Symantec's ICDm integration via QRadar makes use of the QRadar-provided Universal Cloud REST API protocol for ingestion of Endpoint Events, Incidents, and Incident Events. This integration also includes the Device Support Module (DSM) for QRadar to interpret the ingested event data.
You would like to know what options are available for QRadar log ingestion from ICDM.
Endpoint Security
IBM QRadar.
1- Event export has been deprecated. Only existing setups will continue to be operational for some time; new setups will not be able to use this function.
2- Event Stream is not an option for log ingestion into QRadar because of limitations on the QRadar side: IBM has not enhanced QRadar to support the streaming API.
We have developed a QRadar "plugin" that works with S3 Bucket Push (AWS); it is available on the TIPP portal. Our recommendation is to use Bucket Push together with the plugin. Alternatively, you can configure an External Kafka event stream type.
To access the resources and further guides, please log in to the TIPP portal.
Symantec ICDM REST API Guide.