april 2021 dsm guide - ibm

IBM QRadar DSM Configuration Guide March 2022 IBM


Post on 21-Mar-2022


IBM QRadar: QRadar DSM Configuration Guide
IBM
Note
Before using this information and the product that it supports, read the information in “Notices” on page 1481.
© Copyright International Business Machines Corporation 2012, 2022. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Chapter 1. Event collection from third-party devices
Adding a DSM
Matcher (matcher)
JSON matcher (json-matcher)
LEEF matcher (leef-matcher)
CEF matcher (cef-matcher)
Name Value Pair matcher (namevaluepair-matcher)
Generic List matcher (genericlist-matcher)
XML Matcher (xml-matcher)
Multi-event modifier (event-match-multiple)
Single-event modifier (event-match-single)
Common regular expressions
Building regular expression patterns
Uploading extension documents to QRadar
Amazon Web Services protocol configuration options
Apache Kafka protocol configuration options
Google G Suite Activity Reports REST API protocol options
Google G Suite Activity Reports REST API protocol FAQ
HCL BigFix SOAP protocol configuration options (formerly known as IBM BigFix)
HTTP Receiver protocol configuration options
IBM Cloud Object Storage protocol configuration options
IBM Fiberlink REST API protocol configuration options
IBM Security Verify Event Service protocol configuration options
JDBC protocol configuration options
JDBC - SiteProtector protocol configuration options
Juniper Networks NSM protocol configuration options
Juniper Security Binary Log Collector protocol configuration options
Log File protocol configuration options
Microsoft Azure Event Hubs protocol configuration options
Microsoft Defender for Endpoint SIEM REST API protocol configuration options
Microsoft DHCP protocol configuration options
Microsoft Exchange protocol configuration options
Microsoft Graph Security API protocol configuration options
Configuring Microsoft Graph Security API to communicate with QRadar
Microsoft IIS protocol configuration options
Microsoft Security Event Log protocol configuration options
Microsoft Security Event Log over MSRPC Protocol
MQ protocol configuration options
Office 365 Message Trace REST API protocol configuration options
Troubleshooting the Office 365 Message Trace REST API protocol
Okta REST API protocol configuration options
Part 3. DSMs
Chapter 15. Amazon AWS Application Load Balancer Access Logs
Amazon AWS Application Load Balancer Access Logs DSM specifications
Publishing flow logs to an S3 bucket
Create an SQS queue and configure S3 ObjectCreated notifications
Finding the S3 bucket that contains the data that you want to collect
Creating the SQS queue that is used to receive ObjectCreated notifications
Setting up SQS queue permissions
Creating ObjectCreated notifications
Configuring security credentials for your AWS user account
Amazon AWS S3 REST API log source parameters for Amazon AWS Application Load Balancer Access Logs
Amazon AWS Application Load Balancer Access Logs sample event message
protocol
Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue
Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix
Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol
Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams
Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs
Amazon AWS CloudTrail sample event messages
Chapter 18. Amazon AWS Network Firewall
Amazon AWS Network Firewall DSM specifications
Create an SQS queue and configure S3 ObjectCreated notifications
Finding the S3 bucket that contains the data that you want to collect
Creating the SQS queue that is used to receive ObjectCreated notifications
Setting up SQS queue permissions
Creating ObjectCreated notifications
Configuring security credentials for your AWS user account
Amazon AWS S3 REST API log source parameters for Amazon AWS Network Firewall
AWS Network Firewall sample event messages
and CloudWatch logs
Configuring public DNS query logging
Configuring Resolver query logging
Creating an Identity and Access Management (IAM) user in the AWS Management Console
Configuring security credentials for your AWS user account
Creating a log group in Amazon CloudWatch Logs to retrieve logs in QRadar
Amazon Web Services log source parameters for Amazon AWS Route 53
Configuring an Amazon AWS Route 53 log source by using an S3 bucket with an SQS queue
Configuring Resolver query logging
Create an SQS queue and configure S3 ObjectCreated notifications
Finding the S3 bucket that contains the data that you want to collect
Creating the SQS queue that is used to receive ObjectCreated notifications
Setting up SQS queue permissions
Creating ObjectCreated notifications
Creating an Identity and Access Management (IAM) user in the AWS Management Console
Configuring security credentials for your AWS user account
Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using an SQS queue
Configuring an Amazon AWS Route 53 log source by using an S3 bucket with a directory prefix
Configuring Resolver query logging
Finding an S3 bucket name and directory prefix
Creating an Identity and Access Management (IAM) user in the AWS Management Console
Configuring security credentials for your AWS user account
Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using a directory prefix
Amazon AWS Route 53 sample event messages
Chapter 21. Amazon AWS WAF
Amazon AWS WAF DSM specifications
Configuring Amazon AWS WAF to communicate with QRadar
Configuring security credentials for your AWS user account
Amazon AWS S3 REST API log source parameters for Amazon AWS WAF
Amazon AWS WAF sample event messages
Chapter 22. Amazon GuardDuty
Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol
Creating an EventBridge rule for sending events
Creating an Identity and Access (IAM) user in the AWS Management Console
Configuring an Amazon GuardDuty log source by using the Amazon AWS S3 REST API protocol
Configuring Amazon GuardDuty to forward events to an AWS S3 Bucket
Amazon GuardDuty sample event messages
Chapter 23. Amazon VPC Flow Logs
Amazon VPC Flow Logs specifications
Publishing flow logs to an S3 bucket
Create the SQS queue that is used to receive ObjectCreated notifications
Configuring security credentials for your AWS user account
Chapter 25. APC UPS
Configuring your APC UPS to forward syslog events
APC UPS sample event messages
Chapter 28. Application Security DbProtect
Installing the DbProtect LEEF Relay Module
Configuring the DbProtect LEEF Relay
Configuring DbProtect alerts
Arbor Networks Pravail
Configuring your Arbor Networks Pravail system to send events to IBM QRadar
Arbor Networks Pravail sample event message
Chapter 30. Arpeggio SIFT-IT
Configuring a SIFT-IT agent
Syslog log source parameters for Arpeggio SIFT-IT
Additional information
Chapter 32. Aruba Networks
Aruba ClearPass Policy Manager
Aruba Introspect
Configuring Aruba Introspect to communicate with QRadar
Chapter 34. BalaBit IT Security
BalaBit IT Security for Microsoft Windows Events
Chapter 35. Barracuda
Barracuda Spam & Virus Firewall
devices that do not support LEEF
Barracuda Web Filter
Configuring syslog event forwarding
Syslog log source parameters for Barracuda Web Filter
Barracuda Web Filter sample event message
Broadcom CA Top Secret
Log File log source parameter
Create a log source for near real-time event feed
Integrate Broadcom CA Top Secret with IBM QRadar by using audit scripts
Configuring Broadcom CA Top Secret that uses audit scripts to integrate with IBM QRadar
Broadcom Symantec SiteMinder
Broadcom Symantec SiteMinder DSM specifications
Syslog log source parameters for Broadcom Symantec SiteMinder
Configuring syslog-ng for Broadcom Symantec SiteMinder
Broadcom Symantec SiteMinder sample event messages
Bit9 Security Platform
Configuring Carbon Black Bit9 Security Platform to communicate with QRadar
with QRadar
Centrify Infrastructure Services sample event messages
Chapter 45. Check Point
Integrate Check Point by using syslog
Integrate Check Point by using OPSEC
Adding a Check Point Host
Creating an OPSEC Application Object
Locating the log source SIC
Syslog Redirect log source parameters for Check Point
Configuring Check Point to forward LEEF events to QRadar
Configuring QRadar to receive LEEF events from Check Point
Integration of Check Point Firewall events
Check Point Multi-Domain Management (Provider-1)
Chapter 46. Cilasoft QJRN/400
Configuring Cilasoft QJRN/400
Syslog log source parameters for Cilasoft QJRN/400
Configuring Cloud Web Security to communicate with QRadar
Cisco CSA
Configuring Cisco CSA to send events to IBM QRadar
Syslog log source parameters for Cisco CSA
SNMPv1 log source parameters for Cisco CSA
SNMPv2 log source parameters for Cisco CSA
Cisco Firepower Management Center
Creating Cisco Firepower Management Center 5.x and 6.x certificates
Importing a Cisco Firepower Management Center certificate in QRadar
Cisco Firepower Management Center log source parameters
Cisco Firepower Threat Defense
Cisco Firepower Threat Defense DSM specifications
Configuring Cisco Firepower Threat Defense to communicate with QRadar
Configuring QRadar to use previous connection event processing for Cisco Firepower Threat Defense
Cisco Firepower Threat Defense sample event message
Cisco FWSM
Configuring Cisco FWSM to forward syslog events
Syslog log source parameters for Cisco FWSM
Cisco Meraki
Cisco Meraki DSM specifications
Configure Cisco Meraki to communicate with IBM QRadar
Cisco Meraki sample event messages
Cisco VPN 3000 Concentrator
Syslog log source parameters for Cisco VPN 3000 Concentrator
Cisco Wireless LAN Controllers
Configuring syslog for Cisco Wireless LAN Controller
Syslog log source parameters for Cisco Wireless LAN Controllers
Configuring SNMPv2 for Cisco Wireless LAN Controller
Configuring a trap receiver for Cisco Wireless LAN Controller
SNMPv2 log source parameters for Cisco Wireless LAN Controllers
Cisco Wireless Services Module
Configuring Cisco WiSM to forward events
Syslog log source parameters for Cisco WiSM
API protocol
Create an SQS queue and configure S3 ObjectCreated notifications
Configuring security credentials for your AWS user account
HTTP Receiver log source parameters for Cloudflare Logs
Amazon AWS S3 REST API log source parameters for Cloudflare Logs
Cloudflare Logs sample event messages
Chapter 51. CloudPassage Halo
Configuring CloudPassage Halo for communication with QRadar
Syslog log source parameters for CloudPassage Halo
Log File log source parameters for CloudPassage Halo
Chapter 53. Correlog Agent for IBM z/OS
Configuring your CorreLog Agent system for communication with QRadar
Chapter 54. CrowdStrike Falcon
CrowdStrike Falcon DSM specifications
Configuring CrowdStrike Falcon to communicate with QRadar
Syslog log source parameters for CrowdStrike Falcon
CrowdStrike Falcon Host sample event message
Configuring syslog for CyberArk Vault
Syslog log source parameters for CyberArk Vault
Chapter 60. Digital China Networks (DCN)
Configuring a DCN DCS/DCRS Series Switch
Syslog log source parameters for DCN DCS/DCRS Series switches
Chapter 61. Enterprise-IT-Security.com SF-Sherlock
Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar
Chapter 63. ESET Remote Administrator
Configuring ESET Remote Administrator to communicate with QRadar
Extreme HiGuard Wireless IPS
Configuring Enterasys HiGuard
Syslog log source parameters for Extreme HiGuard
Extreme HiPath Wireless Controller
Configuring your HiPath Wireless Controller
Syslog log source parameters for Extreme HiPath
Syslog log source parameters for Extreme XSR Security Router
Chapter 66. F5 Networks
F5 Networks BIG-IP AFM
F5 Networks BIG-IP ASM
Syslog log source parameters for F5 Networks BIG-IP ASM
F5 Networks BIG-IP ASM sample event message
F5 Networks FirePass
Configuring syslog forwarding for F5 FirePass
Syslog log source parameters for F5 Networks FirePass
Chapter 69. Fidelis XPS
Configuring Fidelis XPS
Syslog log source parameters for Fidelis XPS
Fidelis XPS sample event messages
Forcepoint Sidewinder DSM specifications................................................................................. 689 Configure Forcepoint Sidewinder to communicate with QRadar................................................ 689 Forcepoint Sidewinder sample event message........................................................................... 689
Forcepoint V-Series Content Gateway...............................................................................................693 Configure syslog for Forcepoint V-Series Content Gateway........................................................694 Configuring the Management Console for Forcepoint V-Series Content Gateway..................... 694 Enabling Event Logging for Forcepoint V-Series Content Gateway.............................................695 Syslog log source parameters for Forcepoint V-Series Content Gateway.................................. 695 Log file protocol for Forcepoint V-Series Content Gateway........................................................ 695 Forcepoint V-Series Content Gateway sample event messages.................................................697
Chapter 72. ForeScout CounterACT....................................................................................................... 699 Syslog log source parameters for ForeScout CounterACT................................................................699 Configuring the ForeScout CounterACT Plug-in................................................................................ 699 Configuring ForeScout CounterACT Policies..................................................................................... 700 ForeScout CounterACT sample event messages.............................................................................. 701
Configuring QRadar 7.3 to categorize App Ctrl events from Fortinet Fortigate Security Gateway................................................................................................................................... 707
Chapter 74. Foundry FastIron ................................................................................................................ 709 Configuring syslog for Foundry FastIron........................................................................................... 709 Syslog log source parameters for Foundry FastIron......................................................................... 709
Chapter 75. FreeRADIUS.........................................................................................................................711 Configuring your FreeRADIUS device to communicate with QRadar............................................... 711
Generic firewall.................................................................................................................................. 716 Configuring event properties for generic firewall events ............................................................716 Syslog log source parameters for generic firewall.......................................................................718
Chapter 77. genua genugate................................................................................................................... 721 Configuring genua genugate to send events to QRadar....................................................................722 genua genugate sample event messages..........................................................................................722
Chapter 80. Google G Suite Activity Reports.......................................................................................... 733 Google G Suite Activity Reports DSM specifications.........................................................................733 Configuring Google G Suite Activity Reports to communicate with QRadar.................................... 734 Assigning a role to a user................................................................................................................... 734 Creating a service account with viewer access................................................................................. 735 Granting API client access to a service account............................................................................... 736 Google G Suite Activity Reports log source parameters................................................................... 736 Google G Suite Activity Reports sample event messages................................................................ 737 Troubleshooting Google G Suite Activity Reports............................................................................. 738
Invalid private keys.......................................................................................................................738 Authorization errors......................................................................................................................739 Invalid email or username errors.................................................................................................739 Invalid JSON formatting............................................................................................................... 740 Network errors..............................................................................................................................740 Google G Suite Activity Reports FAQ............................................................................................740
Chapter 83. HBGary Active Defense...................................................................................................... 747 Configuring HBGary Active Defense.................................................................................................. 747 Syslog log source parameters for HBGary Active Defense............................................................... 747
Chapter 85. Honeycomb Lexicon File Integrity Monitor (FIM).............................................................. 751 Supported Honeycomb FIM event types logged by QRadar.............................................................751 Configuring the Lexicon mesh service............................................................................................... 751 Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor.................................752
Chapter 86. Hewlett Packard Enterprise................................................................................................ 755 HPE Network Automation.................................................................................................................. 755
Chapter 87. Huawei................................................................................................................................. 761 Huawei AR Series Router................................................................................................................... 761
Huawei S Series Switch......................................................................................................................762 Syslog log source parameters for Huawei S Series Switch......................................................... 763
Chapter 88. HyTrust CloudControl.......................................................................................................... 765 Configuring HyTrust CloudControl to communicate with QRadar.................................................... 766
IBM Cloud Platform (formerly known as IBM Bluemix Platform).....................................................789 Configuring IBM Cloud Platform to communicate with QRadar..................................................790
IBM DataPower.................................................................................................................................. 792 Configuring IBM DataPower to communicate with QRadar........................................................ 793
IBM DLC Metrics.................................................................................................................................802 IBM DLC Metrics DSM specifications........................................................................................... 802 Configuring IBM Disconnected Log Collector to communicate with QRadar............................. 803 Forwarded Log source parameters for IBM DLC Metrics.............................................................804 IBM DLC Metrics sample event message.....................................................................................804
IBM Federated Directory Server ....................................................................................................... 805 Configuring IBM Federated Directory Server to monitor security events...................................806
IBM MaaS360 Security...................................................................................................................... 806 IBM Fiberlink REST API log source parameters for IBM MaaS360 Security.............................. 807 Universal Cloud REST API log source parameters for IBM MaaS360 Security.......................... 807 IBM MaaS360 Security sample event messages........................................................................ 808
IBM Guardium.................................................................................................................................... 809 Creating a syslog destination for events...................................................................................... 810 Configuring policies to generate syslog events........................................................................... 811 Installing an IBM Guardium Policy ..............................................................................................811 Syslog log source parameters for IBM Guardium........................................................................812 Creating an event map for IBM Guardium events....................................................................... 812 Modifying the event map.............................................................................................................. 813 IBM Guardium sample event messages...................................................................................... 813
IBM Proventia.....................................................................................................................................823 IBM Proventia Management SiteProtector.................................................................................. 823 JDBC log source parameters for IBM Proventia Management SiteProtector............................. 823 IBM ISS Proventia ........................................................................................................................824
IBM RACF........................................................................................................................................... 827 Log File log source parameter...................................................................................................... 828 Create a log source for near real-time event feed....................................................................... 832 Integrate IBM RACF with IBM QRadar by using audit scripts..................................................... 833 Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar............................ 833
IBM SAN Volume Controller...............................................................................................................835 Configuring IBM SAN Volume Controller to communicate with QRadar.....................................837
IBM Security Access Manager for Enterprise Single Sign-On...........................................................837 Configuring a log server type........................................................................................................837 Configuring syslog forwarding...................................................................................................... 838 Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-
IBM Security Directory Server........................................................................................................... 842 IBM Security Directory Server DSM specifications......................................................................843 Configuring IBM Security Directory Server to communicate with QRadar................................. 843 Syslog log source parameters for IBM Security Directory Server .............................................. 845
IBM Security Identity Governance.................................................................................................... 845 JDBC log source parameters for IBM Security Identity Governance............................................... 847 IBM Security Identity Manager..........................................................................................................848
IBM Security Network IPS (GX)......................................................................................................... 852 Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar..853 Syslog log source parameters for IBM Security Network IPS (GX).............................................853
IBM QRadar Network Security XGS................................................................................................... 854 Configuring IBM QRadar Network Security XGS Alerts............................................................... 855 Syslog log source parameters for IBM QRadar Network Security XGS.......................................856
IBM Security Privileged Identity Manager.........................................................................................856 Configuring IBM Security Privileged Identity Manager to communicate with QRadar...............859 IBM Security Privileged Identity Manager sample event message.............................................860
IBM Security Trusteer........................................................................................................................ 860 IBM Security Trusteer DSM specifications...................................................................................861 HTTP Receiver log source parameters for IBM Security Trusteer.............................................. 861 IBM Security Trusteer sample event messages.......................................................................... 862
events to QRadar..................................................................................................................... 867
Configuring a Flat File Feed service............................................................................................. 870 IBM Security Trusteer Apex Local Event Aggregator........................................................................ 871
IBM Security Verify DSM Specifications.......................................................................................872 Configuring QRadar to pull events from IBM Security Verify...................................................... 873 IBM Security Verify Event Service log source parameters for IBM Security Verify.................... 873 IBM Security Verify sample event messages...............................................................................873
IBM Sense.......................................................................................................................................... 876 Configuring IBM Sense to communicate with QRadar................................................................ 878
IBM Tivoli Endpoint Manager.............................................................................................................882 IBM WebSphere Application Server.................................................................................................. 882
Configuring Exporting Events to Syslog for Illumio PCE..............................................................900 Configuring Syslog Forwarding for Illumio PCE........................................................................... 901
Chapter 94. Infoblox NIOS......................................................................................................................913 Infoblox NIOS DSM specifications.....................................................................................................913 Infoblox NIOS sample event message.............................................................................................. 914
Juniper Networks EX Series Ethernet Switch................................................................................... 921 Configuring IBM QRadar to receive events from a Juniper EX Series Ethernet Switch..............922
Juniper Networks IDP........................................................................................................................ 923 Configure a log source.................................................................................................................. 923
Juniper Networks Junos OS...............................................................................................................925 Syslog log source parameters for Juniper Junos OS...................................................................927 Configure the PCAP Protocol........................................................................................................927 PCAP Syslog Combination log source parameters for Juniper SRX Series.................................928 Juniper Junos OS sample event message................................................................................... 928
Juniper Networks Secure Access...................................................................................................... 930 Juniper Networks Security Binary Log Collector...............................................................................930
Binary Log Collector................................................................................................................ 931 Juniper Networks Steel-Belted Radius............................................................................................. 932
protocol....................................................................................................................................936 Configuring a Juniper Steel-Belted Radius log source by using the Log File protocol............... 937 Juniper Steel Belted Radius sample event message.................................................................. 938
Juniper Networks vGW Virtual Gateway........................................................................................... 938 Juniper Networks Junos WebApp Secure......................................................................................... 939
Chapter 98. Kisco Information Systems SafeNet/i.................................................................................945 Configuring Kisco Information Systems SafeNet/i to communicate with QRadar...........................946
Chapter 99. Kubernetes Auditing............................................................................................................949 Kubernetes Auditing DSM specifications.......................................................................................... 949 Configuring Kubernetes Auditing to communicate with QRadar...................................................... 950 Kubernetes Auditing log source parameters.....................................................................................951
Configuring your LOGbinder EX system to send Microsoft Exchange event logs to QRadar...... 968 LOGbinder SP event collection from Microsoft SharePoint.............................................................. 968
Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to QRadar....969 LOGbinder SQL event collection from Microsoft SQL Server............................................................ 970
Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to QRadar..971
Chapter 105. McAfee..............................................................................................................................973 JDBC log source parameters for McAfee Application/Change Control............................................ 973 McAfee ePolicy Orchestrator............................................................................................................. 974
McAfee MVISION Cloud (formerly known as Skyhigh Networks Cloud Security Platform).............980 Configuring McAfee MVISION Cloud to communicate with QRadar...........................................981 McAfee MVISION Cloud sample event messages....................................................................... 982
McAfee Network Security Platform (formerly known as McAfee Intrushield) ................................ 982 McAfee Network Security Platform DSM specifications..............................................................983 Configuring alert events for McAfee Network Security Platform 2.x - 5.x.................................. 984 Configuring alert events for McAfee Network Security Platform 6.x - 7.x.................................. 985 Configuring alert events for McAfee Network Security Platform 8.x - 10.x................................986 Configuring fault notification events for McAfee Network Security Platform 6.x - 7.x...............988 Configuring fault notification events for McAfee Network Security Platform 8.x - 10.x.............990 McAfee Network Security Platform sample event messages..................................................... 991
McAfee Web Gateway........................................................................................................................ 991 McAfee Web Gateway DSM integration process..........................................................................992 Configuring McAfee Web Gateway to communicate with QRadar (syslog)................................ 992 Importing the Syslog Log Handler................................................................................................993 Configuring McAfee Web Gateway to communicate with IBM QRadar (log file protocol)..........994 Pulling data by using the log file protocol....................................................................................995 Creation of an event map for McAfee Web Gateway events....................................................... 995 Discovering unknown events........................................................................................................995
Microsoft Azure Security Center......................................................................................................1014 Microsoft Azure Security Center DSM specifications................................................................ 1015 Microsoft Graph Security API protocol log source parameters for Microsoft Azure Security Center.................................................................................................................................... 1015 Microsoft Azure Security Center sample event message..........................................................1016
Microsoft Hyper-V............................................................................................................................ 1031 Microsoft Hyper-V DSM integration process..............................................................................1032 WinCollect log source parameters for Microsoft Hyper-V.........................................................1032
Microsoft Office 365 Message Trace............................................................................................... 1041 Microsoft Office 365 Message Trace DSM specifications..........................................................1041 Microsoft Office Message Trace REST API log source parameters for Microsoft Office Message Trace.......................................................................................................................1042 Microsoft Office 365 Message Trace sample event message................................................... 1043
Configuring Microsoft SharePoint audit events......................................................................... 1045 Creating a database view for Microsoft SharePoint...................................................................1046
Microsoft SQL Server....................................................................................................................... 1050 Microsoft SQL Server preparation for communication with QRadar.........................................1051 JDBC log source parameters for Microsoft SQL Server.............................................................1053 Microsoft SQL Server sample event message........................................................................... 1054
Installing the MSRPC protocol on the QRadar Console.............................................................1056 MSRPC parameters on Windows hosts......................................................................................1057 Diagnosing connection issues with the MSRPC test tool.......................................................... 1060 WMI parameters on Windows hosts.......................................................................................... 1061 Installing Winlogbeat and Logstash on a Windows host...........................................................1064 Configuring which usernames QRadar considers to be system users in events that are
Chapter 108. Motorola Symbol AP........................................................................................................1071 Syslog log source parameters for Motorola Symbol AP.................................................................. 1071 Configure syslog events for Motorola Symbol AP........................................................................... 1071
Chapter 111. NetApp Data ONTAP....................................................................................................... 1079
Chapter 114. NGINX HTTP Server........................................................................................................ 1089 NGINX HTTP Server DSM specifications.........................................................................................1089 Configuring NGINX HTTP Server to communicate with QRadar.................................................... 1090 NGINX HTTP Server sample event messages.................................................................................1090
Chapter 123. OpenBSD......................................................................................................................... 1131 Syslog log source parameters for OpenBSD................................................................................... 1131 Configuring syslog for OpenBSD......................................................................................................1131
Oracle DB Listener........................................................................................................................... 1159 Oracle Database Listener log source parameters..................................................................... 1159 Collecting Oracle database events by using Perl ......................................................................1159 Configuring the Oracle Database Listener within QRadar.........................................................1161
Chapter 128. osquery............................................................................................................................1171 osquery DSM specifications.............................................................................................................1172 Configuring rsyslog on your Linux system....................................................................................... 1172 Configuring osquery on your Linux system..................................................................................... 1173 osquery log source parameters.......................................................................................................1174 osquery sample event message...................................................................................................... 1174
Palo Alto PA DSM specifications................................................................................................ 1181 Creating a Syslog destination on your Palo Alto PA Series device............................................ 1182 Forwarding Palo Alto Cortex Data Lake (Next Generation Firewall) LEEF events to IBM QRadar...................................................................................................................................1190 Creating a forwarding policy on your Palo Alto PA Series device..............................................1191 Creating ArcSight CEF formatted Syslog events on your Palo Alto PA Series Networks
Chapter 133. ProFTPd........................................................................................................................... 1209 Configuring ProFTPd........................................................................................................................ 1209 Syslog log source parameters for ProFTPd..................................................................................... 1209
IBM QRadar.................................................................................................................................1212 Syslog log source parameters for Proofpoint Enterprise Protection and Enterprise Privacy........ 1212
Configuring a Pulse Secure Pulse Connect Secure device to send WebTrends Enhanced Log File (WELF) events to IBM QRadar........................................................................................1217
Configuring a Pulse Secure Pulse Connect Secure device to send syslog events to QRadar
Pulse Secure Pulse Connect Secure sample event message
Chapter 136. Radware
Radware AppWall
Radware DefensePro
Syslog log source parameters for Radware DefensePro
Chapter 140. Resolution1 CyberSecurity
Configuring your Resolution1 CyberSecurity device to communicate with QRadar
Log file log source parameters for Resolution1 CyberSecurity
Chapter 141. Riverbed
Riverbed SteelCentral NetProfiler (Cascade Profiler) Audit
Configuring your Riverbed SteelCentral NetProfiler system to enable communication with QRadar
Chapter 142. RSA Authentication Manager
Configuration of syslog for RSA Authentication Manager 6.x, 7.x and 8.x
Configuring Linux
Log File log source parameters for RSA Authentication Manager
Configuring RSA Authentication Manager 6.x
Configuring RSA Authentication Manager 7.x
Configuring the Salesforce Security Monitoring server to communicate with QRadar
Salesforce Rest API log source parameters for Salesforce Security
Salesforce Security Auditing
Downloading the Salesforce audit trail file
Log File log source parameters for Salesforce Security Auditing
Detection
Creating a pattern filter on the SAP server
Troubleshooting the SAP Enterprise Threat Detection Alert API
SAP Enterprise Threat Detection sample event messages
Sophos PureMessage
Integrating QRadar with Sophos PureMessage for Microsoft Exchange
JDBC log source parameters for Sophos PureMessage
Integrating QRadar with Sophos PureMessage for Linux
JDBC log source parameters for Sophos PureMessage for Microsoft Exchange
Sophos Astaro Security Gateway
Chapter 156. Starent Networks
STEALTHbits StealthINTERCEPT Alerts
Collecting alerts logs from STEALTHbits StealthINTERCEPT
Sun Solaris Basic Security Mode (BSM)
Enabling Basic Security Mode in Solaris 10
Enabling Basic Security Mode in Solaris 11
Converting Sun Solaris BSM audit logs
Creating a cron job
Log File log source parameters for Sun Solaris BSM
Symantec SGS
Syslog log source parameters for Symantec SGS
Syslog log source parameters for ThreatGRID Malware Threat Intelligence Platform
Log File log source parameters for ThreatGRID Malware Threat Intelligence Platform
Chapter 164. TippingPoint
TippingPoint Intrusion Prevention System
TippingPoint X505/X506 Device
Configuring your TippingPoint X506/X506 device to communicate with QRadar
Chapter 165. Top Layer IPS
Trend Micro Apex One
Integrating with Trend Micro Apex One 8.x
Integrating with Trend Micro Apex One 10.x
Integrating with Trend Micro Apex One XG
Changing the date format in QRadar to match the date format for your Trend Micro Apex One device
SNMPv2 log source parameters for Trend Micro Apex One
Trend Micro Deep Discovery Analyzer
Configuring your Trend Micro Deep Discovery Analyzer instance for communication with QRadar
Trend Micro Deep Discovery Director
Trend Micro Deep Discovery Email Inspector
Configuring Trend Micro Deep Discovery Email Inspector to communicate with QRadar
Trend Micro Deep Discovery Inspector
Configuring Trend Micro Deep Discovery Inspector V3.0 to send events to QRadar
Configuring Trend Micro Deep Discovery Inspector V3.8, V5.0 and V5.1 to send events to QRadar
Trend Micro Deep Security
Chapter 168. Tripwire
Chapter 176. VMware
VMware AppDefense
VMware Carbon Black App Control (formerly known as Carbon Black Protection)
VMware Carbon Black App Control DSM specifications
Configuring VMware Carbon Black App Control to communicate with QRadar
Syslog log source parameters for VMware Carbon Black App Control
VMware Carbon Black App Control sample event messages
VMware ESX and ESXi
Configuring syslog on VMware ESX and ESXi servers
Enabling syslog firewall settings on vSphere Clients
Syslog log source parameters for VMware ESX or ESXi
Configuring the EMC VMWare protocol for ESX or ESXi servers
Creating an account for QRadar in ESX
Configuring read-only account permissions
EMC VMWare log source parameters for VMware ESX or ESXi
EMC VMWare sample event messages
VMware vCenter
EMC VMWare log source parameters for VMware vCenter
VMware vCenter sample event message
VMware vShield
VMware vShield DSM integration process
Configuring your VMware vShield system for communication with IBM QRadar
Syslog log source parameters for VMware vShield
Chapter 178. WatchGuard Fireware OS
Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with QRadar
Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with QRadar
Syslog log source parameters for WatchGuard Fireware OS
About this DSM Configuration Guide
The DSM Configuration guide provides instructions about how to collect data from your third-party devices, also known as log sources.
You can configure IBM® QRadar® to accept event logs from log sources that are on your network. A log source is a data source that creates an event log.
Note: This guide describes the Device Support Modules (DSMs) that are produced by IBM. Third-party DSMs are available on the IBM App Exchange, but are not documented here.
Intended audience
System administrators must have QRadar access, knowledge of the corporate network security concepts and device configurations.
Technical documentation
To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar products library, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Contacting customer support
For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Please Note:
Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.
Part 1. QRadar DSM installation and log source management
Chapter 1. Event collection from third-party devices
To configure event collection from third-party devices, you need to complete configuration tasks on the third-party device, and your QRadar Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.
Log sources
A log source is any external device, system, or cloud service that is configured to either send events to your IBM QRadar system or be collected by your QRadar system. QRadar shows events from log sources in the Log Activity tab.
To receive raw events from log sources, QRadar supports several protocols, including syslog from operating systems, applications, firewalls, and IPS/IDS; SNMP; SOAP; and JDBC for data from database tables and views. QRadar also supports proprietary vendor-specific protocols such as OPSEC/LEA from Checkpoint.
DSMs
A Device Support Module (DSM) is a code module that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM. For example, the IBM Fiberlink MaaS360 DSM parses and normalizes events from an IBM Fiberlink MaaS360 log source.
Automatic Updates
QRadar provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about automatic updates, see the IBM QRadar Administration Guide.
Third-party device installation process
To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your QRadar system. For some third-party devices, extra configuration steps are needed, such as configuring a certificate to enable communication between that device and QRadar.
The following steps represent a typical installation process:
1. Read the specific instructions for how to integrate your third-party device.
2. Download and install the RPM for your third-party device. RPMs are available for download from the IBM support website (http://www.ibm.com/support).
   Tip: If your QRadar system is configured to accept automatic updates, this step might not be required.
3. Configure the third-party device to send events to QRadar.
   After some events are received, QRadar automatically detects some third-party devices and creates a log source configuration. The log source is listed on the Log Sources list and contains default information. You can customize the information.
4. If QRadar does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.
5. Deploy the configuration changes and restart your web services.
Custom log source types for unsupported third-party log sources
After the events are collected and before the correlation can begin, individual events from your devices must be properly normalized. Normalization means to map information to common field names, such
For more information, see the IBM QRadar Administration Guide.
Adding a DSM
If your Device Support Module (DSM) is not automatically discovered, manually install a DSM.
Each type of log source has a corresponding DSM that parses and normalizes events from the log source.
Procedure
1. Download the DSM RPM file from the IBM support website (http://www.ibm.com/support).
2. Copy the RPM file to QRadar.
3. Using SSH, log in to the QRadar host as the root user.
4. Go to the directory that includes the downloaded file.
5. Type the following command:
   yum -y install <rpm_filename>
   Note: The rpm -Uvh <rpm_filename> command line to install was replaced with the yum -y install <rpm_filename> command.
6. Log in to QRadar.
7. On the Admin tab, click Deploy Changes.
Restriction: Uninstalling a Device Support Module (DSM) is not supported in QRadar.
For example, a firewall or intrusion protection system (IPS) logs security-based events, and switches or routers log network-based events.
To receive raw events from log sources, QRadar supports many protocols. Passive protocols listen for events on specific ports. Active protocols use APIs or other communication methods to connect to external systems that poll and retrieve events.
Depending on your license limits, QRadar can read and interpret events from more than 300 log sources.
To configure a log source for QRadar, you must do the following tasks:
1. Download and install a device support module (DSM) that supports the log source. A DSM is a software application that contains the event patterns that are required to identify and parse events from the original format of the event log to the format that QRadar can use.
2. If automatic discovery is supported for the DSM, wait for QRadar to automatically add the log source to your list of configured log sources.
3. If automatic discovery is not supported for the DSM, manually create the log source configuration.
Related tasks
“Adding a log source”
“Adding bulk log sources”
“Adding a log source parsing order”: You can assign a priority order for when the events are parsed by the target event collector.
“Adding a DSM”
Adding a log source
If the log source is not automatically discovered, manually add it by using the QRadar Log Source Management app so that you can receive events from your network devices or appliances.
If you are using QRadar 7.3.1 to 7.3.3, you can also add a log source by using the Log Sources icon.
Before you begin
Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.
Procedure
1. Log in to QRadar.
2. Click the Admin tab.
3. To open the app, click the QRadar Log Source Management app icon.
4. Click New Log Source > Single Log Source.
5. On the Select a Log Source Type page, select a log source type, and click Select Protocol Type.
6. On the Select a Protocol Type page, select a protocol, and click Configure Log Source Parameters.
7. On the Configure the Log Source parameters page, configure the log source parameters, and click Configure Protocol Parameters.
The following table describes the common log source parameters for all log source types:
Parameter: Enabled
Description: When this option is not enabled, the log source does not collect events.
Parameter: Credibility
Description: Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Parameter: Target Event Collector
Description: Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data sent by remote systems.
This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:
• Event Collectors
• Event Processors
• Data Gateways (QRadar on Cloud only)
• The QRadar Console
Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether they have any syslog log sources that are assigned or not. The Target Event Collector parameter is not used for log sources with the Syslog protocol.
Parameter: Coalescing Events
Description: When multiple events with the same QID, Username, Source IP, Destination IP, Destination Port, Domain, and Log Source occur within a short time interval (10 seconds), they are coalesced (bundled) together.
Because the events are bundled together, the number of events that are stored is decreased, which reduces the storage cost of events. Coalescing events might lead to loss of information, including raw payloads or event properties. The default is enabled. For more information, see How does coalescing work in QRadar?
8. On the Configure the protocol parameters page, configure the protocol-specific parameters.
• If your configuration can be tested, click Test Protocol Parameters.
10. To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.
11. Click Finish.
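The Coalescing Events parameter in the table above trades stored detail for storage cost. The following Python model is an added example, not IBM code and not part of the guide: it bundles constructed sample events on the seven listed properties within the 10-second interval and reports which raw payloads are no longer retained. The window anchoring, the choice to keep only the first payload, and all sample values (QID, addresses, log source name) are assumptions of the model.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 10  # interval given in the Coalescing Events description
# The seven properties the guide lists as the coalescing key.
KEY_FIELDS = ("qid", "username", "src_ip", "dst_ip",
              "dst_port", "domain", "log_source")


@dataclass
class StoredRecord:
    key: tuple
    first_seen: int      # seconds; time of the first event in the bundle
    payload: str         # raw payload kept for the record
    event_count: int = 1


def key_of(event):
    return tuple(event[f] for f in KEY_FIELDS)


def coalesce(events, enabled=True):
    """Return the records that would be stored.

    Model assumptions (not taken from the guide): the 10-second window is
    anchored at the first event of a bundle, and only that first event's
    raw payload is retained; later events only raise event_count.
    """
    stored, open_bundles = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        k = key_of(ev)
        cur = open_bundles.get(k)
        in_window = cur is not None and ev["time"] - cur.first_seen < WINDOW_SECONDS
        if enabled and in_window:
            cur.event_count += 1
            continue
        cur = StoredRecord(k, ev["time"], ev["payload"])
        open_bundles[k] = cur
        stored.append(cur)
    return stored


def dropped_payloads(events, stored):
    """Raw payloads that no stored record retains."""
    kept = {r.payload for r in stored}
    return [e["payload"] for e in events if e["payload"] not in kept]


def make_event(t, user, sport):
    # Constructed sample data: failed SSH logins seen by one log source.
    return {"time": t, "qid": 5000001, "username": user,
            "src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "dst_port": 22,
            "domain": "Default", "log_source": "LinuxServer @ web01",
            "payload": f"sshd: Failed password for {user} from 192.0.2.10 port {sport}"}


SAMPLE_EVENTS = [
    make_event(0, "alice", 40001), make_event(2, "alice", 40002),
    make_event(3, "bob", 40010), make_event(4, "alice", 40003),
    make_event(9, "alice", 40004), make_event(12, "alice", 40005),
    make_event(13, "alice", 40006),
]

if __name__ == "__main__":
    for label, on in (("coalescing on", True), ("coalescing off", False)):
        records = coalesce(SAMPLE_EVENTS, enabled=on)
        print(f"{label}: {len(records)} stored records")
        for r in records:
            print(f"  t={r.first_seen:>2} user={r.key[1]} count={r.event_count}")
        lost = dropped_payloads(SAMPLE_EVENTS, records)
        print(f"  payloads not retained: {len(lost)}")
```

The source port differs between the bundled events and is not one of the key properties, so in this model it survives only for the first event of each bundle when coalescing is on.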
Adding a log source by using the Log Sources icon
If the log source is not automatically discovered, manually add a log source for QRadar to receive events from your network devices or appliances.
If you are using QRadar 7.3.0 or earlier, you can add a log source in QRadar only by using the Log Sources icon.
If you are using QRadar 7.3.1 and later, you can add a log source by using the QRadar Log Source Management app.
Procedure
1. Log on to QRadar.
2. Click the Admin tab.
3. Click the Log Sources icon.
4. Click Add.
5. Configure the common parameters for your log source.
6. Configure the protocol-specific parameters for your log source.
The following table describes the common log source parameters for all log source types:
Table 2. Common log source parameters
Parameter: Enabled
Description: When this option is not enabled, the log source does not collect events.
Parameter: Credibility
Description: Credibility represents the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events and can be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Chapter 2. Introduction to log source management 7
Parameter: Target Event Collector
Description: Specifies the QRadar host where the log source's protocol runs. Outbound protocols initiate connections to remote systems from this host, and inbound protocols initialize their port listeners on this host to receive event data sent by remote systems.
This parameter is not specifically used for assigning a log source to an Event Collector appliance. Because the Event Collector component exists on the following hosts, the protocols can be assigned to any of these hosts:
• Event Collectors
• Event Processors
• Data Gateways (QRadar on Cloud only)
• The QRadar Console
Tip: All QRadar hosts that can collect events have an active syslog listener on port 514, whether they have any syslog log sources that are assigned or not. The Target Event Collector parameter is not used