IBM QRadar

QRadar unable to parse Humio ingested logs

    Posted Sat January 28, 2023 09:17 AM
    Hello,

    We have a log management solution, CrowdStrike Falcon LogScale (formerly known as Humio), which receives events from the actual log source, a Palo Alto firewall, filters the events and forwards only the events of interest to QRoC via a QRadar collector server in JSON format. During filtering, Humio adds header information which QRadar is not able to understand, and it fails to parse the events. Here is the raw log ingested from Humio to QRoC via DG.

    <13>Jan 23 10:27:40 humtst01v.emea.ibm.net fluentd: {"@timestamp":1674475307156,"priority":"14","#type":"syslog","@error":"true","@ingestsourceip":"172.25.129.200","@ingestconfigname":"syslog","host":"blr-fi-md40702-ur.emea.ibm.net","#error":"true","@timezone":"UTC","#humioAutoShard":"1","app":"1,2023/01/23","msg":" 17:41:07,001801051440,TRAFFIC,drop,2305,2023/01/23 17:41:07,106.215.94.206,59.164.68.230,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Untrust_Out,DMZ,ethernet1/3.1119,,Syslog-Forwarding,2023/01/23 17:41:07,0,1,1325,35420,0,0,0x0,udp,deny,102,102,0,1,2023/01/23 17:41:06,0,any,0,233139786846,0x8000000000000000,India,India,0,1,0,policy-deny,309,0,0,0,,blr-fi-md40702-ur,from-policy,,,0,,0,,N/A,0,0,0,0,e8cc105e-c205-4f41-a590-3d8f0c577751,0,0,,,,,,,","@timestamp.nanos":"0","@rawstring":"<14>Jan 23 17:41:07 blr-fi-md40702-ur.emea.ibm.net 1,2023/01/23 17:41:07,001801051440,TRAFFIC,drop,2305,2023/01/23 17:41:07,106.215.94.206,59.164.68.230,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Untrust_Out,DMZ,ethernet1/3.1119,,Syslog-Forwarding,2023/01/23 17:41:07,0,1,1325,35420,0,0,0x0,udp,deny,102,102,0,1,2023/01/23 17:41:06,0,any,0,233139786846,0x8000000000000000,India,India,0,1,0,policy-deny,309,0,0,0,,blr-fi-md40702-ur,from-policy,,,0,,0,,N/A,0,0,0,0,e8cc105e-c205-4f41-a590-3d8f0c577751,0,0,,,,,,,","@error_msg[0]":"timestamp was set to a value in the future. Setting it to now","#humioBackfill":"0","@error_msg":"timestamp was set to a value in the future. Setting it to now"}


    Here is the original log ingested from Palo Alto.

    <14>Jan 23 17:41:07 blr-fi-md40702-ur.emea.ibm.net 1,2023/01/23 17:41:07,001801051440,TRAFFIC,drop,2305,2023/01/23 17:41:07,106.215.94.206,59.164.68.230,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,vsys1,Untrust_Out,DMZ,ethernet1/3.1119,,Syslog-Forwarding,2023/01/23 17:41:07,0,1,1325,35420,0,0,0x0,udp,deny,102,102,0,1,2023/01/23 17:41:06,0,any,0,233139786846,0x8000000000000000,India,India,0,1,0,policy-deny,309,0,0,0,,blr-fi-md40702-ur,from-policy,,,0,,0,,N/A,0,0,0,0,e8cc105e-c205-4f41-a590-3d8f0c577751,0,0,,,,,,,


    Here is my query:

    QRadar is unfortunately not able to understand the event ingested from Humio, and I would need to manually create a DSM to let QRadar extract values from the Humio-ingested logs. Here are the fields I would like to extract.

    1. Source IP : 106.215.94.206
    2. Source port
    3. Destination IP: 59.164.68.230
    4. Destination port
    5. Event category

    Can someone please help me with the RegEx to extract the above details from logs ingested from Humio?
    We are paying crores as a subscription charge to QRadar support, and it's unfortunate that the QRadar support policy doesn't cover this, as the support fella replied in response to my case.



    ------------------------------
    Venkateshwaran S
    ------------------------------
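As an added example (not from the post, IBM or CrowdStrike), a Python sketch of what a custom parser for the wrapped event above has to do: recover the original Palo Alto CSV from the Humio JSON (the @rawstring key, with the split app/msg pair as fallback), index the TRAFFIC columns, and generate the equivalent Java-style regex that a QRadar custom property could use. Column positions follow the PAN-OS TRAFFIC syslog field order; reading type/subtype/action as the requested "event category" is an assumption, and the wrapper builder trims the Humio metadata keys to the ones the parser relies on.

```python
import json
import re

# Column positions (0-based) in the Palo Alto TRAFFIC CSV payload, per the PAN-OS
# syslog field order. "Event category" is taken here as type/subtype/action.
FIELDS = {"type": 3, "subtype": 4, "src_ip": 7, "dst_ip": 8,
          "src_port": 24, "dst_port": 25, "action": 30}

# The Palo Alto payload from the post, copied verbatim.
PAYLOAD = ("1,2023/01/23 17:41:07,001801051440,TRAFFIC,drop,2305,2023/01/23 17:41:07,"
           "106.215.94.206,59.164.68.230,0.0.0.0,0.0.0.0,interzone-default,,,not-applicable,"
           "vsys1,Untrust_Out,DMZ,ethernet1/3.1119,,Syslog-Forwarding,2023/01/23 17:41:07,"
           "0,1,1325,35420,0,0,0x0,udp,deny,102,102,0,1,2023/01/23 17:41:06,0,any,0,"
           "233139786846,0x8000000000000000,India,India,0,1,0,policy-deny,309,0,0,0,,"
           "blr-fi-md40702-ur,from-policy,,,0,,0,,N/A,0,0,0,0,"
           "e8cc105e-c205-4f41-a590-3d8f0c577751,0,0,,,,,,,")

def wrap(payload, include_raw=True):
    """Constructed Humio/fluentd wrapper shaped like the post's event. Humio split
    the original on its first space: "app" holds "1,2023/01/23", "msg" the rest."""
    app, msg = payload.split(" ", 1)
    body = {"@timestamp": 1674475307156, "#type": "syslog",
            "host": "blr-fi-md40702-ur.emea.ibm.net", "app": app, "msg": " " + msg}
    if include_raw:
        body["@rawstring"] = "<14>Jan 23 17:41:07 blr-fi-md40702-ur.emea.ibm.net " + payload
    return ("<13>Jan 23 10:27:40 humtst01v.emea.ibm.net fluentd: "
            + json.dumps(body, separators=(",", ":")))

def inner_payload(line):
    """Recover the original Palo Alto CSV from a wrapped line."""
    body = json.loads(line[line.index("{"):])      # skip the outer fluentd syslog header
    raw = body.get("@rawstring")
    if raw:                                         # preferred: the untouched original
        # "<PRI>Mon DD hh:mm:ss host <csv>": the CSV follows four whitespace runs
        return re.split(r"\s+", raw, maxsplit=4)[4]
    return body["app"] + body["msg"]                # fallback: re-join Humio's split pieces

def extract(line):
    cols = inner_payload(line).split(",")
    return {name: cols[i] for name, i in FIELDS.items()}

def rawstring_regex(col):
    """Java-compatible pattern for a QRadar custom property capturing CSV column
    `col` out of @rawstring (assumes no commas inside values; column 0 absorbs
    the inner syslog header because that header contains no comma)."""
    return r'"@rawstring":"(?:[^,]*,){%d}([^,]*),' % col

def regex_capture(col, line):
    m = re.search(rawstring_regex(col), line)
    return m.group(1) if m else None
```

Running `extract(wrap(PAYLOAD))` yields the five requested fields from the sample, and `rawstring_regex(7)` is the pattern for the source IP; the regex path returns nothing when @rawstring is absent, which is exactly when the app/msg fallback is needed.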