October 2022 DSM Guide - IBM

IBM QRadar

DSM Configuration Guide October 2022

IBM

Note: Before using this information and the product that it supports, read the information in "Notices" on page 1525.

© Copyright International Business Machines Corporation 2012, 2022. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this DSM Configuration Guide................................................................. xxxv

Part 1. QRadar DSM installation and log source management..................................1

Chapter 1. Event collection from third-party devices ........................ 3
    Adding a DSM ........................ 4

Chapter 2. Introduction to log source management ........................ 5
    Adding a log source ........................ 5
        Adding a log source by using the Log Sources icon ........................ 7
    Adding bulk log sources ........................ 8
        Adding bulk log sources by using the Log Sources icon ........................ 9
    Editing bulk log sources ........................ 10
        Editing bulk log sources by using the Log Sources icon ........................ 10
    Adding a log source parsing order ........................ 11
    QRadar DSM installations and log source management FAQ ........................ 11
    Testing log sources ........................ 11
        Protocols available for testing ........................ 12
    Log source groups ........................ 13
        Creating a log source group ........................ 13
        Copying and removing log sources ........................ 14
        Removing a log source group ........................ 14

Chapter 3. Gateway log source ........................ 15
    Log source identifier pattern ........................ 16

Chapter 4. Log source extensions ........................ 19
    Examples of log source extensions on QRadar Support Forums ........................ 19
    Patterns in log source extension documents ........................ 20
    Match groups ........................ 20
        Matcher (matcher) ........................ 21
        JSON matcher (json-matcher) ........................ 26
        LEEF matcher (leef-matcher) ........................ 30
        CEF matcher (cef-matcher) ........................ 31
        Name Value Pair matcher (namevaluepair-matcher) ........................ 31
        Generic List matcher (genericlist-matcher) ........................ 33
        XML Matcher (xml-matcher) ........................ 34
        Multi-event modifier (event-match-multiple) ........................ 35
        Single-event modifier (event-match-single) ........................ 35
    Extension document template ........................ 36
    Creating a log source extensions document to get data into QRadar ........................ 38
        Common regular expressions ........................ 39
        Building regular expression patterns ........................ 40
        Uploading extension documents to QRadar ........................ 42
    Examples of parsing issues ........................ 42

Chapter 5. Manage log source extensions ........................ 47
    Adding a log source extension ........................ 47

Chapter 6. Threat use cases by log source type....................................................................................... 49


Chapter 7. Troubleshooting DSMs.............................................................................................................61

Part 2. QRadar protocol configuration...................................................................65

Chapter 8. Undocumented protocols ........................ 67
    Configuring an undocumented protocol ........................ 67

Chapter 9. Protocol configuration options ........................ 69
    Akamai Kona REST API protocol configuration options ........................ 69
    Amazon AWS S3 REST API protocol configuration options ........................ 70
    Amazon VPC Flow Logs ........................ 76
        Amazon VPC Flow Logs specifications ........................ 79
        Publishing flow logs to an S3 bucket ........................ 80
        Create the SQS queue that is used to receive ObjectCreated notifications ........................ 80
        Configuring security credentials for your AWS user account ........................ 80
    Amazon Web Services protocol configuration options ........................ 81
    Apache Kafka protocol configuration options ........................ 91
        Configuring Apache Kafka to enable Client Authentication ........................ 94
        Configuring Apache Kafka to enable SASL Authentication ........................ 97
        Troubleshooting Apache Kafka ........................ 99
    Blue Coat Web Security Service REST API protocol configuration options ........................ 100
    Centrify Redrock REST API protocol configuration options ........................ 100
    Cisco Firepower eStreamer protocol configuration options ........................ 102
    Cisco NSEL protocol configuration options ........................ 103
    EMC VMware protocol configuration options ........................ 103
    Forwarded protocol configuration options ........................ 104
    Google Cloud Pub/Sub protocol configuration options ........................ 104
        Configuring Google Cloud Pub/Sub to integrate with QRadar ........................ 107
        Adding a Google Cloud Pub/Sub log source in QRadar ........................ 108
    Google G Suite Activity Reports REST API protocol options ........................ 109
        Google G Suite Activity Reports REST API protocol FAQ ........................ 110
    HCL BigFix SOAP protocol configuration options (formerly known as IBM BigFix) ........................ 111
    HTTP Receiver protocol configuration options ........................ 112
        Setting up certificate-based authentication for HTTP Receiver ........................ 113
    IBM Cloud Object Storage protocol configuration options ........................ 114
    IBM Fiberlink REST API protocol configuration options ........................ 117
    IBM Security Verify Event Service protocol configuration options ........................ 119
    JDBC protocol configuration options ........................ 121
    JDBC - SiteProtector protocol configuration options ........................ 126
    Juniper Networks NSM protocol configuration options ........................ 128
    Juniper Security Binary Log Collector protocol configuration options ........................ 128
    Log File protocol configuration options ........................ 129
    Microsoft Azure Event Hubs protocol configuration options ........................ 131
        Configuring Microsoft Azure Event Hubs to communicate with QRadar ........................ 135
        Troubleshooting Microsoft Azure Event Hubs protocol ........................ 137
    Microsoft Defender for Endpoint SIEM REST API protocol configuration options ........................ 144
    Microsoft DHCP protocol configuration options ........................ 146
    Microsoft Exchange protocol configuration options ........................ 149
    Microsoft Graph Security API protocol configuration options ........................ 152
        Configuring Microsoft Graph Security API to communicate with QRadar ........................ 154
        Migrating Microsoft Defender for Endpoint REST API log sources to Microsoft Graph Security API log sources ........................ 155
    Microsoft IIS protocol configuration options ........................ 156
    Microsoft Security Event Log protocol configuration options ........................ 158
        Microsoft Security Event Log over MSRPC Protocol ........................ 159
    MQ protocol configuration options ........................ 162


    Office 365 Message Trace REST API protocol configuration options ........................ 163
        Troubleshooting the Office 365 Message Trace REST API protocol ........................ 165
    Okta REST API protocol configuration options ........................ 168
    OPSEC/LEA protocol configuration options ........................ 169
    Oracle Database Listener protocol configuration options ........................ 170
    PCAP Syslog Combination protocol configuration options ........................ 172
    RabbitMQ protocol configuration options ........................ 174
    SDEE protocol configuration options ........................ 175
    Seculert Protection REST API protocol configuration options ........................ 176
        Seculert Protection REST API protocol workflow ........................ 178
    SMB Tail protocol configuration options ........................ 181
    SNMPv2 protocol configuration options ........................ 183
    SNMPv3 protocol configuration options ........................ 184
    Sophos Enterprise Console JDBC protocol configuration options ........................ 185
    Sourcefire Defense Center eStreamer protocol options ........................ 187
    Syslog Redirect protocol overview ........................ 187
    TCP multiline syslog protocol configuration options ........................ 188
    TLS Syslog protocol configuration options ........................ 193
        Multiple log sources over TLS Syslog ........................ 198
    UDP multiline syslog protocol configuration options ........................ 199
    VMware vCloud Director protocol configuration options ........................ 202

Chapter 10. Universal Cloud REST API protocol ........................ 205
    Workflow ........................ 206
    Workflow Parameter Values ........................ 207
    State ........................ 208
    Actions ........................ 208
        Abort ........................ 209
        Add ........................ 209
        CallEndpoint ........................ 210
        ClearStatus ........................ 215
        Copy ........................ 215
        Create JWTAccessToken ........................ 216
        Delete ........................ 217
        DoWhile ........................ 217
        ForEach ........................ 218
        FormatDate ........................ 218
        GenerateHMAC ........................ 219
        If/ElseIf/Else ........................ 219
        Initialize ........................ 221
        Log ........................ 221
        Merge ........................ 221
        ParseDate ........................ 222
        PostEvent ........................ 222
        PostEvents ........................ 223
        RegexCapture ........................ 224
        Set ........................ 225
        SetStatus ........................ 225
        Sleep ........................ 225
        Split ........................ 226
        While ........................ 226
        XPathQuery ........................ 227
    JPath ........................ 228
        Basic selection ........................ 228
        Query ........................ 229
        Arithmetic operations in JSON elements ........................ 230
        Functions in JPath expressions ........................ 231
    Command line testing tool ........................ 232

