IBM QRadar Integration
Forward database audit events to IBM QRadar SIEM for enterprise-grade security monitoring. Leverage QRadar's advanced correlation engine and threat intelligence for comprehensive database security.
Advanced Correlation
Correlate database events with network, endpoint, and identity data for comprehensive threat detection.
Offense Management
Automatically create offenses from database security incidents for SOC investigation.
AQL Queries
Analyze database activity using Ariel Query Language for deep forensic investigation.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "qradar-prod") |
| provider | select | Yes | qradar | SIEM provider - select "IBM QRadar" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| console_url | string | Yes | - | QRadar Console URL (e.g., "https://qradar.example.com") |
| api_token | password | Yes | - | QRadar API token with event ingestion permissions |
2 QRadar-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| log_source_id | string | No | - | Log source identifier for event routing (auto-created if not specified) |
| log_source_type | string | No | Universal LEEF | Log source type in QRadar |
| verify_ssl | boolean | No | true | Verify QRadar server SSL certificate |
| use_syslog | boolean | No | false | Send events via syslog instead of API |
| syslog_host | string | No | - | Syslog receiver hostname (if use_syslog is true) |
| syslog_port | number | No | 514 | Syslog receiver port |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
Create API Token
Create an authorized service token in QRadar for DB Audit integration.
```text
# Create API token via QRadar Console:
# 1. Log in to QRadar Console
# 2. Navigate to Admin → Authorized Services
# 3. Click "Add Authorized Service"
# 4. Enter a name (e.g., "DBaudit Integration")
# 5. Select "Admin" role or create custom role with required permissions
# 6. Copy the generated token
# Required API permissions:
# - eventcollector - For event ingestion
# - logsources - For log source management (optional)
```
Test API Connection
Verify the API token works by querying the QRadar system info.
```bash
# Test QRadar API connectivity
curl -X GET "https://qradar.example.com/api/system/about" \
  -H "SEC: YOUR_API_TOKEN" \
  -H "Accept: application/json"
```
Expected response:
```json
{
  "build_version": "7.5.0",
  "external_version": "7.5.0",
  ...
}
```
Configure in DB Audit
Add the IBM QRadar integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select IBM QRadar as the provider
- Enter your QRadar console URL and API token
- Configure log source settings (or let DB Audit auto-create)
- Select event types to forward
- Test the connection and save
Create Custom Rules (Optional)
Create offense rules to detect suspicious database activity.
```text
# Create custom offense rule for suspicious database activity
# Navigate to: Offenses → Rules → Actions → New Event Rule
Rule Name: Suspicious Database Data Exfiltration
Rule Description: Detects queries returning large amounts of data
# Test conditions:
when the event(s) were detected by one or more of DB Audit
and when any of rowsAffected is greater than 10000
and when any of action is one of the following SELECT
# Rule response:
Create an offense indexed on username, sourceip
Set offense name to "Potential Data Exfiltration - %username%"
Set offense severity to High
```
Event Format (LEEF)
Events are sent to QRadar in LEEF (Log Event Extended Format) for optimal parsing and correlation. The sample below is shown one attribute per line for readability; on the wire a LEEF event is a single line, with attributes separated by the delimiter declared in the header (a tab when none is declared).
```text
LEEF:2.0|DBaudit|DBaudit|1.0|audit_event|
devTime=Jan 15 2024 10:30:45|
devTimeFormat=MMM dd yyyy HH:mm:ss|
sev=5|
cat=Database Audit|
src=10.0.1.50|
dst=db.example.com|
usrName=app_user|
srcPort=45678|
dstPort=5432|
proto=TCP|
action=SELECT|
object=customers|
schema=public|
dbType=postgresql|
dbName=production-postgres|
rowsAffected=1500|
statement=SELECT * FROM customers WHERE...|
containsPII=true|
dataTypes=email,phone
```
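As an added example (not DB Audit's or QRadar's own code), the following Python serialises a record shaped like the sample above into a single LEEF 2.0 line, parses it back, and applies the same rowsAffected/SELECT test as the custom offense rule from the Setup section. The `^` delimiter, the value-cleaning policy and the sample values are assumptions made for the example.

```python
from datetime import datetime

HEADER_PREFIX = "LEEF:2.0|DBaudit|DBaudit|1.0"  # vendor/product/version from the page
DELIM = "^"  # assumption: attribute delimiter declared in the LEEF 2.0 header
TIME_FORMAT = "MMM dd yyyy HH:mm:ss"  # devTimeFormat value used on the page

def _clean(value) -> str:
    # Example policy (an assumption): replace the delimiter, pipes and control
    # characters so a crafted SQL statement cannot inject extra key=value pairs.
    bad = set(DELIM + "|\r\n\t")
    return "".join(c if c not in bad and c.isprintable() else " " for c in str(value))

def to_leef(event_id: str, when: datetime, attrs: dict) -> str:
    """Serialise one audit record as a single LEEF 2.0 line."""
    fields = {"devTime": when.strftime("%b %d %Y %H:%M:%S"), "devTimeFormat": TIME_FORMAT}
    fields.update(attrs)
    body = DELIM.join(f"{k}={_clean(v)}" for k, v in fields.items())
    return f"{HEADER_PREFIX}|{_clean(event_id)}|{DELIM}|{body}"

def parse_leef(line: str) -> tuple:
    """Split a LEEF 2.0 line into (header dict, attribute dict)."""
    parts = line.split("|", 6)  # 5 header pipes + the one that ends the delimiter field
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 line with a delimiter field")
    header = dict(zip(("format", "vendor", "product", "version", "event_id", "delimiter"), parts))
    delim = header["delimiter"] or "\t"  # an empty delimiter field means tab
    attrs = {}
    for pair in parts[6].split(delim):
        key, _, val = pair.partition("=")  # split on the first '=' only
        if key:
            attrs[key] = val
    return header, attrs

def is_exfil_candidate(attrs: dict, row_threshold: int = 10000) -> bool:
    """Same test as the page's 'Suspicious Database Data Exfiltration' rule."""
    try:
        rows = int(attrs.get("rowsAffected", "0"))
    except ValueError:
        return False
    return attrs.get("action") == "SELECT" and rows > row_threshold

# Constructed sample modelled on the event above; the statement deliberately contains '^'.
SAMPLE = {
    "sev": 5, "cat": "Database Audit", "src": "10.0.1.50", "dst": "db.example.com",
    "usrName": "app_user", "dstPort": 5432, "action": "SELECT", "object": "customers",
    "dbType": "postgresql", "dbName": "production-postgres", "rowsAffected": 15000,
    "containsPII": "true", "statement": "SELECT * FROM customers WHERE 1=1 ^cat=x",
}
SAMPLE_LINE = to_leef("audit_event", datetime(2024, 1, 15, 10, 30, 45), SAMPLE)
```

Parsing `SAMPLE_LINE` back yields `cat=Database Audit`, not the `cat=x` embedded in the statement, which is the property the cleaning step exists to protect.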
Sample AQL Queries
Use these Ariel Query Language (AQL) queries to analyze DB Audit events in QRadar.
```sql
-- Query DB Audit events
SELECT * FROM events
WHERE LOGSOURCENAME(logsourceid) = 'DB Audit'
ORDER BY starttime DESC
LAST 24 HOURS

-- Filter by severity
SELECT * FROM events
WHERE LOGSOURCENAME(logsourceid) = 'DB Audit'
AND severity >= 5
LAST 24 HOURS

-- Find large data access
SELECT username, sourceip, COUNT(*) AS query_count
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'DB Audit'
AND "rowsAffected" > 10000
GROUP BY username, sourceip
LAST 24 HOURS

-- Failed authentication attempts
SELECT sourceip, COUNT(*) AS failures
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'DB Audit'
AND eventid = 'auth_failure'
GROUP BY sourceip
HAVING COUNT(*) > 5
LAST 1 HOURS
```
Troubleshooting
API authentication failed (401)
Verify the API token is correct and not expired. Check that the authorized service is enabled in QRadar.
Events not appearing in QRadar
Check the log source status in Admin → Log Sources. Ensure the event collector is processing events.
Log source not auto-created
Manually create a log source with type "Universal LEEF" and configure DB Audit with the log source ID.
SSL certificate error
Either install the QRadar CA certificate on the DB Audit server, or set verify_ssl to false (not recommended for production).