Hello all,
I entered the payload extract into a local system on QRadar 750UP7.
Linked it to the CheckPoint DSM.
Created my own custom CEP and used the Regex expression provided and capture group 1.
I was able to extract the info required from the payload in the DSM Editor.
There have been a few issues with the DSM Editor and JSON in older releases.
Here are just a few APARs in this area:
https://www.ibm.com/support/pages/apar/IJ25729
https://www.ibm.com/support/pages/apar/IJ45778
https://www.ibm.com/support/pages/apar/IJ34598
Speaking with Support, we would recommend upgrading to the latest QRadar version, 750UP7.
Retest this and, if the issue is still present, please raise a case with Support, as we will need to investigate the logs here to analyze this further.
Regards,
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------
Original Message:
Sent: Mon November 27, 2023 03:56 AM
From: Slavcho Andreevski
Subject: Extracting json like payload information
Hello,
Just to confirm that the events are correlating correctly, since I have checked them in my firewall and also in QRadar. Yeah, we are looking just for extracting information from the payload. Extracting, not removing, because I need the whole data from the payload to be extracted into different fields so I can make my notifications from them.
The QRadar version is 7.3.3.
Just to note, I did not have any problem extracting the payload from the CheckPoint antivirus, but from the firewall I have issues, because when I try to send the same log format as the antivirus (LEEF) I did not get all of the logs that are being created in the firewall. Because of that I send "Syslog" instead of LEEF and I cannot extract it with the commands above.
------------------------------
Slavcho Andreevski
Original Message:
Sent: Thu November 23, 2023 07:58 AM
From: Comghall Morgan
Subject: Extracting json like payload information
Hello,
I am assuming that the Log Source is created and that the events are correlating correctly with this Log Source.
So this then means that we are solely looking at extracting info from the payload?
Can I ask what version of QRadar you are on? As there are a few issues around this area in earlier releases.
Though I would suggest you raise a case with support for this as they will be better placed to analyze the logs.
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
Original Message:
Sent: Tue November 21, 2023 04:58 AM
From: Slavcho Andreevski
Subject: Extracting json like payload information
Hello friends,
I have been struggling to extract a JSON-like payload coming from my firewall. I send a syslog from there to QRadar, but when I try to extract some information from it, it will not work. I tried to extract it with regex but it does not work.
I have this kind of log:
<134>1 2023-11-20T10:38:41Z CP-SMS CheckPoint - [action:"Accept"; service:"443"; service_id:"https"; src:"192.168.13.118"]
I want to extract, for example, the "src".
I try to extract it with: src:"(.*?)" - this is a proper regex, but it does not work in QRadar when inserting it in the DSM Editor.
Can someone help me with how to extract this kind of format?
I can send the log in another format, but I do not get all the logs from the firewall, and because of this I need this JSON data to be extracted so I can make my alerts.
Thank you
------------------------------
Slavcho Andreevski
------------------------------
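As an added, illustrative example (not code from this thread, from IBM or from Check Point), the following Python reproduces what the DSM Editor custom property does with the posted expression: it applies src:"(.*?)" to the quoted log line and takes capture group 1. It goes one step further than the question and also parses every key:"value" pair out of the bracketed CheckPoint field list, which is the "extract into different fields" requirement from the follow-up post, and it checks that an expression really contains the capture group a property refers to. The sample payload is constructed from the line quoted in the question; QRadar evaluates Java regex, but this pattern behaves identically under Python's re module.

```python
import re
from typing import Dict, Optional

# Constructed sample, modeled on the log line quoted in the thread.
SAMPLE_PAYLOAD = (
    '<134>1 2023-11-20T10:38:41Z CP-SMS CheckPoint - '
    '[action:"Accept"; service:"443"; service_id:"https"; src:"192.168.13.118"]'
)

# The expression posted in the thread; the value lands in capture group 1.
SRC_PATTERN = re.compile(r'src:"(.*?)"')

# One key:"value" pair inside the bracketed CheckPoint field list.
# Keys are word characters; the value runs to the next double quote,
# so no lazy quantifier is needed and an empty value ("") still matches.
FIELD_PATTERN = re.compile(r'(\w+):"([^"]*)"')


def has_capture_group(pattern: str, group: int = 1) -> bool:
    """Check that a regex really has the capture group the property refers to.

    A custom property configured with capture group 1 extracts nothing from a
    pattern that has no parentheses, so this is worth confirming before the
    expression goes into the DSM Editor. An invalid pattern also returns False.
    """
    try:
        return re.compile(pattern).groups >= group
    except re.error:
        return False


def extract_src(payload: str) -> Optional[str]:
    """Return the src value via capture group 1, or None when it is absent."""
    match = SRC_PATTERN.search(payload)
    return match.group(1) if match else None


def parse_checkpoint_fields(payload: str) -> Dict[str, str]:
    """Parse every key:"value" pair from the bracketed part of the payload.

    Only the text between the first '[' and the last ']' is scanned, so the
    syslog header (priority, timestamp, hostname) cannot contribute fields.
    """
    start = payload.find("[")
    end = payload.rfind("]")
    if start == -1 or end <= start:
        return {}
    body = payload[start + 1:end]
    return dict(FIELD_PATTERN.findall(body))


if __name__ == "__main__":
    print("src via capture group 1:", extract_src(SAMPLE_PAYLOAD))
    for key, value in parse_checkpoint_fields(SAMPLE_PAYLOAD).items():
        print(f"{key} = {value}")
```

The single-field extraction is exactly what the DSM Editor does for one custom property; the field-list parser shows that the same bracketed format can be split into all of its fields with one generic pattern instead of one hand-written regex per field, so each property only needs the key name changed. Scoping the scan to the bracketed section avoids accidental matches in the syslog header when a payload is malformed or truncated.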