IBM Security QRadar

  • 1.  Unknown log event

    Posted Thu January 16, 2020 06:21 AM
    Hi,

    I get a lot of events with:

    Event Name:           Unknown log event
    Log Source:           SIM Generic Log DSM-7 :: QRadarSIEM
    Event Count:          1
    Time:                 Jan 16, 2020, 12:07:41 PM
    Low Level Category:   Unknown Generic Log Event
    Source IP:            10.1.1.100
    Source Port:          0
    Destination IP:       10.1.1.100
    Destination Port:     0
    Username:             N/A

    The source IP is from our FTD, and it is disabled as a log source on QRadar. On the FTD, syslog to QRadar is set up.
    My questions are:
    1. Are these events accountable on my license?
    2. What is the reason for these events, and can I turn them off somehow?

    BR,


    ------------------------------
    Aleksandar Stojanovski
    ------------------------------


  • 2.  RE: Unknown log event

    Posted Fri January 17, 2020 02:47 AM
    As far as I know, yes, it is consuming your EPS. And you can use Routing Rules to drop them and take 0.6x EPS of dropped events back. (Or you may block them on the firewall.)

    ------------------------------
    Halil BALIM
    ------------------------------



  • 3.  RE: Unknown log event

    Posted Fri January 17, 2020 03:28 AM
    Hi Halil BALIM,

    Thank you very much for the recommendation and help.

    Br,


    ------------------------------
    Aleksandar Stojanovski
    ------------------------------



  • 4.  RE: Unknown log event

    Posted Fri January 17, 2020 04:04 AM
    Edited by Oliver Braun Fri January 17, 2020 04:04 AM
    Hi,

    Answer to 1.: Yes, SIM Generic Logs are accountable on your EPS.
    Answer to 2.: I guess the reason is that the FTD is sending logs to QRadar and QRadar is not able to detect the log source correctly. (Maybe because you disabled it? ;-) )

    To turn this off, the best way would be to stop the FTD sending logs to QRadar. If this is an option then you can drop the events coming from the FTD with a routing rule. And as far as I know the giveback is 100% of your EPS limit when you run QRadar 7.3.x and only 60% if you are still on 7.2.8 or older.

    ------------------------------
    Kind regards
    Oliver
    ------------------------------



  • 5.  RE: Unknown log event

    Posted Fri January 17, 2020 02:28 PM
    Hi, just in case, the official info about dropped events and giveback is here.

    https://www.ibm.com/support/pages/qradar-license-eps-rates-and-giveback


    regards

    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------



  • 6.  RE: Unknown log event

    Posted Fri January 17, 2020 09:19 AM
    I cannot be sure, as the log content you have appearing is unknown to me, but I have seen at another site that logs from LINA arrived in such a manner. These should be fairly consistent. We created a custom log source type and parsing using the DSM Editor (as I recall we had only ACL allow/deny events).
    This way they could be of use... or you could create a routing rule that recognizes that log source and drops them.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
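As an added illustration (not code from this thread or from IBM), here is the kind of regex-based field extraction that the custom log source parsing described in the last reply amounts to: ASA/FTD-style LINA ACL deny/permit lines are matched and their capture groups mapped to QRadar fields, and any line no pattern matches is left over as what would otherwise surface as an "Unknown log event". The syslog lines, ACL names and addresses are constructed samples, not taken from the thread.

```python
import re
from typing import Optional

# Constructed sample lines in the ASA/FTD LINA syslog style (not from the thread).
SAMPLE_LINES = [
    '%FTD-4-106023: Deny tcp src outside:192.0.2.10/51234 dst inside:10.1.1.5/22 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%FTD-6-106100: access-list inside_out permitted tcp inside/10.1.1.20(40000) '
    '-> outside/198.51.100.7(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    '%FTD-6-106100: access-list inside_out denied udp inside/10.1.1.21(5353) '
    '-> outside/203.0.113.9(53) hit-cnt 3 300-second interval [0x0, 0x0]',
    'some unrelated text that no pattern matches',
]

# Patterns of the kind one would register for a custom log source type;
# each named group corresponds to one QRadar field the DSM Editor would map.
PATTERNS = [
    # 106023: "Deny <proto> src <zone>:<ip>/<port> dst <zone>:<ip>/<port> by access-group "<acl>""
    re.compile(r'%FTD-\d-106023: (?P<action>Deny) (?P<proto>\w+) '
               r'src \S+?:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
               r'dst \S+?:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'),
    # 106100: "access-list <acl> permitted|denied <proto> <zone>/<ip>(<port>) -> <zone>/<ip>(<port>)"
    re.compile(r'%FTD-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
               r'\S+?/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> '
               r'\S+?/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)'),
]

def parse_lina_event(line: str) -> Optional[dict]:
    """Return the mapped fields for a recognised ACL line, or None if no pattern matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            d = m.groupdict()
            permitted = d['action'].lower().startswith('permit')
            return {
                'event_name': 'ACL Permit' if permitted else 'ACL Deny',
                'source_ip': d['src_ip'], 'source_port': int(d['src_port']),
                'destination_ip': d['dst_ip'], 'destination_port': int(d['dst_port']),
                'protocol': d['proto'], 'acl': d['acl'],
            }
    return None

def classify(lines):
    """Split lines into parsed events and the leftovers that would stay 'Unknown log event'."""
    parsed, unknown = [], []
    for line in lines:
        ev = parse_lina_event(line)
        (parsed.append(ev) if ev else unknown.append(line))
    return parsed, unknown
```

Running classify(SAMPLE_LINES) yields three mapped ACL events and one unparsed line; the unparsed count is what you would still want a routing rule (or a fix at the sender) to handle.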