IBM Security QRadar

  • 1.  Suggestion for QRadar DSM Editor regarding Override

    Posted Wed March 15, 2023 10:03 AM

    Hello,

    When some DSMs are not enough, we start entering regexes for parsing. However, so as not to harm the original DSMs, we create brand new DSMs and write new regexes for the source.

    However, if we could enter new regexes for existing properties (override) without harming the 1st regex (which is not visible to us), we could finish the job faster and could use the advantages of the current DSM's other features.

    I wonder why QRadar does not let us leave the existing 1st regex (which is probably written by IBM) in place when we override.

    We could enter our regex as the 2nd one without harming the original DSM.

    Thanks,

    Onur



    ------------------------------
    Onur Tufan
    ------------------------------



  • 2.  RE: Suggestion for QRadar DSM Editor regarding Override

    Posted Wed March 15, 2023 10:29 AM

    Hi,

    I support that suggestion; I often have the same problem. It would be really helpful to be able to add regular expressions to the system behaviour (instead of replacing it), or at least to know how IBM's DSMs work.

    Best regards
    Simon



    ------------------------------
    Simon S.
    ------------------------------



  • 3.  RE: Suggestion for QRadar DSM Editor regarding Override

    IBM Champion
    Posted Wed March 15, 2023 11:53 AM

    Onur, Simon,

    You can override the default behaviour in your standard DSM. It's better to use the standard DSM rather than your own, because event mapping continuously gets improved and thus you profit from the development cycle and DSM updates. Meanwhile, already correctly mapped attributes will tell you when you are trying to override the default mapping behaviour. Please search for your unknown property first and define a new custom property. Then look for that new property in your log data, where it is listed as parsed but not mapped in the DSM Editor. This will allow you to specifically assign those events with properties from the log source that are not mapped yet and are listed as unknown HLC/LLC/event.

    BTW, the DSM allows for more than regex. It may well be that there is no regex involved at all, as the code is JSON, CEF, LEEF or name-value-pair based. Samples are provided for those. For regex, please look up the manual examples for the expressions supported. A good source is custom properties, which include hundreds of them in clear text.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 4.  RE: Suggestion for QRadar DSM Editor regarding Override

    Posted Mon March 20, 2023 08:33 AM

    Hello Karl,

    Thank you for the answer. In fact, I think the same as you; it is better to use the standard DSM. However, I get nervous when I override them. So do you recommend that I create, for example, "Event ID (custom)" instead of the standard "Event ID"? Can you please explain step by step?

    Thank you very much,

    Best regards,



    ------------------------------
    Onur Tufan
    ------------------------------



  • 5.  RE: Suggestion for QRadar DSM Editor regarding Override

    IBM Champion
    Posted Wed March 22, 2023 03:08 PM

    Onur

    With standard DSMs you should not mess around with the standard event ID mapping. In fact, newer versions won't allow this.

    The trick is to map your unknown event ID, based on the payload data extracted, to another QID that already exists, or to create one for your log source.

    I plan to write a step-by-step blog entry - please stay tuned!



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
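As an added illustration of the behaviour discussed in posts 3 and 5 above (this is example code, not code from the thread and not how QRadar implements the DSM Editor internally): a small Python model of the three parsing options, built-in expression only, override (custom expression replaces the built-in one), and the chained fallback the thread asks for, followed by a merge of custom event-ID-to-category mappings that leaves already mapped IDs untouched, as the "unknown events only" advice requires. The log lines, the "built-in" and custom expressions, the `evt_code:` variant format and the category tables are all constructed for this example.

```python
import re

# Constructed sample events (not real QRadar payloads). The first two use the
# format the hypothetical built-in expression understands; the third is a
# variant format the built-in expression does not handle.
SAMPLE_EVENTS = [
    "Mar 15 10:03:00 fw01 vendorapp: EventID=4624 user=alice result=success",
    "Mar 15 10:04:00 fw01 vendorapp: EventID=4625 user=bob result=failure",
    "Mar 15 10:05:00 fw01 vendorapp: evt_code:9001 user=carol result=success",
]

# Hypothetical expressions: BUILTIN_EVENT_ID stands in for the vendor expression
# the DSM Editor does not show you; CUSTOM_EVENT_ID is the one you would write
# for the variant format.
BUILTIN_EVENT_ID = re.compile(r"EventID=(\d+)")
CUSTOM_EVENT_ID = re.compile(r"evt_code:(\d+)")


def extract(patterns, payload):
    """Return capture group 1 of the first pattern that matches, else None."""
    for pattern in patterns:
        match = pattern.search(payload)
        if match:
            return match.group(1)
    return None


def parse_all(patterns, events):
    return [extract(patterns, event) for event in events]


def builtin_only(events):
    """Default DSM behaviour: only the built-in expression runs."""
    return parse_all([BUILTIN_EVENT_ID], events)


def override(events):
    """Override as the thread describes it: the custom expression replaces
    the built-in one, so events the built-in expression parsed are lost."""
    return parse_all([CUSTOM_EVENT_ID], events)


def chained(events):
    """The requested behaviour: built-in expression first, custom expression
    only as a fallback, so already parsed events never change."""
    return parse_all([BUILTIN_EVENT_ID, CUSTOM_EVENT_ID], events)


# Hypothetical category tables standing in for QID mappings:
# event ID -> (high-level category, low-level category).
VENDOR_QID_MAP = {
    "4624": ("Authentication", "User Login Success"),
    "4625": ("Authentication", "User Login Failure"),
}
CUSTOM_QID_MAP = {
    "9001": ("Authentication", "User Login Success"),  # unknown ID, reuse an existing category
    "4624": ("Access", "Misc Access"),                 # conflicts with the vendor map
}


def merge_qid_maps(vendor_map, custom_map):
    """Add custom mappings for unknown event IDs only. IDs the vendor already
    maps are skipped and reported, so the standard mapping stays intact."""
    merged = dict(vendor_map)
    skipped = []
    for event_id, category in custom_map.items():
        if event_id in vendor_map:
            skipped.append(event_id)
        else:
            merged[event_id] = category
    return merged, skipped


def lookup_category(event_id, qid_map):
    return qid_map.get(event_id, ("Unknown", "Unknown"))


if __name__ == "__main__":
    print("built-in only:", builtin_only(SAMPLE_EVENTS))
    print("override:     ", override(SAMPLE_EVENTS))
    print("chained:      ", chained(SAMPLE_EVENTS))
    merged, skipped = merge_qid_maps(VENDOR_QID_MAP, CUSTOM_QID_MAP)
    print("skipped custom mappings for already mapped IDs:", skipped)
    for event_id in chained(SAMPLE_EVENTS):
        print(event_id, "->", lookup_category(event_id, merged))
```

Running it shows the point of the thread: with override, the two events the built-in expression handled come back as unparsed, while the chained order keeps them and only fills in the variant event; the merge step then refuses the custom entry for 4624 and only adds 9001.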



  • 6.  RE: Suggestion for QRadar DSM Editor regarding Override

    IBM Champion
    Posted Wed March 22, 2023 03:43 PM
    Edited by Karl Jaeger Wed March 22, 2023 03:43 PM

    https://community.ibm.com/community/user/security/viewdocument/using-dsm-editor-for-overriding-unk?CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=librarydocuments



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 7.  RE: Suggestion for QRadar DSM Editor regarding Override

    Posted Thu March 23, 2023 11:09 AM

    I think a big problem that gets overlooked (and we've done our fair share of updating DSMs' parsing, mapping, etc.) is that whenever the DSM gets updated you are left with a DSM that behaves differently than IBM anticipates, so if a new content pack comes out, they build that content pack to work with their standard known mappings.

    For example:

    If I created a mapping and made a QID with a high/low level category of X/Y

    and IBM maps that same event to high/low level category A/B,

    the DSM and parsing for IBM and my setup are different, and I "risk" that new content extensions won't work for me as I expect, and there is not a single warning when the DSM gets updated that I made customisations to it which the auto update can't/won't overwrite.



    ------------------------------
    Martijn Groenewegen
    ------------------------------



  • 8.  RE: Suggestion for QRadar DSM Editor regarding Override

    IBM Champion
    Posted Thu March 23, 2023 12:25 PM

    Martijn

    Your comment is absolutely right. My blog article therefore focuses exclusively on unknown events that are not categorized at all! These are never used by any rule, search, report or other extension AFAIK. Please have a closer look!



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------