Forward ICDx events via Syslog CEF forwarder

Article ID: 179391

Products

ICDx

Issue/Introduction

Resolution

GOAL: Forward events from Integrated Cyber Defense eXchange (ICDx) to one of the products listed below:

  • IBM QRadar
  • CyberSponse CyOps
  • Exabeam

To integrate ICDx with IBM QRadar

  1. In the ICDx UI, under Configuration > Forwarders, add a Syslog CEF forwarder that points to the IBM QRadar instance.
  2. From IBM, download and install the Symantec ICDx Content Pack For QRadar, here:
    https://exchange.xforce.ibmcloud.com/hub/extension/9bf92ae332571cac2476dfa8b1003ddc
  3. For additional assistance on installing the Symantec ICDx Content Pack for QRadar, see:
    https://www.ibm.com/support/pages/ibm-qradar-content-extension-symantec-endpoint-protection-custom-properties

NOTE: Reaching these resources may require an IBMid.

To integrate ICDx with other products listed above

  1. In the ICDx UI, under Configuration > Forwarders, add a Syslog CEF forwarder that points to the server to which you want to forward ICDx events.
  2. Consult the vendor of the other product for any additional steps needed to transform the events into that product's own data format.
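As an added example (not part of this article, ICDx or QRadar), a small Python parser for the Syslog CEF lines a forwarder like this emits, so the receiving side can check that events arrive with all seven CEF header fields and correctly escaped extension values. The sample line is constructed; its vendor, product and signature values are assumptions, not real ICDx output.

```python
"""Parse Syslog CEF lines, e.g. to verify forwarded events at the receiver."""
import re
from typing import Any, Dict, Tuple

# Constructed sample (not captured from a real ICDx instance): syslog PRI and
# header, then a CEF:0 record whose msg field uses the '\=' and '\\' escapes.
SAMPLE_LINE = (
    "<13>Oct 10 12:34:56 icdx-host CEF:0|Symantec|ICDx|1.0|8001|Process Launch|5|"
    "src=10.0.0.5 dst=10.0.0.9 msg=cmd.exe \\= equals and \\\\ backslash act=alert"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# An extension key is a run of key characters followed by '=' at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(payload: str) -> Tuple[list, str]:
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields, buf, i = [], [], 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1]); i += 2      # keep the escaped character
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    return fields, payload[i:]                      # remainder is the extension


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: '\\=', '\\\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Return syslog PRI parts, CEF header fields and extension key/values for one line."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF payload in line")
    pri = re.match(r"<(\d+)>", line)
    fields, ext = _split_header(line[pos:])
    if len(fields) != len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    rec: Dict[str, Any] = dict(zip(HEADER_FIELDS, fields))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["severity"] = int(rec["severity"]) if rec["severity"].isdigit() else rec["severity"]
    rec["syslog_facility"], rec["syslog_severity"] = (
        (int(pri.group(1)) >> 3, int(pri.group(1)) & 7) if pri else (None, None))
    keys = list(_KEY_RE.finditer(ext))
    rec["extension"] = {
        m.group(1): _unescape_ext(ext[m.end():(keys[n + 1].start() if n + 1 < len(keys) else len(ext))].strip())
        for n, m in enumerate(keys)}
    return rec
```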