The Log Activity tab in the IBM QRadar console displays, in real time, the events that the Data Connector forwards to the QRadar console.

Click a specific event to open its detailed view, which shows the parsed fields of that event as in the figure below.

Note

If events from the Data Connector appear as Unknown in the QRadar SIEM console, QRadar has received the event but has no QRadar Identifier (QID) mapped to it. Perform the following steps:

  • Inspect the payload of the Unknown event to identify the category name (event identifier) carried in the event.
  • Create an event categorization for that category name; this generates a QID.
  • Map the Unknown event to the generated QID. All future events that match these criteria are then mapped to that QID.
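The first step above, identifying the category name inside an Unknown event, is easier with a small parser for the LEEF format that the Data Connector sends (see the Universal LEEF log source type below). The following Python is an added example, not code from Infoblox or IBM: it splits a syslog line carrying a LEEF 1.0 or 2.0 payload into its header fields (vendor, product, EventID) and its attribute pairs, and returns the values a practitioner would enter when mapping the event to a QID. The sample event, the vendor/product strings and the `cat` attribute are constructed for illustration; which header field QRadar shows as the identifier of an Unknown event is assumed to be the LEEF EventID.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: one TLS-syslog line as the Data Connector might emit it.
# The syslog header, the vendor/product strings and the attribute names are
# illustrative, not taken from a real Data Connector capture.
SAMPLE_EVENT = (
    "<14>Mar 05 10:15:22 dc-host LEEF:2.0|Infoblox|Data Connector|1.0|"
    "DNS_QUERY|^|cat=dns-query^src=10.0.0.25^dst=10.0.0.53^"
    "dnsQueryName=example.com^dnsQueryType=A"
)

# LEEF 2.0 lets the delimiter be given as a hex code such as "x09" (tab).
HEX_DELIM = re.compile(r"^(?:0?x)([0-9A-Fa-f]{2})$")


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent:
    """Parse a syslog line that carries a LEEF 1.0 or LEEF 2.0 payload."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header in syslog payload")
    payload = line[idx + len("LEEF:"):]
    # Header: Version|Vendor|Product|ProductVersion|EventID|<attributes>
    parts = payload.split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version, vendor, product, pver, event_id, rest = parts

    delim = "\t"  # LEEF 1.0 always uses a tab between attributes
    if version.startswith("2"):
        # LEEF 2.0 may carry an optional delimiter field before the attributes,
        # e.g. "^|key=value^key2=value2" or "x09|key=value<TAB>key2=value2".
        cand, sep, after = rest.partition("|")
        hex_match = HEX_DELIM.match(cand)
        if sep and (hex_match or len(cand) == 1):
            delim = chr(int(hex_match.group(1), 16)) if hex_match else cand
            rest = after

    attrs: Dict[str, str] = {}
    for kv in rest.split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return LeefEvent(version, vendor, product, pver, event_id, attrs)


def qid_mapping_fields(line: str) -> Dict[str, Optional[str]]:
    """Return the values needed when mapping an Unknown event to a QID:
    the device (vendor/product), the LEEF EventID and, if the event carries
    one, a category attribute (assumed here to be named "cat")."""
    ev = parse_leef(line)
    return {
        "device": f"{ev.vendor} {ev.product}",
        "event_id": ev.event_id,
        "category": ev.attributes.get("cat"),
    }


if __name__ == "__main__":
    print(qid_mapping_fields(SAMPLE_EVENT))
```

Run the script against a line copied from the Payload view of the Unknown event; the returned `event_id` and `category` are the strings to use when creating the event categorization and the QID map entry.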


Configuring the IBM QRadar Console to receive data

You must configure a log source on the IBM QRadar console so that it accepts the DNS queries and responses forwarded by the Data Connector.

  1. Log in to the IBM QRadar console.
  2. Click the Admin tab, click Data Sources -> Events, and click Log Sources.
  3. Click Add to define a new log source. In the Log Sources screen, specify the necessary details.

    Ensure that you specify the following:

    • Log Source Name: Enter a name for the log source.
    • Log Source Description: Optionally, enter additional details about the log source.
    • Log Source Type: Select Universal LEEF from the drop-down list. Infoblox sends events to IBM QRadar in the LEEF (Log Event Extended Format) syslog format.
    • Protocol Configuration: Select TLS Syslog from the drop-down list so that syslog is received over TLS.
    • Log Source Identifier: Enter the same IP address that you specified for the destination when configuring the Data Connector.
    • TLS Listen Port: Enter the same port number that you specified for the destination when configuring the Data Connector.
    • Authentication Mode: Select TLS from the drop-down list.
    • Certificate Type: Select Generate Certificate from the drop-down list. QRadar then generates the certificate that the listener presents during the TLS handshake; if the Data Connector is configured to validate the server certificate, it must trust this certificate.
    • Select Enabled so that the log source is active once it is saved.
  4. Optionally, add the log source to one or more log source groups.
  5. Click Save.
  6. Click Deploy Changes so that the new log source takes effect.

For more information, refer to the IBM QRadar documentation.
