Description: One way IBM QRadar can process events that are received from security products is by using a plug-in file called "Device Support Module (DSM)".
We created a DSM plug-in that enables QRadar to properly parse and process Canary alert events sent from your Canary Console using Syslog.
The Canary DSM includes the following:
- Event Mappings
- QID Records
- Log Source Extensions
- Custom Extraction Properties
- Regex Expressions
Follow the steps below to install the Canary DSM on your IBM QRadar instance:
Get Syslog enabled on your Canary Console as described here, and verify that Syslog alerts are reaching your IBM QRadar Event Collector.
Download the latest Thinkst Canary DSM file.
Login to your QRadar instance, go to Admin, then click on Extensions Management
In the Extensions Management screen, Click Add
Click Browse, pick the Canary DSM ZIP file downloaded from Step 2, select Install Immediately, then press Add
If you have an older version of the Canary DSM, make sure you select Replace existing items., then click Install
On the Install summary page, click OK
After giving QRadar a few minutes to reload various system components (a safe bet would be ~10 minutes, depending on your QRadar setup), verify that the DSM has been imported successfully.
In your QRadar UI, go to "Admin"->"Data Sources"->"Events"->"DSM Editor"
A new log source type "Canary" should be available now, select it then click "Select".
Go to "Configuration", and make sure "Enable Log Source Autodetection" is enabled: this will auto-add a log source for the Canary Console once it received "enough" logs from that source (and saves you from manually creating it) ... once you're done, click "Save"
To test the setup, and to kick QRadar into auto-creating the log source, you can use the Canary Console to send some "test" alerts over Syslog.
To do that, log in to your Canary Console, go to the Gear icon -> Global Settings
Under "Syslog", type a number in "Send N Test Messages", then press "Test" ... this will send some Syslog test messages that you should be receiving at QRadar, anything larger than 30 should be enough to create the log source (if not, please look at the "Manually adding the log source" section at the end of this article)
Verify that the log source has been created: In your QRadar Console, go to "Admin"->"Data Sources"->"Events"->"Log Sources"
A new log source should have been created "CanaryCustom @ YOUR-ORG"
When you head to "Log Activity", logs should be showing up indicating the proper log source.
Logs are now properly formatted, parsed and available for further processing.
Manually Adding the Log Source:
If you do not want to rely on QRadar's judgment on auto-creating the log source or want the setup to be ready for alerts without cluttering it with "Test Data", then the "Log Source" must be created Manually.
To create a Canary Log Source, go to "Admin"->"Data Sources"->"Events"->"Log Sources", then click "Add"
Then configure it as follows:
The "Log Source Identifier" will be your organisation name, after replacing the "dot" with a "dash" (e.g. inyoni-corp.com will be inyoni-corp-com"
Press "Save" and you should be good to go.
NOTE: We're still in beta with the QRadar integration, so please make sure you have a working backup of your configurations before following the steps mentioned in this article and reach out to support if you see anything out of place.