IBM QRadar Integration
Integrate TigerAccess with IBM QRadar for enterprise-grade SIEM and security intelligence. Export privileged access events in LEEF format, create custom offenses, and leverage QRadar's correlation engine to detect and respond to security threats targeting your critical infrastructure.
Enterprise SIEM Integration
Connect privileged access management with enterprise security intelligence and threat detection.
LEEF Log Format
Native support for Log Event Extended Format (LEEF) ensuring seamless integration with QRadar log sources.
Real-Time Events
Stream privileged access events to QRadar in real-time via syslog or direct API integration.
Offense Mapping
Automatically create QRadar offenses from TigerAccess security alerts and anomalous access patterns.
SOAR Integration
Integrate with QRadar SOAR for automated incident response and access revocation workflows.
Comprehensive QRadar Features
TigerAccess Events in QRadar
Comprehensive mapping of TigerAccess events to QRadar LEEF format with suggested offense rules.
| TigerAccess Event | LEEF Fields | Suggested Offense |
|---|---|---|
| user.login | devTime, src, suser, realm, authMethod, mfa | Failed authentication attempts |
| session.start | devTime, src, suser, dst, dstPort, proto, sessionID | Unusual session patterns |
| session.command | devTime, suser, dst, command, exitCode, sessionID | Dangerous command execution |
| access.request | devTime, suser, resource, requestID, duration, reason | Unusual access requests |
| access.denied | devTime, suser, resource, reason, riskScore | Multiple access denials |
| certificate.issued | devTime, suser, certType, ttl, principals, extensions | Suspicious certificate activity |
| ai.agent.action | devTime, agentID, action, resource, outcome, rateLimit | AI agent anomalies |
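The table above fixes which attributes each event carries. As an added example (not TigerAccess's own exporter), the following Python builds LEEF 2.0 records for those event types, rejects an event that is missing a required attribute, escapes the characters LEEF reserves so a user-controlled command line cannot break or inject a record, and wraps the result in a syslog header. The vendor/product/version header strings, the `^` delimiter, the hostname and the sample events are assumptions.

```python
"""LEEF 2.0 encoder for the TigerAccess event types in the table above.

Added example, not TigerAccess code. The header strings, the '^' delimiter,
the hostname and the sample events are assumptions.
"""
from datetime import datetime, timezone

VENDOR, PRODUCT, VERSION = "TigerAccess", "TigerAccess", "1.0"   # assumed header values
DELIM = "^"   # explicit LEEF 2.0 attribute delimiter (tab is the default when the field is omitted)
SAMPLE_TIME = datetime(2025, 1, 5, 14, 3, 22, tzinfo=timezone.utc)   # fixed time for the demo

# Required attributes per event, taken from the mapping table on this page.
REQUIRED = {
    "user.login":         ["devTime", "src", "suser", "realm", "authMethod", "mfa"],
    "session.start":      ["devTime", "src", "suser", "dst", "dstPort", "proto", "sessionID"],
    "session.command":    ["devTime", "suser", "dst", "command", "exitCode", "sessionID"],
    "access.request":     ["devTime", "suser", "resource", "requestID", "duration", "reason"],
    "access.denied":      ["devTime", "suser", "resource", "reason", "riskScore"],
    "certificate.issued": ["devTime", "suser", "certType", "ttl", "principals", "extensions"],
    "ai.agent.action":    ["devTime", "agentID", "action", "resource", "outcome", "rateLimit"],
}


def _header_field(value):
    """'|' separates header fields, so a value containing one cannot be emitted safely."""
    if "|" in value:
        raise ValueError("pipe is reserved in LEEF header fields")
    return value


def _attr_value(value):
    """Escape '=' (key/value separator), the delimiter and the escape character itself.

    Newlines are flattened so one event stays one syslog record: an attacker-chosen
    command line must not be able to smuggle a second record into the log source.
    """
    s = str(value).replace("\\", "\\\\").replace("=", "\\=").replace(DELIM, "\\" + DELIM)
    return s.replace("\r", " ").replace("\n", " ")


def to_leef(event_id, attrs, when=None):
    """Return one LEEF 2.0 record; devTime and devTimeFormat are added so QRadar parses the time."""
    if event_id not in REQUIRED:
        raise ValueError(f"unknown TigerAccess event type: {event_id}")
    when = when or datetime.now(timezone.utc)
    attrs = dict(attrs, devTime=when.strftime("%b %d %Y %H:%M:%S"),
                 devTimeFormat="MMM dd yyyy HH:mm:ss")
    missing = [k for k in REQUIRED[event_id] if k not in attrs]
    if missing:
        raise ValueError(f"{event_id} is missing {missing}")
    header = "|".join(["LEEF:2.0", VENDOR, PRODUCT, VERSION, _header_field(event_id), DELIM])
    body = DELIM.join(f"{k}={_attr_value(v)}" for k, v in attrs.items())
    return header + "|" + body


def syslog_frame(record, hostname="tigeraccess-01", when=None, facility=1, severity=6):
    """Prefix an RFC 3164 header; PRI = facility*8 + severity, so user/info gives <14>.

    The hostname must match the QRadar Log Source Identifier, otherwise the events
    land in an auto-discovered log source instead of the one you configured.
    """
    when = when or datetime.now(timezone.utc)
    return f"<{facility * 8 + severity}>{when.strftime('%b %d %H:%M:%S')} {hostname} {record}"


if __name__ == "__main__":
    # Constructed samples: a denied request, and a command containing reserved characters.
    print(syslog_frame(to_leef("access.denied", {"suser": "alice", "resource": "prod-db",
                                                 "reason": "no approval", "riskScore": 85},
                               when=SAMPLE_TIME), when=SAMPLE_TIME))
    print(to_leef("session.command", {"suser": "bob", "dst": "10.0.0.5", "command": "export X=1^2",
                                      "exitCode": 0, "sessionID": "s-1"}, when=SAMPLE_TIME))
```

Run it directly to print the two sample records. `devTimeFormat` is what lets QRadar take the event time from `devTime` rather than from the collector's arrival time, which matters when events are buffered or replayed.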
Integration Setup Guide
Follow these steps to integrate TigerAccess with your QRadar deployment.
Configure Log Source
Create a new log source in QRadar for TigerAccess using the custom DSM or the Universal DSM with LEEF parsing. The Log Source Identifier must match the hostname or IP that TigerAccess places in the syslog header; if it does not, QRadar attributes the events to an auto-discovered log source rather than this one.
# QRadar Log Source Configuration
Log Source Type: Syslog
Protocol: UDP
Port: 514
Log Source Identifier: TigerAccess
DSM: Custom DSM (TigerAccess)
Format: LEEF 2.0
UDP on port 514 is the quickest way to see events flowing, but it sends privileged-access audit records in the clear with no delivery guarantee. For production, use the TLS Syslog protocol (QRadar listens on port 6514 by default), which TigerAccess also supports.
Enable LEEF Export
Configure TigerAccess to export audit events in LEEF format to your QRadar log collector.
# TigerAccess QRadar Configuration
tacctl integrations add qradar \
--host=qradar.company.com \
--port=514 \
--protocol=udp \
--format=leef \
--event-types=session,access,auth,admin
Create Custom Properties
Map TigerAccess fields to QRadar custom properties for advanced searching and correlation. Define riskScore as a numeric property so rules and searches can compare it (riskScore greater than 80, for example) instead of matching it as text.
# QRadar Custom Property Examples
privilegedAccessUser -> Custom Text Property
targetResource -> Custom Text Property
sessionID -> Custom Text Property
accessRequestID -> Custom Text Property
riskScore -> Custom Numeric Property
aiAgentID -> Custom Text Property
Configure Offense Rules
Create QRadar rules to detect suspicious privileged access patterns and generate offenses. "AccessDenied" below is the QRadar event name your DSM assigns to the LEEF EventID access.denied; if you used the Universal DSM, confirm the name in Log Activity before relying on it in a rule. As written, the rule counts denials across all users; to catch a single account being hammered without being set off by unrelated noise, add the test that requires the events to share the same Username (suser).
# Example QRadar Rule: Multiple Failed Access Attempts
when the event(s) match all of the following:
- Event Name is "AccessDenied"
- Log Source is "TigerAccess"
and the number of events is at least 5
in 5 minutes
Create an offense with:
- Severity: 7 (High)
- Category: Suspicious Activity
- Description: Multiple failed privileged access attempts
Verify Integration
Test the integration by performing a privileged access operation and verifying the event appears in QRadar.
# Perform a test access
tac ssh user@production-server
# Search in QRadar
Log Activity -> Search:
- Log Source: TigerAccess
- Event Name: SessionStart
- Time Range: Last 5 minutes
If nothing appears, first confirm the packets reach the QRadar collector (for example with tcpdump on the configured port), then check whether the events were parsed into a different, auto-discovered log source, and only then revisit the DSM mapping.
QRadar Integration Scenarios
Privileged Access Monitoring
Correlate TigerAccess events with network traffic, system logs, and threat intelligence to detect anomalous privileged access patterns and insider threats.
Compliance Reporting
Generate comprehensive compliance reports combining TigerAccess audit logs with QRadar analytics for SOC 2, PCI DSS, HIPAA, and GDPR requirements.
Threat Correlation
Leverage QRadar's correlation engine to connect privileged access events with indicators of compromise, malware detections, and network anomalies.
Automated Response
Configure QRadar offenses to trigger automated workflows that revoke access, isolate systems, or escalate incidents based on TigerAccess events.
Frequently Asked Questions
What log format does TigerAccess use for QRadar?
TigerAccess exports events in Log Event Extended Format (LEEF) 2.0, which is natively supported by QRadar. LEEF provides structured key-value pairs that QRadar can parse and normalize automatically.
Can I create custom QRadar offenses based on TigerAccess events?
Yes. TigerAccess events include rich metadata like user identity, target resource, session details, and risk scores. You can create custom QRadar rules and building blocks to correlate these events and trigger offenses based on your security policies.
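As an added example that is neither QRadar's rule engine nor TigerAccess code, here is the offense rule from the setup guide above run in Python over constructed syslog/LEEF lines: it parses the LEEF 2.0 record (honouring escaped `=` and delimiter characters), keeps only events whose product is TigerAccess and whose event ID is `access.denied`, counts them in a sliding five-minute window and emits the severity, category and description the rule specifies. Keying the window by `suser` and carrying the highest `riskScore` in the burst are refinements of the page's rule, which counts all denials together; the hostnames, usernames, timestamps and the foreign-vendor line are constructed.

```python
"""Run the offense rule from the setup guide over constructed LEEF lines.

Added example, not QRadar or TigerAccess code. Hostnames, users and timestamps
are constructed; keying the window by suser refines the page's rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# LEEF 2.0 header with the optional delimiter field, and the 5-field (tab-delimited) form.
LEEF6 = re.compile(r"LEEF:2\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
LEEF5 = re.compile(r"LEEF:2\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

def _parse_body(body, delim):
    """Split key=value pairs in one pass, honouring backslash escapes of '=', the delimiter and '\\'."""
    attrs, key, buf, in_key, i = {}, None, [], True, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            buf.append(body[i + 1])
            i += 2
            continue
        if in_key and c == "=":
            key, buf, in_key = "".join(buf), [], False
        elif c == delim:
            if key is not None:
                attrs[key] = "".join(buf)
            key, buf, in_key = None, [], True
        else:
            buf.append(c)
        i += 1
    if key is not None:
        attrs[key] = "".join(buf)
    return attrs

def parse_leef(line):
    """Return {vendor, product, version, event, attrs} or None; any syslog prefix is skipped."""
    m = LEEF6.search(line)
    if m:
        vendor, product, version, event, delim, body = m.groups()
        delim = delim or "\t"
        if re.fullmatch(r"x[0-9a-fA-F]{2}", delim):   # hex form, e.g. x09 for tab
            delim = chr(int(delim[1:], 16))
    else:
        m = LEEF5.search(line)
        if not m:
            return None
        vendor, product, version, event, body = m.groups()
        delim = "\t"
    return {"vendor": vendor, "product": product, "version": version,
            "event": event, "attrs": _parse_body(body, delim)}

WINDOW, THRESHOLD = timedelta(minutes=5), 5   # "at least 5 events in 5 minutes"

def detect_access_denied(lines):
    """Emit one offense per burst of >= THRESHOLD access.denied events by one user inside WINDOW."""
    offenses, recent = [], defaultdict(deque)
    for line in lines:
        ev = parse_leef(line)
        if not ev or ev["product"] != "TigerAccess" or ev["event"] != "access.denied":
            continue
        a = ev["attrs"]
        t = datetime.strptime(a["devTime"], "%b %d %Y %H:%M:%S")
        q = recent[a["suser"]]
        q.append((t, int(a.get("riskScore", 0))))   # riskScore treated as a numeric property
        while q and t - q[0][0] > WINDOW:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            offenses.append({"severity": 7, "category": "Suspicious Activity",
                             "description": "Multiple failed privileged access attempts",
                             "suser": a["suser"], "count": len(q),
                             "max_risk_score": max(r for _, r in q), "last_seen": t})
            q.clear()                              # one offense per burst, not one per extra event
    return offenses

def _denied(ts, user, score):
    """Constructed access.denied record, syslog-framed the way the export step above sends it."""
    return (f"<14>{ts[:6]} {ts[-8:]} tigeraccess-01 LEEF:2.0|TigerAccess|TigerAccess|1.0|access.denied|^|"
            f"devTime={ts}^devTimeFormat=MMM dd yyyy HH:mm:ss^suser={user}^resource=prod-db^"
            f"reason=no approval^riskScore={score}")

SAMPLE_LINES = [
    _denied("Jan 05 2025 14:00:00", "alice", 60),
    _denied("Jan 05 2025 14:00:10", "bob", 20),
    _denied("Jan 05 2025 14:01:00", "alice", 70),
    _denied("Jan 05 2025 14:00:20", "bob", 25),
    "<14>Jan 05 14:01:30 tigeraccess-01 LEEF:2.0|TigerAccess|TigerAccess|1.0|session.start|^|"
    "devTime=Jan 05 2025 14:01:30^suser=alice^src=10.1.1.9^dst=10.0.0.5^dstPort=22^proto=ssh^sessionID=s-1",
    _denied("Jan 05 2025 14:02:00", "alice", 80),
    "<14>Jan 05 14:02:05 fw-1 LEEF:2.0|OtherVendor|Firewall|2.0|access.denied|^|"
    "devTime=Jan 05 2025 14:02:05^suser=alice",    # same event ID, different product: ignored
    _denied("Jan 05 2025 14:03:00", "alice", 90),
    _denied("Jan 05 2025 14:04:00", "alice", 95),  # fifth alice denial inside 5 minutes -> offense
    _denied("Jan 05 2025 14:04:30", "alice", 40),  # starts a fresh window, no second offense
]

if __name__ == "__main__":
    for offense in detect_access_denied(SAMPLE_LINES):
        print(offense)
```

Running it produces a single offense for alice with a count of 5 and a maximum risk score of 95; bob's two denials and the firewall's `access.denied` never reach the threshold. The `q.clear()` after an offense is the local stand-in for QRadar's own offense deduplication, so a sustained burst does not raise one offense per additional event.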
How does TigerAccess integrate with QRadar SOAR?
TigerAccess provides REST APIs that QRadar SOAR playbooks can call to revoke access, lock users, or terminate sessions in response to security incidents. You can also use webhooks to trigger SOAR playbooks when TigerAccess detects anomalies.
Does TigerAccess support QRadar reference sets?
Yes. You can configure TigerAccess to populate QRadar reference sets with lists like privileged users, crown jewel resources, or AI agents. These reference sets can be used in correlation rules for more precise threat detection.
What network protocols are supported for log forwarding?
TigerAccess supports syslog over UDP (default), TCP, and TLS. UDP is unencrypted and drops events silently under load, so use TLS for production forwarding of privileged-access audit records. You can also use the QRadar Log Source REST API for direct event submission.
Can I correlate TigerAccess sessions with network flows?
Yes. TigerAccess events include source IP, destination IP, and port information that QRadar can correlate with network flows from switches, firewalls, and IDS/IPS systems to build a complete picture of privileged access activity.
Ready to Secure Your Infrastructure?
Join thousands of security-conscious teams using TigerAccess to protect their critical infrastructure and AI agents.
No credit card required • 14-day free trial • Enterprise support available