IBM Security QRadar

Hello guys, 

I have two log sources forwarding logs from Customer QRadar (behind NAT) to my QRadar. Unfortunately, the raw logs forwarded to my QRadar had "<38>Mar 25 14:16:02" added in the header like the logs below, making it difficult to identify the log source.

<38>Mar 25 14:16:02  <29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>068-CLIENT-002</MachineName><AgentGUID>{97fa0f64-3563-11ec-05df-b07b250aw45r3}</AgentGUID><IPAddress>10.10.17.43</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>%CTX_DOMAIN_USER%</UserName><TimeZoneBias>-420</TimeZoneBias><RawMACAddress>b07b2508f1242</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7" ProductFamily="TVD">....

<38>Mar 24 13:49:59  <13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - [NXLOG@14506 EventReceivedTime="2023-03-24 13:48:20" SourceModuleName="owasp-logs" SourceModuleType="im_file"] 2023/03/24 13:48:19 [error] 70642#70642: *2155033 [client 50.202.35.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/blog.sql"] [unique_id "1679640499"] [ref ""], client: 50.202.35.150, server: contoso.com,  request: "GET /blog.sql HTTP/1.1", host: "contoso.com:443"

The log source identifier of two log sources is the NATed IP address of the Customer QRadar, which is 172.10.20.2. Do you guy have any recommendations for creating log sources? Thank you all.

I finded the solution for this.

Hello guys, 

I have two log sources forwarding logs from Customer QRadar (behind NAT) to my QRadar. Unfortunately, the raw logs forwarded to my QRadar had "<38>Mar 25 14:16:02" added in the header like the logs below, making it difficult to identify the log source.

<38>Mar 25 14:16:02  <29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>068-CLIENT-002</MachineName><AgentGUID>{97fa0f64-3563-11ec-05df-b07b250aw45r3}</AgentGUID><IPAddress>10.10.17.43</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>%CTX_DOMAIN_USER%</UserName><TimeZoneBias>-420</TimeZoneBias><RawMACAddress>b07b2508f1242</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7" ProductFamily="TVD">....

<38>Mar 24 13:49:59  <13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - [NXLOG@14506 EventReceivedTime="2023-03-24 13:48:20" SourceModuleName="owasp-logs" SourceModuleType="im_file"] 2023/03/24 13:48:19 [error] 70642#70642: *2155033 [client 50.202.35.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/blog.sql"] [unique_id "1679640499"] [ref ""], client: 50.202.35.150, server: contoso.com,  request: "GET /blog.sql HTTP/1.1", host: "contoso.com:443"

The log source identifier of two log sources is the NATed IP address of the Customer QRadar, which is 172.10.20.2. Do you guy have any recommendations for creating log sources? Thank you all.

Hi,

congats. Could you share your solution? It could help me with a problem that seems similar.

Thank you

I finded the solution for this.

Hello guys, 

I have two log sources forwarding logs from Customer QRadar (behind NAT) to my QRadar. Unfortunately, the raw logs forwarded to my QRadar had "<38>Mar 25 14:16:02" added in the header like the logs below, making it difficult to identify the log source.

<38>Mar 25 14:16:02  <29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>068-CLIENT-002</MachineName><AgentGUID>{97fa0f64-3563-11ec-05df-b07b250aw45r3}</AgentGUID><IPAddress>10.10.17.43</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>%CTX_DOMAIN_USER%</UserName><TimeZoneBias>-420</TimeZoneBias><RawMACAddress>b07b2508f1242</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7" ProductFamily="TVD">....

<38>Mar 24 13:49:59  <13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - [NXLOG@14506 EventReceivedTime="2023-03-24 13:48:20" SourceModuleName="owasp-logs" SourceModuleType="im_file"] 2023/03/24 13:48:19 [error] 70642#70642: *2155033 [client 50.202.35.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/blog.sql"] [unique_id "1679640499"] [ref ""], client: 50.202.35.150, server: contoso.com,  request: "GET /blog.sql HTTP/1.1", host: "contoso.com:443"

The log source identifier of two log sources is the NATed IP address of the Customer QRadar, which is 172.10.20.2. Do you guy have any recommendations for creating log sources? Thank you all.

Hello guys, 

I have two log sources forwarding logs from Customer QRadar (behind NAT) to my QRadar. Unfortunately, the raw logs forwarded to my QRadar had "<38>Mar 25 14:16:02" added in the header like the logs below, making it difficult to identify the log source.

<38>Mar 25 14:16:02  <29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>068-CLIENT-002</MachineName><AgentGUID>{97fa0f64-3563-11ec-05df-b07b250aw45r3}</AgentGUID><IPAddress>10.10.17.43</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>%CTX_DOMAIN_USER%</UserName><TimeZoneBias>-420</TimeZoneBias><RawMACAddress>b07b2508f1242</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7" ProductFamily="TVD">....

<38>Mar 24 13:49:59  <13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - [NXLOG@14506 EventReceivedTime="2023-03-24 13:48:20" SourceModuleName="owasp-logs" SourceModuleType="im_file"] 2023/03/24 13:48:19 [error] 70642#70642: *2155033 [client 50.202.35.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/blog.sql"] [unique_id "1679640499"] [ref ""], client: 50.202.35.150, server: contoso.com,  request: "GET /blog.sql HTTP/1.1", host: "contoso.com:443"

The log source identifier of two log sources is the NATed IP address of the Customer QRadar, which is 172.10.20.2. Do you guy have any recommendations for creating log sources? Thank you all.