QRadar Integration
- Updated on 02 Dec 2025
Security teams rely on SIEM platforms to maintain visibility, detect threats, and ensure compliance across their IT environment. IBM QRadar is a leading SIEM solution that collects, correlates, and analyzes security events from multiple systems, helping organizations quickly identify and respond to potential risks.
This document explains how to integrate Scalefusion with QRadar. As a Unified Endpoint Management (UEM) platform, Scalefusion generates detailed device and user activity logs. Sending these events to QRadar allows you to analyze endpoint activity alongside other security data, providing a unified and more complete view of your organization’s security landscape.
This integration enhances visibility, supports compliance reporting, and strengthens your overall security posture.
Integrating QRadar with Scalefusion
On the Scalefusion dashboard, navigate to Integrations > ITSM/SIEM Tools.
Here, click Activate for QRadar.

Configuration on QRadar Console
To integrate Scalefusion with IBM QRadar, you must create a Log Source within the QRadar Console. Follow the steps below to complete the configuration.
Step 1: Create a New Log Source
Log in to your QRadar console.
Go to the Admin tab.
Click Log Sources.

In the Log Sources page, click Log Sources again if prompted.

Click New Log Source.

Next, choose Single Log Source.

Select Universal DSM as the log source type, then click Step 2.

For the protocol, select HTTP Receiver, then click Step 3.

Step 2: Provide Basic Log Source Details
Enter a Name for the log source.
Leave the remaining fields at their default values.
Click Step 4.

Step 3: Configure Log Protocol
In this step, define the protocol settings across the next four screens.
a. Log Identifier, Port, and Protocol
Enter a Log Identifier name.
Specify a Port Number that QRadar will listen on.
Select the Protocol:
HTTPS (recommended for secure communication)
HTTP (not secure; may be used in restricted on-premise environments)

b. HTTP Listener Configuration
If you selected HTTPS, you may upload a certificate.
Certificate Notes:
You may generate a self-signed certificate using tools such as OpenSSL or Keychain Access (macOS).
You can also request a certificate from your DevOps team.
If using a self-signed certificate, keep the public key accessible for later use.

c. Authentication Parameters
Enable Authentication Token Header.
Set:
Header Name: Use the value shown in the Scalefusion Dashboard (typically Bearer).
Header Value: Enter the Authentication Token displayed in the Scalefusion Dashboard.

d. Event Parsing Method
Select Event Per JSON Array as the parsing method.
JSON Path Expression: Enter "/events"

Step 4: Test and Save
Click on Start Test to test the parameters using QRadar's built-in test utility.

If everything validates successfully, click Save.
You have now completed the QRadar log source configuration for Scalefusion.
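To confirm that the listener accepts what was configured above (port, authentication header, and the "/events" array), a test request can be built and sent before enabling any events in Scalefusion. The script below is an added example, not Scalefusion or IBM code; the host name, port, token, and the request path "/" are assumptions, and events_at_path only approximates how Event Per JSON Array selects events.

```python
import json
import ssl
import urllib.request

def build_test_request(host, port, header_name, token, events, use_https=True):
    """Build a POST that matches the log source: auth header plus a top-level "events" array."""
    scheme = "https" if use_https else "http"
    body = json.dumps({"events": events}).encode("utf-8")
    # Assumption: the listener accepts POSTs on "/" of the configured port.
    req = urllib.request.Request(f"{scheme}://{host}:{port}/", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header(header_name, token)  # Header Name / Header Value from step c
    return req

def events_at_path(body, json_path="/events"):
    """Follow a simple /key/key path and return the array found there, one element per event."""
    node = json.loads(body)
    for key in filter(None, json_path.split("/")):
        node = node[key]
    if not isinstance(node, list):
        raise ValueError(f"{json_path} does not point at a JSON array")
    return node

def send(req, ca_file=None, timeout=10):
    """Send the request. ca_file is the PEM certificate of a self-signed listener;
    the host name in the URL must match the name in that certificate."""
    ctx = None
    if req.full_url.startswith("https://"):
        ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed values; replace them with the ones from your own configuration.
    sample = [{"activity": "user_login", "activity_result": "Success"}]
    request = build_test_request("qradar.example.internal", 12469, "Bearer",
                                 "constructed-token", sample)
    print(request.full_url, len(events_at_path(request.data)), "event(s)")
    # print(send(request, ca_file="qradar-listener.pem"))  # uncomment to send
```

A request sent with a wrong token or without the header should be rejected by the listener; if it is accepted, recheck the Authentication Token Header setting.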
Configuring QRadar Integration in Scalefusion
Server Details
On the Scalefusion dashboard, enter the following under Server Details:
Host URL
Port: Enter the port on which QRadar will receive incoming logs.
Authentication Header Name: This is set to Bearer. This is the header name used for token-based authentication.
Authentication Token Value: Use this token when configuring authentication on the QRadar Log Source. Clicking the Rotate icon generates a new authentication token.
Event Parsing Method: Event Per JSON Array. This indicates how QRadar should parse events received from Scalefusion.
JSON Path Expression: Specifies the JSON path where QRadar should look for event objects. This is set to events.
The SSL Certificate is optional. However, if your QRadar instance is hosted with a self-signed certificate, upload that certificate here.
Click Next to go to the Dashboard Access Events tab.

Dashboard Access Events
Turn on the toggle to sync the Dashboard sign-in events generated when an administrator signs in to the portal.
The Configure Topic Name is auto-populated.
Click Next.

This is the format in which dashboard access events are generated:
{
  "topic/slug/source": "as configured in dashboard, for example: dashboard_access_events",
  "event": {
    "useremail": Email of the Admin trying to perform the activity
    "username": Name of the Admin trying to perform the activity
    "source_ip": The IP from which they tried to perform the activity
    "timestamp": The time in UTC at which this was performed
    "activity": user_login or user_logout or password_change or admin_and_roles
    "activity_result": Success or Failed
    "activity_event_meta": one of the below
      "user_login_success"
      "password_updated"
      "password_change_request"
      "user_login_fail_username"
      "user_login_fail_password"
      "user_login_otp_fail"
      "user_logout"
      "user_login_fail_expired_creds"
      "admin_added_success"
      "adming_deleted_success"
      "role_updated"
    "admin_name": Null, or a value if the activity is of type admin_and_roles
    "admin_email": Null, or a value if the activity is of type admin_and_roles
    "message": one of the below
      "Successful user login"
      "Invalid user"
      "Invalid credentials"
      "Invalid OTP login attempt"
      "Expired user account attempted login"
      "Password change request initiated"
      "Password changed successfully"
      "Admin added successfully"
      "Admin deleted successfully"
      "Admin updated successfully"
  }
}
Account Activity Events
Turn on the toggle to sync the Account Activity events generated as per the account activity reports. The events will be synced every 24 hours.
The Configure Source Type is auto-populated.
Select the event(s) that you would like to sync to your QRadar portal.
Click Next.

This is the format in which account activity events are generated:
{
  "topic/slug/source": as configured in Dashboard
  "events": [
    {
      "username": The name of the user who performed the activity
      "useremail": The email of the user who performed the activity
      "category": The category to which the action belongs
      "activity": The short description of the activity that was performed
      "message": The message that is shown in account activity
      "source_ip": The IP from which the request was performed
      "timestamp": The time at which the action was performed in UTC format
      "impact": The count of devices it has impact on or N/A
      "queued_for_approval": true if this event was queued for approval, false if it was approved or changed
    }
  ]
}
Device Management Events
Turn on the Enable Device Management events toggle to sync the various device management actions performed on the Dashboard. The events will be synced every 24 hours.
The Configure Source Type is auto-populated.
Select the event(s) that you would like to sync to your QRadar portal.
Click Next.

This is the format in which device management events are generated:
{
  "topic/slug": as configured in Dashboard, for example device_management_events
  "event": one of the below
    "device_enrolled"
    "device_deleted"
    "device_unamanaged"
    "device_locked_policies_applied"
    "device_unlocked_policies_relaxed"
    "device_marked_as_lost"
    "device_marked_as_found"
    "factory_reset_device"
    "device_shutdown"
    "device_reboot"
    "device_policy_updated"
  "username": The name of the Admin
  "useremail": The email of the Admin
  "source_ip": The IP which originated this action
  "timestamp": As per UTC
  "device_id": Scalefusion Device ID
  android_id: xxxxxxxxxxxxxxx
  app_version_name: 17.6.0-IC
  avbl_wifi_ssids: [
    Tata -5GHz,00:04:95:ba:23:e0
    PromobiManage,04:ba:d6:cd:47:e0
    ProMobi_5GHz,00:04:95:b7:d6:da
    kanix_5G,9c:a2:f4:b2:77:54
    Promobi Guest ,a0:0f:37:43:f9:a3
    PromobiRADA5,04:ba:d6:cd:47:e3
    PromobiRAD,04:ba:d6:cd:47:e1
    PromobiRADInt,04:ba:d6:cd:47:e2
    ProMobi_2.4GHz,00:04:95:b7:d6:d9
    ProMobi,a0:0f:37:3a:d5:ae
  ]
  battery_charging: null
  battery_status: 45
  battery_temp_in_celsius: 31
  benchmark_details: {
    benchmark: null
    compliance_percentage: 30.3
    compliance_status: N
    mode: null
    policy_group: null
    variant: null
  }
  bluetooth_mac: null
  build_serial_no: xxxxxxxxxxxxxx
  charging: null
  connected_wifi_mac_address: a0:0f:37:3a:d5:ae
  connected_wifi_ssid: xxxxxxx
  cpu_temp_in_celsius: 52.65
  cpu_usage: null
  custom_properties: [
    {
      data_type: String
      name: mode
      value: null
    }
  ]
  d_build_version: TQ3A.230805.001.S2
  data_roaming_enabled: false
  data_roaming_enabled_2: false
  device_generated_bypass_code: null
  device_group: {
    id: null
    name: null
    parent_group_id: null
  }
  device_profile: {
    id: null
    name: null
  }
  enrollment_date: 2025-07-23 14:21:12 UTC
  enrollment_method: 6-times tap
  exit_password: 2323
  firewall_enabled: -1
  gsm_serial_no: unknown
  gsuite_account: N/A
  iccid_no: xxxxxxxxxxxxxxxxxxxx
  iccid_no_2:
  id: xxxxxxx
  imei_no: xxxxxxxxxxxxxxx
  imei_no_2: null
  imsi_no: xxxxxxxxxxxxxxx
  imsi_no_2:
  in_trial: true
  ip_address: xxx.xxx.xx.xx
  last_connected_at: 2025-07-23 14:30:58 UTC
  licence_active: true
  licence_expires_at: 1787011200
  licence_name: test
  license: {
    code: xxxxxxxxxxxxxx
    expire_date: 2026-08-18
  }
  location: {
    address: xxxx+xxx, xxxxx xxxxx, xxxxx xxxx, Pune, Maharashtra 411014, India
    created_at: 2025-07-23 14:29:34 UTC
    date_time: 1753280974449
    lat: xx.xxxxx
    lng: xx.xxxxxx
  }
  locked: true
  make: Google
  marked_as_lost: null
  mdm_generated_bypass_code: null
  model: Pixel 4a
  name: xxxxxxxxxxx
  os_version: 13
  phone_no: +91123456789
  phone_no_2:
  power_status: null
  ram_usage: 0
  rooted: no
  screen_temp_in_celsius: 35.95
  serial_no: xxxxxxxxxxxxxx
  sim1_network_type: null
  sim2_network_type: null
  sim_network: null
  sim_network_2: null
  sim_signal_strength: null
  sim_signal_strength_2: null
  status: LICENSED
  storage_info: {
    bitlocker_passwords: {
    }
    total_external_storage: null
    total_external_storage_avbl: null
    total_internal_storage: null
    total_internal_storage_avbl: null
  }
  total_ram_size: 5603
  udid: null
  unique_id: b98ec11a9f7ee277
  voice_roaming_enabled: false
  voice_roaming_enabled_2: false
  wifi_mac_address: null
}
Device Activity Events
Turn on the toggle to sync the device activity events, such as device login/logoff. The events will be synced every 24 hours.
The Configure Source Type is auto-populated.
Select the event(s) that you would like to sync to your QRadar portal.
Click Save.

This is the format in which device activity events are generated:
{
  "slug": "device_activity_events",
  "event": "value",
  "duration_in_mins": gives duration,
  "location": "N/A",
  "device_id": gives device id,
  "user_name": "Account name of the user",
  "device_name": "name of the device",
  "activity_type": "user_activity_details",
  "event_end_time": "the time at which event ends",
  "event_start_time": "the time at which event starts"
}
Viewing Details in the Scalefusion dashboard
After the setup is complete, the status and details will be visible on the Scalefusion dashboard. You will also have the option to modify the configuration if needed, or delete it entirely.

If an Event is synced successfully, the Last Sync Status in the View Details card will show as Configured.
If a sync issue occurs, it will be indicated as 'Failure' on the View Details card. You can click 'View Error' to see the specific reason for the failure.

Scalefusion will attempt to sync an event up to 10 times. If it remains unsuccessful, manual reactivation of the event will be required.
If any Event is not configured in the setup, it will show the status as Not Configured, and that event will not be synced with the QRadar portal.

You will also be able to see the activities in the Account Activity report. Navigate to Reports & Workflows > Reports > Account Activity.


Viewing Events in QRadar portal
Under Log Activity, click Add Filter.

Select the Log Source Group and click on Add Filter to view the logs.
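Once dashboard access events are arriving, the fields documented above (source_ip, useremail, activity_event_meta) are enough to spot bursts of failed administrator sign-ins from one address. The script below is an added example, not Scalefusion or IBM code; it assumes ISO 8601 timestamps and one activity_event_meta value per event, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure values of activity_event_meta listed in the dashboard access event format.
FAIL_META = {"user_login_fail_username", "user_login_fail_password",
             "user_login_otp_fail", "user_login_fail_expired_creds"}

def parse_ts(value):
    # Assumption: ISO 8601 timestamps; the page only states that the time is in UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed sign-ins inside a sliding window."""
    recent = defaultdict(deque)          # source_ip -> (time, useremail) of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        ip, when, meta = ev["source_ip"], parse_ts(ev["timestamp"]), ev["activity_event_meta"]
        q = recent[ip]
        while q and when - q[0][0] > window:
            q.popleft()                  # drop failures that fell out of the window
        if meta in FAIL_META:
            q.append((when, ev["useremail"]))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"source_ip": ip, "failures": 0,
                                           "accounts": [], "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["accounts"] = sorted(set(a["accounts"]) | {u for _, u in q})
        elif meta == "user_login_success" and ip in alerts and q:
            alerts[ip]["success_after"] = True   # sign-in succeeded right after the burst
    return list(alerts.values())

def _ev(ts, ip, email, meta):
    # Constructed sample event using the documented field names.
    result = "Success" if meta == "user_login_success" else "Failed"
    return {"timestamp": ts, "source_ip": ip, "useremail": email, "activity": "user_login",
            "activity_result": result, "activity_event_meta": meta}

SAMPLE_EVENTS = [  # constructed data, documentation-range IP addresses
    _ev("2025-12-02T09:00:00Z", "203.0.113.9", "c@example.com", "user_login_fail_password"),
    _ev("2025-12-02T09:20:00Z", "203.0.113.9", "c@example.com", "user_login_fail_password"),
    _ev("2025-12-02T09:40:00Z", "203.0.113.9", "c@example.com", "user_login_fail_password"),
    _ev("2025-12-02T10:00:00Z", "203.0.113.7", "a@example.com", "user_login_fail_password"),
    _ev("2025-12-02T10:01:00Z", "198.51.100.4", "d@example.com", "user_login_fail_password"),
    _ev("2025-12-02T10:02:00Z", "203.0.113.7", "b@example.com", "user_login_fail_username"),
    _ev("2025-12-02T10:03:00Z", "203.0.113.7", "a@example.com", "user_login_otp_fail"),
    _ev("2025-12-02T10:05:00Z", "203.0.113.7", "a@example.com", "user_login_success"),
]
```

Calling failed_login_bursts(SAMPLE_EVENTS) flags only 203.0.113.7; the three failures from 203.0.113.9 are spread over 40 minutes and stay below the threshold inside any 10-minute window.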

