This document includes information on the supported data collection methods, IBM QRadar SIEM and VMware SASE software versions, IBM QRadar SIEM Device Support Modules, and SIEM license requirements.
Data Collection Methods supported from VMware SASE
VMware SASE consists of multiple services. In this guide, we will describe integration between the SD-WAN Edge appliances and IBM QRadar SIEM, using Syslog and IPFIX Data. Other types of integrations might be delivered in the future. This guide will use the following network connectivity between SD-WAN Edges and QRadar Collector Nodes
Software Version Matrix
The following table shows the versions of both VMware SASE and IBM QRadar used in this guide:
| VMware SASE & IBM QRadar Versions Tested | |
|---|---|
| IBM QRadar | 7.3.3 Field Patch 6 or higher |
| IBM Log Source Management | 7.0.1 or higher |
| VMware SASE Orchestrator | 5.2.0.0 or higher |
| VMware SD-WAN Edge | 5.2.0.0 or higher |
IBM QRadar SIEM Device Support Module (DSM) for VMware SASE
The QRadar DSM (Device Support Module) software component lets QRadar collect data from various devices, such as firewalls, intrusion detection systems, and web proxies. The DSM provides a standardized interface for collecting data from these devices, which makes it easier for QRadar to ingest and analyze the data.
The QRadar DSM also has many features that help improve the performance of QRadar, such as data compression and filtering. This can help reduce the amount of data that QRadar needs to store and process, which can improve the system's performance.
For VMware SASE, you can download proprietary DSM modules from the VMware Developer portal or IBM X-Force App Exchange. The DSM modules make sure that QRadar can format and display messages from VMware SASE services such as SD-WAN Edge devices. The DSM also contains event mappings to inject various VMware SASE events in a standard format message in your enterprise’s overall IT security ecosystem.
IBM QRadar SIEM License Requirements
You do not need a special license to receive events from VMware SASE. The integration will use both events per second (EPS) and flow per minute (FPM) licenses:
- SD-WAN Edge logs: QRadar EPS (Events per Second) license required.
- SD-WAN Edge Traffic Telemetry via IPFIX: QRadar FPM (Flows per Minute) license required.
Please make sure the event collectors that collect logs and flow data have enough license allocations in IBM QRadar. After you onboard the service, monitor the license requirements and adjust allocations as needed under (QRadar) .
Please see this IBM KB Article for more information on event and flow capacity management.
