April 2021 DSM Guide - ibm.com

IBM QRadar DSM Configuration Guide January 2022 IBM


IBM QRadar: QRadar DSM Configuration Guide
Note
Before using this information and the product that it supports, read the information in “Notices” on page 1495.
Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2012, 2022. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Chapter 1. Event collection from third-party devices .... 3
    Adding a DSM .... 4
        Matcher (matcher) .... 21
        JSON matcher (json-matcher) .... 26
        LEEF matcher (leef-matcher) .... 30
        CEF matcher (cef-matcher) .... 31
        Name Value Pair matcher (namevaluepair-matcher) .... 31
        Generic List matcher (genericlist-matcher) .... 33
        XML Matcher (xml-matcher) .... 34
        Multi-event modifier (event-match-multiple) .... 35
        Single-event modifier (event-match-single) .... 35
    Common regular expressions .... 39
    Building regular expression patterns .... 40
    Uploading extension documents to QRadar .... 42
    Amazon Web Services protocol configuration options .... 81
    Apache Kafka protocol configuration options .... 90
        the Pub/Sub Subscription .... 108
        Populating a Pub/Sub topic with data .... 111
        Adding a Google Cloud Pub/Sub log source in QRadar .... 112
    HCL BigFix SOAP protocol configuration options (formerly known as IBM BigFix) .... 115
    HTTP Receiver protocol configuration options .... 116
    IBM Cloud Object Storage protocol configuration options .... 117
    IBM Fiberlink REST API protocol configuration options .... 120
    IBM Security Verify Event Service protocol configuration options .... 122
    JDBC protocol configuration options .... 124
    JDBC - SiteProtector protocol configuration options .... 128
    Juniper Networks NSM protocol configuration options .... 130
    Juniper Security Binary Log Collector protocol configuration options .... 130
    Log File protocol configuration options .... 131
    Microsoft Azure Event Hubs protocol configuration options .... 133
    Microsoft Defender for Endpoint SIEM REST API protocol configuration options .... 146
    Microsoft DHCP protocol configuration options .... 148
    Microsoft Exchange protocol configuration options .... 151
    Microsoft Graph Security API protocol configuration options .... 154
        Configuring Microsoft Graph Security API to communicate with QRadar .... 155
    Microsoft IIS protocol configuration options .... 156
    Microsoft Security Event Log protocol configuration options .... 158
        Microsoft Security Event Log over MSRPC Protocol .... 159
        Troubleshooting the Office 365 Message Trace REST API protocol .... 164
    Okta REST API protocol configuration options .... 168
    OPSEC/LEA protocol configuration options .... 168
    Oracle Database Listener protocol configuration options .... 170
    PCAP Syslog Combination protocol configuration options .... 172
    SDEE protocol configuration options .... 174
    SMB Tail protocol configuration options .... 174
    SNMPv2 protocol configuration options .... 176
    SNMPv3 protocol configuration options .... 177
    Seculert Protection REST API protocol configuration options .... 177
    Sophos Enterprise Console JDBC protocol configuration options .... 179
    Sourcefire Defense Center eStreamer protocol options .... 181
    Syslog Redirect protocol overview .... 181
    TCP multiline syslog protocol configuration options .... 182
    TLS Syslog protocol configuration options .... 187
Part 3. DSMs .... 231

Chapter 15. Amazon AWS Application Load Balancer Access Logs .... 245
    Amazon AWS Application Load Balancer Access Logs DSM specifications .... 245
    Publishing flow logs to an S3 bucket .... 246
    Create an SQS queue and configure S3 ObjectCreated notifications .... 246
        Finding the S3 bucket that contains the data that you want to collect .... 247
        Creating the SQS queue that is used to receive ObjectCreated notifications .... 247
        Setting up SQS queue permissions .... 248
        Creating ObjectCreated notifications .... 249
    Configuring security credentials for your AWS user account .... 254
    Amazon AWS S3 REST API log source parameters for Amazon AWS Application Load Balancer Access Logs .... 255
    Amazon AWS Application Load Balancer Access Logs sample event message .... 255
    protocol .... 258
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue .... 258
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix .... 270
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol .... 276
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams .... 277
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs .... 282
    Amazon AWS CloudTrail sample event messages .... 287

Chapter 18. Amazon AWS Network Firewall .... 297
    Amazon AWS Network Firewall DSM specifications .... 297
    Create an SQS queue and configure S3 ObjectCreated notifications .... 298
        Finding the S3 bucket that contains the data that you want to collect .... 298
        Creating the SQS queue that is used to receive ObjectCreated notifications .... 298
Chapter 19. Amazon AWS Route 53 .... 309
    Amazon AWS Route 53 DSM specifications .... 309
    Configuring an Amazon AWS Route 53 log source by using the Amazon Web Services protocol and CloudWatch logs .... 310
        Configuring public DNS query logging .... 311
        Configuring Resolver query logging .... 311
        Creating an Identity and Access Management (IAM) user in the AWS Management Console .... 312
        Configuring security credentials for your AWS user account .... 312
        Creating a log group in Amazon CloudWatch Logs to retrieve logs in QRadar .... 313
        Amazon Web Services log source parameters for Amazon AWS Route 53 .... 313
    Configuring an Amazon AWS Route 53 log source by using an S3 bucket with an SQS queue .... 318
        Configuring Resolver query logging .... 318
        Create an SQS queue and configure S3 ObjectCreated notifications .... 319
        Finding the S3 bucket that contains the data that you want to collect .... 319
        Creating the SQS queue that is used to receive ObjectCreated notifications .... 319
        Setting up SQS queue permissions .... 320
        Creating ObjectCreated notifications .... 322
        Creating an Identity and Access Management (IAM) user in the AWS Management Console .... 326
        Configuring security credentials for your AWS user account .... 327
        Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using an SQS queue .... 327
    Configuring an Amazon AWS Route 53 log source by using an S3 bucket with a directory prefix .... 331
        Configuring Resolver query logging .... 331
        Finding an S3 bucket name and directory prefix .... 332
        Creating an Identity and Access Management (IAM) user in the AWS Management Console .... 332
        Configuring security credentials for your AWS user account .... 333
        Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using a directory prefix .... 333
    Amazon AWS Route 53 sample event messages .... 337

Chapter 21. Amazon AWS WAF .... 345
    Amazon AWS WAF DSM specifications .... 345
    Configuring Amazon AWS WAF to communicate with QRadar .... 346
    Configuring security credentials for your AWS user account .... 346
    Amazon AWS S3 REST API log source parameters for Amazon AWS WAF .... 347
    Amazon AWS WAF sample event messages .... 348

Chapter 22. Amazon GuardDuty .... 351
    Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol .... 351
    Creating an EventBridge rule for sending events .... 354
    Creating an Identity and Access (IAM) user in the AWS Management Console .... 355
    Configuring an Amazon GuardDuty log source by using the Amazon AWS S3 REST API protocol .... 355
    Configuring Amazon GuardDuty to forward events to an AWS S3 Bucket .... 358
    Amazon GuardDuty sample event messages .... 358

Chapter 23. Amazon VPC Flow Logs .... 363

Chapter 24. Ambiron TrustWave ipAngel .... 369

Chapter 25. APC UPS .... 371
    Configuring your APC UPS to forward syslog events .... 372
    APC UPS sample event messages .... 372

Chapter 28. Application Security DbProtect .... 381
    Installing the DbProtect LEEF Relay Module .... 382
    Configuring the DbProtect LEEF Relay .... 382
    Configuring DbProtect alerts .... 383

    Arbor Networks Pravail .... 388
        Configuring your Arbor Networks Pravail system to send events to IBM QRadar .... 389
        Arbor Networks Pravail sample event message .... 390

Chapter 30. Arpeggio SIFT-IT .... 391
    Configuring a SIFT-IT agent .... 391
    Syslog log source parameters for Arpeggio SIFT-IT .... 392
    Additional information .... 392

Chapter 32. Aruba Networks .... 397
    Aruba ClearPass Policy Manager .... 397
    Aruba Introspect .... 407
        Configuring Aruba Introspect to communicate with QRadar .... 408

Chapter 34. BalaBit IT Security .... 415
    BalaBit IT Security for Microsoft Windows Events .... 415

Chapter 35. Barracuda .... 423
    Barracuda Spam & Virus Firewall .... 423
        devices that do not support LEEF .... 426
    Barracuda Web Filter .... 427
        Configuring syslog event forwarding .... 427
        Syslog log source parameters for Barracuda Web Filter .... 428
        Barracuda Web Filter sample event message .... 428

Chapter 39. Box .... 449
    Configuring Box to communicate with QRadar .... 450
    Box sample event messages .... 452

    Broadcom CA Top Secret .... 466
        Log File log source parameter .... 467
        Create a log source for near real-time event feed .... 471
        Integrate Broadcom CA Top Secret with IBM QRadar by using audit scripts .... 471
        Configuring Broadcom CA Top Secret that uses audit scripts to integrate with IBM QRadar .... 471
    Broadcom Symantec SiteMinder .... 474
        Broadcom Symantec SiteMinder DSM specifications .... 474
        Syslog log source parameters for Broadcom Symantec SiteMinder .... 475
        Configuring syslog-ng for Broadcom Symantec SiteMinder .... 476
        Broadcom Symantec SiteMinder sample event messages .... 477

    Bit9 Security Platform .... 484
        Configuring Carbon Black Bit9 Security Platform to communicate with QRadar .... 485

        with QRadar .... 493
        Centrify Infrastructure Services sample event messages .... 494

Chapter 45. Check Point .... 495
    Integrate Check Point by using syslog .... 495
    Syslog Redirect log source parameters for Check Point .... 504
    Configuring Check Point to forward LEEF events to QRadar .... 505
    Configuring QRadar to receive LEEF events from Check Point .... 507
    Integration of Check Point Firewall events .... 507
    Check Point Multi-Domain Management (Provider-1) .... 508

Chapter 46. Cilasoft QJRN/400 .... 513
    Configuring Cilasoft QJRN/400 .... 513
    Syslog log source parameters for Cilasoft QJRN/400 .... 514

    Cisco Cloud Web Security .... 538
        Configuring Cloud Web Security to communicate with QRadar .... 540
    Cisco Firepower Threat Defense .... 549
        Cisco Firepower Threat Defense DSM specifications .... 549
        Configuring Cisco Firepower Threat Defense to communicate with QRadar .... 550
        Configuring QRadar to use previous connection event processing for Cisco Firepower Threat Defense .... 550
        Cisco Firepower Threat Defense sample event message .... 551
    Cisco FWSM .... 552
        Configuring Cisco FWSM to forward syslog events .... 552
        Syslog log source parameters for Cisco FWSM .... 553
    Cisco Meraki .... 567
        Cisco Meraki DSM specifications .... 568
        Configure Cisco Meraki to communicate with IBM QRadar .... 568
        Cisco Meraki sample event messages .... 569
    Cisco Umbrella .... 576
        Configure Cisco Umbrella to communicate with QRadar .... 577
        Cisco Umbrella DSM specifications .... 578
        Cisco Umbrella sample event messages .... 578
    Cisco VPN 3000 Concentrator .... 579
        Syslog log source parameters for Cisco VPN 3000 Concentrator .... 579
    Cisco Wireless LAN Controllers .... 580
        Configuring syslog for Cisco Wireless LAN Controller .... 580
        Syslog log source parameters for Cisco Wireless LAN Controllers .... 580
        Configuring SNMPv2 for Cisco Wireless LAN Controller .... 581
        Configuring a trap receiver for Cisco Wireless LAN Controller .... 582
        SNMPv2 log source parameters for Cisco Wireless LAN Controllers .... 582
    Cisco Wireless Services Module .... 584
        Configuring Cisco WiSM to forward events .... 584
        Syslog log source parameters for Cisco WiSM .... 586

    API protocol .... 595
    Create an SQS queue and configure S3 ObjectCreated notifications .... 595
    Configuring security credentials for your AWS user account .... 603
    HTTP Receiver log source parameters for Cloudflare Logs .... 604
    Amazon AWS S3 REST API log source parameters for Cloudflare Logs .... 604
    Cloudflare Logs sample event messages .... 606

Chapter 51. CloudPassage Halo .... 607
    Configuring CloudPassage Halo for communication with QRadar .... 607
    Syslog log source parameters for CloudPassage Halo .... 609
    Log File log source parameters for CloudPassage Halo .... 609

Chapter 53. Correlog Agent for IBM z/OS .... 613
    Configuring your CorreLog Agent system for communication with QRadar .... 614

Chapter 54. CrowdStrike Falcon .... 615
    CrowdStrike Falcon DSM specifications .... 615
    Configuring CrowdStrike Falcon to communicate with QRadar .... 616
    Syslog log source parameters for CrowdStrike Falcon .... 619
    CrowdStrike Falcon Host sample event message .... 619

Chapter 56. CyberArk .... 623
    CyberArk Privileged Threat Analytics .... 623
        Configuring syslog for CyberArk Vault .... 625
        Syslog log source parameters for CyberArk Vault .... 625

Chapter 60. Digital China Networks (DCN) .... 633
    Configuring a DCN DCS/DCRS Series Switch .... 633
    Syslog log source parameters for DCN DCS/DCRS Series switches .... 634

Chapter 61. Enterprise-IT-Security.com SF-Sherlock .... 635
    Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar .... 636

Chapter 63. ESET Remote Administrator .... 643
    Configuring ESET Remote Administrator to communicate with QRadar .... 644

    Extreme HiGuard Wireless IPS .... 651
        Configuring Enterasys HiGuard .... 652
        Syslog log source parameters for Extreme HiGuard .... 652
    Extreme HiPath Wireless Controller .... 653
        Configuring your HiPath Wireless Controller .... 653
        Syslog log source parameters for Extreme HiPath .... 653
        Syslog log source parameters for Extreme XSR Security Router .... 660

Chapter 66. F5 Networks .... 661
    F5 Networks BIG-IP AFM .... 661
    F5 Networks BIG-IP ASM .... 666
        Syslog log source parameters for F5 Networks BIG-IP ASM .... 667
        F5 Networks BIG-IP ASM sample event message .... 668
    F5 Networks FirePass .... 672
        Configuring syslog forwarding for F5 FirePass .... 672
        Syslog log source parameters for F5 Networks FirePass .... 672

Chapter 69. Fidelis XPS .... 683
    Configuring Fidelis XPS .... 683
    Syslog log source parameters for Fidelis XPS .... 684
    Fidelis XPS sample event messages .... 684

    Forcepoint Sidewinder .... 692
        Forcepoint Sidewinder DSM specifications .... 693
        Configure Forcepoint Sidewinder to communicate with QRadar .... 693
        Forcepoint Sidewinder sample event message .... 693
    Forcepoint V-Series Content Gateway .... 697
        Configure syslog for Forcepoint V-Series Content Gateway .... 698
        Configuring the Management Console for Forcepoint V-Series Content Gateway .... 698
        Enabling Event Logging for Forcepoint V-Series Content Gateway .... 699
        Syslog log source parameters for Forcepoint V-Series Content Gateway .... 699
        Log file protocol for Forcepoint V-Series Content Gateway .... 699
        Forcepoint V-Series Content Gateway sample event messages .... 701

Chapter 72. ForeScout CounterACT .... 703
    Syslog log source parameters for ForeScout CounterACT .... 703
    Configuring the ForeScout CounterACT Plug-in .... 703
    Configuring ForeScout CounterACT Policies .... 704
    ForeScout CounterACT sample event messages .... 705
Chapter 74. Foundry FastIron ................................................................................................................ 711 Configuring syslog for Foundry FastIron........................................................................................... 711 Syslog log source parameters for Foundry FastIron......................................................................... 711
Chapter 75. FreeRADIUS.........................................................................................................................713 Configuring your FreeRADIUS device to communicate with QRadar............................................... 713
Generic firewall.................................................................................................................................. 718 Configuring event properties for generic firewall events ............................................................718 Syslog log source parameters for generic firewall.......................................................................720
Chapter 77. genua genugate................................................................................................................... 723 Configuring genua genugate to send events to QRadar....................................................................724 genua genugate sample event messages..........................................................................................724
Chapter 79. Google Cloud Platform Firewall.... 731
    Google Cloud Platform Firewall DSM specifications.... 731
    Configuring Google Cloud Platform Firewall to communicate with QRadar.... 732
    Google Cloud Pub/Sub log source parameters for Google Cloud Platform Firewall.... 732
    Sample event message.... 733
Chapter 80. Google G Suite Activity Reports.... 735
    Google G Suite Activity Reports DSM specifications.... 735
    Configuring Google G Suite Activity Reports to communicate with QRadar.... 736
    Assigning a role to a user.... 736
    Creating a service account with viewer access.... 737
    Granting API client access to a service account.... 738
    Google G Suite Activity Reports log source parameters.... 738
    Google G Suite Activity Reports sample event messages.... 739
    Troubleshooting Google G Suite Activity Reports.... 740
        Invalid private keys.... 740
        Authorization errors.... 741
        Invalid email or username errors.... 741
        Invalid JSON formatting.... 742
        Network errors.... 742
    Google G Suite Activity Reports FAQ.... 742
Chapter 83. HBGary Active Defense.... 749
    Configuring HBGary Active Defense.... 749
    Syslog log source parameters for HBGary Active Defense.... 749
Chapter 85. Honeycomb Lexicon File Integrity Monitor (FIM).... 753
    Supported Honeycomb FIM event types logged by QRadar.... 753
    Configuring the Lexicon mesh service.... 753
    Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor.... 754
Chapter 86. Hewlett Packard Enterprise.... 757
    HPE Network Automation.... 757
Chapter 87. Huawei.... 763
    Huawei AR Series Router.... 763
    Huawei S Series Switch.... 764
Chapter 88. HyTrust CloudControl.... 767
    Configuring HyTrust CloudControl to communicate with QRadar.... 768
    IBM Cloud Platform (formerly known as IBM Bluemix Platform).... 791
        Configuring IBM Cloud Platform to communicate with QRadar.... 792
    IBM DataPower.... 794
        Configuring IBM DataPower to communicate with QRadar.... 795
    IBM DLC Metrics.... 804
        IBM DLC Metrics DSM specifications.... 804
        Configuring IBM Disconnected Log Collector to communicate with QRadar.... 805
        Forwarded Log source parameters for IBM DLC Metrics.... 806
        IBM DLC Metrics sample event message.... 806
    IBM Federated Directory Server.... 807
        Configuring IBM Federated Directory Server to monitor security events.... 808
    IBM MaaS360 Security.... 808
        IBM Fiberlink REST API log source parameters for IBM MaaS360 Security.... 809
        Universal Cloud REST API log source parameters for IBM MaaS360 Security.... 809
        IBM MaaS360 Security sample event messages.... 810
    IBM Guardium.... 811
        Creating a syslog destination for events.... 812
        Configuring policies to generate syslog events.... 813
        Installing an IBM Guardium Policy.... 813
        Syslog log source parameters for IBM Guardium.... 814
        Creating an event map for IBM Guardium events.... 814
        Modifying the event map.... 815
        IBM Guardium sample event messages.... 815
    IBM Proventia.... 825
        IBM Proventia Management SiteProtector.... 825
        JDBC log source parameters for IBM Proventia Management SiteProtector.... 825
        IBM ISS Proventia.... 826
    IBM RACF.... 829
        Log File log source parameter.... 830
        Create a log source for near real-time event feed.... 834
        Integrate IBM RACF with IBM QRadar by using audit scripts.... 835
        Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar.... 835
    IBM SAN Volume Controller.... 837
        Configuring IBM SAN Volume Controller to communicate with QRadar.... 839
    IBM Security Access Manager for Enterprise Single Sign-On.... 839
        Configuring a log server type.... 839
        Configuring syslog forwarding.... 840
        Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-
    IBM Security Directory Server.... 844
        IBM Security Directory Server DSM specifications.... 845
        Configuring IBM Security Directory Server to communicate with QRadar.... 845
        Syslog log source parameters for IBM Security Directory Server.... 847
    IBM Security Identity Governance.... 847
        JDBC log source parameters for IBM Security Identity Governance.... 849
    IBM Security Identity Manager.... 850
    IBM Security Network IPS (GX).... 854
        Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar.... 855
        Syslog log source parameters for IBM Security Network IPS (GX).... 855
    IBM QRadar Network Security XGS.... 856
        Configuring IBM QRadar Network Security XGS Alerts.... 857
        Syslog log source parameters for IBM QRadar Network Security XGS.... 858
    IBM Security Privileged Identity Manager.... 858
        Configuring IBM Security Privileged Identity Manager to communicate with QRadar.... 861
        IBM Security Privileged Identity Manager sample event message.... 862
    IBM Security Trusteer.... 862
        IBM Security Trusteer DSM specifications.... 863
        HTTP Receiver log source parameters for IBM Security Trusteer.... 863
        IBM Security Trusteer sample event messages.... 864
        Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar.... 870
        Configuring a Flat File Feed service.... 872
    IBM Security Trusteer Apex Local Event Aggregator.... 873
        IBM Security Verify DSM Specifications.... 874
        Configuring QRadar to pull events from IBM Security Verify.... 875
        IBM Security Verify Event Service log source parameters for IBM Security Verify.... 875
        IBM Security Verify sample event messages.... 875
    IBM Sense.... 878
        Configuring IBM Sense to communicate with QRadar.... 880
    IBM Tivoli Endpoint Manager.... 884
    IBM WebSphere Application Server.... 884
        Configuring Exporting Events to Syslog for Illumio PCE.... 902
        Configuring Syslog Forwarding for Illumio PCE.... 903
Chapter 94. Infoblox NIOS.... 915
    Infoblox NIOS DSM specifications.... 915
    Infoblox NIOS sample event message.... 916
Chapter 96. Itron Smart Meter.... 919
    Syslog log source parameters for Itron Smart Meter.... 919
    Juniper Networks EX Series Ethernet Switch.... 923
        Configuring IBM QRadar to receive events from a Juniper EX Series Ethernet Switch.... 924
    Juniper Networks IDP.... 925
        Configure a log source.... 925
    Juniper Networks Junos OS.... 927
        Syslog log source parameters for Juniper Junos OS.... 929
        Configure the PCAP Protocol.... 929
        PCAP Syslog Combination log source parameters for Juniper SRX Series.... 930
        Juniper Junos OS sample event message.... 930
    Juniper Networks Secure Access.... 932
    Juniper Networks Security Binary Log Collector.... 932
        Binary Log Collector.... 933
    Juniper Networks Steel-Belted Radius.... 934
        protocol.... 938
        Configuring a Juniper Steel-Belted Radius log source by using the Log File protocol.... 939
        Juniper Steel Belted Radius sample event message.... 940
    Juniper Networks vGW Virtual Gateway.... 940
    Juniper Networks Junos WebApp Secure.... 941
Chapter 98. Kaspersky.... 947
    Kaspersky CyberTrace.... 947
Chapter 99. Kisco Information Systems SafeNet/i.... 959
    Configuring Kisco Information Systems SafeNet/i to communicate with QRadar.... 960
Chapter 100. Kubernetes Auditing.... 963
    Kubernetes Auditing DSM specifications.... 963
    Configuring Kubernetes Auditing to communicate with QRadar.... 964
    Kubernetes Auditing log source parameters.... 965
    Kubernetes Auditing sample event message.... 965
        Configuring your LOGbinder EX system to send Microsoft Exchange event logs to QRadar.... 982
    LOGbinder SP event collection from Microsoft SharePoint.... 982
        Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to QRadar.... 983
    LOGbinder SQL event collection from Microsoft SQL Server.... 984
        Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to QRadar.... 985
Chapter 106. McAfee.... 987
    JDBC log source parameters for McAfee Application/Change Control.... 987
    McAfee ePolicy Orchestrator.... 988
    McAfee MVISION Cloud (formerly known as Skyhigh Networks Cloud Security Platform).... 994
        Configuring McAfee MVISION Cloud to communicate with QRadar.... 995
        McAfee MVISION Cloud sample event messages.... 996
    McAfee Network Security Platform (formerly known as McAfee Intrushield).... 996
        McAfee Network Security Platform DSM specifications.... 997
        Configuring alert events for McAfee Network Security Platform 2.x - 5.x.... 998
    McAfee Web Gateway.... 1005
        McAfee Web Gateway DSM integration process.... 1006
        Configuring McAfee Web Gateway to communicate with QRadar (syslog).... 1006
        Importing the Syslog Log Handler.... 1007
        Configuring McAfee Web Gateway to communicate with IBM QRadar (log file protocol).... 1008
        Pulling data by using the log file protocol.... 1009
        Creation of an event map for McAfee Web Gateway events.... 1009
        Discovering unknown events.... 1009
        Modifying the event map.... 1010
        McAfee Web Gateway sample event message.... 1010
Chapter 107. Syslog log source parameters for MetaInfo MetaIP.... 1013
Chapter 108. Microsoft.... 1015
    Microsoft 365 Defender.... 1015
    Microsoft Azure Security Center.... 1028
        Microsoft Azure Security Center DSM specifications.... 1029
        Microsoft Graph Security API protocol log source parameters for Microsoft Azure Security Center.... 1029
        Microsoft Azure Security Center sample event message.... 1030
    Microsoft Hyper-V.... 1045
        Microsoft Hyper-V DSM integration process.... 1046
        WinCollect log source parameters for Microsoft Hyper-V.... 1046
    Microsoft Office 365 Message Trace.... 1055
        Microsoft Office 365 Message Trace DSM specifications.... 1055
        Microsoft Office Message Trace REST API log source parameters for Microsoft Office Message Trace.... 1056
        Microsoft Office 365 Message Trace sample event message.... 1057
        Configuring a database view to collect audit events.... 1059
        Configuring Microsoft SharePoint audit events.... 1059
        Creating a database view for Microsoft SharePoint.... 1060
        Creating read-only permissions for Microsoft SharePoint database users.... 1061
        JDBC log source parameters for Microsoft SharePoint.... 1061
        JDBC log source parameters for Microsoft SharePoint with predefined database queries.... 1063
    Microsoft SQL Server.... 1064
        Microsoft SQL Server preparation for communication with QRadar.... 1065
        JDBC log source parameters for Microsoft SQL Server.... 1067
        Microsoft SQL Server sample event message.... 1068
        Installing the MSRPC protocol on the QRadar Console.... 1070
        MSRPC parameters on Windows hosts.... 1071
        Diagnosing connection issues with the MSRPC test tool.... 1074
        WMI parameters on Windows hosts.... 1075
        Installing Winlogbeat and Logstash on a Windows host.... 1078
        Configuring which usernames QRadar considers to be system users in events that are
Chapter 112. NetApp Data ONTAP.... 1093
Chapter 115. NGINX HTTP Server.... 1103
    NGINX HTTP Server DSM specifications.... 1103
    Configuring NGINX HTTP Server to communicate with QRadar.... 1104
    NGINX HTTP Server sample event messages.... 1104
Chapter 124. OpenBSD.... 1145
    Syslog log source parameters for OpenBSD.... 1145
    Configuring syslog for OpenBSD.... 1145
    Oracle Audit Vault.... 1159
        Configuring Oracle Audit Vault to communicate with QRadar.... 1162
    Oracle DB Listener.... 1173
        Oracle Database Listener log source parameters.... 1173
        Collecting Oracle database events by using Perl.... 1173
        Configuring the Oracle Database Listener within QRadar.... 1175
Chapter 129. osquery.... 1185
    osquery DSM specifications.... 1186
    Configuring rsyslog on your Linux system.... 1186
    Configuring osquery on your Linux system.... 1187
    osquery log source parameters.... 1188
    osquery sample event message.... 1188
        Creating a forwarding policy on your Palo Alto PA Series device.... 1205
        Creating ArcSight CEF formatted Syslog events on your Palo Alto PA Series Networks Firewall device.... 1205
        TLS Syslog log source parameters for Palo Alto PA Series.... 1207
        Palo Alto PA Series sample event message.... 1207
Chapter 134. ProFTPd.... 1223
    Configuring ProFTPd.... 1223
    Syslog log source parameters for ProFTPd.... 1223
        IBM QRadar.... 1226
    Syslog log source parameters for Proofpoint Enterprise Protection and Enterprise Privacy.... 1226
        Configuring a Pulse Secure Pulse Connect Secure device to send WebTrends Enhanced Log File (WELF) events to IBM QRadar.... 1231
        Configuring a Pulse Secure Pulse Connect Secure device to send syslog events to QRadar.... 1232
        Pulse Secure Pulse Connect Secure sample event message.... 1232
Chapter 137. Radware.... 1235
    Radware AppWall.... 1235
    Radware DefensePro.... 1237
        Syslog log source parameters for Radware DefensePro.... 1238
Chapter 142. Riverbed .... 1251
  Riverbed SteelCentral NetProfiler (Cascade Profiler) Audit .... 1251
    Configuring your Riverbed SteelCentral NetProfiler system to enable communication with QRadar .... 1255
Chapter 143. RSA Authentication Manager .... 1257
  Configuration of syslog for RSA Authentication Manager 6.x, 7.x and 8.x .... 1257
  Configuring Linux .... 1257
  Configuring Windows .... 1258
  Configuring the log file protocol for RSA Authentication Manager 6.x and 7.x .... 1258
    Log File log source parameters for RSA Authentication Manager .... 1259
  Configuring RSA Authentication Manager 6.x .... 1259
  Configuring RSA Authentication Manager 7.x .... 1260
    Configuring the Salesforce Security Monitoring server to communicate with QRadar .... 1264
    Salesforce Rest API log source parameters for Salesforce Security .... 1264
  Salesforce Security Auditing .... 1265
    Downloading the Salesforce audit trail file .... 1266
    Log File log source parameters for Salesforce Security Auditing .... 1266
Detection .... 1278
  Creating a pattern filter on the SAP server .... 1279
  Troubleshooting the SAP Enterprise Threat Detection Alert API .... 1280
  SAP Enterprise Threat Detection sample event messages .... 1281
  Sophos PureMessage .... 1306
    Integrating QRadar with Sophos PureMessage for Microsoft Exchange .... 1306
    JDBC log source parameters for Sophos PureMessage .... 1306
    Integrating QRadar with Sophos PureMessage for Linux .... 1307
    JDBC log source parameters for Sophos PureMessage for Microsoft Exchange .... 1308
  Sophos Astaro Security Gateway .... 1309
    Sophos Astaro Security Gateway sample event messages .... 1310
Chapter 157. Starent Networks .... 1323
  STEALTHbits StealthINTERCEPT Alerts .... 1329
    Collecting alerts logs from STEALTHbits StealthINTERCEPT .... 1330
  Sun Solaris Basic Security Mode (BSM) .... 1339
    Enabling Basic Security Mode in Solaris 10 .... 1339
    Enabling Basic Security Mode in Solaris 11 .... 1339
    Converting Sun Solaris BSM audit logs .... 1340
    Creating a cron job .... 1340
  Sun Solaris OS .... 1346
    Sun Solaris OS DSM specifications .... 1346
    Configuring Sun Solaris OS to communicate with QRadar .... 1346
    Syslog log source parameters for Sun Solaris OS .... 1347
    Sun Solaris OS sample event messages .... 1347
  Symantec SGS .... 1370
    Syslog log source parameters for Symantec SGS .... 1370
    Syslog log source parameters for ThreatGRID Malware Threat Intelligence Platform .... 1379
    Log File log source parameters for ThreatGRID Malware Threat Intelligence Platform .... 1381
Chapter 165. TippingPoint .... 1385
  TippingPoint Intrusion Prevention System .... 1385
Chapter 166. Top Layer IPS .... 1389
  Trend Micro Apex One .... 1397
    Integrating with Trend Micro Apex One 8.x .... 1397
    Integrating with Trend Micro Apex One 10.x .... 1398
    Integrating with Trend Micro Apex One XG .... 1400
    Changing the date format in QRadar to match the date format for your Trend Micro Apex One device .... 1401
    SNMPv2 log source parameters for Trend Micro Apex One .... 1402
  Trend Micro Deep Discovery Analyzer .... 1405
    Configuring your Trend Micro Deep Discovery Analyzer instance for communication with QRadar .... 1406
  Trend Micro Deep Discovery Director .... 1407
  Trend Micro Deep Discovery Email Inspector .... 1410
    Configuring Trend Micro Deep Discovery Email Inspector to communicate with QRadar .... 1411
  Trend Micro Deep Discovery Inspector .... 1412
    Configuring Trend Micro Deep Discovery Inspector V3.0 to send events to QRadar .... 1413
    Configuring Trend Micro Deep Discovery Inspector V3.8, V5.0 and V5.1 to send events to QRadar .... 1414
  Trend Micro Deep Security .... 1414
Chapter 169. Tripwire .... 1417
Chapter 176. Vericept Content 360 DSM .... 1437
Chapter 177. VMware .... 1439
  VMware AppDefense .... 1439
  VMware Carbon Black App Control (formerly known as Carbon Black Protection) .... 1443
    VMware Carbon Black App Control DSM specifications .... 1444
    Configuring VMware Carbon Black App Control to communicate with QRadar .... 1444
    Syslog log source parameters for VMware Carbon Black App Control .... 1445
    VMware Carbon Black App Control sample event messages .... 1445
  VMware ESX and ESXi .... 1446
    Configuring syslog on VMware ESX and ESXi servers .... 1446
    Enabling syslog firewall settings on vSphere Clients .... 1447
    Syslog log source parameters for VMware ESX or ESXi .... 1448
    Configuring the EMC VMWare protocol for ESX or ESXi servers .... 1449
    Creating an account for QRadar in ESX .... 1449
    Configuring read-only account permissions .... 1450
    EMC VMWare log source parameters for VMware ESX or ESXi .... 1450
    EMC VMWare sample event messages .... 1451
  VMware vCenter .... 1452
    EMC VMWare log source parameters for VMware vCenter .... 1452
    VMware vCenter sample event message .... 1452
  VMware vShield .... 1455
    VMware vShield DSM integration process .... 1456
    Configuring your VMware vShield system for communication with IBM QRadar .... 1456
    Syslog log source parameters for VMware vShield .... 1456
with QRadar .... 1464
    Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with QRadar .... 1464
  Syslog log source parameters for WatchGuard Fireware OS .... 1465
About this DSM Configuration Guide
The DSM Configuration guide provides instructions about how to collect data from your third-party devices, also known as log sources.
You can configure IBM QRadar to accept event logs from log sources that are on your network. A log source is a data source that creates an event log.
Note: This guide describes the Device Support Modules (DSMs) that are produced by IBM. Third-party DSMs are available on the IBM App Exchange, but are not documented here.
Intended audience
System administrators who use this guide must have QRadar access and knowledge of corporate network security concepts and device configurations.
Technical documentation
To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar products library, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Contacting customer support
For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Please Note:
Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.
Part 1. QRadar DSM installation and log source management
Chapter 1. Event collection from third-party devices
To configure event collection from third-party devices, you need to complete configuration tasks on the third-party device and on your QRadar Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.
Log sources
A log source is any external device, system, or cloud service that is configured either to send events to your IBM QRadar system or to be collected by your QRadar system. QRadar shows events from log sources in the Log Activity tab.
To receive raw events from log sources, QRadar supports several protocols, including syslog from operating systems, applications, firewalls, and IPS/IDS devices; SNMP; SOAP; and JDBC for data from database tables and views. QRadar also supports proprietary vendor-specific protocols such as OPSEC/LEA from Check Point.
DSMs
A Device Support Module (DSM) is a code module that parses events received from multiple log sources and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM. For example, the IBM Fiberlink MaaS360 DSM parses and normalizes events from an IBM Fiberlink MaaS360 log source.
Automatic Updates
QRadar provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about automatic updates, see the IBM QRadar Administration Guide.
Third-party device installation process
To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your QRadar system. For some third-party devices, extra configuration steps are needed, such as configuring a certificate to enable communication between that device and QRadar.
The following steps represent a typical installation process:
1. Read the specific instructions for how to integrate your third-party device.
2. Download and install the RPM for your third-party device. RPMs are available for download from the IBM support website (http://www.ibm.com/support).
   Tip: If your QRadar system is configured to accept automatic updates, this step might not be required.
3. Configure the third-party device to send events to QRadar.
   After some events are received, QRadar automatically detects some third-party devices and creates a log source configuration. The log source is listed on the Log Sources list and contains default information. You can customize the information.
4. If QRadar does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.
5. Deploy the configuration changes and restart your web services.
Custom log source types for unsupported third-party log sources
After the events are collected and before correlation can begin, individual events from your devices must be properly normalized. Normalization means mapping information to common field names, such
For more information, see the IBM QRadar Administration Guide.
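The DSM and normalization descriptions above are easier to follow with a concrete mapping in front of you. The following Python block is an added example written for this guide, not IBM code and not how a QRadar DSM is implemented. It takes the same firewall deny decision reported by two constructed devices in two different raw formats (a BSD-style syslog line with key=value pairs, and a LEEF 1.0 line) and maps both onto one common field set, looking the vendor event identifier up in a small taxonomy table of its own. The device names, addresses, the TAXONOMY table and the "Unparsed" label are all assumptions of the example; QRadar's real taxonomy is keyed by QID, and the raw payload is kept alongside the normalized fields in every case so that nothing is lost when a mapping is missing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Vendor event identifiers mapped onto a common taxonomy name. Constructed for
# this example; the real QRadar taxonomy is keyed by QID, not by a string.
TAXONOMY = {
    "DENY": "Firewall Deny",
    "PERMIT": "Firewall Permit",
}


@dataclass
class NormalizedEvent:
    """The common field set every source format is mapped onto."""
    log_source: str
    event_name: str                 # taxonomy name, or "Unparsed" if no mapping
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    username: Optional[str] = None
    payload: str = ""               # the raw event is always retained


# '<PRI>Mon DD HH:MM:SS host tag: message' (classic BSD syslog, PRI optional).
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"(?P<tag>[^:\s]+):\s(?P<msg>.*)$"
)


def _kv(text: str, sep: str) -> dict:
    """Split 'k=v' tokens on sep; tokens without '=' are ignored, not fatal."""
    fields = {}
    for tok in text.split(sep):
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
    return fields


def _port(value) -> Optional[int]:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_syslog_kv(line: str, log_source: str) -> Optional[NormalizedEvent]:
    """Firewall syslog whose message is 'ACTION k=v k=v ...' (a constructed format)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    action, _, rest = m.group("msg").partition(" ")
    f = _kv(rest, " ")
    return NormalizedEvent(log_source, TAXONOMY.get(action.upper(), "Unparsed"),
                           f.get("src"), f.get("dst"), _port(f.get("dport")),
                           f.get("user"), line)


def parse_leef(line: str, log_source: str) -> Optional[NormalizedEvent]:
    """LEEF 1.0: 'LEEF:1.0|Vendor|Product|Version|EventID|attr=val<TAB>attr=val'."""
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return None
    f = _kv(parts[5], "\t")
    return NormalizedEvent(log_source, TAXONOMY.get(parts[4].upper(), "Unparsed"),
                           f.get("src"), f.get("dst"), _port(f.get("dstPort")),
                           f.get("usrName"), line)


def normalize(line: str, log_source: str) -> NormalizedEvent:
    """Pick a parser by format; anything unrecognised stays 'Unparsed' with its payload."""
    if line.startswith("LEEF:"):
        ev = parse_leef(line, log_source)
    else:
        ev = parse_syslog_kv(line, log_source)
    return ev or NormalizedEvent(log_source, "Unparsed", payload=line)


# Constructed sample input: one deny decision reported by two devices in two
# formats, plus a line that parses structurally but has no taxonomy mapping.
SAMPLE_EVENTS = [
    ("fw01", "<134>Apr 21 10:15:32 fw01 kernel: DENY src=10.0.0.5 dst=203.0.113.9 dport=443 user=alice"),
    ("acme-fw", "LEEF:1.0|Acme|Firewall|1.0|Deny|src=10.0.0.5\tdst=203.0.113.9\tdstPort=443\tusrName=alice"),
    ("fw01", "<134>Apr 21 10:15:33 fw01 kernel: heartbeat ok"),
]


def normalize_all(events=SAMPLE_EVENTS):
    return [normalize(line, src) for src, line in events]


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev)
```

Run as a script, the first two events come out with the same event name, addresses, port and user even though their raw forms share almost nothing, which is what lets a rule written once match both devices; the third keeps its payload but is labelled "Unparsed", the condition that a custom log source type (or an updated DSM) exists to fix.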
Adding a DSM
If your Device Support Module (DSM) is not automatically discovered, manually install a DSM.
Each type of log source has a corresponding DSM that parses and normalizes events from the log source.
Procedure
1. Download the DSM RPM file from the IBM support website (http://www.ibm.com/support).
2. Copy the RPM file to QRadar.
3. Using SSH, log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
   yum -y install <rpm_filename>
   Note: The rpm -Uvh <rpm_filename> command that was previously used to install a DSM is replaced by the yum -y install <rpm_filename> command.
6. Log in to QRadar.
7. On the Admin tab, click Deploy Changes.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
For example, a firewall or intrusion prevention system (IPS) logs security-based events, and switches or routers log network-based events.
To receive raw events from log sources, QRadar supports many protocols. Passive protocols listen for events on specific ports. Active protocols use APIs or other communication methods to connect to external systems and poll for and retrieve events.
Depending on your license limits, QRadar can read and interpret events from more than 300 log sources.
To configure a log source for QRadar, you must do the following tasks:
1. Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events from the original format of the event log to the format that QRadar can use.
2. If automatic discovery is supported for the DSM, wait for QRadar to automatically add the log source to your list of configured log sources.
3. If automatic discovery is not supported for the DSM, manually create the log source configuration.
Related tasks
“Adding a log source” on page 5
“Adding bulk log sources” on page 8
“Adding a log source parsing order” on page 11
  You can assign a priority order for when the events are parsed by the target event collector.
“Adding a DSM” on page 4
Adding a log source
If the log source is not automatically discovered, manually add it by using the QRadar Log Source Management app so that you can receive events from your network devices or appliances.
If you are using QRadar 7.3.1 to 7.3.3, you can also add a log source by using the Log Sources icon.
Before you begin
Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.
Procedure
1. Log in to QRadar.
2. Click the Admin tab.
3. To open the app, click the QRadar Log Source Management app icon.
4. Click New Log Source > Single Log Source.
5. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
6. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
7. On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters.
The following table describes the common log source parameters for all log source types:
Parameter: Log Source Identifier
Description: The IPv4 address or hostname that identifies the log source.
  If your network contains multiple devices that are attached to a single management console, specify the IP address of the device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Parameter: Enabled
Description: When this option is not enabled, the log source does not collect events.
Parameter: Credibility
Description: Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Parameter: Target Event Collector
Description: Specifies the QRadar Event Collector that polls the remote log source.
  Use this parameter in a distributed deployment to improve console system performance by moving the polling task to an Event Collector.
Parameter: Coalescing Events
Description: When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.
  Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?
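The Coalescing Events description is worth seeing as a procedure, because the trade-off it names (fewer stored events versus lost raw payloads) is exactly what an analyst runs into when a bundled event hides the one payload that mattered. The Python block below is an added example, a simplified model of the behaviour the table describes and not QRadar's implementation: events that share the seven key fields and arrive within the 10-second window of a bundle's first event are counted into that bundle, and only the first event's raw payload is kept. The sample events, their QID value, addresses and the seq counter in the payloads are constructed for the example; the window anchored at the bundle's first event is an assumption, since the table does not say how the interval is measured.

```python
# Simplified model of event coalescing as the parameter table describes it.
# Added example; this is not QRadar's implementation.

WINDOW_SECONDS = 10
# The seven fields the table lists; two events with equal values here are "the same".
COALESCE_KEYS = ("qid", "username", "src_ip", "dst_ip", "dst_port", "domain", "log_source")


def coalesce_key(event: dict) -> tuple:
    return tuple(event.get(k) for k in COALESCE_KEYS)


def coalesce(events, window=WINDOW_SECONDS):
    """Return bundles in arrival order.

    Each bundle keeps the key fields and the first event's payload, plus
    'count' (events it represents) and 'lost_payloads' (raw payloads that
    were not stored). Passing window=0 models coalescing switched off.
    The window is anchored at the bundle's first event (an assumption).
    """
    open_bundles = {}   # key -> most recent bundle for that key
    bundles = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = coalesce_key(ev)
        bundle = open_bundles.get(key)
        if bundle is not None and ev["time"] - bundle["first_time"] < window:
            bundle["count"] += 1
            bundle["lost_payloads"] += 1     # this event's raw payload is dropped
            continue
        bundle = {k: ev.get(k) for k in COALESCE_KEYS}
        bundle.update(first_time=ev["time"], payload=ev["payload"],
                      count=1, lost_payloads=0)
        open_bundles[key] = bundle
        bundles.append(bundle)
    return bundles


def summarize(bundles) -> dict:
    """Storage saved versus information lost, as the table describes the trade-off."""
    return {
        "bundles": len(bundles),
        "events": sum(b["count"] for b in bundles),
        "lost_payloads": sum(b["lost_payloads"] for b in bundles),
    }


def _ev(t: int, dst_port: int = 443) -> dict:
    """Constructed firewall deny event; the QID and addresses are sample values."""
    return {"time": t, "qid": 5000001, "username": "alice", "src_ip": "10.0.0.5",
            "dst_ip": "203.0.113.9", "dst_port": dst_port, "domain": "Default",
            "log_source": "fw01",
            "payload": f"DENY src=10.0.0.5 dst=203.0.113.9 dport={dst_port} user=alice seq={t}"}


SAMPLE_EVENTS = [
    _ev(0), _ev(1), _ev(2),      # same key, inside the window
    _ev(3, dst_port=8443),       # different destination port: its own bundle
    _ev(9),                      # still within 10 s of the first event
    _ev(12),                     # outside the window: starts a new bundle
]


if __name__ == "__main__":
    for b in coalesce(SAMPLE_EVENTS):
        print(b["first_time"], b["dst_port"], "count=%d lost=%d" % (b["count"], b["lost_payloads"]))
    print(summarize(coalesce(SAMPLE_EVENTS)))
```

With the sample input, six events become three stored bundles, and the three raw payloads with seq values 1, 2 and 9 are gone; if an investigation later needs a detail that only those payloads carried, it is not recoverable, which is the reason to leave coalescing disabled on log sources whose individual payloads matter.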
8. On the Configure the protocol parameters page, configure the protocol-specific parameters.
   • If your configuration can be tested, click Test Protocol Parameters.
   • If your configuration cannot be tested, click Finish.
9. In the Test protocol parameters window, click Start Test.
10. To fix any errors, click Configure Protocol Parame