Introduction to QRadar integration

The Centrify for QRadar Integration Guide helps Centrify customers integrate event data from Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service with QRadar.

You can leverage the Centrify Add-on for QRadar to normalize Centrify events in QRadar.

This integration guide applies to the following QRadar versions and Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service releases:

QRadar Versions      Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service Releases
7.2.8 and above      2016, 2016.1, 2016.2, 2017, 2017.1, 2017.2, 2017.3

QRadar Components

The following diagram illustrates the QRadar components that interact with the Centrify Add-on for QRadar:



Important Information About This Guide

Some sections in this document apply to:

  • Windows installations only

  • *Nix installations only

  • All operating systems

In cases where different steps are required for Windows versus *Nix, two separate sections are provided, one for each operating system (OS). In those sections that only pertain to *Nix, Linux examples are used. If you use a different *Nix OS, see the documentation for your system for more information.

WinCollect Agent

The WinCollect agent collects Centrify audit trail events from the Windows machine and forwards them to the QRadar Console. You can download the WinCollect agent from IBM Fix Central at:
https://www.945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+SIEM&fixids=7.2.0-QRADAR-wincollect-7.2.5-27.x64.exe&source=dbluesearch&function=fixId&parent=IBM%20Security

Syslog Daemon

The syslog daemon collects Centrify audit trail events from a Linux machine and forwards them to the QRadar Console.

Centrify Infrastructure Services Device Support Module (DSM)

The Centrify Infrastructure Services DSM (formerly the Centrify Server Suite DSM) collects Centrify events on the QRadar Console. You can get this DSM from: https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/c_dsm_guide_Centrify_Server_Suite_overview.html

Centrify Add-on for QRadar

The Centrify Add-on for QRadar (in CentrifyForQRadar.zip) consists of approximately 120 Custom Event Properties for parsing different fields from the Centrify audit trail events. You can get the Centrify Add-on for QRadar from the Centrify web site.
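A QRadar Custom Event Property is, in essence, a regular expression whose first capture group becomes the property value for each event. The following is an added example, not code from the guide or from the Centrify add-on, that shows what such parsing does when applied to a few constructed syslog lines. The log lines, the program name, and the field names (user, status, tty, command) are illustrative placeholders, not Centrify's actual audit trail schema, and the regexes are assumptions written for those constructed lines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not real Centrify output; the program name
# and key=value field names are illustrative placeholders, not the real schema).
SAMPLE_EVENTS = [
    "<13>Jan 10 12:00:01 host1 example-agent[1234]: AUDIT_TRAIL user=alice status=SUCCESS tty=pts/0 command=/bin/ls",
    "<13>Jan 10 12:00:05 host1 example-agent[1234]: AUDIT_TRAIL user=bob status=FAILURE tty=pts/1",
    "<13>Jan 10 12:00:09 host1 example-agent[1234]: heartbeat ok",
]

# Each property is a regex whose first capture group is the extracted value,
# which is how QRadar Custom Event Properties are defined. These patterns are
# assumptions written for the constructed lines above. The leading \b keeps
# "user=" from also matching inside a longer key such as "ruser=".
CEP_DEFINITIONS: Dict[str, str] = {
    "Example User": r"\buser=(\S+)",
    "Example Status": r"\bstatus=(SUCCESS|FAILURE)\b",
    "Example TTY": r"\btty=(\S+)",
    "Example Command": r"\bcommand=(\S+)",
}

COMPILED = {name: re.compile(pattern) for name, pattern in CEP_DEFINITIONS.items()}


def extract_properties(line: str) -> Dict[str, Optional[str]]:
    """Apply every property regex to one raw line.

    A property whose regex does not match is reported as None, mirroring a
    Custom Event Property that yields no value for that particular event.
    """
    extracted: Dict[str, Optional[str]] = {}
    for name, regex in COMPILED.items():
        match = regex.search(line)
        extracted[name] = match.group(1) if match else None
    return extracted


def normalize(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Normalize only audit trail events.

    Lines that are not audit trail events (the heartbeat above) are skipped so
    that downstream rules never see a record in which every property is empty.
    """
    return [extract_properties(line) for line in lines if "AUDIT_TRAIL" in line]


if __name__ == "__main__":
    for record in normalize(SAMPLE_EVENTS):
        print(record)
```

When you write your own properties, test each regex against an event that lacks the field (the second constructed line has no command) as well as one that has it; a pattern that silently captures an unrelated token on the miss case is the usual source of wrong values in rules and reports.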