About
IBM Security Access Manager for Enterprise Single Sign-On events are read from the IMSLOGUserService, IMSLOGUserAdminActivity, and IMSLOGUserActivity database tables and forwarded to QRadar as syslog over UDP port 514. Syslog over UDP is neither authenticated nor acknowledged, so the events are only as trustworthy as the network path between the IMS server and the QRadar event collector, and dropped datagrams are not retransmitted. All events that IBM Security Access Manager for Enterprise Single Sign-On forwards to QRadar use ### as the syslog field separator. The security content pack contains seven custom event properties for important fields that administrators can use in reports or searches; these fields were not available in the original DSM release.
Custom event properties added by the IBM Security Access Manager for ESSO extension
| Description | Regex for the custom event property | Enabled after installation |
| --- | --- | --- |
| Action Result | ###Description.+?;.*?;.*?;.*?;.*?;([-0-9]*).*?### | Yes |
| Client Application | ###Description.+?;.*?;.*?;.*?;(.*?);.*?### | Yes |
| Client Hostname | ###Description.*?\) ([^ ]*) ; | Yes |
| Credential ID | ###Description.+?;.*?;.*?;(.*?);.*?;.*?### | Yes |
| Credential Pool | ###Description.+?;.*?;(.*?);.*?;.*?;.*?### | Yes |
| Recording ID | ###Description.+?;.*?;.*?;.*?;.*?;.*?;([0-9a-zA-Z]*)### | Yes |
| Resource Name | ###Description.+?;(.*?);.*?;.*?;.*?;.*?### | Yes |
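The following is an added example, not code from the original page or from IBM: it applies the seven regexes from the table above to a raw syslog payload the way a QRadar custom event property does (capture group 1 of the first match) so that an administrator can check what each property will extract before enabling it. The sample events are constructed for this example; the order of the ;-separated sub-fields inside the ###Description...### field is inferred from the regexes and is not the documented IMS log layout. QRadar evaluates these patterns with Java regular expressions, and the constructs used here (lazy quantifiers, negated and literal character classes, an escaped parenthesis) behave the same in Python's re module. The example also shows two edge cases worth knowing: a `*` quantifier (Action Result, Recording ID) matches zero characters when the sub-field holds something outside the class, producing an empty value rather than a non-match, and a shorter event with too few sub-fields gives no match at all.

```python
import re

# The seven custom event property regexes, copied from the table above.
CUSTOM_EVENT_PROPERTIES = {
    "Action Result":      r"###Description.+?;.*?;.*?;.*?;.*?;([-0-9]*).*?###",
    "Client Application": r"###Description.+?;.*?;.*?;.*?;(.*?);.*?###",
    "Client Hostname":    r"###Description.*?\) ([^ ]*) ;",
    "Credential ID":      r"###Description.+?;.*?;.*?;(.*?);.*?;.*?###",
    "Credential Pool":    r"###Description.+?;.*?;(.*?);.*?;.*?;.*?###",
    "Recording ID":       r"###Description.+?;.*?;.*?;.*?;.*?;.*?;([0-9a-zA-Z]*)###",
    "Resource Name":      r"###Description.+?;(.*?);.*?;.*?;.*?;.*?###",
}


def extract_properties(event: str) -> dict:
    """Mimic a QRadar custom event property: for each regex, return capture
    group 1 of the first match, or None when the regex does not match."""
    result = {}
    for name, pattern in CUSTOM_EVENT_PROPERTIES.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


def unpopulated(props: dict) -> list:
    """Names whose value is absent (no match) or an empty string (a `*`
    quantifier matched nothing). Both show up as a blank column in QRadar."""
    return [name for name, value in props.items() if not value]


# Constructed sample events (not real IMS output). Sub-field order implied by
# the regexes: "<free text>) <client host> ;<resource>;<credential pool>;
# <credential id>;<client application>;<action result>;<recording id>###".
SAMPLE_OK = (
    "<134>May 27 10:15:02 ims01 IMSLOG: "
    "###Description=Application logon (AccessAgent) wks0042.corp.example ;"
    "SAP GUI;Pool-Finance;cred-00123;saplogon.exe;0;a1b2c3d4e5f6###"
)

# Action Result carries text instead of a number: [-0-9]* matches zero
# characters, so the property is "" rather than a non-match.
SAMPLE_NON_NUMERIC = (
    "<134>May 27 10:16:40 ims01 IMSLOG: "
    "###Description=Application logon (AccessAgent) wks0042.corp.example ;"
    "SAP GUI;Pool-Finance;cred-00123;saplogon.exe;FAILED;a1b2c3d4e5f6###"
)

# Only five ';' separators: the Recording ID regex needs six and does not
# match, while Action Result still resolves to "-1".
SAMPLE_SHORT = (
    "<134>May 27 10:17:05 ims01 IMSLOG: "
    "###Description=Application logon (AccessAgent) wks0042.corp.example ;"
    "SAP GUI;Pool-Finance;cred-00123;saplogon.exe;-1###"
)


if __name__ == "__main__":
    for label, event in (("ok", SAMPLE_OK),
                         ("non-numeric", SAMPLE_NON_NUMERIC),
                         ("short", SAMPLE_SHORT)):
        props = extract_properties(event)
        print(f"[{label}]")
        for name, value in props.items():
            print(f"  {name:<19} {value!r}")
        print(f"  unpopulated: {unpopulated(props)}")
```

Running the block prints the extracted value of each property for the three constructed events. When validating the content pack against real IMS output, feed captured payloads from the QRadar event viewer into extract_properties and look at unpopulated(): an empty string points at a field whose content does not fit the property's character class, whereas None points at a message whose field count or layout differs from what the regex expects.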
Installing a Content Pack
Procedure
- Download the IBM Security Access Manager for ESSO Security Content Pack from the IBM Fix Central website for your QRadar version:
- For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
- For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
- Using SSH, log in to your Console as the root user.
- Copy the security content pack to the /tmp directory on the QRadar Console.
- Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.
- To install the security content pack, type one of the following commands:
- For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerESSO-7.1-1432699256.x86_64.rpm
- For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerESSO-7.2-1432699256.x86_64.rpm
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Before you continue: Restarting the web server restarts the user interface and loads the new custom event properties. This action logs out existing users, stops reports in progress, and halts event exports in progress. Restart the user interface during a maintenance window for the appliance.
- Click Advanced > Restart Web Server.
- Click OK to restart the QRadar user interface.
Results
After the user interface restarts, the installation is complete. The administrator should review the IBM Security Access Manager for ESSO custom event properties to determine whether any of them need to be enabled, disabled, or optimized in the QRadar interface.
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment that improve its functionality or add customized content. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The About section of this article outlines the contents of the extension being added to QRadar.
Procedure
- Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from http://apps.xforce.ibmcloud.com/.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
- Note: The extension (.zip file) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add.
- A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
- Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
Document Information
Modified date: 02 April 2020
UID: swg21963370