Skip to main content

Search

IBM® QRadar® - Canary DSM Installation

Description: One way IBM QRadar can process events that are received from security products is by using a plug-in file called "Device Support Module (DSM)".

We created a DSM plug-in that enables QRadar to properly parse and process Canary alert events sent from your Canary Console using Syslog.

The Canary DSM includes the following:

  • Event Mappings
  • QID Records
  • Log Source Extensions
  • Custom Extraction Properties
  • Regex Expressions

Follow the steps below to install the Canary DSM on your IBM QRadar instance:

Step 1:

Get Syslog enabled on your Canary Console as described here, and verify that Syslog alerts are reaching your IBM QRadar Event Collector.

Step 2:

Download the latest Thinkst Canary DSM file.

mceclip0.png

Step 3:

Login to your QRadar instance, go to Admin, then click on Extensions Management

mceclip1.png

Step 4:

In the Extensions Management screen, Click Add

mceclip2.png

Step 5:

Click Browse, pick the Canary DSM ZIP file downloaded from Step 2, select Install Immediately, then press Add

Extensions_Management_2022-03-30_15-26-55.png

Step 6:

If you have an older version of the Canary DSM, make sure you select Replace existing items., then click Install

mceclip6.png

Step 7:

On the Install summary page, click OK

mceclip9.png

Step 8:

After giving QRadar a few minutes to reload various system components (a safe bet would be ~10 minutes, depending on your QRadar setup), verify that the DSM has been imported successfully.

In your QRadar UI, go to "Admin"->"Data Sources"->"Events"->"DSM Editor"

mceclip4.png

A new log source type "Canary" should be available now, select it then click "Select".

mceclip5.png

Go to "Configuration",  and make sure "Enable Log Source Autodetection" is enabled: this will auto-add a log source for the Canary Console once it received "enough" logs from that source (and saves you from manually creating it) ... once you're done, click "Save"

mceclip6.png

Step 9:

To test the setup, and to kick QRadar into auto-creating the log source, you can use the Canary Console to send some "test" alerts over Syslog.

To do that, log in to your Canary Console, go to the Gear icon -> Global Settings

blobid1.png

Under "Syslog", type a number in "Send N Test Messages", then press "Test" ... this will send some Syslog test messages that you should be receiving at QRadar, anything larger than 30 should be enough to create the log source (if not, please look at the "Manually adding the log source" section at the end of this article)

mceclip8.png

Step 10:

Verify that the log source has been created: In your QRadar Console, go to "Admin"->"Data Sources"->"Events"->"Log Sources"

mceclip10.png

A new log source should have been created "CanaryCustom @ YOUR-ORG"

mceclip11.png

When you head to "Log Activity", logs should be showing up indicating the proper log source.

blobid0.png

Logs are now properly formatted, parsed and available for further processing.

Manually Adding the Log Source:

If you do not want to rely on QRadar's judgment on auto-creating the log source or want the setup to be ready for alerts without cluttering it with "Test Data", then the "Log Source" must be created Manually.
To create a Canary Log Source, go to "Admin"->"Data Sources"->"Events"->"Log Sources", then click "Add"
mceclip12.png

Then configure it as follows:

mceclip13.png

The "Log Source Identifier" will be your organisation name, after replacing the "dot" with a "dash" (e.g. inyoni-corp.com will be inyoni-corp-com"

Press "Save" and you should be good to go.

NOTE: We're still in beta with the QRadar integration, so please make sure you have a working backup of your configurations before following the steps mentioned in this article and reach out to support if you see anything out of place.

 

Was this article helpful?
8 out of 9 found this helpful
Return to top