This article describes a method for ingesting IBM Cloud VPC flow logs into QRadar. This use case utilizes IBM Cloud LogDNA to store the flow logs so that QRadar can query for flow logs. The GitHub project at
https://github.com/IBM/ibm-cloud-vpc-logs-2-qradar walks you through how to setup IBM Cloud and QRadar and has a QRadar DSM available for mapping the VPC Flow logs to QRadar ACL Allow and ACL Deny rules.
This method uses the IBM QRadar Universal Cloud REST API for ingesting the flow logs. At the time of writing this article the Universal Cloud REST API only allows for posting logs into the Event Pipeline of QRadar. No logs can be posted to the Flow Pipeline of QRadar at this time using this method.
Flow Outline
- IBM Cloud VPC Flow Logs are saved to a Cloud Object Storage (COS) bucket.
- A IBM Cloud Object Storage trigger detects that a new log has been written.
- A function is called to gather the flow log information from the COS bucket and send the data to LogDNA.
- QRadar uses the Universal Cloud REST API to query for new VPC Flow Data from LogDNA.
References
- Understanding IBM Cloud VPC Flow Logs:
https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-flow-log-collector
- Setting up triggers for changes to IBM Cloud Object Storage bucket where VPC Flow Logs are saved:
https://cloud.ibm.com/docs/openwhisk?topic=openwhisk-pkg_obstorage
- Understanding IBM Cloud Log Analysis (LogDNA):
https://cloud.ibm.com/docs/log-analysis?topic=log-analysis-getting-started
- Understanding IBM QRadar Universal Cloud REST API protocol:
https://www.ibm.com/docs/en/qsip/7.4?topic=configuration-universal-cloud-rest-api-protocol
------------------------------
Matthew Dobbs
IBM Security
Atlanta GA
------------------------------