IBM Security QRadar

Keeping up-to-date on QRadar log source management

By Axel Buecker posted Thu July 02, 2020 03:42 PM

Keeping up-to-date on QRadar log source management can be a daunting task, and our new educational material is here to refine your skills and extend your capabilities.

The IBM Security Learning Academy has recently published several new QRadar log source related assets.

The IBM Security QRadar DSM for Amazon Web Services (AWS) CloudTrail supports audit events that are collected from Amazon S3 buckets by using the Amazon AWS S3 REST API protocol and a Simple Queue Service (SQS) queue. This method is very useful when you collect AWS CloudTrail logs from multiple accounts or regions in an Amazon S3 bucket, and it reduces the chance of missing files because each new object is announced by an ObjectCreate notification. It is an alternative to the prefix method of collecting data because it does not require that the file names in the folders sort in ascending string order by their full path.

In the course "Configuring and testing an AWS CloudTrail log source in QRadar using an S3 bucket with an SQS queue", you learn which services you need to properly configure in your AWS environment to make this method work:
  • Enable AWS CloudTrail
  • Store events in S3 bucket
  • Create SQS queue
  • Set up SQS queue permissions
  • Create Object Create notifications
  • Configure security credentials for your AWS user account
After you learn about configuring the services, you learn how to add an Amazon AWS CloudTrail log source. Finally, you see how a successfully configured log source receives events from AWS.

The "Configuring Log File log sources for QRadar" course teaches you how to avoid common issues when you configure log sources for QRadar that use the Log File protocol. You also learn how to configure both FTPS and passwordless SCP authentication for Log File log sources. Finally, you learn how to configure and test Log File log sources in the IBM Security QRadar Log Source Management app.
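To make the S3-plus-SQS flow concrete, here is an added illustration (not IBM, QRadar or course material) of the three pieces the steps above produce on the AWS side and of what the collector does with them: the SQS queue policy that lets S3 deliver notifications, the bucket notification configuration for object-created events, and the parsing of one SQS message into the bucket and key to fetch. The bucket name, queue name, region and account id 111122223333 are constructed placeholders, and the two sample messages are constructed to match the shape S3 actually sends.

```python
import json
from urllib.parse import unquote_plus

# Constructed placeholders standing in for a real AWS deployment.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
BUCKET = "example-cloudtrail-bucket"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:cloudtrail-events"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def sqs_queue_policy(bucket_arn: str, queue_arn: str, account_id: str) -> dict:
    """Queue policy for the 'Set up SQS queue permissions' step.

    s3.amazonaws.com is a shared service principal, so the Condition block is
    what stops buckets in other accounts from posting into this queue and
    steering the collector at objects you never meant to fetch.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ObjectCreatedNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def bucket_notification_config(queue_arn: str, prefix: str = "AWSLogs/") -> dict:
    """Bucket notification configuration for the 'Create Object Create notifications' step.

    s3:ObjectCreated:* covers Put, Post, Copy and CompleteMultipartUpload, so a
    log file reaches the queue however CloudTrail wrote it; the prefix/suffix
    filter keeps unrelated objects in a shared bucket out of the queue.
    """
    return {
        "QueueConfigurations": [{
            "Id": "cloudtrail-to-sqs",
            "QueueArn": queue_arn,
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [
                {"Name": "prefix", "Value": prefix},
                {"Name": "suffix", "Value": ".json.gz"},
            ]}},
        }],
    }


def objects_from_sqs_message(body: str) -> list[tuple[str, str]]:
    """Turn one SQS message body into the (bucket, key) pairs to download.

    Each message names the exact object, which is why the sorted-file-name
    requirement of the prefix method disappears. Two edge cases are handled:
    S3 sends a single s3:TestEvent (no Records) when the notification is first
    configured, and object keys arrive URL-encoded (a space shows up as '+').
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent" or "Records" not in msg:
        return []
    found = []
    for rec in msg["Records"]:
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3_part = rec["s3"]
        found.append((s3_part["bucket"]["name"], unquote_plus(s3_part["object"]["key"])))
    return found


# Constructed sample messages shaped like real S3 -> SQS deliveries.
SAMPLE_TEST_EVENT = json.dumps({
    "Service": "Amazon S3", "Event": "s3:TestEvent",
    "Time": "2020-07-02T19:42:00.000Z", "Bucket": BUCKET, "RequestId": "EXAMPLE",
})
SAMPLE_KEY = (f"AWSLogs/{ACCOUNT_ID}/CloudTrail/{REGION}/2020/07/02/"
              f"{ACCOUNT_ID}_CloudTrail_{REGION}_20200702T1940Z_EXAMPLE.json.gz")
SAMPLE_NOTIFICATION = json.dumps({
    "Records": [{
        "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": REGION,
        "eventTime": "2020-07-02T19:42:05.000Z", "eventName": "ObjectCreated:Put",
        "s3": {"s3SchemaVersion": "1.0",
               "bucket": {"name": BUCKET, "arn": BUCKET_ARN},
               "object": {"key": SAMPLE_KEY, "size": 1234}},
    }]
})

if __name__ == "__main__":
    print(json.dumps(sqs_queue_policy(BUCKET_ARN, QUEUE_ARN, ACCOUNT_ID), indent=2))
    print(json.dumps(bucket_notification_config(QUEUE_ARN), indent=2))
    for message in (SAMPLE_TEST_EVENT, SAMPLE_NOTIFICATION):
        print(objects_from_sqs_message(message))
```

The two dictionaries are in the shape the S3 and SQS APIs accept for a queue policy and a bucket notification configuration; the consumer function is the part worth checking in your own environment, since a collector that forgets the test event or the URL-encoded key will log a failed fetch for an object that does exist.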

In the course "How to download QRadar logs, including app logs", you learn how to use the Get Logs feature in the QRadar interface through the following steps:
  • Download logs in the QRadar interface
  • Download app logs and identify apps with the Recon troubleshooting tool

Continue to increase your skills by utilizing the IBM Security Learning Academy :-)