Fariz,
there is an intense discussion of the features provided here with valuable tips and links from Erwin.
https://community.ibm.com/community/user/discussion/integrate-kubernetes-k8s-with-qradar Please have a look there first.
Check the DSM guide for the log source setup: Chapter 90, Kubernetes Auditing.
The IBM QRadar DSM for Kubernetes collects auditing events from a Kubernetes master node Kubeapiserver.
To integrate Kubernetes with QRadar, complete the following steps
There are multiple options available for cutting down the number of events inside QRadar, but please start with a full set of logs, because without them you don't know what can be skipped. The general best practice is to use policies for identifying security issues. Example: someone shuts down your container. Is that a security issue? Maybe! It depends on whether someone hacked into your host or the admin is trying to fix something in your environment.
BR
------------------------------
Karl Jaeger #ibmchampion
QRadar Specialist
------------------------------
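As an added illustration of the "start with a full set, then use policies" advice above (this is not from the reply, the DSM guide or IBM), here is a kube-apiserver audit policy that keeps a Metadata-level baseline for everything while raising the level only for the categories Fariz asked about; the resource list, the user names and the noise-reduction rules are assumptions to be tuned per cluster.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is not recorded twice.
omitStages:
  - RequestReceived
rules:
  # Secrets, configmaps and token requests: log who touched them, never the payload.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Interactive access into containers (exec/attach/port-forward): full request and response.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # RBAC changes: keep the full object so the granted permissions are visible in QRadar.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Workload changes: the request body shows privileged containers, hostPath mounts, etc.
  - level: Request
    verbs: ["create", "update", "patch"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
  # Assumed noise reduction: read-only traffic from cluster-internal components is dropped.
  - level: None
    users: ["system:kube-proxy", "system:kube-scheduler", "system:kube-controller-manager"]
    verbs: ["get", "list", "watch"]
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
  # Catch-all baseline: everything else at Metadata, reviewed before anything is pruned.
  - level: Metadata
```

Failed access attempts surface under the catch-all rule as events whose responseStatus.code is 401 or 403, so they arrive in QRadar without a dedicated rule; the policy is loaded on the kube-apiserver with --audit-policy-file together with --audit-log-path.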
Original Message:
Sent: Thu June 12, 2025 02:12 AM
From: Fariz Pirmatov
Subject: Integrating Kubernetes Logs with QRadar – Security-Focused Approach
Hi everyone, I'm working on integrating Kubernetes logs with QRadar SIEM, but I'm not sure where to begin. My main goal is to capture only security-relevant logs, such as access attempts, privilege escalations, container breakout attempts, and suspicious API activity, without flooding QRadar with excessive operational or non-security data.
If anyone has experience forwarding Kubernetes logs to QRadar, I'd really appreciate your input on:
How to filter and forward just the key security logs
Tips for parsing and log source setup in QRadar
Any relevant DSMs or best practices
Any tips, documentation, examples would be really appreciated!
------------------------------
Fariz Pirmatov
------------------------------