IBM Security QRadar

  • 1.  UDSM and LSX for "Custom" Events

    Posted Thu March 25, 2021 06:24 PM

    Good Afternoon All,

    I'm hoping someone can help me with this. I'm missing something, and honestly I'm not sure what it is at the moment. Note that I'm not a QRadar SIEM Administrator, but I do build scripts and solutions for our corporate instance to help alleviate some of the work that our SIEM Admin has to do.

    QRadar Version (Personal/Testing): v7.3.3 CE
    QRadar Version (Corporate): v7.3.2 with upgrades being staged to 7.4.2.

    A couple weeks ago I started re-writing a script that IBM initially built for a testing simulator. Our goal has been to ingest Microsoft Security Logs in an XML format for forensics, where the forensics client isn't a typical MSSP Client. I re-wrote sections of the logrun.pl script located in /opt/qradar/bin to support the functionality I required. It's still using the syslog headers that were originally implemented.

    After some more testing and minor corrections to the script, the data is added into the SIM-GENERIC log source correctly.

    At the moment the event payload looks like this (event data removed for privacy reasons). SOC-Forensics should denote the log source type (if implemented over the preferred LSX). The log source Forensics_LSXTest should denote which log source (not the type) I specifically want it to go into.


    Ideally I want to add the LSX that was built for this to the standard Microsoft Security Event Logs used by QRadar. This would allow me to override the behaviour in EventID to allow for automated QID mapping so I don't have to re-do it. I'll note that, with the exception of one field, everything parses correctly in the UDSM. I just can't get this into either its own log source type or into the LSX-Extended Microsoft Security Event Logs.

    Here's the log source I want it to go in (LSX-Extended):


    This would be the log source type that I also created just in case:


    Events coming in, classified as SIM-GENERIC:

    Does anyone have any guidance on this? I've watched most of Jose's videos, and covered the reading from SecurityNik on UDSM creation.

    Cheers,

    Mike



    ------------------------------
    Michael Redbourne
    ------------------------------


  • 2.  RE: UDSM and LSX for "Custom" Events

    Posted Fri March 26, 2021 06:11 AM
    Hi
    Change your log source identifier to the IP address from the syslog header, 192.168.2.195.

    ------------------------------
    Slawek Gawlowski
    Security Technical Consultant
    IBM Security Intelligence Solutions
    ------------------------------
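
The reply above hinges on how an event is matched to a log source: the host field in the syslog header is compared against the configured log source identifier, and an event whose header host matches nothing falls through to the generic log source. The following is an added example that models that matching in a few lines of Python; it is not QRadar code and not the poster's logrun.pl script. The log source name Forensics_LSXTest and the fallback SIM-GENERIC are taken from the thread, the IP 192.168.2.195 from the reply, and the syslog line itself is a constructed placeholder (the real event data was removed from the post). The header format is a simplified RFC 3164 shape assumed for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional

# Simplified RFC 3164-style syslog header (an assumption, not the exact
# format logrun.pl emits):  <PRI>Mmm dd hh:mm:ss HOST payload
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<payload>.*)$",
    re.DOTALL,
)


class Routed(NamedTuple):
    identifier: Optional[str]  # host/IP taken from the syslog header, if any
    log_source: str            # log source the event was assigned to
    payload: str               # remainder of the message after the header


def parse_syslog_header(line: str) -> Optional[dict]:
    """Split one syslog line into header fields; None if the header is malformed."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def route_event(line: str, identifiers: Dict[str, str],
                fallback: str = "SIM-GENERIC") -> Routed:
    """Assign an event to a log source by exact match of the header host
    against the configured identifiers (identifier -> log source name).
    Anything unmatched lands in the fallback, as the thread describes."""
    hdr = parse_syslog_header(line)
    if hdr is None:
        return Routed(None, fallback, line)
    ident = hdr["host"]
    return Routed(ident, identifiers.get(ident, fallback), hdr["payload"])


# Constructed sample event: the header host is the sender's IP from the reply;
# the payload is a placeholder, not data from the original post.
SAMPLE_EVENT = (
    "<13>Mar 26 06:11:00 192.168.2.195 "
    "EventID=4624 placeholder-windows-security-event-data"
)

# Log source configured with its own name as the identifier: the mismatch.
IDENTIFIERS_BEFORE = {"Forensics_LSXTest": "Forensics_LSXTest"}
# Same log source after the identifier is changed to the syslog header IP.
IDENTIFIERS_AFTER = {"192.168.2.195": "Forensics_LSXTest"}


def demo():
    """Route the sample event under both configurations and return the results."""
    before = route_event(SAMPLE_EVENT, IDENTIFIERS_BEFORE)
    after = route_event(SAMPLE_EVENT, IDENTIFIERS_AFTER)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"header host            = {before.identifier!r}")
    print(f"identifier by name     -> {before.log_source}")
    print(f"identifier by header IP -> {after.log_source}")
```

The matching here is an exact string comparison, so the value the sender puts in the header host field is the value the log source identifier has to carry; naming the log source after the intended type or destination does nothing unless the header actually contains that name.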



  • 3.  RE: UDSM and LSX for "Custom" Events

    Posted Fri March 26, 2021 07:28 AM
    Hello!

    I'll give this a shot in a couple hours. Thank you!