Description: One way IBM QRadar can process events received from security products is through a plug-in file called a "Device Support Module (DSM)".
We created a DSM plug-in that enables QRadar to properly parse and process Canary alert events sent from your Canary console using Syslog.
The Canary DSM includes the following:
- Event Mappings
- QID Records
- Log Source Extensions
- Custom Extraction Properties
- Regex Expressions
Follow the steps below to install the Canary DSM on your IBM QRadar instance:
Enable Syslog on your Canary Console as described here, and verify that Syslog alerts are reaching your IBM QRadar Event Collector.
Download the latest Canary Custom DSM file.
Copy the DSM file to a location of your choosing on your QRadar box (e.g. using rsync or SCP to `/tmp`).
Log in to your IBM QRadar installation, then `cd` into `/opt/qradar/bin/`.
Install the DSM using the following command (make sure your current directory is `/opt/qradar/bin` and that the DSM file you copied earlier is in `/tmp`):

```
./contentManagement.pl -a import -f /tmp/Canary-20200911064944.zip
```
After giving QRadar a few minutes to reload its various system components (a safe bet is ~10 minutes, depending on your QRadar setup), verify that the DSM has been imported successfully.
In your QRadar UI, go to "Admin"->"Data Sources"->"Events"->"DSM Editor"
A new log source type "Canary" should now be available; select it, then click "Select".
Go to "Configuration" and make sure "Enable Log Source Autodetection" is enabled. This will automatically add a log source for the Canary console once QRadar has received "enough" logs from that source, which saves you from creating it manually. Once you're done, click "Save".
To test the setup, and to kick QRadar into auto-creating the log source, you can use the Canary Console to send some "test" alerts over Syslog.
To do that, login to your Canary console, go to the Gear icon -> Global Settings
Under "Syslog", type a number in "Send N Test Messages", then press "Test". This sends that many Syslog test messages, which you should see arriving at QRadar; anything larger than 30 should be enough for QRadar to create the log source (if not, see the "Manually adding the log source" section at the end of this article).
Verify that the log source has been created: In your QRadar Console, go to "Admin"->"Data Sources"->"Events"->"Log Sources"
A new log source named "CanaryCustom @ YOUR-ORG" should have been created.
When you head to "Log Activity", logs should show up tagged with the proper log source.
Logs are now properly formatted, parsed and available for further processing.
Manually Adding the Log Source:
If you do not want to rely on QRadar's judgment in auto-creating the log source, or want the setup to be ready for alerts without cluttering it with "Test Data", then the "Log Source" must be created manually.
To create a Canary Log Source, go to "Admin"->"Data Sources"->"Events"->"Log Sources", then click "Add"
Then configure it as follows:
The "Log Source Identifier" will be your organisation name with each "dot" replaced by a "dash" (e.g. inyoni-corp.com becomes inyoni-corp-com).
Press "Save" and you should be good to go.
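The two places in this procedure where a typo is easy to make are the import command and the Log Source Identifier. Below is an added helper script (not part of the Canary article or of QRadar) that derives the identifier from an organisation domain and runs the DSM import only after checking the preconditions the article asks you to verify by hand; it assumes the default `/opt/qradar/bin` install path named in the article.

```shell
#!/bin/sh
# Added example, not from the Canary article or the QRadar product.
# Assumption: QRadar is installed under /opt/qradar (the path used in the article).
QRADAR_BIN=/opt/qradar/bin

# Derive the Log Source Identifier from an organisation domain: every dot
# becomes a dash (article example: inyoni-corp.com -> inyoni-corp-com).
log_source_identifier() {
    printf '%s\n' "$1" | sed 's/\./-/g'
}

# Import a DSM zip via contentManagement.pl after checking the things the
# article tells you to check by hand: the file is a readable .zip and the
# tool is present. Returns non-zero without running the import if a
# precondition fails, so a mistyped path never reaches contentManagement.pl.
import_canary_dsm() {
    zip="$1"
    case "$zip" in
        *.zip) ;;
        *) echo "not a .zip file: $zip" >&2; return 2 ;;
    esac
    [ -r "$zip" ] || { echo "DSM file not found or unreadable: $zip" >&2; return 2; }
    [ -x "$QRADAR_BIN/contentManagement.pl" ] \
        || { echo "contentManagement.pl not found in $QRADAR_BIN (not a QRadar host?)" >&2; return 3; }
    # The article runs the tool from its own directory, so do the same in a subshell.
    (cd "$QRADAR_BIN" && ./contentManagement.pl -a import -f "$zip")
}

# Usage: import_canary_dsm /tmp/Canary-20200911064944.zip
#        log_source_identifier inyoni-corp.com
```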
NOTE: We're still in beta with the QRadar integration, so please make sure you have a working backup of your configurations before following the steps mentioned in this article, and reach out to support if you see anything out of place.