IBM Security QRadar

Hi,

After upgrading the cisco ftd the logs in QRadar are with Low Level Category stored and the payload is:


<172>Oct 17 2019 13:37:35 "log-source" : %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 5 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180623

Can any one give me some advice where to debug?

BR,
Alex

------------------------------
Aleksandar Stojanovski
------------------------------

Hi @Aleksander

As the low level category is Stored, that usually means that QRadar doesn't know what to do with the logs and thus cannot parse it. I would do the following troubleshooting.
1) See if there is a supported DSM in QRadar for Cisco FTD @https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Cisco_intro.html#c_dsm_guide_cisco_intro​​. I briefly checked and could not see this specific name. Normally if it is supported, it also required it to be in some format eg LEEF, CEF, Syslog etc. You need logs in that particular format for QRadar to understand the logs. But if not listed, point 2 :)
2) This is my favourite. If Logs received by QRadar are not understood and there is no supported DSM for this, QRadar has something called "Universal DSM". This is a plain DSM where you can customize the parsing. Depending on which QRadar version you are you can either use Log Source Extension tab or DSM editor
Log Source Extension : https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LogSourceGuide_ExtDocs_intro.html
DSM Editor: https://www.youtube.com/watch?v=KF40bba_kp0

After that, save the configuration and wait for sometime(and restart ecs-ep service if doesnt work) and you should then see the logs being parsed and low level category depending on the events.





------------------------------
Chinmay Kulkarni
------------------------------

Original Message:
Sent: Thu October 17, 2019 09:40 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi,

After upgrading the cisco ftd the logs in QRadar are with Low Level Category stored and the payload is:


<172>Oct 17 2019 13:37:35 "log-source" : %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 5 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180623

Can any one give me some advice where to debug?

BR,
Alex

------------------------------
Aleksandar Stojanovski
------------------------------

Hi Chinmay,

I added the log as you suggested in point 2. But i get the same Payload:
<172>Oct 28 2019 13:22:41 "log-source" : %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 32 per second, max configured rate is 10; Current average rate is 68 per second, max configured rate is 5; Cumulative total count is 40846 


So i think is issue on the log source side...

Do you have something else to advice me?

BR,

------------------------------
Aleksandar Stojanovski
------------------------------

Original Message:
Sent: Fri October 25, 2019 10:05 AM
From: Chinmay Kulkarni
Subject: LLC stored

Hi @Aleksander

As the low level category is Stored, that usually means that QRadar doesn't know what to do with the logs and thus cannot parse it. I would do the following troubleshooting.
1) See if there is a supported DSM in QRadar for Cisco FTD @https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Cisco_intro.html#c_dsm_guide_cisco_intro​​. I briefly checked and could not see this specific name. Normally if it is supported, it also required it to be in some format eg LEEF, CEF, Syslog etc. You need logs in that particular format for QRadar to understand the logs. But if not listed, point 2 :)
2) This is my favourite. If Logs received by QRadar are not understood and there is no supported DSM for this, QRadar has something called "Universal DSM". This is a plain DSM where you can customize the parsing. Depending on which QRadar version you are you can either use Log Source Extension tab or DSM editor
Log Source Extension : https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LogSourceGuide_ExtDocs_intro.html
DSM Editor: https://www.youtube.com/watch?v=KF40bba_kp0

After that, save the configuration and wait for sometime(and restart ecs-ep service if doesnt work) and you should then see the logs being parsed and low level category depending on the events.





------------------------------
Chinmay Kulkarni

Original Message:
Sent: Thu October 17, 2019 09:40 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi,

After upgrading the cisco ftd the logs in QRadar are with Low Level Category stored and the payload is:


<172>Oct 17 2019 13:37:35 "log-source" : %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 5 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180623

Can any one give me some advice where to debug?

BR,
Alex

------------------------------
Aleksandar Stojanovski
------------------------------

Hi Aleksander​,

If I understand this correctly, the payload is not the problem. Cisco FTD is just sending these events to QRadar. And you are correct. This might be something Cisco FTD appliance is trying to tell system but nothing with QRadar.

But the only thing you need to do is parse these events into QRadar. I hope you wrote the "log-source" for privacy and the logs are not coming in like this. Also, from what I know, the syslog header needs to be standard syslog header(RFC compiant). If you have this, you created a log source with that log source identifier. After you create the custom DSM from the DSM editor, you should not see the Stored event category.

------------------------------
Chinmay Kulkarni
------------------------------

Original Message:
Sent: Mon October 28, 2019 10:21 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi Chinmay,

I added the log as you suggested in point 2. But i get the same Payload:
<172>Oct 28 2019 13:22:41 "log-source" : %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 32 per second, max configured rate is 10; Current average rate is 68 per second, max configured rate is 5; Cumulative total count is 40846 


So i think is issue on the log source side...

Do you have something else to advice me?

BR,

------------------------------
Aleksandar Stojanovski

Original Message:
Sent: Fri October 25, 2019 10:05 AM
From: Chinmay Kulkarni
Subject: LLC stored

Hi @Aleksander

As the low level category is Stored, that usually means that QRadar doesn't know what to do with the logs and thus cannot parse it. I would do the following troubleshooting.
1) See if there is a supported DSM in QRadar for Cisco FTD @https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Cisco_intro.html#c_dsm_guide_cisco_intro​​. I briefly checked and could not see this specific name. Normally if it is supported, it also required it to be in some format eg LEEF, CEF, Syslog etc. You need logs in that particular format for QRadar to understand the logs. But if not listed, point 2 :)
2) This is my favourite. If Logs received by QRadar are not understood and there is no supported DSM for this, QRadar has something called "Universal DSM". This is a plain DSM where you can customize the parsing. Depending on which QRadar version you are you can either use Log Source Extension tab or DSM editor
Log Source Extension : https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LogSourceGuide_ExtDocs_intro.html
DSM Editor: https://www.youtube.com/watch?v=KF40bba_kp0

After that, save the configuration and wait for sometime(and restart ecs-ep service if doesnt work) and you should then see the logs being parsed and low level category depending on the events.





------------------------------
Chinmay Kulkarni

Original Message:
Sent: Thu October 17, 2019 09:40 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi,

After upgrading the cisco ftd the logs in QRadar are with Low Level Category stored and the payload is:


<172>Oct 17 2019 13:37:35 "log-source" : %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 5 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180623

Can any one give me some advice where to debug?

BR,
Alex

------------------------------
Aleksandar Stojanovski
------------------------------

Hi Chinmay,

Yes, Cisco FTD is just sending these events to QRadar. 
Do you think maybe the payload encoding should be changed or?

The "log-source" is for privacy . 
I did not get what did you mean with "the syslog header needs to be standard syslog header(RFC compiant)"?

BR,



------------------------------
Aleksandar Stojanovski
------------------------------

Original Message:
Sent: Tue October 29, 2019 06:26 AM
From: Chinmay Kulkarni
Subject: LLC stored

Hi Aleksander​,

If I understand this correctly, the payload is not the problem. Cisco FTD is just sending these events to QRadar. And you are correct. This might be something Cisco FTD appliance is trying to tell system but nothing with QRadar.

But the only thing you need to do is parse these events into QRadar. I hope you wrote the "log-source" for privacy and the logs are not coming in like this. Also, from what I know, the syslog header needs to be standard syslog header(RFC compiant). If you have this, you created a log source with that log source identifier. After you create the custom DSM from the DSM editor, you should not see the Stored event category.

------------------------------
Chinmay Kulkarni

Original Message:
Sent: Mon October 28, 2019 10:21 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi Chinmay,

I added the log as you suggested in point 2. But i get the same Payload:
<172>Oct 28 2019 13:22:41 "log-source" : %FTD-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 32 per second, max configured rate is 10; Current average rate is 68 per second, max configured rate is 5; Cumulative total count is 40846 


So i think is issue on the log source side...

Do you have something else to advice me?

BR,

------------------------------
Aleksandar Stojanovski

Original Message:
Sent: Fri October 25, 2019 10:05 AM
From: Chinmay Kulkarni
Subject: LLC stored

Hi @Aleksander

As the low level category is Stored, that usually means that QRadar doesn't know what to do with the logs and thus cannot parse it. I would do the following troubleshooting.
1) See if there is a supported DSM in QRadar for Cisco FTD @https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Cisco_intro.html#c_dsm_guide_cisco_intro​​. I briefly checked and could not see this specific name. Normally if it is supported, it also required it to be in some format eg LEEF, CEF, Syslog etc. You need logs in that particular format for QRadar to understand the logs. But if not listed, point 2 :)
2) This is my favourite. If Logs received by QRadar are not understood and there is no supported DSM for this, QRadar has something called "Universal DSM". This is a plain DSM where you can customize the parsing. Depending on which QRadar version you are you can either use Log Source Extension tab or DSM editor
Log Source Extension : https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_LogSourceGuide_ExtDocs_intro.html
DSM Editor: https://www.youtube.com/watch?v=KF40bba_kp0

After that, save the configuration and wait for sometime(and restart ecs-ep service if doesnt work) and you should then see the logs being parsed and low level category depending on the events.





------------------------------
Chinmay Kulkarni

Original Message:
Sent: Thu October 17, 2019 09:40 AM
From: Aleksandar Stojanovski
Subject: LLC stored

Hi,

After upgrading the cisco ftd the logs in QRadar are with Low Level Category stored and the payload is:


<172>Oct 17 2019 13:37:35 "log-source" : %FTD-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 5 per second, max configured rate is 8; Current average rate is 50 per second, max configured rate is 4; Cumulative total count is 180623

Can any one give me some advice where to debug?

BR,
Alex

------------------------------
Aleksandar Stojanovski
------------------------------

Hi Aleksander,

 

If you are going the custom DSM/Universal DSM way, you do not need to change anything.

1) Create a log source. You said you already did that so it should be fine

2) Go to log activity and search for these events. After searching select 2 or 3 events and go to Actions drop down at the top and select DSM editor. Now DSM editor should open and should display selected events in Workspace. Choose log source type "Universal DSM" if asked.

2) Go to Event Mappings > Click on the "+" symbol. This should open a Event ID and Event Category fields to be filled.

3) Click on Choose QID and then click on "Create New QID Record"

4) You should get a QID Records page

Write a human understandable Name, for example, "Cisco Drop Rate Exceeded" and a description. The Name will be your Event name. Keep Log Source Type as Universal DSM. Event category can be anything you want, for example, LLC can be Alert. This will create a QID which QRadar mapps to every event. Select high level category and low level category from the drop down as you see fit. Then save.

5) You will get your QID number written in QID/Name field. Copy it for future reference.

6) Go into Event Mappings > Select the entry and select edit > Search for the QID with the QID number copied and click save. This should save the mapping for that events.

7) Now the events should come as the event name and category what you configured.

 

 

NOTE : You can also create a QID on CLI with the following command:

 /opt/qradar/bin/qidmap_cli.sh -c --qname "name" --qdescription "description" --severity 1-10 --lowlevelcategoryid categoryid where you can find the categoryid with /opt/qradar/bin/qidmap_cli.sh -l