IBM QRadar


DSM Parsing in QRadar

By Kajal Sangani posted Mon October 16, 2023 05:47 AM

  

Overview:

As you all know, Gartner named IBM a Leader in the Gartner Magic Quadrant for SIEM for the 12th consecutive year. Many components of QRadar SIEM make this possible, and one of them is DSM parsing.

DSM stands for Device Support Module. It is what makes the events QRadar SIEM receives meaningful to end users: it parses the events coming from many different devices and transforms them into QRadar's standard taxonomy as output.

DSM parsing is a critical component of QRadar integrations, enabling efficient data extraction and normalization from diverse log sources.

DSM parsing receives data in raw format, and every device has its own format, such as JSON, LEEF, CEF or syslog. These include simple alerts, warnings, errors, login information or any other events that the device logs and processes internally. QRadar selects the DSM by matching the combination of protocol source and identifier address against its log source mapping; the DSM then transforms the incoming event data into a more readable form in QRadar's normalized event model, which is what lets QRadar SIEM understand the security events.

Let's look at the event data received and at what information the DSM parser can extract from it.

Example 1:

Raw payload data:

<142>Nov 29 19:30:26 2022 aruba.mobility.test dot1x-proc:1[4343]: <124038> <4343> <INFO> <aruba.mobility.test 10.0.0.0>  Reused server radius_aruba.mobility.test for method=802.1x; user=host/example.com,  essid=test, domain=<>, server-group=radius_emea_cp

Parsing Process and Processed data:

From the above payload the DSM parser identifies which log source event this is and maps its different properties with the help of the unique parser written for that device. A parser is a combination of regex and JSON keypath expressions.

Regex (regular expressions) are important in DSM parsing because they allow pattern matching and data extraction from unstructured log data. Since log data is often generated in different formats and structures, regex can be used to identify specific patterns and extract the relevant data from the log.

In DSM parsing, regex can be used to define patterns for specific log fields, allowing for efficient data extraction and normalization. For example, if a log message contains a timestamp, a source IP address, and a destination IP address, regex can be used to identify and extract each of these fields.

Examples of regex (written as bare patterns; inside a Java or JSON string literal each backslash is doubled, for example \\.):

IP address: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}

Username: [a-zA-Z0-9_$@\-\.\\]+

Source port: (?<=SrcPort\(\d{4}\)=)\d+

Destination IP address: (?<=DstIPAddr\(\d{4}\)=)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

If a device generates log messages with slight variations in format, regex can capture the relevant data regardless of the variation.
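As an added illustration (not part of the original post and not IBM's parser code), here is how the regex approach above turns the Example 1 Aruba payload into normalized fields in Python; the group names, the parse_aruba and normalize helpers, and the output keys are my own choices.

```python
import re

# Constructed for this example: the Aruba Mobility payload from Example 1 above.
RAW = ('<142>Nov 29 19:30:26 2022 aruba.mobility.test dot1x-proc:1[4343]: '
       '<124038> <4343> <INFO> <aruba.mobility.test 10.0.0.0>  Reused server '
       'radius_aruba.mobility.test for method=802.1x; user=host/example.com,  '
       'essid=test, domain=<>, server-group=radius_emea_cp')

# Syslog priority and header, then the Aruba-specific "<event id> <pid> <severity>
# <host ip>" prefix, each captured with a named group.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<time>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'(?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: '
    r'<(?P<event_id>\d+)> <\d+> <(?P<severity>[A-Z]+)> '
    r'<(?P<src_host>\S+) (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})>\s+'
    r'(?P<message>.*)$')

# key=value pairs in the free-text part, terminated by ';' or ','.
KV = re.compile(r'(?P<key>[\w-]+)=(?P<value>[^;,]*)')

def parse_aruba(raw: str) -> dict:
    """Normalize one Aruba dot1x syslog payload into a flat field dict."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError('payload does not match the Aruba header pattern')
    fields = m.groupdict()
    # Syslog PRI = facility * 8 + severity; <142> is local1 (17), informational (6).
    fields['facility'], fields['syslog_severity'] = divmod(int(fields.pop('pri')), 8)
    for kv in KV.finditer(fields['message']):
        value = kv.group('value').strip()
        fields[kv.group('key')] = '' if value == '<>' else value   # domain=<> is empty
    return fields

def normalize(fields: dict) -> dict:
    """Pick out the properties the page lists for this event."""
    return {'Event ID': fields['event_id'],
            'Username': fields.get('user', ''),
            'Source IP': fields['src_ip'],
            'Source Host': fields['src_host'],
            'Severity': fields['severity'],
            'ESSID': fields.get('essid', '')}

if __name__ == '__main__':
    print(normalize(parse_aruba(RAW)))
```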

The transformed event can be seen in the Log Activity tab of the QRadar Console, where you can filter, search and so on over the data. From the Display dropdown you can select the default normalized view or the raw events, as you can see below:

The parser tags each event with two fields that uniquely identify it:

1. Event ID – a unique ID that identifies the event

2. Event Category – the category the event falls under, based on the DSM

You can see the event ID and category mapped for the above payload in the diagram below.

[Screenshot: event ID and category of the parsed event]

The DSM parsing component extracts properties such as Event Name, low-level category (LLC), Event Description, identity information, Username, Source IP, Destination IP and MAC properties from the above payload, as you can see below:

[Screenshot: extracted event properties]


Example 2:

Raw payload data:

<22>2022-07-20T13:25:27.116340+02:00 proofpoint.enterpriseprotection.test sendmail[7831]: 26KBPPJD007264: to=<exmaple@test.com>, delay=00:00:00, tls_verify=NOT, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=37140, stat=Blocked - see https://example.com/?ip=127.0.0.1

Processed data:

[Screenshots: processed event and its extracted properties]

Example 3:

Raw payload data:

<6>LEEF:1.0|Imperva|SecureSphere|14.7.1|Agent status changed|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2022-09-27 16:06:00.0|Message=Status of agent "testAgent" at IP 10.0.0.0 (id=10,068) changed from Running to Disconnected.|Severity=High|usrName=test|cat=SystemEvent

Processed data:

[Screenshots: processed event and its extracted properties]
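To show the structured side of the same job, here is an added LEEF parser (my own example, not IBM's DSM code) that splits the Example 3 payload into its header fields and attributes and then maps them onto the normalized properties named above; the parse_leef and normalize names and the handling of the LEEF 2.0 delimiter field (a literal character or a hex code such as x09) are assumptions of this example.

```python
import re

# Constructed for this example: the Imperva SecureSphere LEEF payload from Example 3 above.
RAW = ('<6>LEEF:1.0|Imperva|SecureSphere|14.7.1|Agent status changed|'
       'devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2022-09-27 16:06:00.0|'
       'Message=Status of agent "testAgent" at IP 10.0.0.0 (id=10,068) changed '
       'from Running to Disconnected.|Severity=High|usrName=test|cat=SystemEvent')

# Optional syslog priority, then the start of the LEEF header.
HEADER = re.compile(r'^(?:<(?P<pri>\d{1,3})>)?LEEF:(?P<version>[12]\.0)\|')
# The IP pattern from the page, dots escaped so they match only a literal '.'.
IP = re.compile(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')

def parse_leef(raw: str) -> dict:
    """Split a LEEF 1.0/2.0 payload into header fields and a key=value attribute map."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError('not a LEEF payload')
    vendor, product, version, event_id, rest = raw[m.end():].split('|', 4)
    delim = '\t'                           # LEEF 1.0 default attribute delimiter
    if m.group('version') == '2.0':
        # Assumed LEEF 2.0 layout: an optional delimiter field follows the event ID,
        # either a literal character or its hex code such as x09; empty keeps tab.
        spec, rest = rest.split('|', 1)
        if spec:
            delim = chr(int(spec[-2:], 16)) if re.fullmatch(r'0?x[0-9A-Fa-f]{2}', spec) else spec
    elif '\t' not in rest:
        delim = '|'                        # sender reused '|' between attributes (Example 3)
    # Split only where the delimiter is followed by another key=, so a value that
    # contains the delimiter character is kept whole.
    attrs = {}
    for part in re.split(re.escape(delim) + r'(?=[\w.-]+=)', rest):
        key, _, value = part.partition('=')
        attrs[key] = value
    event = {'vendor': vendor, 'product': product, 'product_version': version,
             'event_id': event_id, 'attributes': attrs}
    if m.group('pri'):
        event['facility'], event['syslog_severity'] = divmod(int(m.group('pri')), 8)
    return event

def normalize(event: dict) -> dict:
    """Map LEEF attributes onto the normalized properties the page lists."""
    a = event['attributes']
    ips = IP.findall(a.get('Message', ''))      # regex over the free-text field
    return {'Event ID': event['event_id'],
            'Event Category': a.get('cat', ''),
            'Username': a.get('usrName', ''),
            'Source IP': ips[0] if ips else '',
            'Severity': a.get('Severity', '')}
```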

The DSM parsing component supports 11 languages: English, French, Chinese (Simplified), Chinese (Traditional), German, Italian, Korean, Japanese, Portuguese (Brazilian), Spanish and Russian.

There are a few more aspects of DSM parsing:

1. Identity information:

Identity data is a special set of system properties that includes Identity Username, Identity IP, Identity NetBIOS Name, Identity Extended Field, Identity Host Name, Identity MAC and Identity Group Name.

'Identity' is the means by which DSMs supply information to the asset model: under certain conditions a DSM should create an EventIdentityChange and attach it to the normalized event it produces. This EventIdentityChange contains the information used to update or add the relevant asset.

Many DSMs support identity. Parsing looks like this:

Raw payload data:

Apr 24 2015 14:59:27.661 IST 10.17.4.207 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.71095|3003|messageId=1-1-0   Common.NAS-IP-Address=10.17.6.124    Common.Roles=[User Authenticated]     cat=Session Logs    RADIUS.Acct-Framed-IP-Address=192.167.41.126  RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com     Common.Request-Timestamp=2015-04-24 14:57:50+05:30   Common.Host-MAC-Address=0032b62c2895   RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-OnlydevTimeFormat=MMM dd yyyy HH:mm:ss.SSS z        RADIUS.Acct-NAS-Port=0Common.Username=A_user2        RADIUS.Acct-Session-Id=R00000002-01-553a0c96      RADIUS.Acct-NAS-Port-Type=Wireless-802.11  RADIUS.Acct-Username=A_user2   src=10.17.4.207 RADIUS.Acct-NAS-IP-Address=10.17.6.124    Common.Service=Radius-Test-Authentication-Service

Processed data:

[Screenshot: identity properties of the parsed event]

2. Auto discovery:

If a log source is not mapped or configured to any DSM, QRadar supports auto discovery of the events based on the traffic analysis configuration list. The guide for this can be found at Auto Detection Guide.

3. Log sources:

Another important aspect of a device is its log source. Each device is attached to a unique log source, which is the source to which the logs coming from that device are attached. Where auto discovery is supported, log sources are created automatically; if auto discovery is not supported, you can create the log source manually. For setting up a log source, a detailed guide is available to help you: Adding the logsource

You can also set up the parsing order for log sources. To do this, go to the Admin tab of the Console, select the Log Source Parsing Ordering icon, and you will get the screen below, which helps you decide the order:

[Screenshot: Log Source Parsing Ordering screen]

4. QID map:

The DSM maps each event to a unique QID (QRadar Identifier) using the QID map, so every event is mapped to a unique numeric event ID that can be used further on in the QRadar processor. This mapping can be checked in two places:

1. In the Additional Information section of the event:

[Screenshot: QID in the Additional Information section of an event]

2. In the DSM Editor:

IBM Security releases updates and fixes very frequently on Fix Central; these contain the installation packages with the jars and mapping data. Generally all QRadar Consoles have auto-updates enabled, so anything released to Fix Central is auto-updated on the consoles. However, you can also manually download the latest releases from IBM's official release platform, Fix Central.

As of today, DSM parsing supports more than 450 devices as part of its integrations, such as AWS, Microsoft 365 Defender, Aruba Mobility, VMware, Okta and many more.

I hope all the above information helps you dive deeper into the DSM world of QRadar SIEM.

A few useful links to learn more about QRadar and DSMs:

QRadar Supported DSMs

How to Create Custom DSM

QRadar DSM Configuration Guide

QRadar SIEM Guide

QRadar documentation landing page
