Side-by-Side SIEMs, Part 2:  Forwarding QRadar to Splunk
Some definitions

The first thing we need to sort out are some terms used in the QRadar world that can confuse anyone coming from other products:

  • Raw data - the data exactly as written by the source of the log or flow.
  • Event - raw data after it has been processed and normalized.
  • Payload - a part of an event; most of the time it contains the raw data.
  • Rule - a configuration containing the conditions under which events turn into an Offense.
  • Offense - the product of the rules.

The second subject is log sources: internal and external. External log sources are pretty self-descriptive. In addition, QRadar has several internal log sources (these are also supported by DSMs, Device Support Modules, and are obviously non-configurable):

  • Anomaly Detection Engine
  • Asset Profiler
  • Custom Rule Engine-8
  • Health Metrics-2
  • Search Results-2
  • SIM Audit-2 - (events of activity that took place in QRadar by users)
  • SIM Generic Log DSM-7 - (General bucket for unparsed 'Unknown' events)
  • System Notification-2

source: https://www.redbooks.ibm.com/redbooks/pdfs/sg248412.pdf

Configure QRadar to forward events and triggered rules (= Offenses) to Splunk

In this example we will forward QRadar events from a selected log source, plus a simple offense that is triggered every time a 4624 event (a successful login) is detected.

For the sake of demonstration let's call this rule "Test rule to splunk". Here are the screen captures of the configuration:
We can go to QRadar "Log Activity" and verify that both the events and the triggered rule are recorded. Note the log sources: WindowsAuthServer is the external log source, in our case the Windows machine sending the security event logs. Custom Rule Engine is the internal log source, the QRadar rules and correlation processor. Next we will forward both log sources to Splunk.
Now let's configure the destination for the forwarded QRadar logs (Splunkers: this is your outputs.conf). We need to go to the Admin menu and enter the "Forwarding Destinations" window:
Follow the configuration in this screen: the format should be JSON so Splunk has an easy time parsing the fields. Put in the desired destination port (the receiving port on the Splunk side) and choose TCP.
Now we need to create a rule that does not create an event or an offense but only takes an action: forwarding the relevant events created by our Windows machine and by the Custom Rule Engine (CRE) to the configured destination, which is Splunk.
This is it on the QRadar side. Let's move to Splunk now.

Configure Splunk to receive QRadar Events and Offenses in JSON format

First off we need to configure port 2500 TCP (in this example) as the receiving port on Splunk. Go to Settings -> Data inputs and add a new TCP listener. In this example I will change only what is necessary, which is the Source type, set to _json.
Next we need to go to the local directory of the destination app you chose (which is Search in this example) and create the following stanza in props.conf:

[_json]
SEDCMD-removeprefix = s/<\d+>-[^{]+//g
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = \"}

The SEDCMD removes the header that QRadar prepends to the forwarded JSON structure, leaving only the data between the curly braces, which is what Splunk expects. MUST_BREAK_AFTER is intended to ensure that events sent in one stream from QRadar are not glued together. One caveat: Splunk only consults MUST_BREAK_AFTER when SHOULD_LINEMERGE is true, so with line merging disabled as above it is LINE_BREAKER (newlines by default) that decides where events split. After the first events arrive, check that no indexed event contains more than one JSON document before relying on the field extractions.
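To make the stanza's job concrete, here is an added Python script (not from the original post, and not QRadar's or Splunk's code) that emulates what the stanza does on the Splunk side: strip the header with the same regex as the SEDCMD, separate the JSON documents, and then pull out the 4624 logins and the triggered rule the way a search with spath would downstream. Instead of a break-after regex, it lets the JSON decoder find document boundaries, so documents glued together on one line are separated correctly even when a nested object itself ends in "}. The sample stream, the header layout and the field names (EventID, username, logSourceName, ruleName) are constructed assumptions chosen to match the stanza's regex, not a capture of QRadar's real forwarded format. demo_roundtrip stands in for the Splunk TCP input on port 2500 by listening on a loopback port, so send_to_tcp_input can be exercised before QRadar is wired up; pointed at a real Splunk host and port 2500 it sends the same stream to the listener configured above.

```python
import json
import re
import socket
import threading
from typing import Iterator

# Same pattern as the SEDCMD-removeprefix line in the props.conf stanza:
# everything from the syslog priority "<n>-" up to the first '{' is header.
HEADER_RE = re.compile(r"<\d+>-[^{]+")

_decoder = json.JSONDecoder()

# Constructed sample of a forwarded stream (assumed layout chosen to match the
# regex above, not QRadar's real format). Line 2 carries two documents glued
# together with no separator, the case MUST_BREAK_AFTER is meant to handle.
SAMPLE_STREAM = (
    '<13>- Apr 16 10:00:01 qradar.example.test {"eventName":"Success Audit: An account was successfully logged on",'
    '"logSourceName":"WindowsAuthServer","EventID":4624,"username":"alice"}\n'
    '<13>- Apr 16 10:00:02 qradar.example.test {"eventName":"Test rule to splunk",'
    '"logSourceName":"Custom Rule Engine-8","ruleName":"Test rule to splunk"}'
    '<13>- Apr 16 10:00:02 qradar.example.test {"eventName":"Success Audit: An account was successfully logged on",'
    '"logSourceName":"WindowsAuthServer","EventID":4624,"username":"bob","extra":{"domain":"CORP"}}\n'
)


def strip_qradar_header(line: str) -> str:
    """Drop every header occurrence on the line, like the SEDCMD's /g flag."""
    return HEADER_RE.sub("", line)


def iter_json_documents(text: str) -> Iterator[dict]:
    """Yield each top-level JSON object in text, however they are packed.

    raw_decode returns the object and the index where it ended, so the next
    document is found by scanning for the next '{' from there. A truncated
    trailing document stops the scan rather than producing a guessed event.
    """
    pos = 0
    while True:
        pos = text.find("{", pos)
        if pos == -1:
            return
        try:
            obj, end = _decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            return
        yield obj
        pos = end


def parse_forwarded_stream(stream: str) -> list[dict]:
    """Emulate ingest: newline breaking, header removal, then JSON extraction."""
    events: list[dict] = []
    for line in stream.splitlines():
        events.extend(iter_json_documents(strip_qradar_header(line)))
    return events


def successful_logins(events: list[dict]) -> list[str]:
    """Usernames of Windows 4624 events, the condition the test rule fires on
    (assumed field names: EventID, username)."""
    return [e.get("username", "?") for e in events if e.get("EventID") == 4624]


def triggered_rules(events: list[dict]) -> list[str]:
    """Rule names carried by Custom Rule Engine events, i.e. the offenses
    (assumed field names: logSourceName, ruleName)."""
    return [e["ruleName"] for e in events
            if str(e.get("logSourceName", "")).startswith("Custom Rule Engine")]


def send_to_tcp_input(host: str, port: int, stream: str) -> None:
    """Push a stream to a TCP data input, e.g. the Splunk listener on 2500."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(stream.encode("utf-8"))


def demo_roundtrip(stream: str = SAMPLE_STREAM) -> list[dict]:
    """Local stand-in for Splunk's TCP input: receive one stream and parse it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port instead of 2500
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def receiver() -> None:
        conn, _ = server.accept()
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    worker = threading.Thread(target=receiver)
    worker.start()
    send_to_tcp_input("127.0.0.1", port, stream)
    worker.join(timeout=5)
    server.close()
    return parse_forwarded_stream(received.decode("utf-8"))


if __name__ == "__main__":
    parsed = demo_roundtrip()
    print(f"{len(parsed)} events, logins={successful_logins(parsed)}, "
          f"offenses={triggered_rules(parsed)}")
```

Running the script prints three events from the two-line sample, two successful logins (alice and bob) and one triggered rule, which is the same split between the WindowsAuthServer and Custom Rule Engine log sources that "Log Activity" showed earlier.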

Now restart Splunk to apply the changes in props.conf and you should see QRadar's data coming in!
Using the spath command, all the JSON fields can be parsed and used in SPL and in the relevant knowledge objects in Splunk.
That's all folks. Hope this was/will be helpful for anyone interested in use cases that involve using these two great products side by side.

PS - for some reason I had Ebony and Ivory playing in my head while writing this. Hope it didn't influence the accuracy of this post by much.

PPS - Maybe I was thinking about, wink-wink, Gartner MQ for SIEM. Oh well...
