February 2020 DSM Guide · 2020-02-19 · Configuring your 3COM Switch 8800 .....137 Chapter 10....
IBM QRadar
DSM Configuration Guide
March 2020
IBM
Note
Before using this information and the product that it supports, read the information in "Notices" on page 1193.
Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2005, 2020.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
About this DSM Configuration Guide.................................................................. xxix
Part 1. QRadar DSM installation and log source management..................................1
Chapter 1. Event collection from third-party devices ..... 3
    Adding a DSM ..... 4
Chapter 2. Introduction to log source management ..... 5
    Adding a log source ..... 5
    Adding a log source by using the Log Sources icon ..... 7
    Adding bulk log sources ..... 8
    Adding bulk log sources by using the Log Sources icon ..... 9
    Editing bulk log sources ..... 10
    Editing bulk log sources by using the Log Sources icon ..... 10
    Adding a log source parsing order ..... 11
    Testing log sources ..... 11
        Protocols available for testing ..... 12
Chapter 3. Log source extensions ..... 13
    Building a Universal DSM ..... 13
    Building a Universal DSM by using the Log Sources icon ..... 14
    Exporting the logs ..... 14
    Examples of log source extensions on QRadar forum ..... 16
    Patterns in log source extension documents ..... 16
    Match groups ..... 17
        Matcher (matcher) ..... 18
        JSON matcher (json-matcher) ..... 22
        LEEF matcher (leef-matcher) ..... 26
        CEF matcher (cef-matcher) ..... 27
        Multi-event modifier (event-match-multiple) ..... 27
        Single-event modifier (event-match-single) ..... 28
    Extension document template ..... 29
    Creating a log source extensions document to get data into QRadar ..... 31
        Common regular expressions ..... 32
        Building regular expression patterns ..... 33
        Uploading extension documents to QRadar ..... 35
    Parsing issues and examples ..... 35
        Parsing a CSV log format ..... 38
Chapter 4. Manage log source extensions ..... 39
    Adding a log source extension ..... 39
Chapter 5. Threat use cases by log source type....................................................................................... 41
Chapter 6. Troubleshooting DSMs.............................................................................................................53
Part 2. Protocols..................................................................................................55
Chapter 7. Undocumented Protocols ..... 57
    Configuring an undocumented protocol ..... 57
Chapter 8. Protocol configuration options ..... 59
    Akamai Kona REST API protocol configuration options ..... 59
    Amazon AWS S3 REST API protocol configuration options ..... 60
    Amazon Web Services protocol configuration options ..... 65
    Apache Kafka protocol configuration options ..... 73
        Configuring Apache Kafka to enable Client Authentication ..... 76
        Configuring Apache Kafka to enable SASL Authentication ..... 79
        Troubleshooting Apache Kafka ..... 81
    Blue Coat Web Security Service REST API protocol configuration options ..... 81
    Centrify Redrock REST API protocol configuration options ..... 82
    Cisco Firepower eStreamer protocol configuration options ..... 83
    Cisco NSEL protocol configuration options ..... 84
    EMC VMware protocol configuration options ..... 85
    Forwarded protocol configuration options ..... 86
    Google Cloud Pub/Sub protocol configuration options ..... 86
        Configuring Google Cloud Pub/Sub to integrate with QRadar ..... 88
        Creating a Pub/Sub Topic and Subscription in the Google Cloud Console ..... 88
        Creating a service account and a service account key in Google Cloud Console to access the Pub/Sub Subscription ..... 90
        Populating a Pub/Sub topic with data ..... 93
        Adding a Google Cloud Pub/Sub log source in QRadar ..... 94
    Google G Suite Activity Reports REST API protocol options ..... 95
    HTTP Receiver protocol configuration options ..... 96
    IBM BigFix SOAP protocol configuration options ..... 96
    JDBC protocol configuration options ..... 97
    JDBC - SiteProtector protocol configuration options ..... 101
    Juniper Networks NSM protocol configuration options ..... 103
    Juniper Security Binary Log Collector protocol configuration options ..... 103
    Log File protocol configuration options ..... 104
    Microsoft Azure Event Hubs protocol configuration options ..... 105
    Microsoft DHCP protocol configuration options ..... 107
    Microsoft Exchange protocol configuration options ..... 109
    Microsoft IIS protocol configuration options ..... 111
    Microsoft Security Event Log protocol configuration options ..... 113
        Microsoft Security Event Log over MSRPC Protocol ..... 113
    MQ protocol configuration options ..... 117
    Okta REST API protocol configuration options ..... 118
    OPSEC/LEA protocol configuration options ..... 118
    Oracle Database Listener protocol configuration options ..... 120
    PCAP Syslog Combination protocol configuration options ..... 121
    SDEE protocol configuration options ..... 123
    SMB Tail protocol configuration options ..... 124
    SNMPv2 protocol configuration options ..... 125
    SNMPv3 protocol configuration options ..... 126
    Seculert Protection REST API protocol configuration options ..... 126
    Sophos Enterprise Console JDBC protocol configuration options ..... 128
    Sourcefire Defense Center eStreamer protocol options ..... 130
    Syslog Redirect protocol overview ..... 130
    TCP multiline syslog protocol configuration options ..... 131
    TLS syslog protocol configuration options ..... 136
        Multiple log sources over TLS Syslog ..... 138
    UDP multiline syslog protocol configuration options ..... 139
    VMware vCloud Director protocol configuration options ..... 142
Part 3. DSMs......................................................................................................143
Chapter 9. 3Com Switch 8800 ..... 145
    Configuring your 3COM Switch 8800 ..... 145
Chapter 10. AhnLab Policy Center.......................................................................................................... 147
Chapter 11. Akamai Kona ..... 149
    Configure an Akamai Kona log source by using the HTTP Receiver protocol ..... 149
    Configuring an Akamai Kona log source by using the Akamai Kona REST API protocol ..... 150
    Configuring Akamai Kona to communicate with QRadar ..... 152
    Creating an event map for Akamai Kona events ..... 152
    Modifying the event map for Akamai Kona ..... 153
    Sample event messages ..... 154
Chapter 12. Amazon AWS CloudTrail ..... 157
    Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API protocol ..... 158
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS queue ..... 158
        Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix ..... 170
    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol ..... 178
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams ..... 179
        Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs ..... 184
Chapter 13. Amazon AWS Security Hub ..... 191
    Creating an IAM role for the Lambda function ..... 195
    Creating a Lambda function ..... 196
    Creating a CloudWatch events rule ..... 197
    Configuring the Lambda function ..... 198
    Creating a log group and log stream to retrieve Amazon AWS Security Hub events for QRadar ..... 200
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 200
    Amazon AWS Security Hub DSM specifications ..... 201
    Amazon AWS Security Hub Sample event messages ..... 201
Chapter 14. Amazon GuardDuty ..... 203
    Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol ..... 203
        Creating an IAM role for the Lambda function ..... 207
        Creating a Lambda function ..... 209
        Creating a CloudWatch events rule ..... 209
        Configuring the Lambda function ..... 210
    Creating a log group and log stream to retrieve Amazon GuardDuty events for QRadar ..... 211
    Creating an Identity and Access (IAM) user in the AWS Management Console when using Amazon Web Services ..... 212
    Sample event message ..... 212
Chapter 15. Ambiron TrustWave ipAngel ..... 215
Chapter 16. Amazon VPC Flow Logs ..... 217
    Amazon VPC Flow Logs specifications ..... 220
    Publishing flow logs to an S3 bucket ..... 221
    Create the SQS queue that is used to receive ObjectCreated notifications ..... 221
    Configuring security credentials for your AWS user account ..... 222
Chapter 17. APC UPS...............................................................................................................................223
    Configuring your APC UPS to forward syslog events ..... 224
Chapter 18. Apache HTTP Server ..... 225
    Configuring Apache HTTP Server with syslog ..... 225
    Syslog log source parameters for Apache HTTP Server ..... 226
    Configuring Apache HTTP Server with syslog-ng ..... 226
    Syslog log source parameters for Apache HTTP Server ..... 227
Chapter 19. Apple Mac OS X ..... 229
    Syslog log source parameters for Apple Mac OS X ..... 229
    Configuring syslog on your Apple Mac OS X ..... 229
Chapter 20. Application Security DbProtect ..... 233
    Installing the DbProtect LEEF Relay Module ..... 234
    Configuring the DbProtect LEEF Relay ..... 234
    Configuring DbProtect alerts ..... 235
Chapter 21. Arbor Networks ..... 237
    Arbor Networks Peakflow SP ..... 237
        Supported event types for Arbor Networks Peakflow SP ..... 238
        Configuring a remote syslog in Arbor Networks Peakflow SP ..... 238
        Configuring global notifications settings for alerts in Arbor Networks Peakflow SP ..... 238
        Configuring alert notification rules in Arbor Networks Peakflow SP ..... 239
        Syslog log source parameters for Arbor Networks Peakflow SP ..... 239
    Arbor Networks Pravail ..... 240
        Configuring your Arbor Networks Pravail system to send events to IBM QRadar ..... 241
Chapter 22. Arpeggio SIFT-IT ..... 243
    Configuring a SIFT-IT agent ..... 243
    Syslog log source parameters for Arpeggio SIFT-IT ..... 244
    Additional information ..... 244
Chapter 23. Array Networks SSL VPN ..... 247
    Syslog log source parameters for Array Networks SSL VPN ..... 247
Chapter 24. Aruba Networks ..... 249
    Aruba ClearPass Policy Manager ..... 249
        Configuring Aruba ClearPass Policy Manager to communicate with QRadar ..... 250
    Aruba Introspect ..... 250
        Configuring Aruba Introspect to communicate with QRadar ..... 252
    Aruba Mobility Controllers ..... 253
        Configuring your Aruba Mobility Controller ..... 253
        Syslog log source parameters for Aruba Mobility Controllers ..... 253
Chapter 25. Avaya VPN Gateway ..... 255
    Avaya VPN Gateway DSM integration process ..... 255
    Configuring your Avaya VPN Gateway system for communication with IBM QRadar ..... 256
    Syslog log source parameters for Avaya VPN Gateway ..... 256
Chapter 26. BalaBit IT Security ..... 257
    BalaBit IT Security for Microsoft Windows Events ..... 257
        Configuring the Syslog-ng Agent event source ..... 257
        Configuring a syslog destination ..... 258
        Restarting the Syslog-ng Agent service ..... 259
        Syslog log source parameters for BalaBit IT Security for Microsoft Windows Events ..... 259
    BalaBit IT Security for Microsoft ISA or TMG Events ..... 259
        Configure the BalaBit Syslog-ng Agent ..... 260
        Configuring the BalaBit Syslog-ng Agent file source ..... 260
        Configuring a BalaBit Syslog-ng Agent syslog destination ..... 261
        Filtering the log file for comment lines ..... 261
        Configuring a BalaBit Syslog-ng PE Relay ..... 262
        Syslog log source parameters for BalaBit IT Security for Microsoft ISA or TMG Events ..... 263
Chapter 27. Barracuda ..... 265
    Barracuda Spam & Virus Firewall ..... 265
        Configuring syslog event forwarding ..... 265
        Syslog log source parameters for Barracuda Spam Firewall ..... 265
    Barracuda Web Application Firewall ..... 266
        Configuring Barracuda Web Application Firewall to send syslog events to QRadar ..... 267
        Configuring Barracuda Web Application Firewall to send syslog events to QRadar for devices that do not support LEEF ..... 267
    Barracuda Web Filter ..... 268
        Configuring syslog event forwarding ..... 269
        Syslog log source parameters for Barracuda Web Filter ..... 269
Chapter 28. BeyondTrust PowerBroker ..... 271
    Syslog log source parameters for BeyondTrust PowerBroker ..... 271
    TLS Syslog log source parameters for BeyondTrust PowerBroker ..... 272
    Configuring BeyondTrust PowerBroker to communicate with QRadar ..... 272
    BeyondTrust PowerBroker DSM specifications ..... 274
    Sample event messages ..... 274
Chapter 29. BlueCat Networks Adonis ..... 277
    Supported event types ..... 277
    Event type format ..... 277
    Configuring BlueCat Adonis ..... 278
    Syslog log source parameters for BlueCat Networks Adonis ..... 278
Chapter 30. Blue Coat ..... 279
    Blue Coat SG ..... 279
        Creating a custom event format ..... 280
        Creating a log facility ..... 281
        Enabling access logging ..... 281
        Configuring Blue Coat SG for FTP uploads ..... 282
        Syslog log source parameters for Blue Coat SG ..... 282
        Log File log source parameters for Blue Coat SG ..... 283
        Configuring Blue Coat SG for syslog ..... 286
        Creating extra custom format key-value pairs ..... 286
    Blue Coat Web Security Service ..... 286
        Configuring Blue Coat Web Security Service to communicate with QRadar ..... 288
Chapter 31. Box ..... 289
    Configuring Box to communicate with QRadar ..... 290
Chapter 32. Bridgewater ..... 293
    Configuring Syslog for your Bridgewater Systems Device ..... 293
    Syslog log source parameters for Bridgewater Systems ..... 293
Chapter 33. Brocade Fabric OS ..... 295
    Configuring syslog for Brocade Fabric OS appliances ..... 295
Chapter 34. CA Technologies ..... 297
    CA ACF2 ..... 297
        Create a log source for near real-time event feed ..... 298
        Log File log source parameter ..... 298
        Integrate CA ACF2 with IBM QRadar by using audit scripts ..... 302
        Configuring CA ACF2 that uses audit scripts to integrate with IBM QRadar ..... 303
    CA SiteMinder ..... 306
        Syslog log source parameters for CA SiteMinder ..... 306
        Configuring Syslog-ng for CA SiteMinder ..... 307
    CA Top Secret ..... 308
        Log File log source parameter ..... 309
        Create a log source for near real-time event feed ..... 313
        Integrate CA Top Secret with IBM QRadar by using audit scripts ..... 313
        Configuring CA Top Secret that uses audit scripts to integrate with IBM QRadar ..... 313
Chapter 35. Carbon Black ..... 317
    Carbon Black ..... 317
        Configuring Carbon Black to communicate with QRadar ..... 318
    Carbon Black Protection ..... 319
        Configuring Carbon Black Protection to communicate with QRadar ..... 320
    Carbon Black Bit9 Parity ..... 321
        Syslog log source parameters for Carbon Black Bit9 Parity ..... 321
    Bit9 Security Platform ..... 321
        Configuring Carbon Black Bit9 Security Platform to communicate with QRadar ..... 322
Chapter 36. Centrify ..... 323
    Centrify Identity Platform ..... 323
        Centrify Identity Platform DSM specifications ..... 324
        Configuring Centrify Identity Platform to communicate with QRadar ..... 325
        Sample event message ..... 326
    Centrify Infrastructure Services ..... 326
        Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services ..... 328
        Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar ..... 329
        Sample event messages ..... 330
Chapter 37. Check Point ..... 333
    Check Point ..... 333
        Integration of Check Point by using OPSEC ..... 333
        Adding a Check Point Host ..... 334
        Creating an OPSEC Application Object ..... 334
        Locating the log source SIC ..... 335
        OPSEC/LEA log source parameters for Check Point ..... 335
        Edit your OPSEC communications configuration ..... 336
        Changing the default port for OPSEC LEA communication ..... 336
        Configuring OPSEC LEA for unencrypted communications ..... 337
        Integration of Check Point Firewall events from external syslog forwarders ..... 338
        Configuring Check Point to forward LEEF events to QRadar ..... 339
        Sample event messages ..... 341
    Check Point Multi-Domain Management (Provider-1) ..... 342
        Integrating syslog for Check Point Multi-Domain Management (Provider-1) ..... 342
        Syslog log source parameters for Check Point Multi-Domain Management (Provider-1) ..... 343
        Configuring OPSEC for Check Point Multi-Domain Management (Provider-1) ..... 343
        OPSEC/LEA log source parameters for Check Point Multi-Domain Management (Provider-1) ..... 344
        Configuring Check Point to forward LEEF events to QRadar ..... 344
Chapter 38. Cilasoft QJRN/400 ..... 347
    Configuring Cilasoft QJRN/400 ..... 347
    Syslog log source parameters for Cilasoft QJRN/400 ..... 348
Chapter 39. Cisco ..... 351
    Cisco ACE Firewall ..... 351
        Configuring Cisco ACE Firewall ..... 351
        Syslog log source parameters for Cisco ACE Firewall ..... 351
    Cisco ACS ..... 352
        Configuring Syslog for Cisco ACS v5.x ..... 352
        Creating a Remote Log Target ..... 352
        Configuring global logging categories ..... 353
        Syslog log source parameters for Cisco ACS v5.x ..... 353
        Configuring Syslog for Cisco ACS v4.x ..... 354
        Configuring syslog forwarding for Cisco ACS v4.x ..... 354
        Syslog log source parameters for Cisco ACS v4.x ..... 355
        UDP Multiline Syslog log source parameters for Cisco ACS ..... 355
    Cisco Aironet ..... 356
        Syslog log source parameters for Cisco Aironet ..... 357
    Cisco ASA ..... 357
        Integrate Cisco ASA Using Syslog ..... 357
        Configuring syslog forwarding ..... 358
        Syslog log source parameters for Cisco ASA ..... 358
        Integrate Cisco ASA for NetFlow by using NSEL ..... 359
        Configuring NetFlow Using NSEL ..... 359
        Cisco NSEL log source parameters for Cisco ASA ..... 360
    Cisco AMP ..... 361
        Cisco AMP DSM specifications ..... 361
        Creating a Cisco AMP Client ID and API key for event queues ..... 362
        Creating a Cisco AMP event stream ..... 363
        Configure a log source for a user to manage the Cisco AMP event stream ..... 364
        Sample event message ..... 365
    Cisco CallManager ..... 366
        Configuring syslog forwarding ..... 366
        Syslog log source parameters for Cisco CallManager ..... 367
    Cisco CatOS for Catalyst Switches ..... 367
        Configuring syslog ..... 367
        Syslog log source parameters for Cisco CatOS for Catalyst Switches ..... 368
    Cisco Cloud Web Security ..... 368
        Configuring Cloud Web Security to communicate with QRadar ..... 370
    Cisco CSA ..... 371
        Configuring syslog for Cisco CSA ..... 371
        Syslog log source parameters for Cisco CSA ..... 372
    Cisco Firepower Management Center ..... 372
        Creating Cisco Firepower Management Center 5.x and 6.x certificates ..... 374
        Importing a Cisco Firepower Management Center certificate in QRadar ..... 376
        Configure your Cisco Firepower appliance to send intrusion or connection events to QRadar by using Syslog ..... 377
        Cisco Firepower Management Center log source parameters ..... 378
    Cisco FWSM ..... 378
        Configuring Cisco FWSM to forward syslog events ..... 378
        Syslog log source parameters for Cisco FWSM ..... 379
    Cisco Identity Services Engine ..... 379
        Configuring a remote logging target in Cisco ISE ..... 382
        Configuring logging categories in Cisco ISE ..... 382
    Cisco IDS/IPS ..... 383
        SDEE log source parameters for Cisco IDS/IPS ..... 383
    Cisco IOS ..... 385
        Configuring Cisco IOS to forward events ..... 385
        Syslog log source parameters for Cisco IOS ..... 386
    Cisco IronPort ..... 387
        Cisco IronPort DSM specifications ..... 387
        Configuring Cisco IronPort appliances to communicate with QRadar ..... 388
        Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol ..... 388
        Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol ..... 391
        Sample event messages ..... 392
    Cisco Meraki ..... 392
        Cisco Meraki DSM specifications ..... 393
        Configure Cisco Meraki to communicate with IBM QRadar ..... 394
        Sample event messages ..... 394
    Cisco NAC ..... 396
        Configuring Cisco NAC to forward events ..... 396
        Syslog log source parameters for Cisco NAC ..... 396
    Cisco Nexus ..... 397
        Configuring Cisco Nexus to forward events ..... 397
        Syslog log source parameters for Cisco Nexus ..... 397
    Cisco Pix ..... 398
        Configuring Cisco Pix to forward events ..... 398
        Syslog log source parameters for Cisco Pix ..... 399
    Cisco Stealthwatch ..... 399
        Configuring Cisco Stealthwatch to communicate with QRadar ..... 400
    Cisco Umbrella ..... 401
        Configure Cisco Umbrella to communicate with QRadar ..... 404
        Cisco Umbrella DSM specifications ..... 404
        Sample event messages ..... 404
    Cisco VPN 3000 Concentrator ..... 405
        Syslog log source parameters for Cisco VPN 3000 Concentrator ..... 405
    Cisco Wireless LAN Controllers ..... 406
        Configuring syslog for Cisco Wireless LAN Controller ..... 406
        Syslog log source parameters for Cisco Wireless LAN Controllers ..... 407
        Configuring SNMPv2 for Cisco Wireless LAN Controller ..... 408
        Configuring a trap receiver for Cisco Wireless LAN Controller ..... 409
        SNMPv2 log source parameters for Cisco Wireless LAN Controllers ..... 409
    Cisco Wireless Services Module ..... 410
        Configuring Cisco WiSM to forward events ..... 411
        Syslog log source parameters for Cisco WiSM ..... 412
Chapter 40. Citrix ..... 415
    Citrix Access Gateway ..... 415
        Syslog log source parameters for Citrix Access Gateway ..... 415
    Citrix NetScaler ..... 416
        Syslog log source parameters for Citrix NetScaler ..... 417
Chapter 41. Cloudera Navigator ..... 419
    Configuring Cloudera Navigator to communicate with QRadar ..... 420
Chapter 42. CloudPassage Halo ..... 421
    Configuring CloudPassage Halo for communication with QRadar ..... 421
    Syslog log source parameters for CloudPassage Halo ..... 423
    Log File log source parameters for CloudPassage Halo ..... 423
Chapter 43. CloudLock Cloud Security Fabric ..... 425
    Configuring CloudLock Cloud Security Fabric to communicate with QRadar ..... 426
Chapter 44. Correlog Agent for IBM z/OS ..... 427
    Configuring your CorreLog Agent system for communication with QRadar ..... 428
Chapter 45. CrowdStrike Falcon Host ..... 429
    Configuring CrowdStrike Falcon Host to communicate with QRadar ..... 430
Chapter 46. CRYPTOCard CRYPTO-Shield ..... 433
    Configuring syslog for CRYPTOCard CRYPTO-Shield ..... 433
    Syslog log source parameters for CRYPTOCard CRYPTO-Shield ..... 433
Chapter 47. CyberArk ..... 435
    CyberArk Privileged Threat Analytics ..... 435
        Configuring CyberArk Privileged Threat Analytics to communicate with QRadar ..... 436
    CyberArk Vault ..... 436
        Configuring syslog for CyberArk Vault ..... 437
        Syslog log source parameters for CyberArk Vault ..... 437
Chapter 48. CyberGuard Firewall/VPN Appliance ..... 439
    Configuring syslog events ..... 439
    Syslog log source parameters for CyberGuard ..... 439
Chapter 49. Damballa Failsafe ..... 441
    Configuring syslog for Damballa Failsafe ..... 441
    Syslog log source parameters for Damballa Failsafe ..... 441
Chapter 50. DG Technology MEAS ..... 443
    Configuring your DG Technology MEAS system for communication with QRadar ..... 443
Chapter 51. Digital China Networks (DCN) ..... 445
    Configuring a DCN DCS/DCRS Series Switch ..... 445
    Syslog log source parameters for DCN DCS/DCRS Series switches ..... 446
Chapter 52. Enterprise-IT-Security.com SF-Sherlock ..... 447
    Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar ..... 448
Chapter 53. Epic SIEM ..... 449
    Configuring Epic SIEM 2014 to communicate with QRadar ..... 450
    Configuring Epic SIEM 2015 to communicate with QRadar ..... 450
    Configuring Epic SIEM 2017 to communicate with QRadar ..... 452
Chapter 54. ESET Remote Administrator ..... 455
    Configuring ESET Remote Administrator to communicate with QRadar ..... 456
Chapter 55. Exabeam ..... 457
    Configuring Exabeam to communicate with QRadar ..... 457
Chapter 56. Extreme ..... 459
    Extreme 800-Series Switch ..... 459
        Configuring your Extreme 800-Series Switch ..... 459
        Syslog log source parameters for Extreme 800-Series Switches ..... 459
    Extreme Dragon ..... 460
        Creating a Policy for Syslog ..... 460
        Syslog log source parameters for Extreme Dragon ..... 462
        Configure the EMS to forward syslog messages ..... 462
        Configuring syslog-ng Using Extreme Dragon EMS V7.4.0 and later ..... 462
        Configuring syslogd Using Extreme Dragon EMS V7.4.0 and earlier ..... 463
    Extreme HiGuard Wireless IPS ..... 463
        Configuring Enterasys HiGuard ..... 463
        Syslog log source parameters for Extreme HiGuard ..... 464
    Extreme HiPath Wireless Controller ..... 465
        Configuring your HiPath Wireless Controller ..... 465
        Syslog log source parameters for Extreme HiPath ..... 465
    Extreme Matrix Router ..... 466
    Extreme Matrix K/N/S Series Switch ..... 466
    Extreme NetSight Automatic Security Manager ..... 467
    Extreme NAC ..... 468
        Syslog log source parameters for Extreme NAC ..... 468
    Extreme stackable and stand-alone switches ..... 469
    Extreme Networks ExtremeWare ..... 470
        Syslog log source parameters for Extreme Networks ExtremeWare ..... 470
    Extreme XSR Security Router ..... 471
        Syslog log source parameters for Extreme XSR Security Router ..... 471
Chapter 57. F5 Networks ..... 473
    F5 Networks BIG-IP AFM ..... 473
        Configuring a logging pool ..... 473
        Creating a high-speed log destination ..... 474
        Creating a formatted log destination ..... 474
        Creating a log publisher ..... 474
        Creating a logging profile ..... 475
        Associating the profile to a virtual server ..... 475
        Syslog log source parameters for F5 Networks BIG-IP AFM ..... 476
    F5 Networks BIG-IP APM ..... 476
        Configuring Remote Syslog for F5 BIG-IP APM V11.x to V14.x ..... 476
        Configuring a Remote Syslog for F5 BIG-IP APM 10.x ..... 477
        Syslog log source parameters for F5 Networks BIG-IP APM ..... 477
    Configuring F5 Networks BIG-IP ASM ..... 478
        Syslog log source parameters for F5 Networks BIG-IP ASM ..... 478
    F5 Networks BIG-IP LTM ..... 479
        Syslog log source parameters for F5 Networks BIG-IP LTM ..... 479
        Configuring syslog forwarding in BIG-IP LTM ..... 479
        Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x ..... 480
        Configuring Remote Syslog for F5 BIG-IP LTM V10.x ..... 480
        Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8 ..... 481
    F5 Networks FirePass ..... 481
        Configuring syslog forwarding for F5 FirePass ..... 481
        Syslog log source parameters for F5 Networks FirePass ..... 482
Chapter 58. Fair Warning ..... 483
    Log File log source parameters for Fair Warning ..... 483
Chapter 59. Fasoo Enterprise DRM ..... 485
    Configuring Fasoo Enterprise DRM to communicate with QRadar ..... 489
Chapter 60. Fidelis XPS ..... 491
    Configuring Fidelis XPS ..... 491
    Syslog log source parameters for Fidelis XPS ..... 492
Chapter 61. FireEye ..... 493
    Configuring your FireEye system for communication with QRadar ..... 495
    Configuring your FireEye HX system for communication with QRadar ..... 495
Chapter 62. Forcepoint ..... 497
    FORCEPOINT Stonesoft Management Center ..... 497
        Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar ..... 498
        Configuring a syslog traffic rule for FORCEPOINT Stonesoft Management Center ..... 499
    Forcepoint Sidewinder ..... 500
        Forcepoint Sidewinder DSM specifications ..... 501
        Configure Forcepoint Sidewinder to communicate with QRadar ..... 501
        Sample event messages ..... 501
    Forcepoint TRITON ..... 502
        Configuring syslog for Forcepoint TRITON ..... 503
        Syslog log source parameters for Forcepoint TRITON ..... 503
    Forcepoint V-Series Data Security Suite ..... 504
        Configuring syslog for Forcepoint V-Series Data Security Suite ..... 504
        Syslog log source parameters for Forcepoint V-Series Data Security Suite ... 504
    Forcepoint V-Series Content Gateway ................................... 505
        Configure syslog for Forcepoint V-Series Content Gateway .......... 505
        Configuring the Management Console for Forcepoint V-Series Content Gateway ... 505
        Enabling Event Logging for Forcepoint V-Series Content Gateway .... 506
        Syslog log source parameters for Forcepoint V-Series Content Gateway ... 506
        Log file protocol for Forcepoint V-Series Content Gateway ......... 507
Chapter 63. ForeScout CounterACT .......................................... 509
    Syslog log source parameters for ForeScout CounterACT ................. 509
    Configuring the ForeScout CounterACT Plug-in .......................... 509
    Configuring ForeScout CounterACT Policies ............................. 510
Chapter 64. Fortinet FortiGate Security Gateway ........................... 513
    Configuring a syslog destination on your Fortinet FortiGate Security Gateway device ... 514
    Configuring a syslog destination on your Fortinet FortiAnalyzer device ... 514
Chapter 65. Foundry FastIron .............................................. 517
    Configuring syslog for Foundry FastIron ............................... 517
    Syslog log source parameters for Foundry FastIron ..................... 517
Chapter 66. FreeRADIUS .................................................... 519
    Configuring your FreeRADIUS device to communicate with QRadar ......... 519
Chapter 67. Generic ....................................................... 521
    Generic Authorization Server .......................................... 521
        Configuring event properties ...................................... 521
        Syslog log source parameters for Generic Authorization Server ..... 523
    Generic Firewall ...................................................... 523
        Configuring event properties ...................................... 523
        Syslog log source parameters for Generic Firewall ................. 525
Chapter 68. genua genugate ................................................ 527
    Configuring genua genugate to send events to QRadar ................... 528
Chapter 69. Google G Suite Activity Reports ............................... 529
    Google G Suite Activity Reports DSM specifications .................... 529
    Configuring Google G Suite Activity Reports to communicate with QRadar  530
    Assign a role to a user ............................................... 530
    Create a service account with viewer access ........................... 532
    Grant API client access to a service account .......................... 532
    Google G Suite Activity Reports log source parameters ................. 533
    Sample event messages ................................................. 534
    Troubleshooting Google G Suite Activity Reports ....................... 535
        Invalid private keys .............................................. 535
        Authorization errors .............................................. 536
        Invalid email or username errors .................................. 536
        Invalid JSON formatting ........................................... 537
        Network errors .................................................... 537
        Google G Suite Activity Reports FAQ ............................... 537
Chapter 70. Great Bay Beacon .............................................. 539
    Configuring syslog for Great Bay Beacon ............................... 539
    Syslog log source parameters for Great Bay Beacon ..................... 539
Chapter 71. HBGary Active Defense ......................................... 541
    Configuring HBGary Active Defense ..................................... 541
    Syslog log source parameters for HBGary Active Defense ................ 541
Chapter 72. H3C Technologies .............................................. 543
    H3C Comware Platform .................................................. 543
        Configuring H3C Comware Platform to communicate with QRadar ....... 544
Chapter 73. Honeycomb Lexicon File Integrity Monitor (FIM) ................ 545
    Supported Honeycomb FIM event types logged by QRadar .................. 545
    Configuring the Lexicon mesh service .................................. 546
    Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor ... 546
Chapter 74. Hewlett Packard (HP) .......................................... 549
    HP Network Automation ................................................. 549
        Configuring HP Network Automation Software to communicate with QRadar ... 550
    HP ProCurve ........................................................... 551
        Syslog log source parameters for HP ProCurve ...................... 551
    HP Tandem ............................................................. 552
    Hewlett Packard UniX (HP-UX) .......................................... 552
        Syslog log source parameters for Hewlett Packard UniX (HP-UX) ..... 553
Chapter 75. Huawei ........................................................ 555
    Huawei AR Series Router ............................................... 555
        Syslog log source parameters for Huawei AR Series Router .......... 555
        Configuring Your Huawei AR Series Router .......................... 556
    Huawei S Series Switch ................................................ 556
        Syslog log source parameters for Huawei S Series Switch ........... 557
        Configuring Your Huawei S Series Switch ........................... 557
Chapter 76. HyTrust CloudControl .......................................... 559
    Configuring HyTrust CloudControl to communicate with QRadar ........... 560
Chapter 77. IBM ........................................................... 561
    IBM AIX ............................................................... 561
        IBM AIX Server DSM overview ....................................... 561
        IBM AIX Audit DSM overview ........................................ 562
    IBM i ................................................................. 567
        Configuring IBM i to integrate with IBM QRadar .................... 568
        Manually extracting journal entries for IBM i ..................... 569
        Pulling Data Using Log File Protocol .............................. 570
        Configuring Townsend Security Alliance LogAgent to integrate with QRadar ... 571
    IBM BigFix ............................................................ 571
    IBM BigFix Detect ..................................................... 572
    IBM Bluemix Platform .................................................. 572
        Configuring IBM Bluemix Platform to communicate with QRadar ....... 573
    IBM CICS .............................................................. 575
        Create a log source for near real-time event feed ................. 576
        Log File log source parameter ..................................... 576
    IBM DataPower ......................................................... 580
        Configuring IBM DataPower to communicate with QRadar .............. 581
    IBM DB2 ............................................................... 582
        Create a log source for near real-time event feed ................. 583
        Log File log source parameter ..................................... 583
        Integrating IBM DB2 Audit Events .................................. 587
        Extracting audit data for DB2 v8.x to v9.4 ........................ 588
        Extracting audit data for DB2 v9.5 ................................ 588
    IBM Federated Directory Server ........................................ 589
        Configuring IBM Federated Directory Server to monitor security events ... 590
    IBM Fiberlink MaaS360 ................................................. 590
        IBM Fiberlink REST API log source parameters for IBM Fiberlink MaaS360 ... 591
    IBM Guardium .......................................................... 592
        Creating a syslog destination for events .......................... 592
        Configuring policies to generate syslog events .................... 593
        Installing an IBM Guardium Policy ................................. 594
        Syslog log source parameters for IBM Guardium ..................... 594
        Creating an event map for IBM Guardium events ..................... 595
        Modifying the event map ........................................... 595
    IBM IMS ............................................................... 596
        Configuring IBM IMS ............................................... 597
        Log File log source parameters for IBM IMS ........................ 599
    IBM Informix Audit .................................................... 599
    IBM Lotus Domino ...................................................... 600
        Setting Up SNMP Services .......................................... 600
        Setting up SNMP in AIX ............................................ 600
        Starting the Domino Server Add-in Tasks ........................... 601
        Configuring SNMP Services ......................................... 601
        SNMPv2 log source parameters for IBM Lotus Domino ................. 602
    IBM Privileged Session Recorder ....................................... 602
        Configuring IBM Privileged Session Recorder to communicate with QRadar ... 604
        JDBC log source parameters for IBM Privileged Session Recorder .... 604
    IBM Proventia ......................................................... 604
        IBM Proventia Management SiteProtector ............................ 604
        JDBC log source parameters for IBM Proventia Management SiteProtector ... 605
        IBM ISS Proventia ................................................. 606
    IBM QRadar Packet Capture ............................................. 607
        Configuring IBM QRadar Packet Capture to communicate with QRadar .. 608
        Configuring IBM QRadar Network Packet Capture to communicate with QRadar ... 609
    IBM RACF .............................................................. 609
        Log File log source parameter ..................................... 610
        Create a log source for near real-time event feed ................. 614
        Integrate IBM RACF with IBM QRadar by using audit scripts ......... 615
        Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar ... 615
    IBM SAN Volume Controller ............................................. 617
        Configuring IBM SAN Volume Controller to communicate with QRadar .. 619
    IBM Security Access Manager for Enterprise Single Sign-On ............. 619
        Configuring a log server type ..................................... 619
        Configuring syslog forwarding ..................................... 620
        Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-On ... 620
    IBM Security Access Manager for Mobile ................................ 621
        Configuring IBM Security Access Manager for Mobile to communicate with QRadar ... 623
        Configuring IBM IDaaS Platform to communicate with QRadar ......... 624
        Configuring an IBM IDaaS console to communicate with QRadar ....... 624
    IBM Security Directory Server ......................................... 624
        IBM Security Directory Server DSM specifications .................. 625
        Configuring IBM Security Directory Server to communicate with QRadar ... 625
        Syslog log source parameters for IBM Security Directory Server .... 626
    IBM Security Identity Governance ...................................... 627
        JDBC log source parameters for IBM Security Identity Governance ... 629
    IBM Security Identity Manager ......................................... 630
        IBM Security Identity Manager JDBC log source parameters for IBM Security Identity Manager ... 630
    IBM Security Network IPS (GX) ......................................... 634
        Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar ... 635
        Syslog log source parameters for IBM Security Network IPS (GX) .... 635
    IBM QRadar Network Security XGS ....................................... 636
        Configuring IBM QRadar Network Security XGS Alerts ................ 636
        Syslog log source parameters for IBM QRadar Network Security XGS .. 637
    IBM Security Privileged Identity Manager .............................. 638
        Configuring IBM Security Privileged Identity Manager to communicate with QRadar ... 641
        Sample event message .............................................. 642
    IBM Security Trusteer Apex Advanced Malware Protection ................ 642
        Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to QRadar ... 646
        Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar ... 647
        Configuring a Flat File Feed service .............................. 649
    IBM Security Trusteer Apex Local Event Aggregator ..................... 650
        Configuring syslog for Trusteer Apex Local Event Aggregator ....... 650
    IBM Sense ............................................................. 651
        Configuring IBM Sense to communicate with QRadar .................. 652
    IBM SmartCloud Orchestrator ........................................... 652
        Installing IBM SmartCloud Orchestrator ............................ 653
        IBM SmartCloud Orchestrator log source parameters ................. 653
    IBM Tivoli Access Manager for e-business .............................. 654
        Configure Tivoli Access Manager for e-business .................... 654
        Syslog log source parameters for IBM Tivoli Access Manager for e-business ... 655
    IBM Tivoli Endpoint Manager ........................................... 655
    IBM WebSphere Application Server ...................................... 656
        Configuring IBM WebSphere ..........................................