Introduction to QRadar integration
The Centrify for QRadar Integration Guide helps Centrify customers integrate event data from Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service with QRadar.
You can leverage the Centrify Add-on for QRadar to normalize Centrify events in QRadar.
This integration guide applies to the following QRadar versions and Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service releases:
QRadar Versions | Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service Releases
7.2.8 and above | 2016, 2016.1, 2016.2, 2017, 2017.1, 2017.2, 2017.3
QRadar Components
The following diagram illustrates the QRadar components that interact with the Centrify Add-on for QRadar:
Important Information About This Guide
Some sections in this document apply to:
- Windows installations only
- *Nix installations only
- All operating systems
In cases where different steps are required for Windows versus *Nix, two separate sections are provided, one for each operating system (OS). In those sections that only pertain to *Nix, Linux examples are used. If you use a different *Nix OS, see the documentation for your system for more information.
WinCollect Agent
The WinCollect agent collects Centrify audit trail events from the Windows machine and forwards them to the QRadar Console. You can download the WinCollect agent from IBM Fix Central at:
https://www.945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+SIEM&fixids=7.2.0-QRADAR-wincollect-7.2.5-27.x64.exe&source=dbluesearch&function=fixId&parent=IBM%20Security
Syslog Daemon
The syslog daemon on the Linux (or other *Nix) host collects Centrify audit trail events from that machine and forwards them to the QRadar Console.
Centrify Infrastructure Services Device Support Module (DSM)
The Centrify Infrastructure Services DSM (formerly the Centrify Server Suite DSM) is the QRadar parsing module that recognizes and normalizes Centrify events on the QRadar Console. You can get this DSM from: https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/c_dsm_guide_Centrify_Server_Suite_overview.html
Centrify Add-on for QRadar
The Centrify Add-on for QRadar (in CentrifyForQRadar.zip) consists of approximately 120 Custom Event Properties (CEPs), each of which extracts one field (for example the user, client address, command or status) from the Centrify audit trail events so that it can be used in QRadar searches, rules and reports. You can get the Centrify Add-on for QRadar from the Centrify web site.
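To make concrete what the add-on's Custom Event Properties extract from the audit trail events that WinCollect or the syslog daemon forward, the following Python is an added example and is not code from the Centrify guide or from the add-on itself. It assumes the pipe-delimited AUDIT_TRAIL layout (AUDIT_TRAIL|Centrify Suite|category|version|event ID|event name|severity|key=value pairs); the three syslog lines it parses are constructed for the example, not captured from a real host, and the function and field names (parse_audit_trail, summarize, AuditTrailEvent) are the example's own.

```python
"""Parse Centrify audit trail events field by field, as QRadar custom event properties do.

Added example; not from the Centrify guide or the Centrify Add-on for QRadar.
Assumed event layout (an assumption of this example):
  AUDIT_TRAIL|Centrify Suite|<category>|<version>|<event id>|<event name>|<severity>|<key=value ...>
"""
import re
from dataclasses import dataclass, field

# Constructed sample events (not real captures): a PAM login, a dzdo command, a failed login.
SAMPLE_EVENTS = [
    "Sep 12 10:15:32 lnx01 adclient[2211]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|"
    "PAM authentication granted|5|user=alice(type:ad,alice@example.com) pid=2211 "
    "utc=1505211332000 centrifyEventID=24100 status=SUCCESS service=sshd tty=ssh "
    "client=10.0.0.25",
    "Sep 12 10:16:01 lnx01 dzdo[2250]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Commands|1.0|100|"
    "dzdo granted|5|user=alice(type:ad,alice@example.com) pid=2250 utc=1505211361000 "
    "centrifyEventID=30100 status=SUCCESS service=dzdo command=/bin/cat /etc/shadow "
    "runas=root role=sysadmin/Global",
    "Sep 12 10:16:40 lnx01 adclient[2211]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|"
    "PAM authentication denied|3|user=bob pid=2211 utc=1505211400000 centrifyEventID=24101 "
    "status=FAILURE service=sshd tty=ssh client=203.0.113.9 reason=Bad password",
]

# The pipe-delimited header; everything after the seventh pipe is key=value payload.
HEADER_RE = re.compile(
    r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<category>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<event_id>\d+)\|(?P<event_name>[^|]*)\|(?P<severity>\d+)\|(?P<fields>.*)$"
)
# Split pairs only on a space that is followed by another key=.  A plain split on spaces
# would break values with embedded spaces such as "command=/bin/cat /etc/shadow".
PAIR_SPLIT_RE = re.compile(r" (?=[A-Za-z][A-Za-z0-9_]*=)")
# "user=alice(type:ad,alice@example.com)" carries account type and principal in parentheses;
# a bare "user=bob" has neither.
USER_RE = re.compile(r"^(?P<name>[^(]+)(?:\((?:type:(?P<type>[^,)]+))?,?(?P<principal>[^)]*)\))?$")


@dataclass
class AuditTrailEvent:
    category: str
    event_id: int
    event_name: str
    severity: int
    fields: dict = field(default_factory=dict)
    user: str = ""
    user_type: str = ""
    user_principal: str = ""


def parse_audit_trail(line: str):
    """Return an AuditTrailEvent for a syslog line, or None if it carries no AUDIT_TRAIL payload."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {}
    for pair in PAIR_SPLIT_RE.split(m.group("fields")):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    ev = AuditTrailEvent(
        category=m.group("category"),
        event_id=int(m.group("event_id")),
        event_name=m.group("event_name"),
        severity=int(m.group("severity")),
        fields=fields,
    )
    um = USER_RE.match(fields.get("user", ""))
    if um:
        ev.user = um.group("name")
        ev.user_type = um.group("type") or ""
        ev.user_principal = um.group("principal") or ""
    return ev


def summarize(lines):
    """Count events per (category, status), the pivot a QRadar rule or report would use."""
    counts = {}
    for line in lines:
        ev = parse_audit_trail(line)
        if ev is None:
            continue
        key = (ev.category, ev.fields.get("status", "UNKNOWN"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_audit_trail(line)
        print(ev.category, ev.event_name, ev.user, ev.fields.get("status"), ev.fields.get("client"))
    print(summarize(SAMPLE_EVENTS))
```

The lookahead split is the detail worth carrying into a real CEP regular expression: fields such as command and reason contain spaces, so a property that stops at the first space silently truncates exactly the values an investigator most needs.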