IBM QRadar Integration

IBM QRadar Integration Guide

Forward Keycloak authentication events and logs to IBM QRadar for enterprise security monitoring, threat detection, and compliance reporting.

Overview

This guide shows you how to configure Skycloak to send security events to IBM QRadar using syslog with LEEF (Log Event Extended Format). QRadar is ideal for enterprises requiring advanced threat intelligence and regulatory compliance.

What You’ll Achieve

  • Real-time authentication event forwarding to QRadar
  • Automatic event categorization and normalization
  • Integration with QRadar’s threat detection rules
  • Compliance reporting for audit requirements

Prerequisites

Before starting, ensure you have:

  1. Skycloak Requirements

    • Enterprise plan with SIEM Integration add-on
    • Workspace Owner or Admin permissions
    • Network connectivity from Skycloak to your QRadar console
  2. QRadar Requirements

    • IBM QRadar 7.3+ (SIEM or XDR)
    • Administrative access to create log sources
    • Network access to receive syslog data

Step 1: Create QRadar Log Source

Using QRadar Console UI

  1. Log in to QRadar Console
  2. Navigate to Admin → Data Sources
  3. Click Log Sources → Add
  4. Configure the log source:

Log Source Details:

  • Log Source Name: Skycloak Keycloak Events
  • Log Source Description: Authentication events from Skycloak managed Keycloak
  • Log Source Type: Syslog
  • Protocol Configuration:
    • Select Syslog
    • Choose your protocol: TCP (recommended) or UDP
  • Log Source Identifier: Leave empty (auto-detect from hostname)

Log Source Parameters:

  • Coalescing Events: True (recommended)
  • Store Event Payload: True (for detailed forensics)
  • Enabled: Check this box
  5. Click Save → Deploy Changes

Using QRadar CLI (Alternative)

SSH into your QRadar console and run:

# Create syslog log source
/opt/qradar/bin/logSourceManagement.pl -a create \
  -name "Skycloak Keycloak Events" \
  -type "Syslog" \
  -protocol "TCP" \
  -port 514 \
  -enabled true

# Deploy configuration
/opt/qradar/bin/contentManagement.pl -a deploy

Step 2: Configure QRadar Syslog Listener

Enable Syslog Reception

  1. Navigate to Admin → System Configuration

  2. Select your Event Collector

  3. Click Syslog tab

  4. Configure:

    • Listen on Port: 514 (standard) or custom port
    • Protocol: TCP (recommended) or UDP
    • TLS Encryption: Enable for secure transmission
  5. Click Save → Deploy Changes

Firewall Configuration

Ensure QRadar can receive syslog traffic:

# Check firewall rules
iptables -L INPUT -n | grep 514

# If needed, add rule (run as root):
iptables -I INPUT -p tcp --dport 514 -j ACCEPT
service iptables save

Step 3: Configure Skycloak SIEM Destination

  1. Log in to your Skycloak dashboard
  2. Navigate to SIEM Integration in the left sidebar
  3. Click Add Destination
  4. Configure the destination:

Basic Information

  • Name: Production QRadar
  • Destination Type: Syslog

Connection Details

  • Syslog Host: Your QRadar console hostname or IP (e.g., qradar.company.com or 10.0.1.100)
  • Port: Match your QRadar syslog port (default: 514)
  • Protocol: TCP (recommended) or TLS for encryption
  • Format: LEEF (Log Event Extended Format - optimized for QRadar)

Event Filtering

Select events to forward:

  • LOGIN - Successful logins
  • LOGIN_ERROR - Failed login attempts
  • LOGOUT - User logouts
  • UPDATE_PASSWORD - Password changes
  • UPDATE_EMAIL - Email changes
  • REGISTER - New user registrations
  • CODE_TO_TOKEN - Token exchanges
  • REFRESH_TOKEN - Token refreshes

Include Server Logs: Enable if you need detailed application logs for troubleshooting

Batching Configuration

  • Batch Size: 500 (recommended for QRadar)
  • Batch Interval: 120 seconds
  5. Click Complete Setup
  6. Toggle Enable to start forwarding events

Step 4: Verify Data Flow

Check Log Source Status

  1. In QRadar, navigate to Log Activity tab
  2. Click Log Sources
  3. Find your Skycloak Keycloak Events log source
  4. Verify:
    • Status: Green (receiving events)
    • Events per Second: Should show activity
    • Last Event Time: Should be recent

Search for Keycloak Events

Use QRadar’s search to find events:

  1. Navigate to Log Activity tab
  2. Use Advanced Search with this AQL query:
SELECT * FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
LAST 10 MINUTES

Test with Login Event

  1. Log in to one of your Keycloak realms
  2. Wait 2-3 minutes for batch processing
  3. Run this search:
SELECT username, sourceip, eventname, DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname ILIKE '%LOGIN%'
LAST 5 MINUTES

Step 5: Create Custom Rules

Example: Detect Brute Force Attacks

  1. Navigate to Offenses → Rules
  2. Click Actions → New Event Rule
  3. Configure:

Rule Details:

  • Rule Name: Keycloak Brute Force Attempt
  • Rule Type: Event

Rule Test:

SELECT * FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN_ERROR'
AND username IS NOT NULL

Rule Response:

  • Create Offense: When the rule tests true
  • Offense Name: Potential Brute Force Attack on Keycloak
  • Credibility: 5
  • Severity: 7
  • Category: Authentication

Group By: username, sourceip

Time Window: Count events where there are 5 or more events in 5 minutes

  4. Click Save
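The grouping and time-window logic of the rule above (5 or more LOGIN_ERROR events per username and source IP within 5 minutes), applied to constructed sample events as an added illustration; this is not Skycloak or QRadar code, and the event field names (eventname, username, sourceip, starttime) are assumed to match the AQL columns used in this guide. Running it against exported events is a quick way to see what the rule would fire on before tuning the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(name, user, ip, minute):
    # Helper for the constructed sample below (one realm, one afternoon).
    return {"eventname": name, "username": user, "sourceip": ip,
            "starttime": datetime(2024, 1, 15, 14, minute)}


# Constructed sample events, not real QRadar data: alice is hit by a
# password-guessing burst from one IP, bob fails twice, carol logs in normally.
SAMPLE_EVENTS = [
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 30),
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 31),
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 32),
    _ev("LOGIN_ERROR", "bob",   "198.51.100.7", 32),
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 33),
    _ev("LOGIN",       "carol", "192.0.2.9",    33),
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 34),  # 5th failure inside 5 minutes
    _ev("LOGIN_ERROR", "bob",   "198.51.100.7", 40),  # 8 minutes after bob's first
    _ev("LOGIN_ERROR", "alice", "198.51.100.7", 41),  # different source IP, own bucket
    _ev("LOGIN_ERROR", "alice", "203.0.113.42", 50),  # outside the window, no new offense
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return one offense per (username, sourceip) whose LOGIN_ERROR count
    reaches `threshold` within any span of length `window`."""
    recent = defaultdict(deque)  # (username, sourceip) -> failure times in window
    offenses = []
    for ev in sorted(events, key=lambda e: e["starttime"]):
        # Same filter as the rule test: failed logins that carry a username.
        if ev["eventname"] != "LOGIN_ERROR" or not ev.get("username"):
            continue
        key = (ev["username"], ev["sourceip"])
        q = recent[key]
        q.append(ev["starttime"])
        while q and ev["starttime"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            offenses.append({"username": key[0], "sourceip": key[1],
                             "count": len(q), "first": q[0], "last": ev["starttime"]})
            q.clear()  # one burst yields one offense, not one per extra failure
    return offenses


if __name__ == "__main__":
    for o in detect_brute_force(SAMPLE_EVENTS):
        print(o)
```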

Example: Detect Privileged Account Changes

Alert on password changes for admin accounts:

SELECT * FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'UPDATE_PASSWORD'
AND (username ILIKE '%admin%' OR username ILIKE '%root%')

Example: Multiple Login Locations

Detect a user who logs in successfully from more than three distinct source IPs within an hour, a proxy for logins from multiple geographic locations:

SELECT username, COUNT(DISTINCT sourceip) as unique_ips
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN'
GROUP BY username
HAVING COUNT(DISTINCT sourceip) > 3
LAST 1 HOUR

Step 6: Create Custom Dashboards

Example: Authentication Overview Dashboard

  1. Navigate to Dashboard tab
  2. Click Create Dashboard
  3. Add widgets:

Widget 1: Login Success Rate

  • Type: Pie Chart
  • Search:
SELECT eventname, COUNT(*) as count
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname IN ('LOGIN', 'LOGIN_ERROR')
GROUP BY eventname
LAST 24 HOURS

Widget 2: Top Failed Login Users

  • Type: Bar Chart
  • Search:
SELECT username, COUNT(*) as failures
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN_ERROR'
GROUP BY username
ORDER BY failures DESC
LAST 24 HOURS

Widget 3: Login Activity Timeline

  • Type: Time Series
  • Search:
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:00') as hour, COUNT(*) as logins
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN'
GROUP BY hour
LAST 7 DAYS

LEEF Format Reference

Format Structure

Skycloak sends events in LEEF 2.0 format optimized for QRadar:

LEEF:2.0|Skycloak|Keycloak|1.0|LOGIN|devTime=Jan 15 2024 14:30:00|src=203.0.113.42|usrName=john.doe|realm=production|identSrc=web-app

Field Mapping

LEEF Field   Description            Example
devTime      Event timestamp        Jan 15 2024 14:30:00
src          Source IP address      203.0.113.42
usrName      Username               john.doe
realm        Keycloak realm         production
identSrc     Client application     web-app
eventId      Unique event ID        evt_123abc
cat          Event category         Authentication

QRadar Field Extraction

QRadar automatically extracts LEEF fields into normalized properties:

  • usrName → Username
  • src → Source IP
  • realm → Custom Property 1
  • identSrc → Custom Property 2
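An added example, not part of the Skycloak product or of QRadar: a small parser for the LEEF line shown in the format reference above, producing the header fields, the raw attributes from the field-mapping table and the normalized property names listed in this section. It takes the pipe character as the attribute delimiter from the page's own sample line and tolerates a syslog header in front of the LEEF payload; both are assumptions about what your collector actually receives, so compare against a real payload in Log Activity before relying on it.

```python
from datetime import datetime

# QRadar normalized property for each Skycloak LEEF attribute (mapping above).
NORMALIZED = {"usrName": "Username", "src": "Source IP",
              "realm": "Custom Property 1", "identSrc": "Custom Property 2"}
HEADER_FIELDS = ("vendor", "product", "product_version", "event_id")


def parse_leef(line):
    """Parse one Skycloak LEEF 2.0 line (pipe-separated attributes, as in the
    format example above) into header fields, raw attributes and normalized
    properties. Raises ValueError on anything that is not a LEEF 2.0 line."""
    start = line.find("LEEF:2.0|")  # skip any syslog PRI/timestamp/host prefix
    if start < 0:
        raise ValueError("no LEEF 2.0 header in line: %r" % line)
    parts = line[start:].rstrip("\r\n").split("|")
    if len(parts) < 5:
        raise ValueError("incomplete LEEF header: %r" % line)
    event = dict(zip(HEADER_FIELDS, parts[1:5]))
    attrs = {}
    for token in parts[5:]:
        if not token:
            continue  # tolerate a trailing delimiter
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute %r" % token)
        attrs[key] = value
    event["attrs"] = attrs
    # devTime uses the 'Jan 15 2024 14:30:00' layout from the reference table.
    event["devtime"] = (datetime.strptime(attrs["devTime"], "%b %d %Y %H:%M:%S")
                        if "devTime" in attrs else None)
    event["normalized"] = {NORMALIZED[k]: v for k, v in attrs.items() if k in NORMALIZED}
    return event


# Constructed sample: the format example from this guide, as the collector would see it.
SAMPLE_LINE = ("LEEF:2.0|Skycloak|Keycloak|1.0|LOGIN|devTime=Jan 15 2024 14:30:00"
               "|src=203.0.113.42|usrName=john.doe|realm=production|identSrc=web-app")

if __name__ == "__main__":
    ev = parse_leef(SAMPLE_LINE)
    print(ev["event_id"], ev["devtime"], ev["normalized"])
```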

Useful QRadar Queries

Recent Failed Logins

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as time,
       username, sourceip, realm
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN_ERROR'
ORDER BY starttime DESC
LAST 1 HOUR

User Login History

SELECT username, sourceip,
       DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as login_time
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN'
AND username = 'john.doe'
ORDER BY starttime DESC
LAST 30 DAYS

Login Activity by Realm

SELECT realm, COUNT(*) as login_count
FROM events
WHERE "Log Source" = 'Skycloak Keycloak Events'
AND eventname = 'LOGIN'
GROUP BY realm
ORDER BY login_count DESC
LAST 7 DAYS

Offenses Related to Keycloak

SELECT offense_id, description, severity,
       DATEFORMAT(start_time, 'YYYY-MM-dd HH:mm:ss') as offense_time
FROM offense_view
WHERE log_source_name = 'Skycloak Keycloak Events'
ORDER BY start_time DESC
LAST 30 DAYS

Troubleshooting

No Events in QRadar

  1. Check log source status:

    • Navigate to Admin → Log Sources
    • Verify status is green and last event time is recent
  2. Check Skycloak destination:

    • Go to SIEM Integration page
    • Verify “Healthy” status
    • Check “Events Sent” metric
  3. Test network connectivity:

    # From Skycloak network (if accessible):
    telnet qradar.company.com 514
  4. Check QRadar system logs:

    tail -f /var/log/qradar.log | grep -i syslog

Events Not Creating Offenses

  1. Verify rules are enabled:

    • Navigate to Offenses → Rules
    • Check rule status
    • Test rule manually
  2. Check rule logic:

    • Use rule search query directly in Log Activity
    • Verify events match rule criteria
  3. Review rule responses:

    • Ensure “Create Offense” is selected
    • Check credibility and severity thresholds

Performance Issues

If QRadar is slow processing Keycloak events:

  1. Check event collector CPU/memory: Navigate to Admin → System → Event Collector
  2. Reduce batch size: Lower to 200-300 events
  3. Filter events: Only forward critical event types
  4. Tune coalescing: Adjust log source coalescing settings

LEEF Parsing Issues

If fields aren’t being extracted:

  1. Check DSM (Device Support Module):

    • Navigate to Admin → DSM Editor
    • Search for Keycloak or Syslog
    • Create custom parsing if needed
  2. Verify LEEF version: Ensure QRadar supports LEEF 2.0

  3. Check field names: Review event payload for correct LEEF syntax

Best Practices

  1. Use TCP Protocol: More reliable than UDP for QRadar
  2. Enable TLS: Encrypt syslog traffic for sensitive data
  3. Create Custom Properties: Map Keycloak-specific fields (realm, client_id) to QRadar custom properties
  4. Set Up Building Blocks: Create reusable rule building blocks for common patterns
  5. Regular Offense Review: Schedule daily reviews of Keycloak-related offenses
  6. Tune Rules: Adjust rule thresholds based on your environment’s baseline
  7. Archive Old Events: Configure retention policies based on compliance requirements

Next Steps

  • Create custom rules for your security requirements
  • Build comprehensive dashboards for security team
  • Integrate with QRadar incident response playbooks
  • Configure email/SNMP notifications for critical offenses
  • Review QRadar Use Case Manager for pre-built Keycloak rules

Support

For assistance: