QRadar Plugin for Log Shipper
QRadar Plugin for Log Shipper
This document explains how to configure your QRadar integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the QRadar platform.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- A QRadar instance.
Note
Verify your QRadar instance permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.
QRadar Plugin Support
Event Support | Yes |
Alert Support | Yes |
WebTx Support | Yes |
Logs Support | Yes |
All Netskope events, alert logs, and web transaction logs will be shared.
Note
- Incident event type is supported from Core version 4.1.0.
- CTEP alert type will be supported from Core version 4.2.0
Compatibility
CE version: v4.1.0 and v4.2.0.
API Details
The plugin uses a logging third-party library to push the data to the Syslog collector.
Refer to the official documentation for more information on the logging library.
https://docs.python.org/3/library/logging.html
Performance Matrix
Logs Ingested | Time Taken |
9940000 | 2 hours |
Stack Size | Large RAM: 32GB Core: 16 |
Alerts/Events | ~ 6 MBps |
WebTx | ~ 6 MBps |
Workflow
- Configure your QRadar Server, Port, and TLS Certificate information.
- Configure the QRadar Plugin.
- Configure Log Shipper Business Rules for QRadar.
- Configure Log Shipper SIEM Mappings for QRadar.
- Configure the WebTx Mappings (optional).
- Validate the QRadar plugin.
Click play to watch a video.
To create a log source in QRadar (through a Log Source Management app) for ingesting data with TCP/UDP/TLS protocol from Netskope, perform following steps:
- Download and install the Netskope Security Cloud DSM from here
- Go to the Log Source Management App via the Admin Panel.
- When a separate window opens, click + New Log Source.
- Select Netskope for the Log Source type.
- For receiving data sent through TCP/UDP protocol from Log Shipper, select protocol type as Syslog; for receiving data sent through TLS select protocol type as TLS Syslog.
Note
The Default port for TCP/UDP (Syslog) in QRadar is 514, and for TLS Syslog is 6514.
For more information, refer:- https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-port-usage
- In the section under Configure Log Source parameters, enter the name of the log source, keep the log source enabled, and the Coalescing events checkbox disabled.
- In the section under Configure the protocol parameters, enter a Log Source Identifier, like
netskopece
.- Once you have successfully deployed a log source after that take the TLS certificate by running the command (
cat /opt/qradar/conf/trusted_certificates/syslog-tls.cert
) from the QRadar VM where the log source is deployed. This TLS certificate is required while configuring QRadar Plugin with TLS Protocol. - For the field Max Payload Length, we have observed that events are getting truncated even if we set the value to maximum, like
32768
, in this field. To avoid truncation of payload, we recommend changing payload length by following the steps given here.
- Once you have successfully deployed a log source after that take the TLS certificate by running the command (
- Click Skip Test and then Finish. Next, deploy a log source.
Deploy Log Source
Click on Deploy as shown below.
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the QRadar box to open the plugin creation pages.
- Enter a Configuration Name.
- Select a valid Mapping. (Default Mapping for all plugins are available.
Transform the raw logs: If enabled, Raw logs will be transformed using selected mapping file, else raw logs will be sent to SIEM. The ingestion may be affected if the SIEM does not accept raw logs format.
- Click Next.
- Enter a QRadar Server, select a QRadar Format and QRadar Protocol, and then enter your QRadar Port and QRadar Certificate information.
- Enter the information for yourQRadar Server, select the QRadar Format and QRadar Protocol, and then enter QRadar Port and QRadar Certificate.
- Enter a Log Source Identifier. The Default value would be
netskopece
. The Log Source Identifier should not contain the whitespaces. This will be added as a prefix to all logs. - Click Save.
- Go to Log Shipper > Business Rules.
- Click Create New Rule.
- Enter a Rule Name and select the filters to use.
- Click Save.
- Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
- Select a Source Configuration, Business Rule, and Destination Configuration.
- Click Save.
Configure the WebTx Mapping
Use this configuration only when it is necessary to send specific WebTx fields in JSON format to the destination platform.
- Go to Settings > Log Shipper > Mapping.
- Clone the QRadar Default Mappings file.
- Enter the name of mapping file.
- Select the Editor view radio button.
- Scroll down to the “webtx” and enter the specific webtx fields inside the square brackets in double quotes (For example-”sc-status”). In case of multiple fields, use the comma-separated format.
Note
Refer the Format 3 fields from here to add fields in the webtx.
- Go back to the configured plugin and edit the Mapping file.
- Disable the toggle button as we want to send data in JSON format.
- Configure the SIEM mapping.
- Click Save.
To validate the plugin workflow, you can check from Netskope Cloud Exchange and from your QRadar instance.
Validate in Netskope Cloud Exchange
Go to Logging.
Validate in QRadar
- Go to your QRadar instance.
- Click Log Activity.
- Apply filters to see specific logs.
- You can see all logs there.