Integrating unsupported Log source with IBM QRadar SIEM

By Vishal Tangadkar posted Tue January 30, 2024 03:21 AM

  

IBM® QRadar® SIEM collects events from security products by using a plug-in file called a Device Support Module (DSM). IBM already ships many DSMs out of the box.

IBM® QRadar® SIEM receives logs from systems and devices by using the standard Syslog protocol. Supported DSMs can use other protocols as well, as listed in the Supported DSM table. Third-party applications can also be configured to send logs to IBM® QRadar® SIEM over the Syslog protocol.

For supported log sources, IBM® QRadar® SIEM is responsible for writing the regex, parsing the events and mapping them to QIDs. Refer to the Supported DSM document to learn more about supported DSMs.

For unsupported DSMs, to make sense of the events we need to parse and normalise them and map them to an Event Name. Rule conditions can then be applied to these events during monitoring to detect anomalies and trigger offenses.
In the case of supported DSMs, events are parsed properly. If they are not, engage IBM Support.

This document describes in detail how to deal with unsupported events from a device manufacturer and/or model, as a step-by-step guide to implementing the integration.

Configure and use a Custom DSM (UDSM):

Write a log source extension to parse events from the unsupported device:
For more information, see Log source extensions and the DSM Editor. You can also use content extensions provided by third-party vendors on the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/) to send events to IBM® QRadar® SIEM. These third-party DSM integrations are supported by the respective vendor, NOT by IBM.

NOTE: Parsing issues observed with third-party DSM integrations are out of the scope of IBM Support.
The following video shows how to write a DSM in the DSM Editor: https://www.youtube.com/watch?v=KF40bba_kp0

Figure 1 – Log Source Integration with IBM® QRadar® SIEM

Choosing the Right Protocol:

The first thing that matters is to receive the events on IBM® QRadar® SIEM. Any of the protocols listed below can be used to collect the events.

Protocols Available for Integration:

AhnLabPolicyCenterJdbc
Akamai Kona REST API
Amazon AWS S3 REST API
Amazon Web Services
Apache Kafka
Ariel REST API
Blue Coat Web Security Service REST API
Box REST API
Centrify Redrock REST API
Cisco Duo
Cisco Firepower eStreamer
Cisco NSEL
EMC VMWare
Google Cloud Pub/Sub
Google G Suite Activity Reports Rest API
HCL BigFix SOAP
HTTP Receiver
IBM BigFix EDR REST API
IBM Cloud Object Storage
IBM Fiberlink REST API
IBM QRadar DLC Protocol
IBM Security Identity Manager JDBC
IBM Security Randori REST API
IBM Security ReaQta REST API
IBM Security Verify Event Service
IBM SmartCloud Orchestrator REST API
JDBC
JDBC - SiteProtector
Juniper NSM
Juniper Security Binary Log Collector
Log File
MQ JMS
Microsoft Azure Event Hubs
Microsoft DHCP
Microsoft Defender for Endpoint REST API
Microsoft Exchange
Microsoft Graph Security API
Microsoft IIS
Microsoft Security Event Log (End of life)
Microsoft Security Event Log Custom
Microsoft Security Event Log over MSRPC
Netskope Active REST API
OPSEC/LEA
ObserveIT JDBC
Office 365 Message Trace REST API
Office 365 REST API
Okta REST API
Oracle Database Listener
PCAP Syslog Combination
Rabbit MQ
SAP Enterprise Threat Detection Alert API
SDEE
SMB Tail
SNMPv1
SNMPv2
SNMPv3
Salesforce REST API
Seculert Protection REST API
Sophos Enterprise Console JDBC
Syslog
Syslog Redirect
TCP Multiline Syslog
TLS Syslog
UDP Multiline Syslog
Universal Cloud REST API
VMWare AppDefense API
VMware vCloud Director
WinCollect
WinCollect Config Server
WinCollect File Forwarder
WinCollect Juniper SBR
WinCollect Microsoft DHCP
WinCollect Microsoft DNS Debug
WinCollect Microsoft Exchange
WinCollect Microsoft IAS / NPS
WinCollect Microsoft IIS
WinCollect Microsoft ISA / Forefront TMG
WinCollect Microsoft SQL
WinCollect NetApp Data ONTAP

The next step is to parse the events. If you have trouble configuring any of the above protocols, reach out to IBM Software Support. Where no direct protocol exists to receive the events, the application logs can be written to a file on any Linux or Windows server, and IBM® QRadar® SIEM can pull them from there using the SMB Tail or Log File protocol.

Configure and use a Custom DSM (UDSM):

Let’s explore the option of configuring the Custom DSM manually.

Figure 2 - Flow Chart

Let’s consider an example to understand how to parse Unsupported Events:

The following events do not have any existing supported DSM from IBM® QRadar® SIEM.

Nov 25 12:20 unsupported eventid="New Unsupported Event" eventcategory="category1" username=user1 srcip=192.168.1.1 srcport=6666
Nov 25 12:22 unsupported eventid="New Unsupported Event" eventcategory="category2" username=user2 srcip=192.168.1.2 srcport=6667

The received events are categorized as SIM Generic, which means they are unparsed.

Figure 3 - Unparsed and Unmapped Events in Log Activity Tab

Using DSM Editor:

Using the DSM Editor we can create a custom DSM. Open the events in the DSM Editor and follow the steps below.

1. Choose the Log Source Type. As we do not have a supported DSM, we need to create one.


Figure 4 - Select Create New

2. Choose the Log Source Name as per your requirement, e.g. “Internal New Log Source” (for demo purposes).

Figure 5 - Name the Log Source

3. It will show up in the list of available Log Source Types.

Figure 6 - Available Log Source Types

4. Once you select the Log Source Type “Internal New Log Source”, the DSM Editor shows the event information as follows:

a. Events show Parsing Failed.

b. None of the properties are parsed.

c. Event Category shows unknown.

d. Event Name shows unknown.

Figure 7 - Parsing Failed Events in DSM Editor

5. Let us create the regex to extract the Event Category:

a. Search for the Event Category property.

b. Override system behaviour.

c. Choose the Expression Type (available options are: Regex, JSON, CEF, LEEF, GENERIC LIST, NAME VALUE PAIR, XML. For more details see qradar-property-configuration-in-dsm-editor).

d. Select Regex. You can either enter the expression that extracts the property directly, or type in the value you would like to extract and click “Suggest Regex”.

e. The text highlighted in dark yellow is the value extracted by the regex.

Figure 8 - Regex for Event Category

6. Regex extracts the correct value for Event Category.

Figure 9 - Event Category is populating now

7. Next, create the regex to extract the Event ID. Follow the same steps used in Step 6 to extract the Event ID using a regex.

Figure 10 - Regex for Event ID

8. After this, the regex extracts the correct value and the Event ID starts populating. Once Event ID and Event Category are both extracted, the Parsing Status changes to “Parsed and NOT Mapped”.

Figure 11 - Event ID is populating now and Parsing Status changed to “Parsed and NOT Mapped”

9. Follow the same method used in steps 5 and 6 to generate a regex for Source IP, or write the regex yourself. Source IP is now populating for all the events.

Figure 12 - Source IP is populating now

10. Use the same method from steps 5 and 6 to generate a regex for Source Port, or write the regex yourself. Source Port is now populating for all the events.

Figure 13 - Source Port is populating now

11. Use the same method from steps 5 and 6 to generate a regex for Username, or write the regex yourself. Username is now populating for all the events.

Figure 14 - Username is populating now

12. At this point we have Event Category and Event ID extracted, along with all the other properties. The next step is Event Mapping: each combination of Event Category and Event ID is mapped to a QID / Event Name. By default there are two mappings, unknown / Stored and unknown / unknown.

13. To add a new mapping, click the + sign.

Figure 15 - Available Default Event Mapping

14. The unknown event mappings are listed; select them one by one and map each to an existing QID or to a newly created QID. Here we select the first pair:
Event Category – New Unsupported Event
Event ID – category1

Figure 16 - Unknown Event Mapping available for mapping Select First Pair

15. Choose one of the available QIDs, or click Create New QID Record.

Figure 17 - QID Records Search or Create New QID Record

16. Create the new QID:

a. Name: Event - Category1

b. Description: This is new Unsupported Event Of Category 1.

c. Log Source Type: Internal New Log Source

d. High Level Category: User Defined

e. Low Level Category: Custom Policy 1

f. Severity: 5

Figure 18 - Add New Custom QID Record for Event – Category1

17. The new QID is created with QID number 1004000002. Click OK and then Create to get the QID mapped.

Figure 19 - New QID record created and available to use for mapping

18. Now select the second pair:

Event Category – New Unsupported Event
Event ID – category2

Figure 20 - Unknown Event Mapping available for mapping select second pair

19. Create a new QID record:

a. Name: Event - Category1

b. Description: This is new Unsupported Event Of Category 1.

c. Log Source Type: Internal New Log Source

d. High Level Category: User Defined

e. Low Level Category: Custom Policy 1

f. Severity: 5

Figure 21 - Add New Custom QID Record for Event – Category2

20. The new QID is created with QID number 1004000003. Click OK and then Create to get the QID mapped.

Figure 22 - New QID record created and available to use for mapping

21. Once all events are parsed and mapped, the Parsing Status changes to “Parsed and Mapped”. The Event Name now appears as per the QID mapping we did in the earlier steps.

Figure 23 - Parsing Status is changed to "Parsed and Mapped"
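The extraction and mapping carried out in steps 5 to 21, written out as an added Python example (not code from the article or from QRadar): one capture-group regex per property, applied to the two sample events quoted above, followed by the Event ID / Event Category lookup that yields the QID and Event Name, and a parsing status that mirrors the three states the DSM Editor reports. The patterns use only syntax that is common to Python and the Java regex engine QRadar evaluates, so they can be pasted into the editor's Regex field; confirm each one in the editor's highlighted preview.

```python
import re

# Constructed sample input: the two unsupported events quoted in this article.
SAMPLE_EVENTS = [
    'Nov 25 12:20 unsupported eventid="New Unsupported Event" eventcategory="category1" '
    'username=user1 srcip=192.168.1.1 srcport=6666',
    'Nov 25 12:22 unsupported eventid="New Unsupported Event" eventcategory="category2" '
    'username=user2 srcip=192.168.1.2 srcport=6667',
]

# One capture-group regex per DSM Editor property (what "Override system behaviour"
# with Expression Type = Regex asks for). Group 1 is the extracted value.
PROPERTY_REGEX = {
    "Event ID": re.compile(r'eventid="([^"]*)"'),
    "Event Category": re.compile(r'eventcategory="([^"]*)"'),
    "Username": re.compile(r"username=(\S+)"),
    "Source IP": re.compile(r"srcip=((?:\d{1,3}\.){3}\d{1,3})"),
    "Source Port": re.compile(r"srcport=(\d{1,5})"),
}

# Event mappings built in steps 14 to 20, keyed by the (Event ID, Event Category)
# pair. QID numbers are the ones the article shows; record names follow the
# figure captions (assumed for the second record).
QID_MAP = {
    ("New Unsupported Event", "category1"): (1004000002, "Event - Category1"),
    ("New Unsupported Event", "category2"): (1004000003, "Event - Category2"),
}


def parse_event(raw):
    """Extract every property and report a DSM Editor style parsing status."""
    props = {}
    for name, rx in PROPERTY_REGEX.items():
        m = rx.search(raw)
        if m:
            props[name] = m.group(1)
    # Event ID and Event Category are the two properties that move an event from
    # "Parsing Failed" to "Parsed" (step 8); the others only enrich the event.
    if "Event ID" not in props or "Event Category" not in props:
        return {"status": "Parsing Failed", "properties": props, "event_name": "unknown"}
    mapping = QID_MAP.get((props["Event ID"], props["Event Category"]))
    if mapping is None:  # parsed, but no QID record exists for this pair yet
        return {"status": "Parsed and NOT Mapped", "properties": props, "event_name": "unknown"}
    qid, event_name = mapping
    return {"status": "Parsed and Mapped", "properties": props, "qid": qid, "event_name": event_name}
```

An event whose pair has no QID record (for example a new eventcategory value) comes back as "Parsed and NOT Mapped", which is the state you would see in the editor before adding a mapping for it.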

22. At this point our DSM is capable of parsing the unsupported logs we are going to receive. We can either create the Log Source manually from the Log Source Management tab, or use the method below to enable auto detection of the custom Log Source as well.

Once auto detection is enabled, the Auto Detection engine detects the log source automatically based on the Advanced Options and creates the log source using the following naming format:
Log Source Name: $$DEVICE_TYPE$$ @ $$SOURCE_ADDRESS$$
Log Source Description: $$DEVICE_TYPE$$ device

Note the Advanced Options below, which you can also modify:

Minimum Successful Events for Autodetection: Minimum number of events from an unknown source that must be successfully parsed for auto detection to occur.

Minimum Success Rate for Autodetection: Minimum parsing success rate (percentage) for events from an unknown source for auto detection to occur.

Attempted Parse Limit: Maximum number of events from an unknown source to attempt before abandoning auto detection.

Consecutive Failed Parse Limit: Number of consecutive failed events from an unknown source after which auto detection is abandoned.

Figure 24 - Auto Detection Enabled

Figure 25 - Autodetection Advanced options

23. Save the DSM and go to the Log Activity tab to confirm that the DSM is parsing and mapping the events properly. We can confirm this from the Event Name, the auto-detected Log Source, and the Source IP, Source Port and Username fields.

Figure 26 - Log Source Autodetected and Events are getting parsed and mapped

24. When we go to the Log Source Management tab, we can see that after 25 events the Log Source was auto detected and has started showing up on the Log Activity tab.

Figure 27 - Log Source is Autodetected on LSM App

Open an RFE:

  • Open a request for enhancement on the IBM Ideas portal to get an officially supported DSM.
  • Go to the IBM® QRadar® SIEM IBM Ideas page https://ibmsecurity.ideas.ibm.com/
  • Log in to the support portal page.
  • Click the Submit tab and type the necessary information.

Professional Services :

Contact your IBM Account Manager or IBM Sales Representative and request Professional Services / SEL. They will assess the integration and review any customisation requirements for it. This is a paid engagement; the client is billed for the services provided.

Conclusion:

  • You can now map any unparsed and unmapped events reaching IBM® QRadar® SIEM with the help of the DSM Editor.
  • All the parsed properties can now be used in Searches, Reports, Rules and Dashboards.
  • This custom DSM is unsupported by IBM, so if it starts showing up as an expensive DSM you need to fine-tune it further. For tuning the regex, go through how-to-avoid-while-writing-ceps-in-ibm-qradar.
  • The first step would be to stop auto detection once the required Log Sources have been detected, so that it does not add load on the Traffic Analysis Engine.

If at any point in time, you have any questions, have any comments or want to discuss this further, feel free to get in touch with IBM Support:

Vishal Tangadkar – vishal.tangadkar1@ibm.com
Special thanks for review  – Praphullachandra S Mujumdar  prmujumd@in.ibm.com

References:

https://www.ibm.com/docs/en/dsm?topic=configuration-qradar-supported-dsms
https://www.ibm.com/docs/en/dsm?topic=configuration-dsms-supported-by-third-party-vendors
https://www.ibm.com/docs/en/dsm?topic=configuration-undocumented-protocols
https://www.ibm.com/docs/en/dsm?topic=configuration-protocol-options
https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-property-configuration-in-dsm-editor
https://www.ibm.com/docs/en/qradar-on-cloud?topic=qradar-dsm-editor-overview
https://community.ibm.com/community/user/security/blogs/saket-nimdeokar/2022/09/28/how-to-avoid-while-writing-ceps-in-ibm-qradar
https://community.ibm.com/community/user/security/blogs/saket-nimdeokar/2022/09/01/optimizing-cep-in-qradar
https://www.youtube.com/watch?v=KF40bba_kp0


Comments

Tue April 16, 2024 07:57 AM

Nice article, with detailed information and documentation. Thank you for sharing the step-by-step procedure around Integrating unsupported Log sources with IBM QRadar SIEM.

Thu February 22, 2024 07:09 AM

Thank you, now all the links are correct.

Tue February 13, 2024 02:31 PM

Great article. Thank You!
The reference links at the end of the article all link to the same Supported DSMs page. If I copy the written link, they work. Not a big deal, just worth mentioning.

Fri February 02, 2024 08:31 AM

Really nice article, and well written and presented. Thank you for that.