Integrating IBM QRadar SIEM

This integration enables the Delinea Platform to forward JSON-formatted event logs to IBM QRadar SIEM using HTTPS webhooks. Logs are received by QRadar through an HTTP Receiver log source and parsed using a Universal DSM and Log Source Extension (LSX), allowing administrators to search and review Delinea Platform events in QRadar.

Benefits

This integration offers the following benefits:

  • Forwards Delinea Platform events to IBM QRadar SIEM.

  • Enables parsing of Delinea webhook JSON payloads in QRadar.

  • Allows searching of Delinea events by event name, username, and related fields.

Prerequisites

Integrating IBM QRadar SIEM with the Delinea Platform requires the following:

Delinea Platform

  • The Delinea Platform is properly provisioned and configured in your environment.

  • You have administrator permissions for managing webhooks in the Delinea Platform.

IBM QRadar

  • You have a QRadar instance with permissions to create incoming webhooks.

  • Admin access to the QRadar Console

  • HTTP Receiver log source capability (port open, TLS if required)

  • Access to DSM Editor and Log Source Extension (LSX)

Configuration

To enable the integration between IBM QRadar SIEM and the Delinea Platform, complete the following steps.

Step 1: Create an HTTP Receiver Log Source in QRadar

  1. Log in to the QRadar Console.

  2. Navigate to Admin > Log Sources > Add.

  3. Configure the log source with the following settings:

    1. Log Source Type: Universal DSM

    2. Protocol: HTTP Receiver

    3. Port: 12435 (example)

    4. Method: POST

    5. Coalescing: Off

  4. Save the log source.

  5. Copy the generated REST endpoint, for example: https://<qradar-ip>:12435.

Step 2: Configure a Webhook in the Delinea Platform

  1. In the Delinea Platform, navigate to Settings > General settings > Webhooks.

  2. Click Create Webhook.

  3. On the Create Webhook page, complete the following fields:

    • Name: Forward to IBM QRadar SIEM

    • Target: Paste the webhook URL copied from IBM QRadar SIEM

    • Description: Optional (for example, “Forwards audit events to IBM QRadar SIEM”)

    • Webhook State: Enabled

  4. Under Triggers, select the service(s) and event levels (Info, Warning, Error) to forward.

  5. (Optional) If authentication is required, add a custom header:

    • Key: Authorization

    • Value: Bearer

  6. Click Save to complete the configuration.

Step 3: Validate Event Data

  1. In the Delinea Platform, go to Settings > General settings > Webhooks.

  2. Select the QRadar webhook.

  3. Click View Webhook Logs.

  4. Select a log entry and click View Payload.

Example Delinea Webhook Payload

{
  "event_type": "SecretAccessed",
  "service": "Secret Management",
  "level": "info",
  "details": {
    "user": "frank",
    "secret_id": "A1B2C3",
    "timestamp": "2025-09-16T16:55:00Z"
  }
}

This payload is sent to QRadar via the HTTP Receiver and parsed using a Universal DSM with a Log Source Extension (LSX).

Step 4: Create and Configure a Log Source Extension (LSX)

Create the Log Source Extension

  1. In QRadar, navigate to Admin > Log Source Extensions > Create.

  2. Select Universal DSM.

  3. Choose JSON as the file type.

  4. Upload a sample Delinea webhook JSON payload.

  5. Save the LSX.

Map JSON Fields to QRadar Properties

Example field mapping:

Delinea JSON Field  QRadar Field
eventType           Event Name
user                Username
secretId            Object
timestamp           Start Time
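
The mapping above names fields as eventType and secretId, while the example payload in Step 3 carries event_type at the top level and user, secret_id and timestamp nested under details. The following is an added example (not Delinea or IBM code) of a check to run before deploying the LSX: it compares a captured payload against the field mapping and reports which mapped fields are spelled or nested differently. The helper names flatten and check_mapping are hypothetical; the sample data is copied from this page.

```python
# Example payload exactly as shown in Step 3 of this page.
SAMPLE_PAYLOAD = {
    "event_type": "SecretAccessed", "service": "Secret Management", "level": "info",
    "details": {"user": "frank", "secret_id": "A1B2C3",
                "timestamp": "2025-09-16T16:55:00Z"},
}

# Example field mapping from this page: JSON field -> QRadar property.
FIELD_MAPPING = {"eventType": "Event Name", "user": "Username",
                 "secretId": "Object", "timestamp": "Start Time"}

def flatten(obj, prefix=""):
    """Return {dotted.path: value} for every leaf of a nested JSON object."""
    leaves = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            leaves.update(flatten(value, path))
        else:
            leaves[path] = value
    return leaves

def _norm(name):
    # Ignore case and underscores so event_type and eventType compare equal.
    return name.replace("_", "").lower()

def check_mapping(payload, mapping):
    """Map each field to (status, payload_path, qradar_property).

    status is "exact" (path matches as written), "relocated" (same leaf name
    under a different spelling or nesting) or "missing".
    """
    leaves = flatten(payload)
    report = {}
    for field, prop in mapping.items():
        hits = [p for p in leaves if _norm(p.rsplit(".", 1)[-1]) == _norm(field)]
        if field in leaves:
            report[field] = ("exact", field, prop)
        elif hits:
            report[field] = ("relocated", hits[0], prop)
        else:
            report[field] = ("missing", None, prop)
    return report

if __name__ == "__main__":
    report = check_mapping(SAMPLE_PAYLOAD, FIELD_MAPPING)
    for field, (status, path, prop) in report.items():
        print(f"{prop:<11} <- {field:<10} {status:<9} {path or '-'}")
```

Run against the example data, every mapped field comes back as relocated (eventType resolves to event_type, secretId to details.secret_id), so the mapping should use the paths that View Payload actually shows for your events.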

Assign the LSX to the Log Source

  1. Navigate to Admin > Log Sources.

  2. Edit the HTTP Receiver log source.

  3. Assign the LSX.

  4. Deploy the changes.

Verification

To verify that the integration works:

  1. In the Delinea Platform, click Verify Webhook or trigger an event.

  2. In QRadar, navigate to Log Activity > Search.

  3. Search by Event Name or Username.

  4. Confirm that:

    • Events are received in QRadar.

    • JSON fields are parsed correctly.

    • Fields are searchable.

Troubleshooting

The following table provides troubleshooting guidance for common issues you may encounter when integrating the Delinea Platform with IBM QRadar SIEM.

Issue                     Cause                                                    Solution
Events not arriving       Firewall or port issue, incorrect webhook URL            Check firewall settings, verify QRadar HTTP Receiver port, confirm webhook URL
JSON not parsed           LSX not assigned or deployed, mismatched JSON structure  Ensure LSX is assigned and deployed, validate JSON matches LSX sample
TLS / certificate issues  Untrusted or missing certificate                         Import a trusted certificate into QRadar, use HTTPS if required
Event duplication         Coalescing enabled                                       Disable coalescing for the HTTP Receiver log source