Almost everything is perfect in the land of QRadar logs

But sometimes you will encounter a sensor that does not send its full data in its logs.

Take the Imperva SecureSphere WAF as an example:


IBM Knowledge Center:
http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.dsm.doc/t_DSM_guide_Securesphere


It explains how to configure the Imperva to send syslog to the QRadar machine by simply configuring an action set that uses the following format, which QRadar understands out of the box:

LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${Alert.createTime}|Alert type=${Alert.alertType}|src=${Alert.sourceIp}|usrName=${Alert.username}|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=${Alert.description}|Severity=${Alert.severity}|Simulation Mode=${Alert.simulationMode}|Immediate Action=${Alert.immediateAction}

The problem:

This format does not carry the full information:

  • no ports (destination or source);
  • custom rules are not shown;
  • updated rules are not shown, and more.

I would like to get as much raw data as possible, in case I only have access to QRadar during IR.
Instead of using the basic QRadar format, I have used the RSA/ArcSight format, which provides more data:


%IMPERVA-Imperva,alert#=$!{Alert.dn},event#=$!{Event.dn},createTime=$!{Alert.createTime},updateTime=$!{Alert.lastUpdateTime},alertSev=$!{Alert.severity},group=$!{Alert.serverGroupName},ruleName="$!{Alert.alertMetadata.alertName}",evntDesc="$!{Alert.description}",category=$!{Alert.alertType},disposition=$!{Alert.immediateAction},eventType=$!{Event.eventType},proto=$!{Event.sourceInfo.ipProtocol},srcPort=$!{Event.sourceInfo.sourcePort},srcIP=$!{Event.sourceInfo.sourceIp},dstPort=$!{Event.destInfo.serverPort},dstIP=$!{Event.destInfo.serverIp},policyName="$!{Rule.parent.displayName}",occurrences=$!{Alert.aggregationInfo.occurrences},httpHost=$!{Event.struct.httpRequest.url.host},webMethod=$!{Event.struct.httpRequest.url.method},url="$!{Event.struct.httpRequest.url.path}",webQuery="$!{Event.struct.httpRequest.url.queryString}",soapAction=$!{Event.struct.httpRequest.soapAction.soapAction},resultCode=$!{Event.struct.httpResponse.responseCode},sessionID=$!{Event.struct.webCorrelationInfo.sessionId},username=$!{Alert.username},addUsername=$!{Event.struct.user.additionalUser},responseTime=$!{Event.struct.responseTime},responseSize=$!{Event.struct.responseSize},direction=$!{Event.struct.networkDirection},dbUsername=$!{Event.struct.rawUser.rawUser},queryGroup=$!{Event.struct.queryGroup.queryGroup},application="$!{Event.struct.application.application}",srcHost=$!{Event.struct.host.host},osUsername=$!{Event.struct.osUser.osUser},schemaName=$!{Event.struct.databases.schemaName},dbName=$!{Event.struct.databases.databaseName},hdrName=$!{Event.struct.httpRequest.headers.name},action="$!{Event.struct.query.parsedQuery}"

Once the new format is received you can see that all the raw data is present, but (there is always a but) while the out-of-the-box rules show up just fine, the rules you write yourself do not appear in ruleName but in evntDesc, meaning the event would display the generic custom-rule name instead of the actual rule name.

The solution:

We solve this with an XML DSM (a QRadar log source extension):

Since the event name can sit in different fields, the XML lets us check for more than one match, in order, and tell the parser which capture group we are interested in, so the event name is taken from the right part of the raw event.

   <pattern id="EventName1">ruleName\=\'(Custom\sViolation)\'\,evntDesc\=\'(.+?)\'\,</pattern>
   <pattern id="EventName2">(Multiple\sSQL\sInjection)</pattern>
   <pattern id="EventName3">ruleName\=\'(.+?)\'\,</pattern>
   <pattern id="EventCategory">category\=(.*?)\,</pattern>
   <pattern id="SourceIp">srcIP\=(.*?)\,</pattern>
   <pattern id="SourcePort">srcPort\=(.*?)\,</pattern>
   <pattern id="DestinationIp">dstIP\=(.*?)\,</pattern>
   <pattern id="DestinationPort">dstPort\=(.*?)\,</pattern>

   <matcher order="1" enable-substitutions="false" capture-group="2" pattern-id="EventName1" field="EventName"/>
   <matcher order="2" enable-substitutions="false" capture-group="1" pattern-id="EventName2" field="EventName"/>
   <matcher order="3" enable-substitutions="false" capture-group="1" pattern-id="EventName3" field="EventName"/>
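To check that the matcher order behaves as intended before loading the extension into QRadar, here is an added Python harness (not part of the original post or of QRadar itself) that emulates the first-match-wins behaviour of the matchers above on constructed sample events. The matchers for the fields other than EventName are assumed, since only the EventName matchers are listed above, and the sample events are single-quoted as the patterns expect.

```python
import re

# Patterns copied from the extension above; the non-EventName matchers are assumed.
PATTERNS = {
    "EventName1": r"ruleName\=\'(Custom\sViolation)\'\,evntDesc\=\'(.+?)\'\,",
    "EventName2": r"(Multiple\sSQL\sInjection)",
    "EventName3": r"ruleName\=\'(.+?)\'\,",
    "EventCategory": r"category\=(.*?)\,",
    "SourceIp": r"srcIP\=(.*?)\,",
    "SourcePort": r"srcPort\=(.*?)\,",
    "DestinationIp": r"dstIP\=(.*?)\,",
    "DestinationPort": r"dstPort\=(.*?)\,",
}

# (pattern-id, capture-group, field) in matcher order: first hit on a field wins.
MATCHERS = [
    ("EventName1", 2, "EventName"),
    ("EventName2", 1, "EventName"),
    ("EventName3", 1, "EventName"),
    ("EventCategory", 1, "EventCategory"),
    ("SourceIp", 1, "SourceIp"),
    ("SourcePort", 1, "SourcePort"),
    ("DestinationIp", 1, "DestinationIp"),
    ("DestinationPort", 1, "DestinationPort"),
]

# Constructed samples: a custom rule, an aggregated SQL injection alert, an OOTB signature.
SAMPLE_LINES = [
    "%IMPERVA-Imperva,alert#=1001,ruleName='Custom Violation',"
    "evntDesc='Admin path from guest VLAN',category=Custom,proto=TCP,"
    "srcPort=51234,srcIP=10.0.0.5,dstPort=443,dstIP=10.0.1.20,policyName='P1'",
    "%IMPERVA-Imperva,alert#=1002,ruleName='Multiple SQL Injection',"
    "evntDesc='Multiple SQL Injection',category=Protocol,proto=TCP,"
    "srcPort=40001,srcIP=198.51.100.7,dstPort=80,dstIP=10.0.1.21,policyName='P1'",
    "%IMPERVA-Imperva,alert#=1003,ruleName='Cross Site Scripting',"
    "evntDesc='XSS in query string',category=Signature,proto=TCP,"
    "srcPort=40002,srcIP=203.0.113.9,dstPort=443,dstIP=10.0.1.20,policyName='P1'",
]

def parse_event(line):
    """Emulate the ordered matchers and return the extracted fields."""
    fields = {}
    for pattern_id, group, field in MATCHERS:
        if field in fields:
            continue  # an earlier matcher already filled this field
        m = re.search(PATTERNS[pattern_id], line)
        if m:
            fields[field] = m.group(group)
    return fields
```

Running parse_event over the three samples shows the custom rule's name taken from evntDesc, the aggregated alert named by EventName2, and the signature name taken from ruleName, with ports and IPs extracted alongside.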

The XML, ready for QRadar, can be downloaded here.

Good luck.

If you have any problems, you are welcome to mail me at gregorin[@]qmasters.co