Cisco IDS/IPS

You can integrate a Cisco IDS/IPS security device with IBM QRadar.

The Cisco IDS/IPS DSM for IBM QRadar collects events from Cisco IDS/IPS devices by using the Security Device Event Exchange (SDEE) protocol.

The SDEE specification defines the message format and the protocol that is used to communicate the events that are generated by your Cisco IDS/IPS security device. QRadar supports SDEE connections by polling the IDS/IPS device directly, not the management software that controls the device.

Note: You must have security access or web authentication on the device before you connect to QRadar.

After you configure your Cisco IDS/IPS device, you must configure the SDEE protocol in QRadar. When you configure the SDEE protocol, you must define the URL that is used to access the device. An example of a URL that defines the device is https://www.example.com/cgi-bin/sdee-server.

You must use http or https in the URL, which is specific to your Cisco IDS version.

  • When you use RDEP (for Cisco IDS 4.0), ensure that the URL has /cgi-bin/event-server at the end of the URL. An example URL is https://www.example.com/cgi-bin/event-server.
  • When you use SDEE/CIDEE (for Cisco IDS 5.x and later), ensure that the URL has /cgi-bin/sdee-server at the end of the URL. An example URL is https://www.example.com/cgi-bin/sdee-server.
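
The URL rules above can be checked before the value is entered in the log source configuration. The following Python sketch is an added example, not part of QRadar or the DSM; the function name `check_sensor_url` and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path each protocol expects at the end of the URL, as stated on this page.
REQUIRED_SUFFIX = {
    "RDEP": "/cgi-bin/event-server",  # Cisco IDS 4.0
    "SDEE": "/cgi-bin/sdee-server",   # Cisco IDS 5.x and later (SDEE/CIDEE)
}


def check_sensor_url(url, protocol):
    """Return a list of problems with url; an empty list means it passes."""
    protocol = protocol.upper()
    expected = REQUIRED_SUFFIX[protocol]
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # for example, unbalanced IPv6 brackets
        return [f"URL cannot be parsed: {exc}"]

    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("URL must start with http:// or https://")
    if not parts.hostname:
        problems.append("no host name or IP address after the scheme")
    if parts.query or parts.fragment:
        problems.append(f"nothing may follow {expected}")
    if not parts.path.endswith(expected):
        # Name the other protocol when its path was used by mistake.
        other = [p for p, s in REQUIRED_SUFFIX.items()
                 if p != protocol and parts.path.endswith(s)]
        hint = f" (this path belongs to {other[0]})" if other else ""
        problems.append(f"{protocol} URL must end with {expected}{hint}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; www.example.com is a placeholder host.
    samples = [
        ("https://www.example.com/cgi-bin/sdee-server", "SDEE"),
        ("https//www.example.com/cgi-bin/sdee-server", "SDEE"),    # ':' dropped
        ("https://www.example.com/cgi-bin/event-server", "SDEE"),  # RDEP path
    ]
    for url, proto in samples:
        result = check_sensor_url(url, proto)
        print(f"{proto} {url}: {'OK' if not result else '; '.join(result)}")
```

A URL with the colon dropped after the scheme fails two checks at once, because without `://` the parser finds neither a scheme nor a host.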