBM Cloud

Platform)

IBM IBM Cloud Activity Tracker Apache Kafka protocol Event format: JSON Yes No No

IBM IBM Cloud Identity

(now known as IBM Security Verify

Chapter 176. QRadar supported DSMs 1651

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

IBM IBM Cloud Platform (formerly known as IBM Bluemix Syslog, TLS Syslog All System (Cloud Foundry) Yes No No
Platform) events, some application
events

IBM IBM DLC Metrics Syslog, Forwarded Event format: LEEF Yes No No
Recorded event types: All
DLC Metrics event types

IBM IBM Federated Directory Server V7.2.0.2 and later LEEF FDS Audit Yes No No

IBM IBM Guardium 8.2p45 Syslog Policy builder events No No No

IBM IBM Security Guardium Insights Syslog Out of Box Policy Violation Yes No No
Rules

IBM IBM i DSM V5R4 and later Log File Protocol Event format: No Yes No
(formerly known as AS/400iSeries) • CEF (CEF:0 is supported.)

• LEEF (LEEF:1.0 is
supported.)
Recorded event types: All
security events

IBM IBM i - Robert Townsend Security Solutions V5R1 and Syslog Event format: Yes Yes No
later
• CEF (CEF:0 is supported.)
(formerly known as AS/400iSeries)
• LEEF (LEEF:1.0 is
supported.)
Recorded event types: All
security events

IBM IBM i - Powertech Interact V5R1 and later Syslog Event format: Yes Yes No
(formerly known as AS/400iSeries) • CEF (CEF:0 is supported.)

• LEEF (LEEF:1.0 is
supported.)
Recorded event types: All
security events

IBM IBM ISS Proventia M10 v2.1_2004.1122_15.13.53 SNMP All events No No No

IBM IBM Lotus Domino v8.5 SNMP All events No No No

IBM IBM Proventia Management SiteProtector v2.0 and v2.9 JDBC IPS and audit events No No No

IBM IBM RACF v1.9 to v1.13 Log File Protocol All events No No Yes

IBM IBM CICS v3.1 to v4.2 Log File Protocol All events No No Yes

IBM IBM DB2 v8.1 to v10.1 Log File Protocol All events No No Yes

IBM IBM DataPower FirmwareV6 and V7 Syslog All events Yes No No

(formerly known as WebSphere DataPower)

IBM IBM MaaS360 Security LEEF, JSON Compliance rule events No Yes No
(formerly known as IBM Fiberlink MaaS360) Device enrollment events
Action history events

IBM IBM QRadar Packet Capture Syslog, LEEF All events Yes No No
IBM QRadar Packet Capture V7.2.3 to V7.2.8
IBM QRadar Network Packet Capture V7.3.0

IBM IBM Red Hat OpenShift V5.2.4 Syslog Event format: JSON Yes No Yes
Event types: Audit and
Infrastructure

IBM IBM SAN Volume Controller Syslog CADF event format Yes No No
Activity, Control, and Monitor
audit events

IBM IBM z/OS v1.9 to v1.13 Log File Protocol All events No No Yes

IBM IBM Informix v11 Log File Protocol All events No No No

IBM IBM IMS Log File Protocol All events No No No

IBM Security Access Manager for Mobile (ISAM) TLS Syslog IBM_SECURITY_AUTHN Yes No No
IBM_SECURITY_TRUST
IBM_SECURITY_RUNTIME
IBM_SECURITY_CBA_AUDIT
_MGMT
IBM_SECURITY_CBA_AUDIT
_RTE
IBM_SECURITY_RTSS_AUDI
T_AUTHZ
IBM_SECURITY_SIGNING
CloudOE
Operations
Usage
IDaaS Appliance Audit
IDaaS Platform Audit

1652 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

IBM Security Identity Governance (ISIG) JDBC NVP event format No No No

Audit event type

IBM QRadar Network Security XGS v5.0 with fixpack 7 to Syslog System, access, and security Yes No No
v5.4 events

IBM Security Network IPS (GX) v4.6 and later Syslog Security, health, and system Yes No No
events

IBM Security Privileged Identity Manager V1.0.0 to V2.1.1 JDBC Audit, authentication and No No No
system events

IBM Security Identity Manager 6.0.x and later JDBC Audit and recertification No Yes No
events

IBM IBM Security Randori Recon IBM Security Randori REST API Event format: JSON Yes No No
Event types: Detections

IBM IBM Security QRadar EDR v3.9.0 IBM Security ReaQta REST API Event format: JSON Yes No Yes
(formerly known as IBM Security ReaQta) Event types: Alerts

IBM IBM Security Trusteer HTTP Receiver Event format: JSON Yes No No
Event types: Trusteer alerts

IBM IBM Security Trusteer Apex Advanced Malware Syslog/LEEF Malware Detection Yes Yes No
Protection
Log File Protocol Exploit Detection
Data Exfiltration Detection
Lockdown for Java Event
File Inspection Event
Apex Stopped Event
Apex Uninstalled Event
Policy Changed Event
ASLR Violation Event
ASLR Enforcement Event
Password Protection Event

IBM IBM Sense v1 Syslog LEEF Yes No No

IBM IBM SmartCloud Orchestrator v2.3 FP1 and later IBM SmartCloud Orchestrator REST API Audit Records No Yes No

IBM IBM Security Verify JSON Authentication No Yes Yes

(formerly known as IBM Cloud Identity) SSO
Management
Threat

IBM Tivoli Access Manager IBM Web Security Gateway v7.x Syslog audit, access, and HTTP Yes Yes No
events

IBM Tivoli Endpoint Manager

(now known asIBM BigFix)

IBM WebSphere Application Server v5.0 to v8.5 Log File Protocol All events No Yes No

IBM WebSphere DataPower

(now known as DataPower)
WebSphere DataPower

IBM zSecure Alert v1.13.x and later UNIX syslog Alert events Yes Yes No

IBM Security Access Manager v8.1 and v8.2 Syslog Audit, system, and Yes No No
authentication events

IBM Security Verify Directory v6.3.1 and later (formerly Syslog LEEF All events Yes Yes No
known as Security Directory Server)

Illumio Illumio Adaptive Security Platform Syslog Audit Yes No No

LEEF Traffic

Imperva Incapsula LEEF Access events and Security Yes No No

alerts

Imperva SecureSphere v6.2 and v7.x to v13 Release Enterprise Syslog Firewall policy events Yes No No
Edition (Syslog)
LEEF
SecureSphere v9.5 to v13 (LEEF)
cy

Infoblox NIOS Infoblox NIOS 6.x to 8.x Syslog ISC Bind No Yes No
Linux DHCP
Linux Server
Apache

Internet ISC BIND 9.9, 9.11, 9.12 Syslog All events Yes No No
Systems
Consortium
(ISC)

Intersect SNARE Enterprise Windows Agent Syslog Microsoft Event Logs Yes Yes No
Alliance

iT-CUBE agileSI 1.x SMB Tail AgileSI SAP events No Yes No

Chapter 176. QRadar supported DSMs 1653

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Itron Openway Smart Meter Syslog All events Yes No No

Juniper AVT JDBC All events No No Yes

Networks

Juniper DDoS Secure No No

Networks
Juniper Networks DDoS Secure is now known as NCC
Group DDoS Secure.

Juniper DX Syslog Status and network condition Yes No Yes

Networks events
The Juniper Networks DX Platform product is end of life
(EOL), and is no longer supported by Juniper.

Juniper Infranet Controller

Networks
The Juniper Networks Infranet Controller DSM for
IBM QRadar is now known as Pulse Secure Infranet
Controller.

Juniper Firewall and VPN v5.5r3 and later Syslog NetScreen Firewall events Yes Yes Yes
Networks

Juniper Junos WebApp Secure v4.2.x Syslog Incident and access events Yes No No
Networks

Juniper IDP v4.0, v4.1 & v5.0 Syslog NetScreen IDP events Yes No Yes
Networks

Juniper Network and Security Manager (NSM) and Juniper SSG Syslog NetScreen NSM events Yes No Yes
Networks v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x

Juniper Junos OS 7.x to 10.x Ex Series Syslog or PCAP Syslog*** All events Yes** Yes Yes
Networks
Ethernet Switch DSM only supports 9.0 to 10.x

Juniper Secure Access Yes

Networks
Juniper Networks Secure Access is now known as Pulse
Secure Pulse Connect Secure.

Juniper Juniper Security Binary Log Collector Binary Audit, system, firewall, and No No Yes
Networks IPS events
SRX or J Series appliances at 12.1 or above

Juniper Steel-Belted Radius 5.x Log File All events Yes Yes Yes
Networks

Juniper vGW Virtual Gateway 4.5 Syslog Firewall, admin, policy and Yes No No
Networks IDS Log events
The Juniper Networks vGW Virtual Gateway product is
end of life (EOL), and is no longer supported by Juniper.

Juniper Wireless LAN Controller Syslog All events Yes No No

Networks
Wireless LAN devices with Mobility System Software
(MSS) V7.6 and later

Kisco Kisco Information Systems SafeNet/i 10.11 Log File All events No No No

Kubernetes Kubernetes Auditing Syslog Event format: JSON Yes No Yes

Recorded event
types: RequestReceived,
ResponseStarted,
ResponseComplete

Lastline Lastline Enterprise 6.0 LEEF Anti-malware Yes No No

Lieberman Random Password Manager 4.8x Syslog All events Yes No No

LightCyber LightCyber Magna 3.9 Syslog, LEEF C&C, exfilt, lateral, malware Yes No No
and recon

Linux Open Source Linux OS 2.4 and later Syslog Operating system events Yes Yes No

Linux DHCP Server 2.4 and later Syslog All events from a DHCP server Yes Yes No

Linux IPtables kernel 2.4 and later Syslog Accept, Drop, or Reject Yes No No
events

McAfee McAfee Application / Change Control v4.5.x JDBC Change management events No Yes No

McAfee McAfee ePolicy Orchestrator 3.5 to 5.10 JDBC: 3.5 to 5.9 AntiVirus events No No No
SNMPv1, SNMPv2, SNMPv3: 3.5 to 5.9
TLS Syslog: 5.10

McAfee McAfee MVISION Cloud 2.4 and 3.3 Syslog Event format: Yes No No
(formerly known as Skyhigh Networks Cloud Security Log Event Extended Format
Platform) (LEEF)
Recorded event types:
Privilege Access, Insider
Threat, Compromised
Account, Access, Admin,
Data, Policy, and Audit

McAfee McAfee Network Security Platform 2.x - 5.x Syslog Alert notification events Yes No No
(Formerly known as McAfee Intrushield) Important: Supported alert
notification events do not
include custom events with
IDs that begin with Oxc, Oxcc,
Oxe, or Oxee.

1654 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

McAfee McAfee Network Security Platform 6.x - 7.x and 8.x - Syslog Alert and fault notification Yes No No
10.x events
(Formerly known as McAfee Intrushield) Important: Supported alert
notification events do not
include custom events with
IDs that begin with Oxc, Oxcc,
Oxe, or Oxee.

McAfee McAfee Web Gateway 6.0.0 Syslog Event format: LEEF Yes No No
Log File protocol Recorded event types: All
events

MetaInfo MetaIP 5.7.00-6059 Syslog All events Yes Yes No

Microsoft Microsoft 365 Defender Microsoft Defender for Endpoint SIEM REST Event format: JSON Yes Yes No
API
Important: The Microsoft Windows Defender ATP DSM The Microsoft 365 Defender
is now the Microsoft 365 Defender DSM. The DSM RPM Microsoft Azure Event Hubs DSM supports the following
name remains as Microsoft Windows Defender ATP in events when you use the
Microsoft Graph Security API
QRadar. Microsoft Azure Event Hubs
protocol:
Alerts (Alerts are supported
only for Microsoft Defender
for Endpoint.):

• AlertInfo

• AlertEvidence
Device:

• DeviceInfo

• DeviceNetworkInfo

• DeviceProcessEvents

• DeviceNetworkEvents

• DeviceFileEvents

• DeviceRegistryEvents

• DeviceLogonEvents

• DeviceEvents

• DeviceFileCertificateInfo

• DeviceImageLoadEvents
Email:

• EmailEvents

• EmailAttachmentInfo

• EmailPostDeliveryEvents

• EmailUrlInfo
The Microsoft 365 Defender
DSM supports the following
events when you use
the Microsoft Defender for
Endpoint REST API protocol:

• Windows Defender ATP

• Windows Defender AV

• Third party TI

• Customer TI

• Bitdefender
The Microsoft 365 Defender
DSM supports the following
events when you use the
Microsoft Graph Security API
protocol:

• Microsoft Defender for

Endpoint Alerts V2

• Microsoft Defender for

Cloud App Security Alerts
V2

• Microsoft Defender for

Identity Alerts V2

• Microsoft Defender for

Office 365 Alerts V2

• Microsoft Defender for

Azure AD Identity
Protection Alerts V2

• Microsoft Defender for

Data Loss Prevention
Alerts V2

Microsoft Microsoft Entra ID (formerly Microsoft Azure Active Microsoft Azure Event Hubs Event format: JSON Yes No No
Directory)
Recorded event types: Sign-
In logs, Audit logs

Chapter 176. QRadar supported DSMs 1655

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Microsoft Microsoft Azure Platform Microsoft Azure Event Hubs Event format: JSON Yes No No
Recorded event types:
Platform level activity logs
For more information
about Platform level
activity logs, see Azure
Resource Manager resource
provider operations (https://
docs.microsoft.com/en-us/
azure/role-based-access-
control/resource-provider-
operations).
Note: This DSM automatically
discovers only Activity Log
Events that are forwarded
directly from the Activity Log
to the Event Hub.

Microsoft Microsoft Defender for Cloud Microsoft Graph Security API Event format: JSON No No No
Important: The Microsoft Azure Security Center DSM is Microsoft Azure Event Hubs Recorded event types:
now the Microsoft Defender for Cloud DSM. The DSM Security alert
RPM name remains as Microsoft Azure Security Center
in QRadar.

Microsoft DNS Debug WinCollect Microsoft DNS Debug LEEF Yes Yes No
Supported versions:
Windows Server 2016, Windows Server 2012 R2,
Windows Server 2008 R2

Microsoft IIS 6.0, 7.0 and 8.x Syslog and WinCollect HTTP status code events Yes No No

Microsoft Internet and Acceleration (ISA) Server or Threat Syslog and WinCollect ISA or TMG events Yes No No
Management Gateway 2006

Microsoft Microsoft Exchange Server 2003, 2007, 2010, 2013, Windows Exchange Protocol Outlook Web Access events No No No
2016 and 2019 (OWA)
Simple Mail Transfer Protocol
events (SMTP
Message Tracking Protocol
events (MSGTRK)

Microsoft Endpoint Protection 2012 JDBC Malware detection events No No No

Microsoft Microsoft Hyper-V WinCollect All events No No No

supported versions:
Windows Server 2016
Windows Server 2012 (most recent)
Windows Server 2012 Core
Windows Server 2008 (most recent)
Windows Server 2008 Core
Windows 10 (most recent)
Windows 8 (most recent)
Windows 7 (most recent)
Windows Vista (most recent)

Microsoft IAS Server Syslog All events Yes No No

v2000, 2003, and 2008

Microsoft Microsoft Office 365 Office 365 REST API JSON No No No

Microsoft Microsoft Office 365 Message Trace Office 365 Message Trace REST API Event format: JSON No No No
Event types: Email security
threat classification

Microsoft Microsoft Windows Defender ATP Microsoft Defender for Endpoint REST API Event format: JSON No No No
Event types:
Windows Defender ATP
Windows Defender AV
Third Party TI
Customer TI
Bitdefender

Microsoft Microsoft Windows Security Event Log Syslog All events, including Sysmon Yes Yes Yes
and winlogbeats.json
supported versions: Forwarded
Windows Server 2016 TLS Syslog
Windows Server 2012 (most recent) TCP Multiline Syslog
Windows Server 2012 Core Windows Event Log (WMI)
Windows Server 2008 (most recent) Windows Event Log Custom (WMI)
Windows Server 2008 Core MSRPC
Windows 10 (most recent) WinCollect
Windows 8 (most recent) WinCollect NetApp Data ONTAP
Windows 7 (most recent)
Windows Vista (most recent)

Microsoft SQL Server 2008, 2012, 2014 (Enterprise editions only), Syslog, JDBC and WinCollect SQL Audit events No No No
and 2016

1656 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Microsoft SharePoint 2010 and 2013 JDBC SharePoint audit, site, and file No No No
events

Microsoft DHCP Server 2000/2003 Syslog and WinCollect All events Yes Yes No

Microsoft Operations Manager 2005 JDBC All events No No No

Microsoft System Center Operations Manager 2007 JDBC All events No No No

Motorola Symbol AP firmware 1.1 to 2.1 Syslog All events No No No

NCC Group NCC Group DDos 5.13.1-2s to 516.1-0 Syslog Event format: LEEF Yes No No
Event types: All events

Niara Niara 1.6 Syslog Security Yes No Yes

System
Internal Activity
Exfiltration
Infection
Command & Control

NetApp Data ONTAP WinCollect NetApp Data ONTAP CIFS events Yes Yes No

Netgate Netgate pfSense Syslog System Yes Yes No

Firewall
DNS
DHCP (when you use the
Linux DHCP DSM)

Netskope Netskope Active Netskope Active REST API Alert, All events No Yes No
Important:
The IBM QRadar DSM for Netskope Active is
deprecated.
To continue taking advantage of this integration,
please download the Netskope Security Cloud
DSM from the IBM Security App Exchange
website (https://exchange.xforce.ibmcloud.com/hub/
extension/ff97aaadc10ed96b0e05d1a1f24af2f7).

NGINX NGINX HTTP Server 1.15.5 Syslog Syslog, Standard syslog Yes No No

Niksun NetVCR 2005 v3.x Syslog Niksun events No No No

Nokia Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on Syslog or OPSEC LEA All events Yes Yes No
IPSO v3.8 and later

Nokia VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO Syslog or OPSEC LEA All events Yes Yes No
v3.8 and later

Nominum Vantio v5.3

Note: The Nominum Vantio DSM for QRadar is
deprecated.

Nortel Contivity Syslog All events Yes No No

Nortel Application Switch v3.2 and later Syslog Status and network condition No Yes No
events

Nortel ARN v15.5 Syslog All events Yes No No

Nortel* Ethernet Routing Switch 2500 v4.1 Syslog All events No Yes No

Nortel* Ethernet Routing Switch 4500 v5.1 Syslog All events No Yes No

Nortel* Ethernet Routing Switch 5500 v5.1 Syslog All events No Yes No

Nortel Ethernet Routing Switch 8300 v4.1 Syslog All events No Yes No

Nortel Ethernet Routing Switch 8600 v5.0 Syslog All events No Yes No

Nortel VPN Gateway v6.0, 7.0.1 and later, v8.x Syslog All events Yes Yes No

Nortel Secure Router v9.3, v10.1 Syslog All events Yes Yes No

Nortel Secure Network Access Switch v1.6 and v2.0 Syslog All events Yes Yes No

Nortel Switched Firewall 5100 v2.4 Syslog or OPSEC All events Yes Yes No

Nortel Switched Firewall 6000 v4.2 Syslog or OPSEC All events Yes Yes No

Nortel Threat Protection System v4.6 and v4.7 Syslog All events No No No

Novell eDirectory v2.7 Syslog All events Yes No No

ObserveIT ObserveIT 5.7.x and later JDBC Alerts No Yes No

User Activity
System Events
Session Activity
DBA Activity

Okta Okta Identity Management Okta REST API JSON No Yes No

Chapter 176. QRadar supported DSMs 1657

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Onapsis Onapsis Security Platform v1.5.8 and later Log Event Extended Format (LEEF) Assessment Yes No No
Attack signature
Correlation
Compliance

OpenBSD OpenBSD v4.2 and later Syslog All events No Yes No

Project

Open Suratica v6.0.3 and earlier Syslog Event format: JSON Yes No No
Information
TLS Syslog Recorded event types: Alerts
Security
Foundation
(OISF)

Open LDAP Open LDAP 2.4.x UDP Multiline Syslog All events No No No
Foundation

Open Source SNORT v2.x Syslog All events Yes No No

OpenStack OpenStack v2015.1 HTTP Reciever Audit events No No No

Oracle Oracle RDBMS Audit Record versions 9i, 10g, 11g, 12c JDBC, Syslog Event format: Name-Value Yes Yes No
(includes unified auditing) Pair
Recorded event types: Audit
records

Oracle Audit Vault V10.3 and V12.2 JDBC All audit records from No Yes No
the AVSYS.AV$ALERT_STORE
table for V10.3, or
from the custom
AVSYS.AV_ALERT_STORE_V
view for V12.2.

Oracle Oracle OS Audit 9i, 10g, and 11g Syslog Event format: name-value Yes Yes No
pair (NVP)
Event types: Oracle events

Oracle Oracle BEA WebLogic 12.2.1.3.0 Log File Oracle events No No No

Oracle Oracle Database Listener 9i, 10g, and 11g Syslog Oracle events Yes No No

Oracle Oracle Directory Server

(Formerly known as Sun ONE LDAP).

Oracle Oracle Fine Grained Auditing 9i and 10g JDBC Select, insert, delete, or No No No
update events for tables
configured with a policy

N/A osquery 3.3.2 Syslog Event format: JSON No No Yes

TCP Multiline Syslog Event type: Access Audit
Authentication System

OSSEC OSSEC 2.6 and later Syslog All relevant Yes No No

Palo Alto Palo Alto PA Series Syslog Event types: Yes Yes No
Networks
TLS Syslog Traffic
Threat
Config
System
HIP Match
Authentication
Tunnel Inspection (for PAN-
OS 8.0 - 9.1) or Tunnel (for
PAN-OS 10.0)
Correlation
SCTP
File Data
GTP
HIP Match
IP-Tag
Global Protect - Important:
To use this log type, you must
enable the EventStatus/
Status field on your Palo Alto
PA Series device.
Decryption
User ID
URL Filtering (for PAN-OS 8.0
- 9.1) or URL (for PAN-OS
10.0)
WildFire
Event Formats:
LEEF for PAN-OS v3.0 to
v10.2, and Prisma Access
v2.1
CEF for PAN-OS v4.0 to v6.1
(CEF:0 is supported)

1658 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Palo Alto Palo Alto Endpoint Security Manager 3.4.2.17401 Syslog Agent Yes No No
Networks
Config
Policy
System
Threat
Event formats: CEF (CEF:0 is
supported), LEEF

Ping Identity PingFederate Syslog Event format: CEF Yes No No

Pirean Access: One 2.2 with DB2 9.7 JDBC Access management and No No No
authentication events

PostFix Mail Transfer Agent 2.6.6 and later UDP Multiline Protocol or Syslog Mail events No No No

ProFTPd ProFTPd 1.2.x, 1.3.x Syslog All events Yes Yes No

Proofpoint Proofpoint Enterprise Protection and Enterprise Privacy Syslog Event types: No No No
versions 7.0.2, 7.1, 7.2, 7.5, 8.0
Log File System
Email security threat
classification
Email audit and encryption

Pulse Secure Pulse Secure Infranet Controller 2.1, v3.1 and 4.0 Syslog All events No Yes Yes

Pulse Secure Pulse Secure Pulse Connect Secure 8.2R5 Syslog Event types: Yes Yes Yes
TLS Syslog Admin
Authentication
System
Network
Error

Radware AppWall 6.5.2 and 8.2 Syslog Event types: Yes No No

Administration
Audit
Learning
Security
System

Radware DefensePro 4.23, 5.01, 6.x and 7.x Syslog All events (Event mapping is Yes No No
required when Event IDs are
300,000 or more.)
Tip: If you have custom
events that display as
unknown in QRadar,
see the IBM Support
article about QRadar:
Custom events for Radware
DefensePro display 'parsed,
but not mapped' (https://
www.ibm.com/support/
pages/node/6960301).

Raz-Lee IBM i Firewall 15.7 and Audit 11.7 Syslog Security, compliance, firewall, Yes Yes No
iSecurity and audit events

Redback ASE 6.1.5 Syslog All events Yes No No

Networks

Red Hat Red Hat Advanced Cluster Security for Kubernetes HTTP Receiver JSON Yes No No
Recorded event types: audit
and alert events

Resolution1 Resolution1 CyberSecurity Log file Volatile Data, Memory No No No

Analysis Data, Memory
Formerly known as AccessData InSight
Acquisition Data, Collection
Resolution1 CyberSecurity. Data, Software Inventory,
Process Dump Data,
Threat Scan Data, Agent
Remediation Data

Riverbed SteelCentral NetProfiler JDBC Alert events No No No

Riverbed SteelCentral NetProfiler Audit Log file protocol Audit events No Yes No

RSA Authentication Manager 6.x, 7.x, and 8.x v6.x and v7.x use Syslog or Log File Protocol All events No No No
v8.x uses Syslog only

SafeNet DataSecure 6.3.0 and later Syslog All events Yes No No

Salesforce Salesforce Security Auditing Log File Setup Audit Records No No No

Chapter 176. QRadar supported DSMs 1659

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Salesforce Salesforce Security Salesforce REST API Protocol Login History No Yes No
Account History
Case History
Entitlement History
Service Contract History
Contract Line Item History
Contract History
Contact History
Lead History
Opportunity History
Solution History
Salesforce Security Auditing
audit trail

Samhain Labs HIDS 2.4 Syslog All events Yes No No

JDBC

SAP SAP Enterprise Threat Detection V1.0 SP6 to V2.0 SP5 SAP Enterprise Threat Detection Alert API LEEF No No No

Seculert Seculert v1 Seculert Protection REST API Protocol All malware communication No No No
events

Seculert Seculert Seculert protection REST API Protocol All malware communication No No No
events

Sentrigo Hedgehog 2.5.3 Syslog All events Yes No No

Snowflake Snowflake JDBC Event format: Name value Yes Yes No

pair (NVP)

Skyhigh Skyhigh Networks Cloud Security Platform 2.4 and 3.3

Networks
(now known as McAfee MVISION Cloud 2.4 and 3.3)
(now known as
McAfee)

SolarWinds SolarWinds Orion 2011.2 Syslog All events No No No

SonicWALL UTM/Firewall/VPN Appliance 3.x and later Syslog All events Yes No No

Sophos Sophos Astaro Security Gateway 17.x Syslog All events Yes No No

Sophos Sophos Enterprise Console 4.5.1 and 5.1 Sophos Enterprise Console protocol All relevant anti-virus events No No No
JDBC protocol

Sophos Sophos PureMessage 3.1.0.0 for Microsoft Exchange JDBC Quarantined email events No No No
5.6.0 for Linux

Sophos Sophos Web Security Appliance 3.x Syslog Transaction log events Yes No No

Sourcefire Sourcefire Intrusion Sensor IS 500, 2.x, 3.x, 4.x Syslog All events Yes No No

Sourcefire Sourcefire Defense Center

(Now known as Cisco FireSIGHT Mangement Center)

Splunk MicrosoftWindows Security Event Log Windows-based event provided by Splunk All events No Yes No
Forwarders

Squid Squid Web Proxy 2.5 and later Syslog All cache and access log Yes No No
events

Startent Startent Networks Syslog All events Yes No No

Networks

STEALTHbits STEALTHbits File Activity Monitor Syslog LEEF File Activity Monitor Events
Technologies

STEALTHbits StealthINTERCEPT Syslog LEEF Active Directory Audit Events Yes No No

Technologies

STEALTHbits STEALTHbits StealthINTERCEPT Alerts Syslog LEEF Active Directory Alerts Events Yes No No
Technologies

STEALTHbits STEALTHbits StealthINTERCEPT Analytics Syslog LEEF Active Directory Analytics Yes No No
Technologies Events

Sun Sun Solaris DHCP 2.8 Syslog All events Yes Yes No

Sun Sun Solaris OS 5.8, 5.9 Syslog All events Yes Yes No

Sun Sun Solaris Sendmail 2.x Syslog All events Yes No No

Log File Protocol
Proofpoint 7.5 and 8.0 Sendmail log

Sun Sun Solaris Basic Security Mode (BSM) 5.10 and 5.11 Log File Protocol All events No Yes No

Sun Sun ONE LDAP v11.1 Log File Protocol All relevant access and LDAP No No No
events
(Known as Oracle Directory Server) UDP Multiline Syslog

Sybase Sybase ASE 15.0 and later JDBC All events No No No

Symantec Symantec Endpoint Protection 11, 12, and 14 Syslog All Audit and Security Logs Yes No Yes

Symantec Symantec SGS Appliance 3.x and later Syslog All events Yes No Yes

1660 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Symantec Symantec SSC 10.1 JDBC All events Yes No No

Symantec Symantec Data Loss Prevention (DLP) 8.x Syslog All events No No No

Symantec Symantec Encryption Management Server 3.0x Syslog All events Yes No No
formerly known as PGP Universal Server

Symark Symark PowerBroker 4.0 Syslog All events Yes No No

SysFlow is an SysFlow 1.0 Syslog Event format: JSON Yes No No

open source
Recorded event types:
project initiated
SysFlow
by IBM.

ThreatGRID Malware Threat Intelligence Platform 2.0 Log file protocol Malware events No No No
Syslog

TippingPoint Intrusion Prevention System (IPS) 1.4.2 to 3.2.x Syslog All events No No No
TippingPoint SMS 5.2.0

TippingPoint X505/X506 2.5 and later Syslog All events Yes Yes No

Top Layer IPS 5500 4.1 and later Syslog All events Yes No No

Trend Micro Trend Micro Apex Central (version 1) Syslog, TLS syslog Event format: CEF Yes No No
Event types:
Attack discovery detection
logs
Behavior monitoring logs
C&C callback logs
Content security logs
Data loss prevention logs
Device access control logs
Endpoint application control
logs
Engine update status logs
Intrusion prevention logs
Network content inspection
logs
Pattern Update Status Logs
Predictive machine learning
logs
Sandbox detection logs
Spyware/Grayware logs
Suspicious file logs
Virus/Malware logs
Web security logs

Trend Micro Trend Micro Apex One 8.x and 10.x SNMPv2 All events No No No
Formerly known as Trend Micro Office Scan. The name
remains the same in QRadar.

Trend Micro Trend Micro Control Manager 5.0 or 5.5 with hotfix 1697 SNMPv1 All events Yes No No
or hotfix 1713 after SP1 Patch 1; 6.0 and 7.0.
SNMPv2
SNMPv3

Trend Micro Trend Micro Deep Discovery Analyzer 5.0, 5.5, 5.8 and Syslog Event format: LEEF Yes No No
6.0
Events: All events

Trend Micro Trend Micro Deep Discovery Director 3.0 Syslog Event format: LEEF Yes No No
Events: Trend Micro Deep
Discovery Inspector events

Trend Micro Trend Micro Deep Discovery Email Inspector 3.0 Syslog Event format: LEEF Yes No No
Events: Detections, Virtual
Analyzer Analysis logs,
System events, Alert events

Trend Micro Trend Micro Deep Discovery Inspector 3.0 to V3.8, 5.0 Syslog Event format: LEEF Yes No No
and 5.1
Events:
Malicious content
Malicious behavior
Suspicious behavior
Exploit
Grayware
Web reputation
Disruptive application
Sandbox
Correlation
System
Update

Chapter 176. QRadar supported DSMs 1661

 Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Trend Micro Trend Micro Deep Security 9.6.1532 to 12.0 Syslog Event format: LEEF Yes No No
Events:
Anti-Malware
Deep Security
Firewall
Integrity Monitor
Intrusion Prevention
Log Inspection
System
Web Reputation

Tripwire Tripwire Enterprise Manager 5.2 and later Syslog Event format: CEF (CEF:0 is Yes No No
supported)
Event types: Resource
additions, removal, and
modification events

Tropos Tropos Control 7.7 Syslog Fault management, login/ No No No

Networks logout, provision, and device
image upload events

Trusteer Apex Local Event Aggregator 1304.x and later Syslog Malware, exploit, and data Yes No No
exfiltration detection events

Vectra Networks Vectra Networks Vectra v2.2 Syslog Host scoring, command Yes No No
and control, botnet
Important: The IBM QRadar DSM for Vectra Networks
activity, reconaissance,
Vectra is deprecated.
lateral movement, exfiltration
To continue taking advantage of this integration,
Event format: CEF (CEF:0 is
please download the Vectra Networks Vectra
supported)
DSM from the IBM Security App Exchange
website (https://exchange.xforce.ibmcloud.com/hub/
extension/47f3e9afff5e0281d6684bb633d769f2).

Verdasys Digital Guardian 6.0.x (Syslog only) Syslog Event format: LEEF Yes No No
Digital Guardian 6.1.1 and 7.2 (LEEF only) Events: All events

Vericept Content 360 up to 8.0 Syslog All events Yes No No

VMware VMware AppDefense 1.0 JSON All events No No No

VMWare AppDefense API protocol

VMware Carbon Black App Control 8.0.x to 8.5.x Syslog Event format: LEEF Yes Yes No
(Formerly known as Carbon Black Protection) Event types: computer
management, server
management, session
management, policy
management, policy
enforcement, internal events,
general management,
discovery

VMware VMware ESX or ESXi 3.x, 4.x, 5.x and 6.x Syslog Account Information Yes if syslog No No
EMC VMware protocol Notice
Warning
Error
System Informational
System Configuration
System Error
User Login
Misc Suspicious Event
Access Denied
License Expired
Information
Authentication
Session Tracking

VMware VMware vCenter v5.x and v6.x EMC VMware protocol Account Information No No No
Notice
Warning
Error
System Informational
System Configuration
System Error
User Login
Misc Suspicious Event
Access Denied
License Expired
Information
Authentication
Session Tracking

VMware VMware vCloud Director 5.1 - 10.0 VMware vCloud Director protocol All events No Yes No

VMware VMware vShield Syslog All events Yes No No

1662 IBM QRadar : QRadar DSM Configuration Guide

Table 1048. QRadar Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and Auto Includes Includes
formats discovered? identity? custom
properties?

Vormetric, Inc. Vormetric Data Security Syslog (LEEF) Audit Yes No No

Alarm
Warn
Learn Mode
System

Watchguard WatchGuard Fireware OS Syslog All events Yes No No

Websense
(now known as
Forcepoint)

Zscaler Zscaler Nanolog Streaming Service (Zscaler NSS) 6.0 Syslog Event format: LEEF Yes No No
HTTP receiver Event types: Web log events,
Firewall events (including
Important: When you use the HTTP receiver
DNS)
protocol with Zscaler NSS, you need a
certificate that is issued by a certificate
authority (CA). It can't be a self-signed
certificate because it must be validated by a
CA. For more information about certificates
and configuring the log source parameters for
HTTP receiver, see HTTP Receiver protocol
configuration options.

Zscaler Zscaler Private Access Syslog Event format: LEEF Yes No No

Event types: User Status, App
Connector Status, Audit, User
Activity

Chapter 176. QRadar supported DSMs 1663