IBM QRadar

I am really struggling with this one.  I am retiring a Splunk instance and trying to duplicate a very critical dashboard for our operations team.  The dashboard displays logs from BIGIP/F5 APM module.  These logs are primarily VPN authentication.  I need to group usernames with sessions on a single screen.

Unfortunately, all of the logs for a session do not contain the username.  So, I run the query below to join logs by session_id and can quickly get a dashboard that neatly displays the username, session, and associated logs.

sourcetype="f5:bigip:apm:syslog" | transaction session_id | stats values(_raw) as log count by user, session_id

This is proving to be a nearly impossible task within Qradar.  Perhaps one of you have worked this out already?  I've been looking at transactional queries in Qradar, but it is much more complex and it doesn't produce the same clean results.

select sessionId,DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') start_time,username,sourceip,category from events into <cursor_name> where username='joe_blogs' SESSION BY starttime username, sourceip BEGIN category=16001 END category=16003 start '2016-11-25 16:00' stop '2016-11-25 23:30'

------------------------------
Mike
------------------------------

I am not familiar with the F5 events, but if the username of whatever information you want to group by is contained in the payload of the event and QRadar is extracting that to a field or custom property this can be easily achieved, in the case the info is in the payload but not extracted that can be fixed with the DSM editor, once the data is extracted to a field or custom property grouping is just a couple of clicks.

DSM Editor tutorial:
https://www.youtube.com/watch?v=KF40bba_kp0

------------------------------
Moises Monge
Senior SIEM Admin
IBM
------------------------------

Original Message:
Sent: Tue January 14, 2020 09:28 AM
From: Michael Burgess
Subject: Qradar BIGIP/F5 Grouping Sessions and Usernames

I am really struggling with this one.  I am retiring a Splunk instance and trying to duplicate a very critical dashboard for our operations team.  The dashboard displays logs from BIGIP/F5 APM module.  These logs are primarily VPN authentication.  I need to group usernames with sessions on a single screen.

Unfortunately, all of the logs for a session do not contain the username.  So, I run the query below to join logs by session_id and can quickly get a dashboard that neatly displays the username, session, and associated logs.

sourcetype="f5:bigip:apm:syslog" | transaction session_id | stats values(_raw) as log count by user, session_id

This is proving to be a nearly impossible task within Qradar.  Perhaps one of you have worked this out already?  I've been looking at transactional queries in Qradar, but it is much more complex and it doesn't produce the same clean results.

select sessionId,DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') start_time,username,sourceip,category from events into <cursor_name> where username='joe_blogs' SESSION BY starttime username, sourceip BEGIN category=16001 END category=16003 start '2016-11-25 16:00' stop '2016-11-25 23:30'

------------------------------
Mike
------------------------------

Thanks for the reply.  Unfortunately, as mentioned in the original message, the information is not contained in every log.  The Username and Session is in a single log.  The session is in every log. 

I can group by session, but it doesn't display username without multiple drill downs.  Additionally, if I search by Username (which is much more practical), the results do not show the entire session.

I was able to pull this off with a single line in Splunk, but can't figure out how to do it in Qradar.

------------------------------
Michael Burgess
------------------------------

Original Message:
Sent: Tue January 14, 2020 02:27 PM
From: Moises Monge
Subject: Qradar BIGIP/F5 Grouping Sessions and Usernames

I am not familiar with the F5 events, but if the username of whatever information you want to group by is contained in the payload of the event and QRadar is extracting that to a field or custom property this can be easily achieved, in the case the info is in the payload but not extracted that can be fixed with the DSM editor, once the data is extracted to a field or custom property grouping is just a couple of clicks.

DSM Editor tutorial:
https://www.youtube.com/watch?v=KF40bba_kp0

------------------------------
Moises Monge
Senior SIEM Admin
IBM

Original Message:
Sent: Tue January 14, 2020 09:28 AM
From: Michael Burgess
Subject: Qradar BIGIP/F5 Grouping Sessions and Usernames

I am really struggling with this one.  I am retiring a Splunk instance and trying to duplicate a very critical dashboard for our operations team.  The dashboard displays logs from BIGIP/F5 APM module.  These logs are primarily VPN authentication.  I need to group usernames with sessions on a single screen.

Unfortunately, all of the logs for a session do not contain the username.  So, I run the query below to join logs by session_id and can quickly get a dashboard that neatly displays the username, session, and associated logs.

sourcetype="f5:bigip:apm:syslog" | transaction session_id | stats values(_raw) as log count by user, session_id

This is proving to be a nearly impossible task within Qradar.  Perhaps one of you have worked this out already?  I've been looking at transactional queries in Qradar, but it is much more complex and it doesn't produce the same clean results.

select sessionId,DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') start_time,username,sourceip,category from events into <cursor_name> where username='joe_blogs' SESSION BY starttime username, sourceip BEGIN category=16001 END category=16003 start '2016-11-25 16:00' stop '2016-11-25 23:30'

------------------------------
Mike
------------------------------