IBM Security Verify

Recipe for Integrating QRadar and IBM Security Verify

By Vandana Verma Sehgal posted Thu January 28, 2021 02:14 AM


IBM Security Verify and IBM QRadar Integration


IBM® QRadar® is a Security Information and Event Management (SIEM) product that helps security teams accurately detect and prioritise threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.

IBM Security Verify is an Identity-as-a-service (IDaaS) platform that provides SSO, risk-based MFA and adaptive access, user lifecycle management, and identity analytics. Verify delivers a modernised, modular IAM platform that leverages unparalleled context for decisions about who should be able to access what, with AI-powered, risk-based authentication. It takes a highly consumable, API-first approach with a robust, guided developer experience to fit custom needs, while integrating with comprehensive security workflows including threat management and incident response. Verify delivers smart identity for the hybrid multi-cloud world.

In this paper, we would like to highlight some of the benefits of integrating these two products.

Context Setting

The IBM QRadar DSM for IBM Security Verify collects JSON events from an IBM Security Verify service.

IBM Security Verify and QRadar can now co-exist and exchange data. The integration takes identity management to the next level: managing the alerts and malicious activities that access controls generate from users' accounts.

Use Cases

  • Detection of Multiple User creation in a short span of time
  • Malicious activities from any identities, i.e. login from multiple locations, a device change, or login from a malicious system
  • Risks with the elevated privileges.
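
The first use case above, sketched as an added example; it is not part of the original recipe and is not IBM's DSM or rule code. The event field names ("time" in epoch milliseconds, "action", "performedby", "target") and the sample events are constructed assumptions, not the Verify event schema.

```python
import json
from collections import defaultdict, deque

# Constructed sample events, one JSON object per line (assumed field names).
SAMPLE_EVENTS = """
{"time": 1611800000000, "action": "user_created", "performedby": "admin1", "target": "u01"}
{"time": 1611800030000, "action": "user_created", "performedby": "admin2", "target": "u10"}
{"time": 1611800120000, "action": "user_created", "performedby": "admin1", "target": "u03"}
{"time": 1611800060000, "action": "user_created", "performedby": "admin1", "target": "u02"}
{"time": 1611800090000, "action": "login", "performedby": "alice", "target": "alice"}
this line is not JSON and must be skipped
{"time": 1611803630000, "action": "user_created", "performedby": "admin2", "target": "u11"}
{"time": 1611800130000, "action": "user_created", "performedby": "admin1", "target": "u04"}
"""

def detect_creation_bursts(lines, threshold=3, window_s=300):
    """Alert when one actor creates >= threshold users within window_s seconds."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: ignore rather than abort the run
        if (isinstance(ev, dict) and ev.get("action") == "user_created"
                and isinstance(ev.get("time"), (int, float))):
            events.append(ev)

    recent = defaultdict(deque)  # actor -> (timestamp, target) pairs still in window
    alerts = []
    # Events can arrive out of order from a polled API, so sort by event time.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = ev["time"] / 1000.0
        actor = ev.get("performedby", "unknown")
        q = recent[actor]
        q.append((ts, ev.get("target")))
        while ts - q[0][0] > window_s:  # drop creations older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"actor": actor, "count": len(q),
                           "targets": [t for _, t in q], "window_end": ts})
            q.clear()  # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for alert in detect_creation_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Tune the threshold and window against the normal onboarding volume of the tenant before turning this kind of logic into a QRadar rule.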



The architecture includes two major components: IBM Security Verify and IBM QRadar. QRadar monitors events from different log sources and identifies the malicious events; IBM Security Verify is an identity management solution that manages identities, roles and application access. IBM QRadar is connected to IBM Security Verify via REST API by leveraging the available DSM.




Initialize the setup

Step 1: Access QRadar and check whether the Cloud Identity DSM RPM is installed. If the DSM is not installed, RPMs are available for download from the IBM support website.


Download and install the most recent version of the following RPMs on the QRadar Console:

  • Protocol Common RPM
  • IBM Security Verify Event Service Protocol RPM
  • IBM Security Verify DSM RPM


RPM file name - DSM-IBMCloudIdentity-QRadar_version-build_number.noarch.rpm


Step 2: Go to Admin -> Data Sources -> Log Sources, or click on QRadar Log Source Management.

Click on Add to add the new log source to QRadar.

Step 3: DSM Adapter Installation/Configuration

  • Log Source type: IBM Cloud Identity Event Service
  • Protocol Configuration: IBM Cloud Identity Service
  • Log Source Identifier: https://<your tenant>


Step 4:



Step 6: Add an IBM Security Verify log source on the QRadar Console.



Step 7 : Select the IBM Security Verify (Cloud Identity) Service


Step 8 : Enable the Log Sources



Step 9 : Add the Target Event Collector



Step 10 : We need to get the Client ID and Client Secret from the IBM Security Verify


Configure IBM Security Verify

Configure your IBM Security Verify server to get the API to send events to QRadar.  

Step 1: Log in to the IBM Security Verify administrative console

Step 2 : Switch to admin

Step 3 : Click on Configuration

Step 4 : Click the Add API client button above the table

Step 5: Specify the API Name  ->  Enable the API Client


Credentials will be generated once we save the API


We need to select individual accesses rather than using “select all”. Of the 49 accesses available in Security Verify, the adapter requires only two (2): the Manage and Read Reports accesses.


Step 6 :
Save the new API Client to create the API/ Connector


Step 7 : To get the Client ID and Client Secret, open (edit) the API client you specified before.

For the Client ID:

  • Scroll down to the Client ID field and click the copy to clipboard icon to the right
  • Return to the IGI UI and paste it into the field

For the Client Secret:

  • Scroll down to the Client Secret field and click the copy to clipboard icon to the right
  • Return to the IGI UI and paste it into the field


Configure IBM QRadar with REST API

We can go back to QRadar DSM screen and provide the Client ID and Client Secret which we received from IBM Security Verify


Provide the protocols that will be used for authentication and authorisation of API use.


Once the log source is configured, test the configuration.



Now that we can see the events have started coming in, we can click on the Finish icon.



We can see the new log source added in QRadar.


We can check the Real Time logs under the Log Activity.



Logs have started coming to QRadar from IBM Security Verify




Events from IBM Security Verify, an identity and access management (IAM) service, can be sent to QRadar, a security information and event management (SIEM) system, to monitor identities and detect malicious activity at the same time. This is a stepping stone towards building Zero Trust.


Thank You
Vandana Verma Sehgal- IBM ISL - GSI Labs
Betala Shanbag - IBM ISL - GSI Labs