What’s new in Splunk Data Forwarding App for QRadar version 3.0.0
By Jeff Rusk and Sophia McCarthy
I’m going to highlight a couple of new features that were released in Splunk Data Forwarding app v3.0.0.
Now available for QRadar on Cloud (QRoC) Deployments
To connect the Splunk Data Forwarding app to your Splunk instances, you will need to use the QRoC Self Serve app to configure proxy mapping for your QRoC instance; once that mapping is in place, data sources from your Splunk instance can be forwarded to QRadar.
Automatically create Windows log source
If the Splunk Data Forwarding app detects that one or more Windows Source Types are available for forwarding from your Splunk instance, it will notify you of this.
To enable forwarding of Windows Source Types from your Splunk instance to the QRadar deployment, you will be presented with two options: to automatically create a Windows log source on QRadar, and additionally to configure that Windows log source as a gateway log source so that QRadar can identify the Windows logs coming in from the various original sources.
In the example below, I’ve selected to have my Windows log source automatically created. To enable this option, I selected my Splunk instance and then specified which QRadar instance, and which port on that instance, I want the logs to be received on.
Once I’ve configured which QRadar instance I want my logs forwarded to, I can verify my configuration prior to completing the forwarding.
I can now complete the forwarding process, and in the example below, I can see that a new log source has been automatically created named ‘WindowsAuthServer @ xxx.xxx.xxx’.
Once the log source has been automatically created, I can deploy changes in our QRadar instance to ensure that the new log source is ready to receive logs from the Splunk instance.
After you’ve deployed changes for the Windows Auth Server log source, you can now navigate to the Log Source Management App to see the newly automatically created Windows log source on your QRadar instance.
Note: If you haven’t yet installed the Log Source Management App, I’d highly recommend installing it, as we will soon migrate to the app as being our primary mode of managing and maintaining log sources. You can check out what’s new in the app here.
Quickly identify Windows Source Types
Windows source types are easily identified by an asterisk in the Source Type view, which indicates that the app has detected a Windows Source Type.
Easily discard the forwarding queue
The forwarding queue can be cleared by clicking the ‘X’ button next to the Forward button, which discards the source types that are queued for forwarding.
Manually enter a forwarding destination
You can now manually enter a forwarding destination if the preferred event collector is not populated within the selection box.
Summary
Our goal is to ensure that you can easily forward events from your Splunk instance to your QRadar deployment and gain the deeper insight into your security data that QRadar offers. Enabling support for QRoC customers ensures that all QRadar users now have access to the functionality shown here; in fact, all the screen captures in this blog are from the app installed on a QRoC instance.