Skip to content

[ibm_qradar] Initial release of IBM QRadar #15302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[ibm_qradar] Initial release of IBM QRadar #15302

wants to merge 3 commits into from
+4,419 −0

Conversation

akshraj-crest
Copy link

Proposed commit message

The initial release includes offense data stream, associated dashboards
and visualizations.

IBM QRadar fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from documentation and live data samples,
which were subsequently sanitized.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/ibm_qradar directory.
  • Run the following command to run tests.

elastic-package test

Run asset tests for the package
--- Test results for package: ibm_qradar - START ---
╭────────────┬─────────────┬───────────┬─────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                                                           │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼─────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ ibm_qradar │             │ asset     │ dashboard ibm_qradar-f8f1ddd1-3d71-4833-a10e-87d4119aac56 is loaded │ PASS   │      2.624µs │
│ ibm_qradar │             │ asset     │ search ibm_qradar-21073f01-84bf-4ba8-a8fd-855a660b1ba8 is loaded    │ PASS   │        143ns │
│ ibm_qradar │ offense     │ asset     │ index_template logs-ibm_qradar.offense is loaded                    │ PASS   │        175ns │
│ ibm_qradar │ offense     │ asset     │ ingest_pipeline logs-ibm_qradar.offense-0.1.0 is loaded             │ PASS   │        221ns │
╰────────────┴─────────────┴───────────┴─────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ibm_qradar - END   ---
Done
Run pipeline tests for the package
--- Test results for package: ibm_qradar - START ---
╭────────────┬─────────────┬───────────┬─────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                                   │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼─────────────────────────────────────────────┼────────┼──────────────┤
│ ibm_qradar │ offense     │ pipeline  │ (ingest pipeline warnings test-offense.log) │ PASS   │ 341.149718ms │
│ ibm_qradar │ offense     │ pipeline  │ test-offense.log                            │ PASS   │  355.20242ms │
╰────────────┴─────────────┴───────────┴─────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: ibm_qradar - END   ---
Done
Run policy tests for the package
--- Test results for package: ibm_qradar - START ---
No test results
--- Test results for package: ibm_qradar - END   ---
Done
Run static tests for the package
--- Test results for package: ibm_qradar - START ---
╭────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ ibm_qradar │ offense     │ static    │ Verify sample_event.json │ PASS   │  105.87793ms │
╰────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: ibm_qradar - END   ---
Done
Run system tests for the package
2025/09/12 17:55:32  INFO Installing package...
2025/09/12 17:55:45  INFO Running test for data_stream "offense" with configuration 'default'
2025/09/12 17:55:54  INFO Setting up independent Elastic Agent...
2025/09/12 17:56:04  INFO Setting up service...
2025/09/12 18:01:53  INFO Tearing down service...
2025/09/12 18:01:54  INFO Write container logs to file: /root/integrations/build/container-logs/ibm_qradar-1757680314710614720.log
2025/09/12 18:01:57  INFO Tearing down agent...
2025/09/12 18:01:57  INFO Write container logs to file: /root/integrations/build/container-logs/elastic-agent-1757680317375289428.log
2025/09/12 18:02:07  INFO Uninstalling package...
--- Test results for package: ibm_qradar - START ---
╭────────────┬─────────────┬───────────┬───────────┬────────┬────────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │   TIME ELAPSED │
├────────────┼─────────────┼───────────┼───────────┼────────┼────────────────┤
│ ibm_qradar │ offense     │ system    │ default   │ PASS   │ 6m7.827676604s │
╰────────────┴─────────────┴───────────┴───────────┴────────┴────────────────╯
--- Test results for package: ibm_qradar - END   ---
Done

Related issues

Screenshots

Screenshot 2025-09-12 175308 Screenshot 2025-09-12 175333

@akshraj-crest akshraj-crest requested a review from a team as a code owner September 12, 2025 12:45
@cla-checker-service CLA Checker Service
Copy link

cla-checker-service bot commented Sep 12, 2025
edited
Loading

💚 CLA has been signed

@andrewkroh andrewkroh added New Integration Issue or pull request for creating a new integration package. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Sep 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. New Integration Issue or pull request for creating a new integration package.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[New Integration] IBM QRadar
2 participants
@akshraj-crest @andrewkroh