One way IBM QRadar processes events received from security products is through a plug-in called a Device Support Module (DSM).
We created a DSM plug-in that enables QRadar to properly parse and process Canary alert events sent from your Canary Console over Syslog.
The Canary DSM includes the following:
- Event Mappings
- QID Records
- Log Source Extensions
- Custom Extraction Properties
- Regular Expressions
Follow the steps below to install the Canary DSM on your IBM QRadar instance:
Step 1: Enable and Verify Syslog Alerts to IBM QRadar
Enable Syslog on your Canary Console as described here, and verify that Syslog alerts are actually reaching your IBM QRadar Event Collector (for example, by watching the collector's syslog port with tcpdump while the Console sends a test message).
Step 2: Download DSM File
Download the latest Thinkst Canary DSM file.
Step 3: Access Extensions Management
Log in to your QRadar instance, go to Admin, then click Extensions Management.
Step 4: Add a New Extension
In the Extensions Management screen, click Add.
Step 5: Upload and Install the Canary DSM
Click Browse, pick the Canary DSM ZIP file downloaded in Step 2, select Install Immediately, then press Add.
Step 6: Replace Older Versions (if applicable)
If an older version of the Canary DSM is already installed, make sure you select Replace existing items, then click Install.
Step 7: Confirm the Installation
On the Install summary page, click OK.
Step 8: Verify DSM Import and Configuration
Give QRadar a few minutes to reload its system components (allow around 10 minutes, depending on your deployment), then verify that the DSM was imported successfully.
In your QRadar UI, go to Admin > Data Sources > Events > DSM Editor.
A new log source type named Canary should now be available. Select it, then click Select.
Go to Configuration and make sure Enable Log Source Autodetection is enabled. With autodetection on, QRadar automatically adds a log source for your Canary Console once it has received enough events from it, which saves you from creating the log source by hand. Click Save when you are done.
Step 9: Send Test Alerts to QRadar via Syslog
To test the setup, and to kick QRadar into auto-creating the log source, you can use the Canary Console to send some "test" alerts over Syslog.
To do that, log in to your Canary Console, go to the Gear icon > Global Settings.
Under Syslog, type a number in Send N Test Messages, then press Test. This sends that many Syslog test messages, which you should see arriving at QRadar. Anything larger than 30 should be enough to trigger creation of the log source; if it is not, see the Manually Adding the Log Source section at the end of this article.
Step 10: Verify Log Source Creation and Log Activity
Verify that the log source has been created: In your QRadar Console, go to Admin > Data Sources > Events > Log Sources.
A new log source named "CanaryCustom @ YOUR-ORG" should have been created.
When you head to Log Activity, events should be showing up attributed to that Canary log source.
Logs are now properly formatted, parsed and available for further processing.
Manually Adding the Log Source:
If you would rather not rely on QRadar's autodetection to create the log source, or you want the setup ready for real alerts without first cluttering it with test data, create the log source manually. To do so, go to Admin > Data Sources > Events > Log Sources, then click Add.
Then configure it as follows:
- Log Source Type: Canary (the type installed by the DSM)
- Log Source Identifier: your organisation name with the dot replaced by a dash (e.g. inyoni-corp.com becomes inyoni-corp-com)
Press Save and you should be good to go.
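The two things this article asks you to verify by eye, that Syslog messages are actually arriving (Steps 1 and 9) and that they carry the identifier the log source will be keyed on (the "dot becomes dash" rule above), can also be checked with a small script. The following is an added example written for this page; it is not part of Thinkst's or IBM's tooling. It binds a UDP syslog listener, parses the RFC 3164 header of each message it receives, tallies messages per hostname, and flags whether a host has crossed the "more than 30 messages" autodetection threshold mentioned in Step 9. It assumes the Console places the derived identifier (e.g. inyoni-corp-com) in the syslog hostname field; the message bodies it sends to itself are constructed for the example and are not the real Canary alert format. QRadar's own collector already owns 514/udp, so run this on a scratch host or a spare port (temporarily pointing the Console's Syslog target at it), and use tcpdump on the collector itself.

```python
import re
import socket
from collections import Counter

# Article: "anything larger than 30 should be enough to create the log source"
AUTODETECT_THRESHOLD = 30

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def log_source_identifier(org_domain: str) -> str:
    """QRadar Log Source Identifier for a Console: the org name with '.' -> '-'."""
    return org_domain.strip().lower().replace(".", "-")


def parse_syslog(line: str) -> dict:
    """Split one RFC 3164 message into PRI fields, hostname and payload.
    Returns {"host": None, "raw": line} when the header is not RFC 3164-shaped."""
    m = _RFC3164.match(line)
    if not m:
        return {"host": None, "raw": line}
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "payload": m.group("rest").rstrip("\n"),
    }


def collect(sock: socket.socket, idle_timeout: float = 1.0):
    """Drain a bound UDP socket until it has been idle for idle_timeout seconds.
    Returns (messages per hostname, number of messages that did not parse)."""
    counts, unparsed = Counter(), 0
    sock.settimeout(idle_timeout)
    while True:
        try:
            data, _addr = sock.recvfrom(65535)
        except socket.timeout:
            break
        rec = parse_syslog(data.decode("utf-8", "replace"))
        if rec["host"] is None:
            unparsed += 1
        else:
            counts[rec["host"]] += 1
    return counts, unparsed


def report(counts: Counter, unparsed: int) -> dict:
    """Per-host tally plus whether each host crossed the autodetection threshold."""
    return {
        "hosts": {h: {"count": n, "autodetect_ready": n > AUTODETECT_THRESHOLD}
                  for h, n in counts.items()},
        "unparsed": unparsed,
    }


def send_constructed_test_messages(target: tuple, host: str, n: int) -> None:
    """Stand-in for the Console's 'Send N Test Messages' button. The body is
    constructed for this example and is NOT the real Canary syslog format."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for i in range(n):
            line = f"<134>Jan  1 12:00:00 {host} canary: constructed test message {i + 1}"
            s.sendto(line.encode(), target)


def loopback_check(org_domain: str, n: int) -> dict:
    """Self-contained run: bind an ephemeral UDP port on loopback, send n constructed
    messages tagged with the expected identifier, and tally what arrived."""
    ident = log_source_identifier(org_domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        send_constructed_test_messages(rx.getsockname(), ident, n)
        counts, unparsed = collect(rx, idle_timeout=0.5)
    out = report(counts, unparsed)
    out["expected_identifier"] = ident
    return out


if __name__ == "__main__":
    import json
    # 31 messages: one more than the threshold the article suggests.
    print(json.dumps(loopback_check("inyoni-corp.com", 31), indent=2))
```

For a real check, bind `collect()` to a socket on the port your Console is sending to instead of using `loopback_check()`, press Test on the Console, and compare the hostname in the report with the identifier you computed: if they differ, or messages land under "unparsed", the auto-created log source will not be named the way Step 10 expects.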
We're still in beta with the QRadar integration, so make sure you have a working backup of your QRadar configuration before following the steps in this article, and reach out to support if you see anything out of place.