IBM QRadar


Cisco FirePower Threat Defense Log Source causes problems

  • 1.  Cisco FirePower Threat Defense Log Source causes problems

    Posted Mon July 05, 2021 02:27 PM

    Hello,

    On June 17, a new Log Source (Cisco FirePower Management Center) appeared for the IP address of our firewall. There is already a log source of type Cisco FirePower Threat Defense for this IP. Both Log Sources received events from the same IP, but many with the low level category "stored".

    We deleted the wrong log source (FirePower Management Center) and deactivated autodetection.

    Most of the events are still with the low level category "stored".

    Custom Properties are not filled.

    Opening these Events in the DSM Editor shows an empty "Log Activity Preview" window with "no events were parsed" (changing the "log source type" to the wrong "Cisco FirePower Management Center" shows the events in the window "Log Activity Preview", but in the status "parsing failed").

    Is there a way to repair the log source type "Cisco Firepower Threat Defense"?

    Regards,

    Harald

    On June 17, some applications were updated (e.g. User Behavior Analytics, QRadar Deployment Intelligence, QRadar Log Source Management) or installed by our external service provider.

    Today I found and installed "IBM QRadar Custom Properties for Cisco Firepower (Syslog)" - but this didn't help.

    QRadar is installed in version 7.4.2 FixPack 3 (Build 20210323172312).



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Cisco FirePower Threat Defense Log Source causes problems

    Posted Fri July 09, 2021 06:22 PM

    I'm not sure what version you are on, but QRadar supports Cisco Firepower Management Center V5.2 to V6.4. If Cisco FPMC is sending events and they are being auto discovered as Cisco FirePower Threat Defense, then you might be experiencing a jar signing issue where threat events were being categorized as 'Stored'.


    There is an RPM update available that was released to Fix Central, and it should be in the next Weekly Auto Update for 13 July 2021. So, you can either install the updated RPM on your Console (requires both Cisco Firewall Devices and Cisco Firepower Threat Management DSM) or you can wait for next week's auto update (WAU).


    Text description for the RPM

    Resolves an issue in the Cisco Firepower Threat Defense DSM to rebuild and update the jar signer in the RPM. This RPM release prevents events from unexpectedly generating an error, which can cause Cisco Firepower Threat Defense events to categorize as 'Stored'.


    If this were my Console, I would probably install the Cisco Firewall Devices DSM and the Cisco Firepower Threat Defense DSM to see if this resolves your issue. These were both posted to IBM Fix Central on 5 July 2021. We have an auto updates page that lists recent fixes on both QRadar 101 home and the Auto Updates 101 page. However, I think you want to get these latest RPMs installed, then if you are still having events sent to 'Stored', then you might need to open a case with support.


    Note: Cisco Firewall Devices has an installation dependency now to install the Cisco FirePower Threat Defense RPM. This is why I linked you both Cisco Firewall Devices from 5 July 2021 and Cisco Firepower Threat Defense for 5 July 2021 as you probably need to install Cisco Firewall Devices first, then update Threat Defense.



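    The Console-side procedure Jonathan describes (install the Cisco Firewall Devices DSM first, then the Cisco Firepower Threat Defense DSM, then deploy and re-check for 'Stored' events), as an added example that is not part of this thread or of IBM's tooling. The package-name stems DSM-CiscoFirewallDevices and DSM-CiscoFirepowerThreatDefense are assumptions based on QRadar's usual DSM-<Name>-<version>.noarch.rpm naming; check them against the files you downloaded from Fix Central.

```shell
#!/bin/sh
# Added example: apply the two Cisco DSM RPMs in dependency order on a
# QRadar Console. Package stems below are assumptions, not taken from IBM.
FIREWALL_STEM="DSM-CiscoFirewallDevices"
FTD_STEM="DSM-CiscoFirepowerThreatDefense"

# order_dsm_rpms: echo the given RPM filenames one per line, the Firewall
# Devices DSM first (the Threat Defense DSM depends on it), then Threat
# Defense, then anything else in the order given.
order_dsm_rpms() {
    for f in "$@"; do case "$f" in "$FIREWALL_STEM"-*) echo "$f";; esac; done
    for f in "$@"; do case "$f" in "$FTD_STEM"-*) echo "$f";; esac; done
    for f in "$@"; do
        case "$f" in
            "$FIREWALL_STEM"-*|"$FTD_STEM"-*) ;;
            *) echo "$f";;
        esac
    done
}

# installed_version: print the installed version-release of a package stem,
# or "not installed". Only meaningful on a Console where rpm exists.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null || echo "not installed"
}

# install_dsms: record current versions, install in dependency order from
# the current directory, then show the new versions. Stops at the first
# failed install so the dependent DSM is never applied on a broken base.
install_dsms() {
    echo "before: $FIREWALL_STEM $(installed_version "$FIREWALL_STEM")"
    echo "before: $FTD_STEM $(installed_version "$FTD_STEM")"
    for pkg in $(order_dsm_rpms "$@"); do
        echo "installing $pkg"
        yum -y install "./$pkg" || return 1
    done
    echo "after:  $FIREWALL_STEM $(installed_version "$FIREWALL_STEM")"
    echo "after:  $FTD_STEM $(installed_version "$FTD_STEM")"
    echo "Next: Admin > Deploy Changes, then confirm new Cisco Firepower"
    echo "Threat Defense events no longer land in the 'Stored' category."
}
```

Run it from the directory holding the downloaded files, e.g. `install_dsms DSM-CiscoFirepowerThreatDefense-*.rpm DSM-CiscoFirewallDevices-*.rpm`; the ordering function corrects the argument order for you.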


  • 3.  RE: Cisco FirePower Threat Defense Log Source causes problems

    Posted Mon July 12, 2021 10:03 AM

    Hi Harald,

    As Jonathan mentioned, this is the solution. After both RPMs are applied manually, the Events are normalized again and showing up as expected :)

    Regards,

    Ralph


