IBM QRadar

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

He wasn't asking how to change a log source's group.  He was asking how to change the DEFAULT group that log sources are placed in.  I would like to know that one as well.

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

The default group for all auto discovered log sources is 'Other'. There is not a method to change the default assignment as far as I'm aware. This is something that likely needs to be opened as an IBM Idea. As the default log source group is likely tied at the code level to traffic analysis, so a code update/feature would be required to implement this level of change. 

He wasn't asking how to change a log source's group.  He was asking how to change the DEFAULT group that log sources are placed in.  I would like to know that one as well.

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

>The default group for all auto discovered log sources is 'Other'.

Sort of.  Actually, log sources will appear in the Pseudo-Group "Other" if they are not placed in any group at all.  Auto Detected log sources are not placed in any groups, therefore they appear to be in the "Other" pseudo-group.  This group does not actually exist.  You can observe the special behaviour of this group  as follows:

1 - you cannot edit it in the "Log Source Groups" window

2 - if you select it for a Log Source then all other log source check marks are removed.

So, really - what you want to do is assign any log source group to an auto-detected log source.

When a device is created, an event from the "SIM Audit" Log Source with QID 28250053 and the payload will contain '

autoDiscovered="true",

You could use this event to trigger a rule that would, in turn, execute a Custom Action Script that would add the Log Source to a Log Source Group of your choosing.

Paul

The default group for all auto discovered log sources is 'Other'. There is not a method to change the default assignment as far as I'm aware. This is something that likely needs to be opened as an IBM Idea. As the default log source group is likely tied at the code level to traffic analysis, so a code update/feature would be required to implement this level of change. 

He wasn't asking how to change a log source's group.  He was asking how to change the DEFAULT group that log sources are placed in.  I would like to know that one as well.

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

A Sample Custom Action Script:

#!/bin/bash## Sample Custom Action Script: BASH version - paul.ford-hutchinson1@ibm.com## pfh - December 2024 - v1.0## Triggering rule filters#  Apply QR_AUTO_DETECTED_LOG_SOURCE on events which are detected by the Local system#   and when the event(s) were detected by one or more of SIM Audit#   and when the event QID is one of the following (28250053) Sensor Device Added#   and when the Event Payload contains autoDiscovered="true"## Expected parameters:## 1 - Auth token (static value - encrypted)# 2 - Log Source ID ( SensorDevice\( id="([0-9]+)",)# 3 - Log Source Identifier (Hostname) (, hostName="(.*?)", )# 4 - Source IP (, sendingIp="(.*?)", )# 5 - Log Source Type ID (, deviceType=SensorDeviceType\(id=([0-9]+)\), )# 6 - Log Source Name (, deviceName="(.*?)", )# 7 - New Group ID (static value - from endpoint GET - /config/event_sources/log_source_management/log_source_groups)#auth_token=${1}ls_id=${2}new_group_id=${7}## give QRadar a chance to have updated PSQL - cannot be too long, as Custom Action Scripts get killed if the live too long#sleep 5## Trivial CURL command.  Obviously the logic to choose Log Source Groups to make this new log source a member of could be much more complex.#curl --insecure -S -X POST -H "SEC: ${auth_token}" -H "Content-Type: application/json" -H "Version: 22.0" -H "Accept: application/json" --data-binary "{\"group_ids\":[${new_group_id}],\"id\":${ls_id}}" "https://127.0.0.1/api/config/event_sources/log_source_management/log_sources/${ls_id}"

>The default group for all auto discovered log sources is 'Other'.

Sort of.  Actually, log sources will appear in the Pseudo-Group "Other" if they are not placed in any group at all.  Auto Detected log sources are not placed in any groups, therefore they appear to be in the "Other" pseudo-group.  This group does not actually exist.  You can observe the special behaviour of this group  as follows:

1 - you cannot edit it in the "Log Source Groups" window

2 - if you select it for a Log Source then all other log source check marks are removed.

So, really - what you want to do is assign any log source group to an auto-detected log source.

When a device is created, an event from the "SIM Audit" Log Source with QID 28250053 and the payload will contain '

autoDiscovered="true",

You could use this event to trigger a rule that would, in turn, execute a Custom Action Script that would add the Log Source to a Log Source Group of your choosing.

Paul

The default group for all auto discovered log sources is 'Other'. There is not a method to change the default assignment as far as I'm aware. This is something that likely needs to be opened as an IBM Idea. As the default log source group is likely tied at the code level to traffic analysis, so a code update/feature would be required to implement this level of change. 

He wasn't asking how to change a log source's group.  He was asking how to change the DEFAULT group that log sources are placed in.  I would like to know that one as well.

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan 

>The default group for all auto discovered log sources is 'Other'.

Sort of.  Actually, log sources will appear in the Pseudo-Group "Other" if they are not placed in any group at all.  Auto Detected log sources are not placed in any groups, therefore they appear to be in the "Other" pseudo-group.  This group does not actually exist.  You can observe the special behaviour of this group  as follows:

1 - you cannot edit it in the "Log Source Groups" window

2 - if you select it for a Log Source then all other log source check marks are removed.

So, really - what you want to do is assign any log source group to an auto-detected log source.

When a device is created, an event from the "SIM Audit" Log Source with QID 28250053 and the payload will contain '

autoDiscovered="true",

You could use this event to trigger a rule that would, in turn, execute a Custom Action Script that would add the Log Source to a Log Source Group of your choosing.

Paul

The default group for all auto discovered log sources is 'Other'. There is not a method to change the default assignment as far as I'm aware. This is something that likely needs to be opened as an IBM Idea. As the default log source group is likely tied at the code level to traffic analysis, so a code update/feature would be required to implement this level of change. 

He wasn't asking how to change a log source's group.  He was asking how to change the DEFAULT group that log sources are placed in.  I would like to know that one as well.

Follow the core document to place the log source in the correct group:
https://www.ibm.com/docs/en/dsm?topic=groups-copying-removing-log-sources

Hi.

 We 75UP10 Qradar.

 When LS is created, it is placed in LS Group Others. Is there some way how to change this default LS Group ?

Thanks in advance for Your help.

BR

Jan