It was quite simple to add our FS7300 4657-924 to report logs to QRadar. Granted, they are on the same subnet so the firewall was not an issue. All I had to run on the FS7300 was:
mksyslogserver -name qradar01 -ip 10.10.4.192 -facility 7 -login on -audit on -warning on -info on -error on -protocol udp -port 514
I tested an invalid signon and they got it right away. They may have to parse it a little. Their problem, not mine. They were hoping for a preformatted parser for FlashSystem in the dropdown.
https://www.ibm.com/docs/en/flashsystem-7x00/8.6.x?topic=commands-mksyslogserver
At this time we are not looking at having QRadar initiate emergency flash copies upon attack as per
"Enhanced Cyber Resilience Threat Detection with IBM FlashSystem Safeguarded Copy and IBM QRadar"
https://www.redbooks.ibm.com/redpapers/pdfs/redp5655.pdf
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
260-599-3160
------------------------------
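
An added example, not part of the original post or IBM's tooling: a small receiver-side check for the syslog stream configured above, which decodes the standard `<PRI>` header to confirm that datagrams arrive from the expected sender with the expected facility and severity. It assumes `-facility 7` is sent as syslog facility local7 (code 23), which the post does not state, and uses 192.0.2.10 as a placeholder for the FlashSystem's address.

```python
import re
import socket

# Severity names by numeric code, as defined for the syslog PRI field.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # highest valid PRI: facility 23, severity 7


def decode_pri(datagram: bytes):
    """Return (facility, severity_name, rest_of_message) or None if PRI is invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > MAX_PRI:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, SEVERITIES[severity], datagram[m.end():].decode("utf-8", "replace")


def check(datagram: bytes, source_ip: str, expected_ip: str, expected_facility: int) -> str:
    """Classify one datagram: a severity name, or the reason it was rejected."""
    # UDP source addresses can be spoofed; this is a sanity check, not authentication.
    if source_ip != expected_ip:
        return "unexpected-source"
    decoded = decode_pri(datagram)
    if decoded is None:
        return "malformed"
    facility, severity, _ = decoded
    if facility != expected_facility:
        return "unexpected-facility"
    return severity


def listen(bind_ip: str, port: int, expected_ip: str, expected_facility: int):
    """Print a verdict for every datagram received (runs until interrupted)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        print(src, check(data, src, expected_ip, expected_facility), data[:120])


if __name__ == "__main__":
    # Port 514 matches the mksyslogserver command; binding it usually needs root.
    # 192.0.2.10 is a placeholder sender address; 23 = local7 (assumed mapping).
    listen("0.0.0.0", 514, "192.0.2.10", 23)
```

Run it on a test host in place of the collector, trigger an invalid sign-on as the post describes, and compare the printed severity with the `-error`, `-warning` and `-info` settings.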