QRadar CEF integration

Forward Penaxtra findings to IBM QRadar (and other SIEMs that accept CEF) over syslog, using a Common Event Format (CEF) payload. Each finding becomes a single CEF record, with framework references carried in the extension fields.

Configure the forwarder

  1. In Penaxtra, Integrations → SIEM forwarders → New target. Choose Syslog (CEF).
  2. Set the collector address, e.g. udp://qradar-collector.internal:514 or tcp://qradar-collector.internal:514 (TCP recommended for reliability).
  3. Pick a severity floor (only forward findings at or above that severity).
  4. Click Test connection. A synthetic record with cef_signature=penaxtra-test is emitted.

CEF record format

CEF:0|Penaxtra|AISPM|1.0|penaxtra-finding|Indirect prompt injection via RAG corpus|7|
  cs1Label=probeId cs1=rag_indirect_v2
  cs2Label=endpointId cs2=ep_2026_abc123
  cs3Label=scanId cs3=scan_2026_xyz789
  cs4Label=findingId cs4=fnd_2026_xxxxxx
  cs5Label=frameworks cs5=OWASP_LLM01,MITRE_ATLAS_AML_T0051,EU_AI_ACT_Art15
  rt=1747800000000
  request=https://penaxtra.com/app/findings/fnd_2026_xxxxxx

CEF severity values:

Penaxtra severity   CEF severity
critical            10
high                7
medium              5
low                 3
info                1

QRadar mapping

Create a Universal DSM with the following property mappings:

  • cs1Label / cs1 → custom property Probe ID
  • cs2Label / cs2 → custom property Endpoint ID
  • cs5Label / cs5 → custom property Frameworks (multi-value, comma-delimited)

A pre-built DSM XML is available on request from [email protected].

Common errors

Symptom                                                          Cause                                               Fix
Records arrive but show as Unknown Log Source                    DSM not yet mapped                                  Apply the Universal DSM mapping above
Severity dropped                                                 CEF severity 0-10 mismatched against QRadar 1-10    Adjust the Penaxtra severity floor or QRadar magnitude weighting
Records missing in QRadar but visible in Penaxtra delivery log   Collector firewall                                  Verify TCP/UDP 514 reachability + UDP MTU for long records
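
The following Python is an added example, not Penaxtra's or IBM's code. It builds a record in the CEF format shown above (with the header and extension escaping CEF requires), applies the severity table, parses a record back and resolves the csNLabel/csN pairs the way the Universal DSM mapping does, and checks whether a record fits in a single UDP datagram, which is the MTU problem in the last row of the table. The field names of the finding dict, the helper names and the 1400-byte UDP threshold are this example's assumptions; the header values, extension keys and severity numbers come from the page.

```python
# Build, parse and size-check Penaxtra-style CEF records. Added example, not
# Penaxtra's or IBM's code: the finding dict field names and the 1400-byte UDP
# threshold are assumptions; header fields, extension keys and severity values
# follow the record and table shown above.
import re

SEVERITY_TO_CEF = {"critical": 10, "high": 7, "medium": 5, "low": 3, "info": 1}
UDP_SAFE_BYTES = 1400  # assumption: fits one datagram on a 1500-byte MTU path

# Constructed sample finding; values mirror the example record above.
SAMPLE_FINDING = {
    "title": "Indirect prompt injection via RAG corpus", "severity": "high",
    "probe_id": "rag_indirect_v2", "endpoint_id": "ep_2026_abc123",
    "scan_id": "scan_2026_xyz789", "finding_id": "fnd_2026_xxxxxx",
    "frameworks": ["OWASP_LLM01", "MITRE_ATLAS_AML_T0051", "EU_AI_ACT_Art15"],
    "rt_ms": 1747800000000,
    "url": "https://penaxtra.com/app/findings/fnd_2026_xxxxxx",
}


def escape_header(value: str) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(finding: dict) -> str:
    """Render one finding as a CEF:0 record with the extension keys above."""
    header = "|".join(["CEF:0", "Penaxtra", "AISPM", "1.0", "penaxtra-finding",
                       escape_header(finding["title"]),
                       str(SEVERITY_TO_CEF[finding["severity"]])])
    ext = [("cs1Label", "probeId"), ("cs1", finding["probe_id"]),
           ("cs2Label", "endpointId"), ("cs2", finding["endpoint_id"]),
           ("cs3Label", "scanId"), ("cs3", finding["scan_id"]),
           ("cs4Label", "findingId"), ("cs4", finding["finding_id"]),
           ("cs5Label", "frameworks"), ("cs5", ",".join(finding["frameworks"])),
           ("rt", str(finding["rt_ms"])), ("request", finding["url"])]
    return header + "|" + " ".join(f"{k}={escape_extension(v)}" for k, v in ext)


def _split_header(record: str):
    """Consume the 7 pipe-delimited header fields, honouring backslash escapes."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):  # escaped char: take it literally
            buf.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    return fields, record[i:]  # the remainder is the extension


_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # unescaped key= positions


def _unescape_extension(raw: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_cef(record: str) -> dict:
    """Parse a CEF:0 record; resolve csNLabel/csN pairs as a Universal DSM does."""
    fields, ext = _split_header(record)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    keys = list(_EXT_KEY.finditer(ext))
    extension = {}
    for match, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        extension[match.group(1)] = _unescape_extension(ext[match.end():end])
    # cs1Label=probeId + cs1=x -> custom property probeId=x
    custom = {v: extension[k[:-5]] for k, v in extension.items()
              if k.endswith("Label") and k[:-5] in extension}
    if "frameworks" in custom:  # multi-value, comma-delimited property
        custom["frameworks"] = custom["frameworks"].split(",")
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "signature": fields[4], "name": fields[5], "severity": int(fields[6]),
            "extension": extension, "custom": custom}


def fits_udp(record: str, limit: int = UDP_SAFE_BYTES) -> bool:
    """False when a record is long enough to risk fragmentation or loss over UDP."""
    return len(record.encode("utf-8")) <= limit


if __name__ == "__main__":
    rec = build_cef(SAMPLE_FINDING)
    print(rec)
    print(parse_cef(rec)["custom"], "fits UDP:", fits_udp(rec))
```

Running the file prints the record for the constructed sample, the resolved custom properties (probeId, endpointId, scanId, findingId, frameworks as a list) and whether it fits the UDP threshold. The escaping matters in practice: a finding title containing a pipe, or a probe ID containing "=", would otherwise shift the header fields or split the extension and show up in QRadar as a mis-parsed or Unknown Log Source event.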

Security notes

  • TLS-wrapped syslog (TCP/6514) is supported; use the tcps:// URL scheme.
  • The record payload does NOT include raw prompts, only finding metadata and a redacted excerpt.
  • Delivery is at-most-once over UDP and at-least-once over TCP, backed by the platform's retry queue.

Last reviewed: 2026-06-13. Reviewed by: Engineering. Content type: Developer documentation. Reach the maintainers: [email protected].