Transcript of April 2021 DSM Guide - ibm.com
IBM QRadar: QRadar DSM Configuration Guide
Note: Before using this information and the product that it supports, read the information in “Notices” on page 1495.
Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2012, 2022. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Chapter 1. Event collection from third-party devices ..... 3
    Adding a DSM ..... 4
        Matcher (matcher) ..... 21
        JSON matcher (json-matcher) ..... 26
        LEEF matcher (leef-matcher) ..... 30
        CEF matcher (cef-matcher) ..... 31
        Name Value Pair matcher (namevaluepair-matcher) ..... 31
        Generic List matcher (genericlist-matcher) ..... 33
        XML Matcher (xml-matcher) ..... 34
        Multi-event modifier (event-match-multiple) ..... 35
        Single-event modifier (event-match-single) ..... 35
    Common regular expressions ..... 39
    Building regular expression patterns ..... 40
    Uploading extension documents to QRadar ..... 42
    Amazon Web Services protocol configuration options ..... 81
    Apache Kafka protocol configuration options ..... 90
        the Pub/Sub Subscription ..... 108
        Populating a Pub/Sub topic with data ..... 111
        Adding a Google Cloud Pub/Sub log source in QRadar ..... 112
    HCL BigFix SOAP protocol configuration options (formerly known as IBM BigFix) ..... 115
    HTTP Receiver protocol configuration options ..... 116
    IBM Cloud Object Storage protocol configuration options ..... 117
    IBM Fiberlink REST API protocol configuration options ..... 120
    IBM Security Verify Event Service protocol configuration options ..... 122
    JDBC protocol configuration options ..... 124
    JDBC - SiteProtector protocol configuration options ..... 128
    Juniper Networks NSM protocol configuration options ..... 130
    Juniper Security Binary Log Collector protocol configuration options ..... 130
    Log File protocol configuration options ..... 131
    Microsoft Azure Event Hubs protocol configuration options ..... 133
    Microsoft Defender for Endpoint SIEM REST API protocol configuration options ..... 146
    Microsoft DHCP protocol configuration options ..... 148
    Microsoft Exchange protocol configuration options ..... 151
    Microsoft Graph Security API protocol configuration options ..... 154
        Configuring Microsoft Graph Security API to communicate with QRadar ..... 155
    Microsoft IIS protocol configuration options ..... 156
    Microsoft Security Event Log protocol configuration options ..... 158
    Microsoft Security Event Log over MSRPC Protocol ..... 159
        Troubleshooting the Office 365 Message Trace REST API protocol ..... 164
    Okta REST API protocol configuration options ..... 168
    OPSEC/LEA protocol configuration options ..... 168
    Oracle Database Listener protocol configuration options ..... 170
    PCAP Syslog Combination protocol configuration options ..... 172
    SDEE protocol configuration options ..... 174
    SMB Tail protocol configuration options ..... 174
    SNMPv2 protocol configuration options ..... 176
    SNMPv3 protocol configuration options ..... 177
    Seculert Protection REST API protocol configuration options ..... 177
    Sophos Enterprise Console JDBC protocol configuration options ..... 179
    Sourcefire Defense Center eStreamer protocol options ..... 181
    Syslog Redirect protocol overview ..... 181
    TCP multiline syslog protocol configuration options ..... 182
    TLS Syslog protocol configuration options ..... 187

Part 3. DSMs ..... 231

Chapter 15. Amazon AWS Application Load Balancer Access Logs ..... 245
    Amazon AWS Application Load Balancer Access Logs DSM specifications ..... 245
    Publishing flow logs to an S3 bucket ..... 246
    Create an SQS queue and configure S3 ObjectCreated notifications ..... 246
        Finding the S3 bucket that contains the data that you want to collect ..... 247
        Creating the SQS queue that is used to receive ObjectCreated notifications ..... 247
        Setting up SQS queue permissions ..... 248
        Creating ObjectCreated notifications ..... 249
    Configuring security credentials for your AWS user account ..... 254
    Amazon AWS S3 REST API log source parameters for Amazon AWS Application Load Balancer Access Logs ..... 255
    Amazon AWS Application Load Balancer Access Logs sample event message ..... 255

    protocol ..... 258
    Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue ..... 258
    Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix ..... 270
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol ..... 276
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams ..... 277
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs ..... 282
    Amazon AWS CloudTrail sample event messages ..... 287

Chapter 18. Amazon AWS Network Firewall ..... 297
    Amazon AWS Network Firewall DSM specifications ..... 297
    Create an SQS queue and configure S3 ObjectCreated notifications ..... 298
        Finding the S3 bucket that contains the data that you want to collect ..... 298
        Creating the SQS queue that is used to receive ObjectCreated notifications ..... 298
Chapter 19. Amazon AWS Route 53 ..... 309
    Amazon AWS Route 53 DSM specifications ..... 309
    Configuring an Amazon AWS Route 53 log source by using the Amazon Web Services protocol and CloudWatch logs ..... 310
        Configuring public DNS query logging ..... 311
        Configuring Resolver query logging ..... 311
        Creating an Identity and Access Management (IAM) user in the AWS Management Console ..... 312
        Configuring security credentials for your AWS user account ..... 312
        Creating a log group in Amazon CloudWatch Logs to retrieve logs in QRadar ..... 313
        Amazon Web Services log source parameters for Amazon AWS Route 53 ..... 313
    Configuring an Amazon AWS Route 53 log source by using an S3 bucket with an SQS queue ..... 318
        Configuring Resolver query logging ..... 318
        Create an SQS queue and configure S3 ObjectCreated notifications ..... 319
            Finding the S3 bucket that contains the data that you want to collect ..... 319
            Creating the SQS queue that is used to receive ObjectCreated notifications ..... 319
            Setting up SQS queue permissions ..... 320
            Creating ObjectCreated notifications ..... 322
        Creating an Identity and Access Management (IAM) user in the AWS Management Console ..... 326
        Configuring security credentials for your AWS user account ..... 327
        Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using an SQS queue ..... 327
    Configuring an Amazon AWS Route 53 log source by using an S3 bucket with a directory prefix ..... 331
        Configuring Resolver query logging ..... 331
        Finding an S3 bucket name and directory prefix ..... 332
        Creating an Identity and Access Management (IAM) user in the AWS Management Console ..... 332
        Configuring security credentials for your AWS user account ..... 333
        Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using a directory prefix ..... 333
    Amazon AWS Route 53 sample event messages ..... 337

Chapter 21. Amazon AWS WAF ..... 345
    Amazon AWS WAF DSM specifications ..... 345
    Configuring Amazon AWS WAF to communicate with QRadar ..... 346
    Configuring security credentials for your AWS user account ..... 346
    Amazon AWS S3 REST API log source parameters for Amazon AWS WAF ..... 347
    Amazon AWS WAF sample event messages ..... 348

Chapter 22. Amazon GuardDuty ..... 351
    Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol ..... 351
        Creating an EventBridge rule for sending events ..... 354
        Creating an Identity and Access (IAM) user in the AWS Management Console ..... 355
    Configuring an Amazon GuardDuty log source by using the Amazon AWS S3 REST API protocol ..... 355
        Configuring Amazon GuardDuty to forward events to an AWS S3 Bucket ..... 358
    Amazon GuardDuty sample event messages ..... 358

Chapter 23. Amazon VPC Flow Logs ..... 363

Chapter 24. Ambiron TrustWave ipAngel ..... 369

Chapter 25. APC UPS ..... 371
    Configuring your APC UPS to forward syslog events ..... 372
    APC UPS sample event messages ..... 372

Chapter 28. Application Security DbProtect ..... 381
    Installing the DbProtect LEEF Relay Module ..... 382
    Configuring the DbProtect LEEF Relay ..... 382
    Configuring DbProtect alerts ..... 383

    Arbor Networks Pravail ..... 388
        Configuring your Arbor Networks Pravail system to send events to IBM QRadar ..... 389
        Arbor Networks Pravail sample event message ..... 390

Chapter 30. Arpeggio SIFT-IT ..... 391
    Configuring a SIFT-IT agent ..... 391
    Syslog log source parameters for Arpeggio SIFT-IT ..... 392
    Additional information ..... 392

Chapter 32. Aruba Networks ..... 397
    Aruba ClearPass Policy Manager ..... 397
    Aruba Introspect ..... 407
        Configuring Aruba Introspect to communicate with QRadar ..... 408

Chapter 34. BalaBit IT Security ..... 415
    BalaBit IT Security for Microsoft Windows Events ..... 415

Chapter 35. Barracuda ..... 423
    Barracuda Spam & Virus Firewall ..... 423
        devices that do not support LEEF ..... 426
    Barracuda Web Filter ..... 427
        Configuring syslog event forwarding ..... 427
        Syslog log source parameters for Barracuda Web Filter ..... 428
        Barracuda Web Filter sample event message ..... 428

Chapter 39. Box ..... 449
    Configuring Box to communicate with QRadar ..... 450
    Box sample event messages ..... 452

    Broadcom CA Top Secret ..... 466
        Log File log source parameter ..... 467
        Create a log source for near real-time event feed ..... 471
        Integrate Broadcom CA Top Secret with IBM QRadar by using audit scripts ..... 471
        Configuring Broadcom CA Top Secret that uses audit scripts to integrate with IBM QRadar ..... 471
    Broadcom Symantec SiteMinder ..... 474
        Broadcom Symantec SiteMinder DSM specifications ..... 474
        Syslog log source parameters for Broadcom Symantec SiteMinder ..... 475
        Configuring syslog-ng for Broadcom Symantec SiteMinder ..... 476
        Broadcom Symantec SiteMinder sample event messages ..... 477

    Bit9 Security Platform ..... 484
        Configuring Carbon Black Bit9 Security Platform to communicate with QRadar ..... 485

        with QRadar ..... 493
    Centrify Infrastructure Services sample event messages ..... 494

Chapter 45. Check Point ..... 495
    Integrate Check Point by using syslog ..... 495
        Syslog Redirect log source parameters for Check Point ..... 504
    Configuring Check Point to forward LEEF events to QRadar ..... 505
    Configuring QRadar to receive LEEF events from Check Point ..... 507
    Integration of Check Point Firewall events ..... 507
    Check Point Multi-Domain Management (Provider-1) ..... 508

Chapter 46. Cilasoft QJRN/400 ..... 513
    Configuring Cilasoft QJRN/400 ..... 513
    Syslog log source parameters for Cilasoft QJRN/400 ..... 514

    Cisco Cloud Web Security ..... 538
        Configuring Cloud Web Security to communicate with QRadar ..... 540
    Cisco Firepower Threat Defense ..... 549
        Cisco Firepower Threat Defense DSM specifications ..... 549
        Configuring Cisco Firepower Threat Defense to communicate with QRadar ..... 550
        Configuring QRadar to use previous connection event processing for Cisco Firepower Threat Defense ..... 550
        Cisco Firepower Threat Defense sample event message ..... 551
    Cisco FWSM ..... 552
        Configuring Cisco FWSM to forward syslog events ..... 552
        Syslog log source parameters for Cisco FWSM ..... 553
    Cisco Meraki ..... 567
        Cisco Meraki DSM specifications ..... 568
        Configure Cisco Meraki to communicate with IBM QRadar ..... 568
        Cisco Meraki sample event messages ..... 569
    Cisco Umbrella ..... 576
        Configure Cisco Umbrella to communicate with QRadar ..... 577
        Cisco Umbrella DSM specifications ..... 578
        Cisco Umbrella sample event messages ..... 578
    Cisco VPN 3000 Concentrator ..... 579
        Syslog log source parameters for Cisco VPN 3000 Concentrator ..... 579
    Cisco Wireless LAN Controllers ..... 580
        Configuring syslog for Cisco Wireless LAN Controller ..... 580
        Syslog log source parameters for Cisco Wireless LAN Controllers ..... 580
        Configuring SNMPv2 for Cisco Wireless LAN Controller ..... 581
        Configuring a trap receiver for Cisco Wireless LAN Controller ..... 582
        SNMPv2 log source parameters for Cisco Wireless LAN Controllers ..... 582
    Cisco Wireless Services Module ..... 584
        Configuring Cisco WiSM to forward events ..... 584
        Syslog log source parameters for Cisco WiSM ..... 586

    API protocol ..... 595
        Create an SQS queue and configure S3 ObjectCreated notifications ..... 595
        Configuring security credentials for your AWS user account ..... 603
    HTTP Receiver log source parameters for Cloudflare Logs ..... 604
    Amazon AWS S3 REST API log source parameters for Cloudflare Logs ..... 604
    Cloudflare Logs sample event messages ..... 606

Chapter 51. CloudPassage Halo ..... 607
    Configuring CloudPassage Halo for communication with QRadar ..... 607
    Syslog log source parameters for CloudPassage Halo ..... 609
    Log File log source parameters for CloudPassage Halo ..... 609

Chapter 53. Correlog Agent for IBM z/OS ..... 613
    Configuring your CorreLog Agent system for communication with QRadar ..... 614

Chapter 54. CrowdStrike Falcon ..... 615
    CrowdStrike Falcon DSM specifications ..... 615
    Configuring CrowdStrike Falcon to communicate with QRadar ..... 616
    Syslog log source parameters for CrowdStrike Falcon ..... 619
    CrowdStrike Falcon Host sample event message ..... 619

Chapter 56. CyberArk ..... 623
    CyberArk Privileged Threat Analytics ..... 623
        Configuring syslog for CyberArk Vault ..... 625
        Syslog log source parameters for CyberArk Vault ..... 625

Chapter 60. Digital China Networks (DCN) ..... 633
    Configuring a DCN DCS/DCRS Series Switch ..... 633
    Syslog log source parameters for DCN DCS/DCRS Series switches ..... 634

Chapter 61. Enterprise-IT-Security.com SF-Sherlock ..... 635
    Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar ..... 636

Chapter 63. ESET Remote Administrator ..... 643
    Configuring ESET Remote Administrator to communicate with QRadar ..... 644

    Extreme HiGuard Wireless IPS ..... 651
        Configuring Enterasys HiGuard ..... 652
        Syslog log source parameters for Extreme HiGuard ..... 652
    Extreme HiPath Wireless Controller ..... 653
        Configuring your HiPath Wireless Controller ..... 653
        Syslog log source parameters for Extreme HiPath ..... 653
        Syslog log source parameters for Extreme XSR Security Router ..... 660

Chapter 66. F5 Networks ..... 661
    F5 Networks BIG-IP AFM ..... 661
    F5 Networks BIG-IP ASM ..... 666
        Syslog log source parameters for F5 Networks BIG-IP ASM ..... 667
        F5 Networks BIG-IP ASM sample event message ..... 668
    F5 Networks FirePass ..... 672
        Configuring syslog forwarding for F5 FirePass ..... 672
        Syslog log source parameters for F5 Networks FirePass ..... 672

Chapter 69. Fidelis XPS ..... 683
    Configuring Fidelis XPS ..... 683
    Syslog log source parameters for Fidelis XPS ..... 684
    Fidelis XPS sample event messages ..... 684

    Forcepoint Sidewinder ..... 692
        Forcepoint Sidewinder DSM specifications ..... 693
        Configure Forcepoint Sidewinder to communicate with QRadar ..... 693
        Forcepoint Sidewinder sample event message ..... 693
    Forcepoint V-Series Content Gateway ..... 697
        Configure syslog for Forcepoint V-Series Content Gateway ..... 698
        Configuring the Management Console for Forcepoint V-Series Content Gateway ..... 698
        Enabling Event Logging for Forcepoint V-Series Content Gateway ..... 699
        Syslog log source parameters for Forcepoint V-Series Content Gateway ..... 699
        Log file protocol for Forcepoint V-Series Content Gateway ..... 699
        Forcepoint V-Series Content Gateway sample event messages ..... 701

Chapter 72. ForeScout
CounterACT.......................................................................................................
703 Syslog log source parameters for ForeScout
CounterACT................................................................703
Configuring the ForeScout CounterACT
Plug-in................................................................................
703 Configuring ForeScout CounterACT
Policies.....................................................................................
704 ForeScout CounterACT sample event
messages..............................................................................
705
Chapter 74. Foundry FastIron
................................................................................................................
711 Configuring syslog for Foundry
FastIron...........................................................................................
711 Syslog log source parameters for Foundry
FastIron.........................................................................
711
Chapter 75.
FreeRADIUS.........................................................................................................................713
Configuring your FreeRADIUS device to communicate with
QRadar............................................... 713
Generic
firewall..................................................................................................................................
718 Configuring event properties for generic firewall events
............................................................718
Syslog log source parameters for generic
firewall.......................................................................720
Chapter 77. genua
genugate...................................................................................................................
723 Configuring genua genugate to send events to
QRadar....................................................................724
genua genugate sample event
messages..........................................................................................724
Chapter 79. Google Cloud Platform Firewall ........ 731
Google Cloud Platform Firewall DSM specifications ........ 731
Configuring Google Cloud Platform Firewall to communicate with QRadar ........ 732
Google Cloud Pub/Sub log source parameters for Google Cloud Platform Firewall ........ 732
Sample event message ........ 733
Chapter 80. Google G Suite Activity Reports ........ 735
Google G Suite Activity Reports DSM specifications ........ 735
Configuring Google G Suite Activity Reports to communicate with QRadar ........ 736
Assigning a role to a user ........ 736
Creating a service account with viewer access ........ 737
Granting API client access to a service account ........ 738
Google G Suite Activity Reports log source parameters ........ 738
Google G Suite Activity Reports sample event messages ........ 739
Troubleshooting Google G Suite Activity Reports ........ 740
Invalid private keys ........ 740
Authorization errors ........ 741
Invalid email or username errors ........ 741
Invalid JSON formatting ........ 742
Network errors ........ 742
Google G Suite Activity Reports FAQ ........ 742
Chapter 83. HBGary Active Defense ........ 749
Configuring HBGary Active Defense ........ 749
Syslog log source parameters for HBGary Active Defense ........ 749
Chapter 85. Honeycomb Lexicon File Integrity Monitor (FIM) ........ 753
Supported Honeycomb FIM event types logged by QRadar ........ 753
Configuring the Lexicon mesh service ........ 753
Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor ........ 754
Chapter 86. Hewlett Packard Enterprise ........ 757
HPE Network Automation ........ 757
Chapter 87. Huawei ........ 763
Huawei AR Series Router ........ 763
Huawei S Series Switch ........ 764
Chapter 88. HyTrust CloudControl ........ 767
Configuring HyTrust CloudControl to communicate with QRadar ........ 768
IBM Cloud Platform (formerly known as IBM Bluemix Platform) ........ 791
Configuring IBM Cloud Platform to communicate with QRadar ........ 792
IBM DataPower ........ 794
Configuring IBM DataPower to communicate with QRadar ........ 795
IBM DLC Metrics ........ 804
IBM DLC Metrics DSM specifications ........ 804
Configuring IBM Disconnected Log Collector to communicate with QRadar ........ 805
Forwarded Log source parameters for IBM DLC Metrics ........ 806
IBM DLC Metrics sample event message ........ 806
IBM Federated Directory Server ........ 807
Configuring IBM Federated Directory Server to monitor security events ........ 808
IBM MaaS360 Security ........ 808
IBM Fiberlink REST API log source parameters for IBM MaaS360 Security ........ 809
Universal Cloud REST API log source parameters for IBM MaaS360 Security ........ 809
IBM MaaS360 Security sample event messages ........ 810
IBM Guardium ........ 811
Creating a syslog destination for events ........ 812
Configuring policies to generate syslog events ........ 813
Installing an IBM Guardium Policy ........ 813
Syslog log source parameters for IBM Guardium ........ 814
Creating an event map for IBM Guardium events ........ 814
Modifying the event map ........ 815
IBM Guardium sample event messages ........ 815
IBM Proventia ........ 825
IBM Proventia Management SiteProtector ........ 825
JDBC log source parameters for IBM Proventia Management SiteProtector ........ 825
IBM ISS Proventia ........ 826
IBM RACF ........ 829
Log File log source parameter ........ 830
Create a log source for near real-time event feed ........ 834
Integrate IBM RACF with IBM QRadar by using audit scripts ........ 835
Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar ........ 835
IBM SAN Volume Controller ........ 837
Configuring IBM SAN Volume Controller to communicate with QRadar ........ 839
IBM Security Access Manager for Enterprise Single Sign-On ........ 839
Configuring a log server type ........ 839
Configuring syslog forwarding ........ 840
Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-
IBM Security Directory Server ........ 844
IBM Security Directory Server DSM specifications ........ 845
Configuring IBM Security Directory Server to communicate with QRadar ........ 845
Syslog log source parameters for IBM Security Directory Server ........ 847
IBM Security Identity Governance ........ 847
JDBC log source parameters for IBM Security Identity Governance ........ 849
IBM Security Identity Manager ........ 850
IBM Security Network IPS (GX) ........ 854
Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar ........ 855
Syslog log source parameters for IBM Security Network IPS (GX) ........ 855
IBM QRadar Network Security XGS ........ 856
Configuring IBM QRadar Network Security XGS Alerts ........ 857
Syslog log source parameters for IBM QRadar Network Security XGS ........ 858
IBM Security Privileged Identity Manager ........ 858
Configuring IBM Security Privileged Identity Manager to communicate with QRadar ........ 861
IBM Security Privileged Identity Manager sample event message ........ 862
IBM Security Trusteer ........ 862
IBM Security Trusteer DSM specifications ........ 863
HTTP Receiver log source parameters for IBM Security Trusteer ........ 863
IBM Security Trusteer sample event messages ........ 864
Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar ........ 870
Configuring a Flat File Feed service ........ 872
IBM Security Trusteer Apex Local Event Aggregator ........ 873
IBM Security Verify DSM Specifications ........ 874
Configuring QRadar to pull events from IBM Security Verify ........ 875
IBM Security Verify Event Service log source parameters for IBM Security Verify ........ 875
IBM Security Verify sample event messages ........ 875
IBM Sense ........ 878
Configuring IBM Sense to communicate with QRadar ........ 880
IBM Tivoli Endpoint Manager ........ 884
IBM WebSphere Application Server ........ 884
Configuring Exporting Events to Syslog for Illumio PCE ........ 902
Configuring Syslog Forwarding for Illumio PCE ........ 903
Chapter 94. Infoblox NIOS ........ 915
Infoblox NIOS DSM specifications ........ 915
Infoblox NIOS sample event message ........ 916
Chapter 96. Itron Smart Meter ........ 919
Syslog log source parameters for Itron Smart Meter ........ 919
Juniper Networks EX Series Ethernet Switch ........ 923
Configuring IBM QRadar to receive events from a Juniper EX Series Ethernet Switch ........ 924
Juniper Networks IDP ........ 925
Configure a log source ........ 925
Juniper Networks Junos OS ........ 927
Syslog log source parameters for Juniper Junos OS ........ 929
Configure the PCAP Protocol ........ 929
PCAP Syslog Combination log source parameters for Juniper SRX Series ........ 930
Juniper Junos OS sample event message ........ 930
Juniper Networks Secure Access ........ 932
Juniper Networks Security Binary Log Collector ........ 932
Binary Log Collector ........ 933
Juniper Networks Steel-Belted Radius ........ 934
protocol ........ 938
Configuring a Juniper Steel-Belted Radius log source by using the Log File protocol ........ 939
Juniper Steel Belted Radius sample event message ........ 940
Juniper Networks vGW Virtual Gateway ........ 940
Juniper Networks Junos WebApp Secure ........ 941
Chapter 98. Kaspersky ........ 947
Kaspersky CyberTrace ........ 947
Chapter 99. Kisco Information Systems SafeNet/i ........ 959
Configuring Kisco Information Systems SafeNet/i to communicate with QRadar ........ 960
Chapter 100. Kubernetes Auditing ........ 963
Kubernetes Auditing DSM specifications ........ 963
Configuring Kubernetes Auditing to communicate with QRadar ........ 964
Kubernetes Auditing log source parameters ........ 965
Kubernetes Auditing sample event message ........ 965
Configuring your LOGbinder EX system to send Microsoft Exchange event logs to QRadar ........ 982
LOGbinder SP event collection from Microsoft SharePoint ........ 982
Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to QRadar ........ 983
LOGbinder SQL event collection from Microsoft SQL Server ........ 984
Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to QRadar ........ 985
Chapter 106. McAfee ........ 987
JDBC log source parameters for McAfee Application/Change Control ........ 987
McAfee ePolicy Orchestrator ........ 988
McAfee MVISION Cloud (formerly known as Skyhigh Networks Cloud Security Platform) ........ 994
Configuring McAfee MVISION Cloud to communicate with QRadar ........ 995
McAfee MVISION Cloud sample event messages ........ 996
McAfee Network Security Platform (formerly known as McAfee Intrushield) ........ 996
McAfee Network Security Platform DSM specifications ........ 997
Configuring alert events for McAfee Network Security Platform 2.x - 5.x ........ 998
McAfee Web Gateway ........ 1005
McAfee Web Gateway DSM integration process ........ 1006
Configuring McAfee Web Gateway to communicate with QRadar (syslog) ........ 1006
Importing the Syslog Log Handler ........ 1007
Configuring McAfee Web Gateway to communicate with IBM QRadar (log file protocol) ........ 1008
Pulling data by using the log file protocol ........ 1009
Creation of an event map for McAfee Web Gateway events ........ 1009
Discovering unknown events ........ 1009
Modifying the event map ........ 1010
McAfee Web Gateway sample event message ........ 1010
Chapter 107. Syslog log source parameters for MetaInfo MetaIP ........ 1013
Chapter 108. Microsoft ........ 1015
Microsoft 365 Defender ........ 1015
Microsoft Azure Security Center ........ 1028
Microsoft Azure Security Center DSM specifications ........ 1029
Microsoft Graph Security API protocol log source parameters for Microsoft Azure Security Center ........ 1029
Microsoft Azure Security Center sample event message ........ 1030
Microsoft Hyper-V ........ 1045
Microsoft Hyper-V DSM integration process ........ 1046
WinCollect log source parameters for Microsoft Hyper-V ........ 1046
Microsoft Office 365 Message Trace ........ 1055
Microsoft Office 365 Message Trace DSM specifications ........ 1055
Microsoft Office Message Trace REST API log source parameters for Microsoft Office Message Trace ........ 1056
Microsoft Office 365 Message Trace sample event message ........ 1057
Configuring a database view to collect audit events ........ 1059
Configuring Microsoft SharePoint audit events ........ 1059
Creating a database view for Microsoft SharePoint ........ 1060
Creating read-only permissions for Microsoft SharePoint database users ........ 1061
JDBC log source parameters for Microsoft SharePoint ........ 1061
JDBC log source parameters for Microsoft SharePoint with predefined database queries ........ 1063
Microsoft SQL Server ........ 1064
Microsoft SQL Server preparation for communication with QRadar ........ 1065
JDBC log source parameters for Microsoft SQL Server ........ 1067
Microsoft SQL Server sample event message ........ 1068
Installing the MSRPC protocol on the QRadar Console ........ 1070
MSRPC parameters on Windows hosts ........ 1071
Diagnosing connection issues with the MSRPC test tool ........ 1074
WMI parameters on Windows hosts ........ 1075
Installing Winlogbeat and Logstash on a Windows host ........ 1078
Configuring which usernames QRadar considers to be system users in events that are
Chapter 112. NetApp Data ONTAP ........ 1093
Chapter 115. NGINX HTTP Server ........ 1103
NGINX HTTP Server DSM specifications ........ 1103
Configuring NGINX HTTP Server to communicate with QRadar ........ 1104
NGINX HTTP Server sample event messages ........ 1104
Chapter 124. OpenBSD ........ 1145
Syslog log source parameters for OpenBSD ........ 1145
Configuring syslog for OpenBSD ........ 1145
Oracle Audit Vault ........ 1159
Configuring Oracle Audit Vault to communicate with QRadar ........ 1162
Oracle DB Listener ........ 1173
Oracle Database Listener log source parameters ........ 1173
Collecting Oracle database events by using Perl ........ 1173
Configuring the Oracle Database Listener within QRadar ........ 1175
Chapter 129. osquery ........ 1185
osquery DSM specifications ........ 1186
Configuring rsyslog on your Linux system ........ 1186
Configuring osquery on your Linux system ........ 1187
osquery log source parameters ........ 1188
osquery sample event message ........ 1188
Creating a forwarding policy on your Palo Alto PA Series device ........ 1205
Creating ArcSight CEF formatted Syslog events on your Palo Alto PA Series Networks Firewall device ........ 1205
TLS Syslog log source parameters for Palo Alto PA Series ........ 1207
Palo Alto PA Series Sample event message ........ 1207
Chapter 134. ProFTPd ........ 1223
Configuring ProFTPd ........ 1223
Syslog log source parameters for ProFTPd ........ 1223
IBM QRadar ........ 1226
Syslog log source parameters for Proofpoint Enterprise Protection and Enterprise Privacy ........ 1226
Configuring a Pulse Secure Pulse Connect Secure device to send WebTrends Enhanced Log File (WELF) events to IBM QRadar ........ 1231
Configuring a Pulse Secure Pulse Connect Secure device to send syslog events to QRadar ........ 1232
Pulse Secure Pulse Connect Secure sample event message ........ 1232
Chapter 137. Radware ........ 1235
Radware AppWall ........ 1235
Radware DefensePro ........ 1237
Syslog log source parameters for Radware DefensePro ........ 1238
xxvii
Chapter 142.
Riverbed..........................................................................................................................
1251 Riverbed SteelCentral NetProfiler (Cascade Profiler)
Audit...........................................................
1251
Configuring your Riverbed SteelCentral NetProfiler system to enable
communication with
QRadar...................................................................................................................................1255
Chapter 143. RSA Authentication
Manager..........................................................................................1257
Configuration of syslog for RSA Authentication Manager 6.x, 7.x and
8.x..................................... 1257 Configuring
Linux.............................................................................................................................
1257 Configuring
Windows.......................................................................................................................
1258 Configuring the log file protocol for RSA Authentication
Manager 6.x and 7.x.............................. 1258
Log File log source parameters for RSA Authentication
Manager............................................ 1259
Configuring RSA Authentication Manager
6.x.................................................................................
1259 Configuring RSA Authentication Manager
7.x.................................................................................
1260
Configuring the Salesforce Security Monitoring server to
communicate with QRadar............ 1264 Salesforce Rest API log
source parameters for Salesforce
Security........................................ 1264
Salesforce Security
Auditing............................................................................................................1265
Downloading the Salesforce audit trail
file................................................................................1266
Log File log source parameters for Salesforce Security
Auditing............................................. 1266
Detection.....................................................................................................................................1278
Creating a pattern filter on the SAP
server......................................................................................1279
Troubleshooting the SAP Enterprise Threat Detection Alert
API................................................... 1280 SAP
Enterprise Threat Detection sample event
messages............................................................
1281
Sophos
PureMessage.......................................................................................................................1306
Integrating QRadar with Sophos PureMessage for Microsoft
Exchange.................................. 1306 JDBC log source
parameters for Sophos
PureMessage............................................................
1306 Integrating QRadar with Sophos PureMessage for
Linux..........................................................1307
JDBC log source parameters for Sophos PureMessage for Microsoft
Exchange..................... 1308
Sophos Astaro Security
Gateway....................................................................................................
1309 Sophos Astaro Security Gateway sample event
messages.......................................................1310
Chapter 157. Starent
Networks............................................................................................................
1323
STEALTHbits StealthINTERCEPT
Alerts..........................................................................................
1329 Collecting alerts logs from STEALTHbits
StealthINTERCEPT...................................................
1330
Sun Solaris Basic Security Mode
(BSM)..........................................................................................
1339 Enabling Basic Security Mode in Solaris
10...............................................................................1339
Enabling Basic Security Mode in Solaris
11...............................................................................1339
Converting Sun Solaris BSM audit
logs......................................................................................
1340 Creating a cron job
.....................................................................................................................1340
Sun Solaris
OS..................................................................................................................................1346
Sun Solaris OS DSM
specifications............................................................................................
1346 Configuring Sun Solaris OS to communicate with
QRadar........................................................ 1346
Syslog log source parameters for Sun Solaris
OS......................................................................1347
Sun Solaris OS sample event
messages....................................................................................
1347
Symantec
SGS..................................................................................................................................1370
Syslog log source parameters for Symantec
SGS.....................................................................
1370
Syslog log source parameters for ThreatGRID Malware Threat
Intelligence Platform............1379 Log File log source
parameters for ThreatGRID Malware Threat Intelligence
Platform..........1381
Chapter 165.
TippingPoint....................................................................................................................
1385 TippingPoint Intrusion Prevention System
.....................................................................................1385
xxx
Chapter 166. Top Layer
IPS..................................................................................................................1389
Trend Micro Apex
One......................................................................................................................1397
Integrating with Trend Micro Apex One 8.x
..............................................................................
1397 Integrating with Trend Micro Apex One 10.x
............................................................................1398
Integrating with Trend Micro Apex One XG
..............................................................................
1400 Changing the date format in QRadar to match the date format
for your Trend Micro Apex
One
device.............................................................................................................................
1401 SNMPv2 log source parameters for Trend Micro Apex
One......................................................
1402
Trend Micro Deep Discovery
Analyzer.............................................................................................1405
Configuring your Trend Micro Deep Discovery Analyzer instance for
communication with
QRadar...................................................................................................................................1406
Trend Micro Deep Discovery
Director..............................................................................................1407
Trend Micro Deep Discovery Email
Inspector.................................................................................
1410 Configuring Trend Micro Deep Discovery Email Inspector to
communicate with QRadar....... 1411
Trend Micro Deep Discovery
Inspector...........................................................................................
1412 Configuring Trend Micro Deep Discovery Inspector V3.0 to send
events to QRadar............... 1413 Configuring Trend Micro Deep
Discovery Inspector V3.8, V5.0 and V5.1 to send events to
QRadar...................................................................................................................................1414
Trend Micro Deep
Security...............................................................................................................1414
Chapter 169.
Tripwire............................................................................................................................1417
Chapter 176. Vericept Content 360
DSM.............................................................................................1437
Chapter 177.
VMware............................................................................................................................1439
VMware
AppDefense........................................................................................................................1439
VMware Carbon Black App Control (formerly known as Carbon Black
Protection).......................1443 VMware Carbon Black App
Control DSM
specifications............................................................1444
Configuring VMware Carbon Black App Control to communicate with
QRadar....................... 1444 Syslog log source parameters for
VMware Carbon Black App
Control..................................... 1445 VMware Carbon
Black App Control sample event
messages...................................................
1445
VMware ESX and
ESXi......................................................................................................................1446
Configuring syslog on VMware ESX and ESXi
servers...............................................................
1446 Enabling syslog firewall settings on vSphere
Clients................................................................
1447 Syslog log source parameters for VMware ESX or ESXi
........................................................... 1448
Configuring the EMC VMWare protocol for ESX or ESXi
servers............................................... 1449
Creating an account for QRadar in
ESX......................................................................................1449
Configuring read-only account
permissions..............................................................................1450
EMC VMWare log source parameters for VMware ESX or ESXi
................................................ 1450 EMC VMWare
sample event
messages......................................................................................
1451
VMware
vCenter...............................................................................................................................1452
EMC VMWare log source parameters for VMware
vCenter....................................................... 1452
VMware vCenter sample event
message...................................................................................1452
VMware
vShield................................................................................................................................1455
VMware vShield DSM integration
process.................................................................................
1456 Configuring your VMware vShield system for communication with
IBM QRadar.....................1456 Syslog log source parameters
for VMware
vShield...................................................................
1456
xxxii
with
QRadar................................................................................................................................
1464 Configuring your WatchGuard Fireware OS appliance in Fireware
XTM for communication with
QRadar........................................................................................................................................
1464 Syslog log source parameters for WatchGuard Fireware
OS..........................................................1465
About this DSM Configuration Guide
The DSM Configuration guide provides instructions about how to
collect data from your third-party devices, also known as log
sources.
You can configure IBM QRadar to accept event logs from log sources
that are on your network. A log source is a data source that
creates an event log.
Note: This guide describes the Device Support Modules (DSMs) that
are produced by IBM. Third-party DSMs are available on the IBM App
Exchange, but are not documented here.
Intended audience
System administrators who use this guide must have QRadar access and knowledge of corporate network security concepts and device configurations.
Technical documentation
To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar products library, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Contacting customer support
For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being
altered, destroyed, misappropriated or misused or can result in
damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely
secure and no single product, service or security measure can be
completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful
comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL
MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
Please Note:
Use of this Program may implicate various laws or regulations,
including those related to privacy, data protection, employment,
and electronic communications and storage. IBM Security QRadar may
be used only for lawful purposes and in a lawful manner. Customer
agrees to use this Program pursuant to, and assumes all
responsibility for complying with, applicable laws, regulations and
policies. Licensee represents that it will obtain or has obtained
any consents, permissions, or licenses required to enable its
lawful use of IBM Security QRadar.
© Copyright IBM Corp. 2012, 2022 xxxv
Part 1. QRadar DSM installation and log source management
Chapter 1. Event collection from third-party devices
To configure event collection from third-party devices, you need to complete configuration tasks on the third-party device and on your QRadar Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.
Log sources
A log source is any external device, system, or cloud service that is configured either to send events to your IBM QRadar system or to be polled by your QRadar system. QRadar shows events from log sources in the Log Activity tab.
To receive raw events from log sources, QRadar supports several protocols, including syslog (from operating systems, applications, firewalls, and IPS/IDS), SNMP, SOAP, and JDBC (for data from database tables and views). QRadar also supports proprietary vendor-specific protocols such as OPSEC/LEA from Check Point.
DSMs
A Device Support Module (DSM) is a code module that parses events received from multiple log sources and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM. For example, the IBM Fiberlink MaaS360 DSM parses and normalizes events from an IBM Fiberlink MaaS360 log source.
Automatic updates
QRadar provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about automatic updates, see the IBM QRadar Administration Guide.
Third-party device installation process
To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your QRadar system. For some third-party devices, extra configuration steps are needed, such as configuring a certificate to enable communication between that device and QRadar.
The following steps represent a typical installation process:
1. Read the specific instructions for how to integrate your third-party device.
2. Download and install the RPM for your third-party device. RPMs are available for download from the IBM support website (http://www.ibm.com/support).
Tip: If your QRadar system is configured to accept automatic updates, this step might not be required.
3. Configure the third-party device to send events to QRadar.
After some events are received, QRadar automatically detects some third-party devices and creates a log source configuration. The log source is listed on the Log Sources list and contains default information. You can customize the information.
4. If QRadar does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.
5. Deploy the configuration changes and restart your web services.
Custom log source types for unsupported third-party log sources
After the events are collected and before the correlation can begin, individual events from your devices must be properly normalized. Normalization means to map information to common field names, such
For more information, see the IBM QRadar Administration
Guide.
Adding a DSM
If your Device Support Module (DSM) is not automatically discovered, manually install a DSM.
Each type of log source has a corresponding DSM that parses and normalizes events from the log source.
Procedure
1. Download the DSM RPM file from the IBM support website (http://www.ibm.com/support).
2. Copy the RPM file to QRadar.
3. Using SSH, log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
yum -y install <rpm_filename>
Note: The earlier install command, rpm -Uvh <rpm_filename>, is replaced by yum -y install <rpm_filename>.
6. Log in to QRadar.
7. On the Admin tab, click Deploy Changes.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
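Both procedures above (the typical installation process and Adding a DSM) have you download an RPM, copy it to the host and run yum -y install as root, with no step that checks what is about to be installed. The following preflight script is an added example, not part of the IBM guide and not QRadar's own tooling: it refuses to hand a package to yum unless rpm -K (rpm --checksig) reports a verified signature. It assumes that the IBM package-signing key has already been imported into the rpm database (rpm --import <key>), that DSM packages follow the DSM-<Device>-<version>.noarch.rpm naming seen on IBM Fix Central, and that rpm -K prints one of the two output shapes handled below (rpm 4.11 on RHEL 7, rpm 4.14 and later on RHEL 8). All three are assumptions of the example; confirm the output format on your own host before relying on it.

```python
"""Preflight for a DSM RPM before ``yum -y install`` on a QRadar host.

Added example, not from the IBM guide. Assumptions: the IBM signing key is
already imported (``rpm --import``), DSM packages are named
DSM-<Device>-<version>.noarch.rpm, and ``rpm -K`` output looks like one of:
  rpm 4.11:  <file>: rsa sha1 (md5) pgp md5 OK      (signed, key known)
             <file>: sha1 md5 OK                    (unsigned)
  rpm 4.14+: <file>: digests signatures OK          (signed, key known)
             <file>: digests OK                     (unsigned)
             <file>: digests SIGNATURES NOT OK      (bad sig or missing key)
An unsigned package still passes its digest checks, so "OK" alone is not a
signature check; that is the mistake this script exists to avoid.
"""
import os
import re
import subprocess
from typing import List

# Tokens rpm prints only when it actually verified a PGP/GPG signature.
_SIG_MARKERS = re.compile(r"\b(pgp|gpg|rsa|dsa|signatures)\b", re.IGNORECASE)


def checksig_verified(output: str) -> bool:
    """True only if the last line of ``rpm -K`` output reports a verified signature."""
    text = output.strip()
    if not text:
        return False
    line = text.splitlines()[-1]
    # Drop the "<file>: " prefix so a file name containing "rsa" cannot fool us.
    _, sep, verdict = line.partition(": ")
    if not sep:
        return False
    if re.search(r"\bNOT\s+OK\b", verdict, re.IGNORECASE):
        return False  # bad signature, or the signing key is not imported
    if not re.search(r"\bOK\s*$", verdict):
        return False
    return bool(_SIG_MARKERS.search(verdict))  # digests-only "OK" means unsigned


def looks_like_dsm_rpm(path: str) -> bool:
    """Cheap name check against the assumed DSM-<Device>-<version>.noarch.rpm pattern."""
    name = os.path.basename(path)
    return name.startswith("DSM-") and name.endswith(".rpm")


def install_command(path: str) -> List[str]:
    """The command from the guide, as an argv list so no shell parses the path."""
    return ["yum", "-y", "install", path]


def preflight(path: str) -> List[str]:
    """Return the yum argv for ``path`` if it passes every check; raise otherwise."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    if not looks_like_dsm_rpm(path):
        raise ValueError(f"{path}: file name does not look like a DSM RPM")
    proc = subprocess.run(["rpm", "-K", path], capture_output=True, text=True, check=False)
    if not checksig_verified(proc.stdout):
        detail = proc.stdout.strip() or proc.stderr.strip()
        raise RuntimeError(f"refusing to install {path}: {detail}")
    return install_command(path)


if __name__ == "__main__":
    import sys
    # Run as root on the QRadar host; afterwards use Admin > Deploy Changes as the guide says.
    subprocess.run(preflight(sys.argv[1]), check=True)
```

Run it as root in the directory that holds the downloaded file (python3 preflight.py DSM-<Device>-<version>.noarch.rpm); it performs step 5 of the procedure only when the signature verifies, and steps 6 and 7 remain manual. If rpm -K reports NOT OK with a missing-keys message, the fix is to import the vendor key, not to skip the check.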
For example, a firewall or intrusion prevention system (IPS) logs security-based events, and switches or routers log network-based events.
To receive raw events from log sources, QRadar supports many protocols. Passive protocols listen for events on specific ports. Active protocols use APIs or other communication methods to connect to external systems and poll for and retrieve events.
Depending on your license limits, QRadar can read and interpret events from more than 300 log sources.
To configure a log source for QRadar, you must do the following tasks:
1. Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events from the original format of the event log to the format that QRadar can use.
2. If automatic discovery is supported for the DSM, wait for QRadar to automatically add the log source to your list of configured log sources.
3. If automatic discovery is not supported for the DSM, manually create the log source configuration.
Related tasks
"Adding a log source" on page 5
"Adding bulk log sources" on page 8
"Adding a log source parsing order" on page 11
You can assign a priority order for when the events are parsed by the target event collector.
"Adding a DSM" on page 4
Adding a log source
If the log source is not automatically discovered, manually add it by using the QRadar Log Source Management app so that you can receive events from your network devices or appliances.
If you are using QRadar 7.3.1 to 7.3.3, you can also add a log source by using the Log Sources icon.
Before you begin
Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.
Procedure
1. Log in to QRadar.
2. Click the Admin tab.
3. To open the app, click the QRadar Log Source Management app icon.
4. Click New Log Source > Single Log Source.
5. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
6. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
7. On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters.
The following table describes the common log source parameters for
all log source types:
Log Source Identifier: The IPv4 address or hostname that identifies the log source.
If your network contains multiple devices that are attached to a single management console, specify the IP address of the device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled: When this option is not enabled, the log source does not collect events.

Credibility: Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Specifies the QRadar Event Collector that polls the remote log source.
Use this parameter in a distributed deployment to improve console system performance by moving the polling task to an Event Collector.

Coalescing Events: When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.
Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?
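The Log Source Identifier and Coalescing Events entries in the table above describe behaviour that is easier to see on data. The following model is an added example, not from the IBM guide and not QRadar's implementation. It attributes each event to the hostname in the syslog header rather than to the address that delivered it, then coalesces on the seven fields the table lists over a 10-second window. Everything specific in it is constructed: the firewalls fw-edge-01 and fw-edge-02, the relay at 10.0.0.2, the key=value message format, the QID numbers, and the rule that the window is measured from the first event in a bundle, which the guide does not spell out.

```python
"""Log Source Identifier and Coalescing Events, modelled in code.

Added example: not from the IBM guide and not QRadar's code. It models two
parameters from the table above. The Log Source Identifier is taken from the
syslog header's hostname (the device that created the event), not from the IP
that delivered it (a relay or management console). Events sharing QID,
Username, Source IP, Destination IP, Destination Port, Domain and Log Source
within a 10-second window are coalesced and only the first payload survives.
Constructed for the example: the syslog lines, the firewall's key=value message
format, the QID mapping, and the rule that the window starts at the bundle's
first event (QRadar's own coalescing internals are not documented here).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COALESCE_WINDOW_SECONDS = 10  # the interval stated in the guide
QID_BY_ACTION = {"deny": 4, "accept": 1}  # constructed QID mapping
# RFC 3164-shaped header, then the constructed key=value message.
_SYSLOG_RE = re.compile(
    r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


@dataclass
class Event:
    log_source: str  # the Log Source Identifier the event is attributed to
    seconds: int     # time of day in seconds, from the header
    qid: int
    username: str
    src: str
    dst: str
    dport: int
    domain: str
    payload: str


def parse_syslog(line: str, sender_ip: str, identifier_from_header: bool = True,
                 domain: str = "Default") -> Event:
    """Parse one line into the fields coalescing keys on.

    identifier_from_header=True attributes the event to the header hostname,
    the originating device. False attributes it to sender_ip, which is what
    happens when every device behind a relay is identified by the relay's
    address: the mistake the table warns about.
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    kv = dict(re.findall(r"(\w+)=(\S+)", m["msg"]))
    return Event(
        log_source=m["host"] if identifier_from_header else sender_ip,
        seconds=hh * 3600 + mm * 60 + ss,
        qid=QID_BY_ACTION.get(kv.get("action", ""), 0),
        username=kv.get("user", ""), src=kv.get("src", ""), dst=kv.get("dst", ""),
        dport=int(kv.get("dport", "0")), domain=domain, payload=line,
    )


@dataclass
class Bundle:
    first: Event  # the only payload that survives coalescing
    count: int = 1
    dropped_payloads: List[str] = field(default_factory=list)


def coalesce_key(e: Event) -> Tuple:
    return (e.qid, e.username, e.src, e.dst, e.dport, e.domain, e.log_source)


def coalesce(events: List[Event], window: int = COALESCE_WINDOW_SECONDS) -> List[Bundle]:
    """Bundle events with the same key that fall within `window` seconds of the
    bundle's first event; a later match opens a new bundle."""
    open_bundles: Dict[Tuple, Bundle] = {}
    bundles: List[Bundle] = []
    for e in sorted(events, key=lambda ev: ev.seconds):
        k = coalesce_key(e)
        b = open_bundles.get(k)
        if b is not None and e.seconds - b.first.seconds < window:
            b.count += 1
            b.dropped_payloads.append(e.payload)  # this is the information loss
        else:
            b = Bundle(first=e)
            open_bundles[k] = b
            bundles.append(b)
    return bundles


# Constructed sample: two firewalls behind one syslog relay at 10.0.0.2.
RELAY_IP = "10.0.0.2"
SAMPLE_LINES = [
    "<134>Jan 12 10:00:01 fw-edge-01 action=deny user=alice src=10.1.1.5 dst=203.0.113.9 dport=445 rule=block-smb",
    "<134>Jan 12 10:00:04 fw-edge-01 action=deny user=alice src=10.1.1.5 dst=203.0.113.9 dport=445 rule=block-smb-egress",
    "<134>Jan 12 10:00:06 fw-edge-02 action=deny user=alice src=10.1.1.5 dst=203.0.113.9 dport=445 rule=block-smb",
    "<134>Jan 12 10:00:07 fw-edge-01 action=deny user=bob src=10.1.1.6 dst=203.0.113.9 dport=445 rule=block-smb",
    "<134>Jan 12 10:00:15 fw-edge-01 action=deny user=alice src=10.1.1.5 dst=203.0.113.9 dport=445 rule=block-smb",
]


def ingest(lines: List[str], identifier_from_header: bool = True) -> List[Bundle]:
    return coalesce([parse_syslog(ln, RELAY_IP, identifier_from_header) for ln in lines])


if __name__ == "__main__":
    for from_header in (True, False):
        print("identifier from header" if from_header else "identifier = relay IP")
        for b in ingest(SAMPLE_LINES, from_header):
            print(f"  {b.first.log_source:11} {b.first.username:6} x{b.count}"
                  f"  payloads dropped={len(b.dropped_payloads)}")
```

Run stand-alone it prints both attributions. With the header hostname as identifier, fw-edge-02's denial is its own bundle; identified by the relay address, it is absorbed into fw-edge-01's bundle, which is the "management console as the source for all of the events" effect the table warns about. In both modes the second line's rule=block-smb-egress payload is gone after coalescing, the loss of raw payload the table mentions; if that payload matters to a detection, disable coalescing on that log source.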
8. On the Configure the protocol parameters page, configure the protocol-specific parameters.
• If your configuration can be tested, click Test Protocol Parameters.
• If your configuration cannot be tested, click Finish.
9. In the Test protocol parameters window, click Start Test.
10. To fix any errors, click Configure Protocol Parame