IBM Security QRadar

  • 1.  CustomActionScript output to qradar

    Posted Tue April 21, 2020 11:02 AM
    I would like to syslog or create a QRadar event containing the output of a script. So far I have been using logger:

    command | logger -T -n CollectorIP -t scriptoutput

    This works, but the output is included in "Custom Rule Engine Message", which means I cannot create a log source. I was expecting an 'unknown event'. What are my options?

    ------------------------------
    Q SIEM
    ------------------------------


  • 2.  RE: CustomActionScript output to qradar

    Posted Mon May 18, 2020 10:31 AM
    Hi Q SIEM,

    You can still create a log source for these events, just set the Log Source Identifier to the IP of the system you're running the logger command on. The Custom Rule Engine log source has its LSI to the IP of the QRadar EC/EP/console that it's assigned to, which is why it's currently receiving these events, but with Low level category=Stored, which means they are being stored only but not parsed.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: CustomActionScript output to qradar

    Posted Fri July 03, 2020 11:02 AM
    Edited by James Hill Fri July 03, 2020 11:04 AM
    I think the issue that @Q SIEM is having is that logger is being run on the Console itself, and thus it's ended up in the Custom Rule Engine-8 :: Console log source.

    To work around this, I would expect to place the new log source above Custom Rule Engine-8 :: Console in the Log Source Parsing Order?

    Would we run the risk of events falling into this new log source over the system CRE LS?

    ------------------------------
    JH
    ------------------------------



  • 4.  RE: CustomActionScript output to qradar

    Posted Fri July 03, 2020 11:24 AM
    Edited by James Hill Fri July 03, 2020 11:24 AM
    A little work on this.

    I have created a new logsource, for this example it is named housekeeping-script. Its log source identifier is the IP of the Console.

    The DSM used is Universal LEEF for this example.

    When I run the following via the CLI

    logger -n ConsoleIP -P 514 'LEEF:Version|Vendor|Product|Version|EventID|CLI OUTPUT EXAMPLE'

    My output ended up in the housekeeping-script log source I created.

    ------------------------------
    JH
    ------------------------------
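    An added example (not from the thread, and not IBM code) of how a housekeeping script could wrap its own output in a LEEF line like the one above before handing it to logger, so it is parsed by a Universal LEEF log source instead of being stored unparsed under the CRE log source. The vendor, product and attribute names are placeholders, and the collector/Console address is assumed to be supplied in the QRADAR_COLLECTOR environment variable.

```shell
#!/bin/sh
# Added example: ship a script's output to QRadar as a LEEF 1.0 event.
# Placeholders: ExampleVendor / HousekeepingScript and the attribute names.
# QRADAR_COLLECTOR is assumed to hold the IP of the Event Collector or Console.

# LEEF 1.0 separates header fields with '|' and attributes with a tab, so any
# tab, newline or pipe in free-text output would corrupt the event; strip them.
leef_escape() {
    printf '%s' "$1" | tr -d '\t\n|'
}

# Build one LEEF 1.0 line.
# $1 = event id, $2 = script name, $3 = exit status, $4 = captured output
leef_event() {
    _id=$(leef_escape "$1")
    _script=$(leef_escape "$2")
    _rc=$(leef_escape "$3")
    _msg=$(leef_escape "$4")
    _host=${HOSTNAME:-$(hostname 2>/dev/null || echo unknown-host)}
    # printf expands \t in the format string into the LEEF attribute delimiter.
    printf 'LEEF:1.0|ExampleVendor|HousekeepingScript|1.0|%s|src=%s\tscript=%s\trc=%s\tmsg=%s\n' \
        "$_id" "$_host" "$_script" "$_rc" "$_msg"
}

# Run a command, capture its combined output and exit status, and send the
# result as a single LEEF event over syslog/UDP 514 with util-linux logger.
# $1 = label for the script, remaining args = the command to run
run_and_log() {
    _name=$1
    shift
    _out=$("$@" 2>&1)
    _rc=$?
    leef_event "ScriptRun" "$_name" "$_rc" "$_out" \
        | logger -n "${QRADAR_COLLECTOR:?set QRADAR_COLLECTOR to the collector IP}" \
                 -P 514 -t housekeeping
    return "$_rc"
}

# Example invocation (only runs when a collector address is configured):
if [ -n "${QRADAR_COLLECTOR:-}" ]; then
    run_and_log "disk-usage" df -h /
fi
```

    The log source that should receive these events needs its Log Source Identifier set to the address of the host that runs logger, as Colin describes above; the src= attribute is only informational. Keeping the event on one line (no embedded newlines) matters because each syslog datagram is parsed as one event.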



  • 5.  RE: CustomActionScript output to qradar

    Posted Fri July 03, 2020 01:49 PM
    Yeah it should be fine. Parsing order just defines the sequence in which log sources are given the opportunity to parse an event, but the DSMs (parser modules) associated with those log sources still have to accept or reject the event based on whether they recognize the format. A Universal LEEF log source won't accept an actual CRE event, or vice versa, so the correct log source should receive the event either way. Parsing order is primarily used to address problems where one DSM/log source is incorrectly accepting the events of a log source below it in the parsing order because the events are sufficiently similar in format such that the DSM earlier in parsing precedence has a false positive match, or to address performance issues. For example if the first DSM in parsing order is really slow and a large number of events are coming in for a log source below it in parsing order, the first DSM will try and fail to parse every event for the lower precedence log source, which can be resource intensive. This can be addressed by moving the slower DSM down in precedence.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------