Overview :
As you all know Gartner named IBM a Leader in the Gartner Magic Quadrant for SIEM for the 12thconsecutive year. Many components for Qradar SIEM make it possible and one of which is DSM Parsing in QRadar.
DSM parsing is a critical component of QRadar integrations, enabling efficient data extraction and normalization from diverse log sources.
DSM Parsing receives the data which is in Raw format and every device has its own format like JSON, LEEF, CEF, Syslog etc. These includes simple alerts, warning, errors, login info or any events that device logs and process internally. DSM Parsing transforms these incoming Event Data through a match on a combination of the protocol source and the identifier address with the mapping into more readable format in QRadar's normalized event model for end users and helps QRadar SIEM to understand the security events.
Let’s understand more about the event data received and what information can be extracted by DSM Parser.
Example 1:
Raw payload data:
|
<142>Nov 29 19:30:26 2022 aruba.mobility.test dot1x-proc:1[4343]: <124038> <4343> <INFO> <aruba.mobility.test 10.0.0.0> Reused server radius_aruba.mobility.test for method=802.1x; user=host/example.com, essid=test, domain=<>, server-group=radius_emea_cp
|
Parsing Process and Processed data:
From the above payload DSM Parser identifies that this the specific log source event and maps the different properties which the help of unique parser written for it. Parser is the combination of various Regex and JSON keypath expressions.
Regex (regular expressions) are important in DSM parsing because they allow for pattern matching and data extraction from unstructured log data. Since log data is often generated
in different formats and structures, regex can be used to identify specific patterns and extract relevant data from the log.
In DSM parsing, regex can be used to define patterns for specific log fields, allowing for efficient data extraction and normalization. For example, if a log message contains a timestamp, a source IP address, and a destination IP address, regex can be used to identify and extract each of these fields.
Example of Regex:
IP - "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
Username - "[a-zA-Z0-9_$@\\-\\.\\\\]+"
Source Port: (?<=SrcPort\(\d{4}\)=)\d+
Destination IP Address: (?<=DstIPAddr\(\d{4}\)=)\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}
If a device generates log messages with slight variations in format, regex can be used to capture the relevant data regardless of the format.
The transformed event can be seen in Log Activity Tab of QRadar Console. Here you can perform filter, search etc. over the data. From the Display dropdown you can select the default normalized data or the raw events too. As you can see below:
Parser tags the events with 2 fields which uniquely identifies the event :
1. Event Id – Unique id to identify event
2. Event Category – Category of the events it falls for based on DSM
You can see the event id and category mapped for the above payload in below diagram.
DSM parsing component extracts properties for events like Event Name, LLC, Event Description, Identity information, Username, Source IP, Destination IP, MAC properties from the above payload as you can see below:
Example 2:
Raw payload data:
|
<22>2022-07-20T13:25:27.116340+02:00 proofpoint.enterpriseprotection.test sendmail[7831]: 26KBPPJD007264: to=<exmaple@test.com>, delay=00:00:00, tls_verify=NOT, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=37140, stat=Blocked - see https://example.com/?ip=127.0.0.1
|
Processed data:
Example 3:
Raw payload data:
|
<6>LEEF:1.0|Imperva|SecureSphere|14.7.1|Agent status changed|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2022-09-27 16:06:00.0|Message=Status of agent "testAgent" at IP 10.0.0.0 (id=10,068) changed from Running to Disconnected.|Severity=High|usrName=test|cat=SystemEvent
|
Processed data:
DSM parsing component does support 11 languages which are English, French, Chinese (simplified), Chinese (traditional), German, Italian, Korean, Japanese, Portuguese (Brazilian) , Spanish, Russian.
There are few more aspects of DSM Parsing:
1. Identity Information :
Identity data is a special set of system properties that includes Identity Username, Identity IP, Identity NetBIOS Name, Identity Extended Field, Identity Host Name, Identity MAC, Identity Group Name.
'Identity' is a means for DSMs to supply information to the asset model - under certain conditions, DSMs should create an EventIdentityChange to attach to the Normalized Event that the DSM produces. This EventIdentityChange contains information that is used to update or add the relevant asset.
There are many DSMs that supports identity. Parsing would look like below :
Raw payload data:
|
Apr 24 2015 14:59:27.661 IST 10.17.4.207 LEEF:1.0|Aruba Networks|ClearPass|6.5.0.71095|3003|messageId=1-1-0 Common.NAS-IP-Address=10.17.6.124 Common.Roles=[User Authenticated] cat=Session Logs RADIUS.Acct-Framed-IP-Address=192.167.41.126 RADIUS.Auth-Source=AD:win2008R2-64bit.bangalore.avendasys.com Common.Request-Timestamp=2015-04-24 14:57:50+05:30 Common.Host-MAC-Address=0032b62c2895 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-OnlydevTimeFormat=MMM dd yyyy HH:mm:ss.SSS z RADIUS.Acct-NAS-Port=0Common.Username=A_user2 RADIUS.Acct-Session-Id=R00000002-01-553a0c96 RADIUS.Acct-NAS-Port-Type=Wireless-802.11 RADIUS.Acct-Username=A_user2 src=10.17.4.207 RADIUS.Acct-NAS-IP-Address=10.17.6.124 Common.Service=Radius-Test-Authentication-Service
|
Processed data:
2. Auto Discovery :
In the case of log sources is not mapped or configured to any DSM, DSM supports auto discovery of the events based on the traffic analysis configuration list. Guide for which can be found at Auto Detection Guide.
3. Log Sources :
Another most imported aspect of the devices is Log source. Each device is attached to the unique log source. Log source is the kind of unique source attached to the logs coming from different devices. In case of auto-discovery is supported, logsources are created automatically. If the auto-discovery is not supported than you can manually create the logsource. For Setting up the logsource, here is detailed guide available to help you Adding the logsource
You can also setup the parsing order for the logsources. For this , please go to the Admin tab of Console - > select Log Source Parsing Ordering icon and you will get the below screen that will help you decide the order :
4. Qidmap :
DSM matches/maps the events to unique qid(Qradar Identifier)using the Qidmap. So each event is mapped to unique eventid(Numeric value)which can be used further in Qradar processor. Same can be check at two places:
1. At Addition Information section of event :
2. In DSM Editor :
IBM Security release very often updates and fixes on FixCentral which contains the installation packages containing jars and mapping data. Generally all QRadar Console have auto-updates enabled, so anything which is released to fix central gets auto-updated in consoles. However, you can also manually download latest releases from IBM Official release platform FixCentral
As of today, DSM parsing supports more than 450 devices like AWS, Microsoft 365 Defender, Aruba Mobility, VMWare, Okta and the list goes on.. as a part of integrations.
Hope all the above information help you to dive in more to DSM world of the QRadar SIEM.
Few useful links to know more about QRadar and DSM:
QRadar Supported DSMs
How to Create Custom DSM
QRadar DSM Configuration Guide
Qradar SIEM Guide
QRadar documentation landing page