Hello,
If you have the new version of Cisco IronPort 13, you can use the new logs feature. It is possible to send logs in CEF format, which means all message content is in one row. It works great, but unfortunately QRadar doesn't have a DSM for that format, so you need to make your own.
Below I pasted an example from my deployment:
Everything works fine; I have only one problem with these logs, related to special characters. They don't show correctly with any encoding.
Best regards, Miro
------------------------------
Miroslav Matijević
Information Security Engineer
Petrol d.d
Ljubljana
------------------------------
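The CEF format mentioned above puts the whole record on one syslog line: a `CEF:` header with seven pipe-delimited fields, followed by a `key=value` extension block. A custom QRadar DSM (log source extension) has to split that header on unescaped pipes, resolve the CEF escapes, and decode the raw bytes with the right charset, which is exactly where "special characters" go wrong. The following parser is an added example written for this thread, not code from the original post, from Cisco or from IBM. The sample line is constructed here: the vendor, product, signature ID and field values are placeholders in CEF shape, not a capture from an appliance.

```python
"""Parse a syslog-wrapped CEF line the way a custom QRadar DSM/LSX would have to,
and show why non-ASCII characters break when the bytes are decoded with the wrong charset."""
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of [A-Za-z0-9_.] directly followed by '=' at the start
# of the extension or after whitespace; an escaped '\=' inside a value never matches.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample line (not a capture from an appliance): syslog PRI/timestamp/host
# prefix, then a CEF record. Vendor, product, signature and field values are placeholders
# in CEF shape; the header uses '\|' escaping and the extension uses '\='.
SAMPLE_BYTES = (
    "<22>Apr 01 11:10:59 mail-gw CEF:0|Cisco|ESA|13.0.0|MAIL_LOG|"
    "Message accepted \\| queued|3|"
    "suser=miroslav.matijevi\u0107@example.com duser=bob@example.com "
    "msg=Subject: Ra\u010dun 2020\\=Q1 act=ACCEPTED"
).encode("utf-8")


def unescape(value: str) -> str:
    """Resolve CEF escapes: '\\|' and '\\\\' in the header; '\\=', '\\\\', '\\n', '\\r' in extensions."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_header(body: str):
    """Split the 7 pipe-delimited header fields, honouring backslash escapes.
    Returns (unescaped fields, raw extension string)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep the escape pair intact for now
            cur.append(body[i:i + 2])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return [unescape(f) for f in fields], body[i:]


def parse_extension(ext: str) -> dict:
    """Turn 'key=value key2=value with spaces' into a dict, unescaping each value."""
    out = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record into header fields plus an extension dict."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header in line")
    fields, ext = split_header(line[pos:])
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = rec["version"][len("CEF:"):]   # 'CEF:0' -> '0'
    rec["syslog_prefix"] = line[:pos].rstrip()
    rec["ext"] = parse_extension(ext)
    return rec


def decode_syslog(raw: bytes) -> str:
    """Syslog carries bytes; CEF from current appliances is UTF-8. Decode as UTF-8 first and only
    fall back to Latin-1 (which accepts any byte sequence) when the payload really is not UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def sender_under(encoding: str) -> str:
    """Return the parsed 'suser' value when the raw bytes are decoded with the given charset,
    to show the mojibake a Latin-1 default produces on UTF-8 input."""
    return parse_cef(SAMPLE_BYTES.decode(encoding))["ext"]["suser"]


if __name__ == "__main__":
    print(parse_cef(decode_syslog(SAMPLE_BYTES)))
    print("utf-8  :", sender_under("utf-8"))
    print("latin-1:", sender_under("latin-1"))
```

Running it shows the same sender address parsed correctly from UTF-8 and as `MatijeviÄ\x87` when the bytes are read as Latin-1; if the collector or log source is configured for the wrong charset, no later re-encoding in the UI will recover the original characters, so the fix belongs at the point where the bytes are first decoded.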
Original Message:
Sent: Wed April 01, 2020 05:09 AM
From: Peter Eibak
Subject: QRadar and Cisco IronPort Content Security Management Virtual Appliance
Hi, has anyone tried to onboard IronPort SMA (Content Security Management Virtual Appliance)? Do we have any support for this?
I have tried to use the IronPort DSM and I get events like:
<22>Apr 01 11:10:59 QRadar-Logs: Info: TRANSFER: Plugin TRACKINGPLUGIN downloading from 10.55.80.4 - /export/tracking/tracking.@20200401T080701Z_20200401T081001Z.s.gz .
LLC is Stored
Is that the right way to go? The payload looks to me pretty much like events being forwarded from an IronPort ESA (instead of 'QRadar-Logs' it contains 'QRadar-Mail'), or do I have to create a DSM for this?
I am using QRadar 7.3.3.FP2 and am up to date on the DSMs.
Screen shots attached.
Thanks.
------------------------------
Peter Eibak
------------------------------