IBM QRadar

  • 1.  Support for Sysmon on Linux

    Posted Mon January 15, 2024 02:11 PM

    Hello,

    I'm looking to test the functionality of sending sysmon events from Linux OSs to QRadar. I have not been able to find any comments online if a DSM exists or if QRadar can ingest and parse the logs yet. This concerns me that perhaps it is not yet supported and a custom parser may be needed. If anyone has one and is willing to share, please do so.

    Thanks,

    Ben



    ------------------------------
    Ben McHarg
    ------------------------------


  • 2.  RE: Support for Sysmon on Linux

    Posted Tue January 16, 2024 12:09 PM

    At present there is no supported DSM for SysmonForLinux.
    Though since these are Syslog events you should be able to create a Custom DSM to custom parse them.

    https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-custom-log-source-types

    To request a new feature you can submit an IBM Idea (RFE) via the following link:

    https://www.ibm.com/support/pages/qradar-requesting-new-features-ibm-ideas



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------
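
To make the "custom parse them" step concrete, here is an added example (not code from this thread, from IBM, or from the Sysmon for Linux project) of what a parser for such records has to deal with. It assumes that Sysmon for Linux writes each event to syslog as a standard syslog line whose program name is `sysmon` and whose message body is the event XML (`<Event><System>...</System><EventData>...</EventData></Event>`); the sample line below is constructed on that assumption, with placeholder GUIDs, and is not a capture from a real host. The regex patterns mirror the shape of a QRadar custom event property (a single capture group holding the value), which is the mechanism a custom log source type relies on, but the patterns themselves are this example's, not ones shipped with QRadar.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample record (assumed Sysmon for Linux syslog layout, placeholder GUIDs).
SAMPLE_LINE = (
    'Jan 15 14:11:02 host01 sysmon: <Event><System>'
    '<Provider Name="Linux-Sysmon"/>'
    '<EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task>'
    '<TimeCreated SystemTime="2024-01-15T14:11:02.123456000Z"/>'
    '<EventRecordID>42</EventRecordID>'
    '<Channel>Linux-Sysmon/Operational</Channel>'
    '<Computer>host01</Computer><Security UserId="0"/></System>'
    '<EventData>'
    '<Data Name="RuleName">-</Data>'
    '<Data Name="UtcTime">2024-01-15 14:11:02.123</Data>'
    '<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>'
    '<Data Name="ProcessId">5678</Data>'
    '<Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl -s http://example.invalid/</Data>'
    '<Data Name="User">user</Data>'
    '<Data Name="ParentProcessId">1200</Data>'
    '<Data Name="ParentImage">/bin/bash</Data>'
    '</EventData></Event>'
)

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

# Sysmon event IDs that are stable across Windows and Linux builds.
SYSMON_EVENT_NAMES = {1: 'ProcessCreate', 3: 'NetworkConnect', 11: 'FileCreate'}

# Regexes in the shape of QRadar custom event properties: capture group 1 is the value.
CUSTOM_PROPERTIES = {
    'EventID': r'<EventID>(\d+)</EventID>',
    'Image': r'<Data Name="Image">([^<]*)</Data>',
    'CommandLine': r'<Data Name="CommandLine">([^<]*)</Data>',
    'ParentImage': r'<Data Name="ParentImage">([^<]*)</Data>',
}


def split_syslog(line):
    """Return the syslog header fields and message body, or None if not syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def _local(tag):
    # Tolerate a default XML namespace on the Event element if one is ever present.
    return tag.rsplit('}', 1)[-1]


def parse_sysmon_event(line):
    """Parse one syslog line carrying a Sysmon XML event into a flat dict.

    Returns None for lines that are not from the sysmon program or not valid XML,
    so a collector can fall through to other parsers instead of raising.
    """
    parts = split_syslog(line)
    if parts is None or parts['prog'] != 'sysmon':
        return None
    try:
        root = ET.fromstring(parts['msg'])
    except ET.ParseError:
        return None
    if _local(root.tag) != 'Event':
        return None
    event = {'host': parts['host'], 'event_id': None, 'event_name': None,
             'computer': None, 'data': {}}
    for el in root.iter():
        name = _local(el.tag)
        if name == 'EventID':
            event['event_id'] = int(el.text)
            event['event_name'] = SYSMON_EVENT_NAMES.get(event['event_id'], 'Unknown')
        elif name == 'Computer':
            event['computer'] = el.text
        elif name == 'Data' and el.get('Name'):
            # Sysmon puts the field name in the Name attribute and the value in the text.
            event['data'][el.get('Name')] = el.text or ''
    return event


def extract_property(line, pattern):
    """Apply a QRadar-style single-capture-group regex to the raw payload."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


if __name__ == '__main__':
    ev = parse_sysmon_event(SAMPLE_LINE)
    print(ev['event_name'], ev['data']['Image'], ev['data']['CommandLine'])
    for prop, pattern in CUSTOM_PROPERTIES.items():
        print(prop, '=', extract_property(SAMPLE_LINE, pattern))
```

The XML parser gives every `Data` field at once and is the right tool for a collector or for checking what the events contain before building the log source type; the regex table is what you would carry over into the custom properties themselves, one pattern per field you want as a normalized property, with the `EventID` value being the natural key to map onto QRadar event categories.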