IBM Security QRadar

  • 1.  QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Wed April 01, 2020 09:44 AM
    Hi, has anyone tried to onboard IronPort SMA (Content Security Management Virtual Appliance)? Do we have any support for this?
    I have tried to use IronPort DSM and I get events like:
    <22>Apr 01 11:10:59 QRadar-Logs: Info: TRANSFER: Plugin TRACKINGPLUGIN downloading from 10.55.80.4 - /export/tracking/tracking.@20200401T080701Z_20200401T081001Z.s.gz .
    LLC is Stored

    Is that the right way to go? The payload looks in my eyes pretty much like events being forwarded from an IronPort ESA (instead of 'QRadar-Logs' it contains 'QRadar-Mail'), or do I have to create a DSM for this?
    I am using QRadar 7.3.3.FP2 and am up to date on the DSMs.

    Screenshots attached.

    Thanks.


    ------------------------------
    Peter Eibak
    ------------------------------


  • 2.  RE: QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Fri April 03, 2020 11:44 AM
    The example does not "ring a bell". The logs I've seen come from the ESA (Email Security Appliance) via syslog come from different functional contexts (mail, quarantine...) as multi-line.
    [DSM guide lists that out of the box the Ironport, ESA and WSA are supported (web content filtering events in W3C format, Text Mail Logs and System Logs); for ESA log file collection protocol is used and for WSA syslog is used].
    From what I recall, CSM sits as the "manager" on top of ESA/WSA; what was your intention - e.g. to get system logs from it logged in QRadar?

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Mon April 06, 2020 03:10 AM
    Based on my experience, WSA DSM is full of c*. Fortunately it uses the Squid format, so the Squid source can be applied, but we still have to work a lot to make it perfect from the QRadar point of view. I suppose you have to do the same with this fancy IronPort thingy as well :) Sorry for the bad news... fire up the DSM editor and make your own parser, because Cisco will not do it.

    ------------------------------
    Laszlo Pal
    ------------------------------



  • 4.  RE: QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Tue April 07, 2020 01:42 AM
    Hello,

    If you have the new version of Cisco IronPort 13 you can use the new logs feature. It is possible to send logs in CEF format, so it means all message content is in one row. It works great, but unfortunately QRadar doesn't have a DSM for that format so you need to make your own.

    Below I pasted an example from my deployment:


    Everything works fine, I have only one problem with these logs, correlated with special characters. They don't show correctly with any encoding.

    Best regards, Miro


    ------------------------------
    Miroslav Matijević
    Information Security Engineer
    Petrol d.d
    Ljubljana
    ------------------------------
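    The post above describes the single-row CEF output of IronPort 13, the need for a custom parser, and trouble with special characters. As an added example that is not part of this thread nor Cisco or IBM code, here is a Python parser for such a line that applies the CEF escape rules (`\|` in the header; `\=`, `\\`, `\n` in extensions) and decodes the bytes explicitly as UTF-8. The sample event, the vendor strings and the ESAMID/ESAICID extension keys are constructed assumptions, not copied from Cisco documentation.

```python
import re
# Constructed sample (assumed vendor strings and ESAMID/ESAICID keys, not from
# Cisco docs): one single-line CEF event of the kind an AsyncOS 13 ESA/SMA can
# emit. The subject holds a non-ASCII char, an escaped '=' and an escaped newline.
SAMPLE_CEF = (
    "<22>Apr 01 11:10:59 esa01 "
    "CEF:0|Cisco|ESA|13.0.0|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "ESAMID=123 ESAICID=45 suser=alice@example.com duser=bob@example.com "
    "src=10.55.80.4 msg=Re: Naro\u010dilo potrjeno \\= nujno\\nline2"
)
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# A key follows a space (or starts the string); '\=' never matches since '\' is not a key char.
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.-]+)=")

def _split_header(text):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # header escapes: '\|' and '\\'
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, text[i:]

def _split_extension(ext):
    """Turn 'k1=v1 k2=value with spaces' into a dict, undoing the CEF backslash escapes."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda x: {"n": "\n", "r": "\r"}
                                 .get(x.group(1), x.group(1)), raw)
    return out

def parse_cef(raw):
    """Parse one syslog-wrapped CEF line (str or bytes) into a flat dict."""
    if isinstance(raw, bytes):  # the appliance sends UTF-8; decoding as anything else mangles subjects
        raw = raw.decode("utf-8", errors="replace")
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    fields, ext = _split_header(raw[start + 4:])
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return {**dict(zip(HEADER, fields)), **_split_extension(ext)}
```

    Mapping the resulting keys (ESAMID, ESAICID, suser, ...) onto QRadar event properties is still DSM Editor work; the parser only shows what a correct split of one row looks like.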



  • 5.  RE: QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Fri February 05, 2021 06:23 PM
    Hi Matijevic,

    Hope you are doing well. 

    We also have a Cisco IronPort deployment and we are sending logs as "Log File Protocol", which is confusing for us and we are not able to come up with any use case.

    Referring to the above snapshot, I will check with the device admin to send the logs in CEF format. Once they are in QRadar, please tell me whether we need a custom parser or we can use the existing parser, and any other configuration changes required to map MID/ICID.

    Looking for your kind response.

    Regards,
    Rashid






    ------------------------------
    Rashid Iqbal
    ------------------------------



  • 6.  RE: QRadar and Cisco IronPort Content Security Management Virtual Appliance

    Posted Sat February 06, 2021 02:39 PM
    Yes sure, you need to build a custom parser and also you need to tune all rules which are in correlation with mail logs. I hope IBM will build a standard parser soon.

    Best regards, Miro

