
Auto Updates 101

Integration updates and change information for QRadar weekly auto updates.

Update Metrics

Period | Device Support Modules (DSMs) | Protocols
May Integration and Release Updates | 10 | 4
April Integration and Release Updates | 16 | 7
March Integration and Release Updates | 18 | 1
February Integration and Release Updates | 21 | 5
January Integration and Release Updates | 11 | 1
Year to Date Integration and Release Updates | 76 | 18

Recent Releases

June 14

DSM

  • No RPM file updates were delivered in this QRadar weekly auto update. All changes for 14 June 2021 were completed as QID changes, which do not require an RPM file from the QRadar Integration Team. For more information, see the QIDMAP tab.

June 11

DSM

  • New! Red Hat Advanced Cluster Security for Kubernetes: Release of a new DSM to support JSON audit and alert events from Red Hat Advanced Cluster Security for Kubernetes. Administrators without auto updates enabled must have the latest version of the DSM Common RPM installed to properly parse events.
  • Microsoft Windows Defender ATP: Resolves multiple issues in the Microsoft Windows Defender ATP DSM: 1. Resolves a reported issue where Source or Destination IP addresses can parse as the IP of the appliance that received the event when the payload does not contain valid Source or Destination information. This RPM release allows the DSM to use 0.0.0.0 when the payload does not contain an identifiable Source or Destination IP address. 2. Added support for IPv6 address parsing. 3. Added Severity to Suspicious Activity events. This RPM release updates the QID map and parsing to provide severity information as either High or Low on Windows Defender ATP Suspicious Activity events.
  • Cisco Firewall Devices: Resolves an issue in the Cisco Firewall Devices DSM where the username includes the domain for some Cisco Adaptive Security Appliance (ASA) events when the option ‘Remove leading domain name from username’ is enabled in the DSM Editor. This RPM release updates username parsing and reviews the reported Cisco ASA events, such as ASA-6-302013 and ASA-6-302020, to ensure they exclude the domain from identity firewall usernames when the advanced configuration option is ON.
  • Microsoft Windows Security Event Log: Enhanced the Microsoft Windows Security Event Log DSM to include new NullPointerException handlers to prevent some events from categorizing as ‘Stored’. This update allows the DSM to handle older format issues and conditions, such as Service Control events, where the payload does not include message information.

Protocols

  • Rabbit MQ: Enhanced the Rabbit MQ protocol to update the jar to version 2.2.0 in this RPM release.

June 2

DSM

  • No RPM file updates were delivered in this QRadar weekly auto update. All changes for 2 June 2021 were completed as QID changes, which do not require an RPM file from the QRadar Integration Team. For more information, see the QIDMAP tab.

May 27

DSM

  • New! Amazon AWS Application Load Balancer Access Logs: Release of a new DSM to parse and categorize Amazon AWS Application Load Balancer Access Log events. This RPM release adds collection for access log events retrieved using the Amazon AWS S3 REST API protocol. Administrators without automatic updates enabled must install the latest versions of the following RPMs to ensure events parse properly: Amazon AWS S3 REST API protocol, DSM Common, Protocol Common and the Amazon AWS Application Load Balancer Access Logs DSM.
  • Microsoft Azure Active Directory: Resolves an issue in the Microsoft Azure Active Directory DSM to ensure that several error codes categorize with an event ID of ‘Sign-in activity-failure’. This RPM release updates the following error codes to parse as Sign-in activity-failure events: 50074 User did not pass the MFA challenge, 50053 Account is locked because user tried to sign in too many times with an incorrect user ID or password, and 500121 Authentication failed during strong authentication request.
  • DSM Common: Enhanced the DSM Common framework to support the release of the Amazon AWS Application Load Balancer Access Logs. This RPM update adds a utility to DSM Common that tokenizes a string, including quoted substrings to assist with parsing Amazon AWS Application Load Balancer Access Logs events. DSM Common is an installation dependency for the Amazon AWS Application Load Balancer Access Logs DSM.

May 19

DSM

  • New! Zscaler Private Access: Release of a new Device Support Module (DSM) to parse and categorize user status, app connector status, and audit events from Zscaler Private Access. Administrators who manually install RPM updates on the Console must first download and install the latest version of the DSM Common as it is an installation dependency. The Zscaler Private Access DSM supports automatic discovery of Syslog LEEF events.
  • Netskope Active: Resolves multiple issues in the Netskope Active DSM: 1. Resolves an issue where some audit events were categorized as ‘Unknown Netskope Active’. A QID map update is included in this release to resolve the unknown events. 2. Updated parsing to resolve an issue where audit events that include ‘data_values:false’ JSON parameters are interpreted as strings and not boolean values. When the payload of the event was interpreted as a boolean, the following exceptions are logged in /var/log/qradar.log on the appliance that received the event: ‘EventParseException: DSM NetskopeActive failed to parse Syslog event’ and ‘java.lang.Boolean incompatible with java.lang.String’.
  • Cisco Call Manager: Resolves an issue where users reported that events from Cisco Call Manager v11.5 can categorize as ‘Stored’. This RPM release adds parsing and a QID map update to properly categorize events for the following processes: Log: Partition Monitoring Tool, settroubleshoot, run-parts, and Intercluster Lookup Service daemon (ilsd).

Protocols

  • Google GSuite Activity Reports REST API: Resolves an issue where session tracking was not using the most recent timestamp, as described in APAR IJ27028. This protocol update includes a new user interface option named ‘Event Delay’, which allows administrators to set the newest event time to X seconds before the current time (the last received event time is the current time minus the event delay). The new parameter reduces the chance that an event occurred but was not yet posted to the Google G Suite Activity Reports REST API when the data is requested.
  • HTTP Receiver: Resolves multiple issues in the HTTP Receiver protocol: 1. Enhanced the protocol to include two new configuration parameters in the user interface: ‘Max Payload Length’ and ‘Max POST method Request Length’. When a single event exceeds Max Payload Length, the event is truncated, with the remainder of the payload added as a new event with a matching timestamp. When an incoming POST exceeds the value of the Max POST method Request Length field, the message body is too large and HTTP status 413 (Payload Too Large) is returned. 2. Resolves an issue where MBean registration can cause a NullPointerException when initializing the log source, which causes the log source to display ‘Error’ in the Status column unexpectedly.

June 14

QID Updates

  • CiscoIOS 1623334998336.qidmap-import.xml
  • CiscoAironet 1623335318663.qidmap-import.xml
  • MicrosoftAzure 1623335961025.qidmap-import.xml
  • WindowsAuth 1623347367603.qidmap-import.xml
  • MicrosoftOffice365 1623353489806.qidmap-import.xml
  • Juniper 1623112758981.qidmap-import.xml
  • SymantecEP 1623112907984.qidmap-import.xml
  • Snort 1623114256420.qidmap-import.xml
  • Fortigate 1623116202218.qidmap-import.xml
  • SiteProtectorXForce 1623165359365.qidmap-import.xml
  • SymantecEP 1623242579446.qidmap-import.xml
  • SiteProtectorXForce 1623242871596.qidmap-import.xml
  • Intrushield 1623243585519.qidmap-import.xml
  • Snort 1623243980020.qidmap-import.xml
  • PA 1623246197152.qidmap-import.xml
  • Juniper 1623302515270.qidmap-import.xml
  • SymantecEP 1623302690606.qidmap-import.xml
  • Snort 1623303878507.qidmap-import.xml
  • PaloAlto 1623305818174.qidmap-import.xml
  • GoogleGSuite 1623333697337.qidmap-import.xml
  • Fortigate 1623334652068.qidmap-import.xml
  • CiscoWism 1623335638531.qidmap-import.xml
  • PaloAltoPaSeries 1623336339028.qidmap-import.xml
  • GoogleCloudAudit 1623337759250.qidmap-import.xml
  • SalesforceSecurityMonitoring 1623339432767.qidmap-import.xml
  • SymantecDLP 1623340029893.qidmap-import.xml
  • TrendMicroDeepSecurity 1623340353122.qidmap-import.xml
  • IBMFiberlinkMaaS360 1623340815244.qidmap-import.xml
  • WindowsAuth 1623334314183.qidmap-import.xml
  • MicrosoftOffice365 1623355356942.qidmap-import.xml
  • SymantecEP 1623389087317.qidmap-import.xml
  • Snort 1623390305561.qidmap-import.xml
  • PaloAlto 1623392237052.qidmap-import.xml
  • MicrosoftOffice365 1623420574452.qidmap-import.xml
  • McAfeeEPO 1623353829776.qidmap-import.xml
  • RSAAuthenticationManager 1623333366933.qidmap-import.xml

June 11

QID Updates

  • CiscoIOS 1622131240259.qidmap-import.xml
  • KubernetesAuditing 1622131843567.qidmap-import.xml
  • VectraNetworksVectra 1622132159333.qidmap-import.xml
  • NetskopeActive 1622132456461.qidmap-import.xml
  • CounterActNonRule 1622142225550.qidmap-import.xml
  • MicrosoftOffice365 1622227409687.qidmap-import.xml
  • FireEyeMPS 1622227728352.qidmap-import.xml
  • BigIP 1622228041487.qidmap-import.xml
  • CiscoAMP 1622228349400.qidmap-import.xml
  • CiscoIOS 1622468910502.qidmap-import.xml
  • TippingPointCustom 1622569669149.qidmap-import.xml
  • NetscreenIDPNonRule 1622725368410.qidmap-import.xml
  • JuniperRouter 1622725832185.qidmap-import.xml
  • Juniper 1622727537679.qidmap-import.xml
  • SymantecEP 1622727693278.qidmap-import.xml
  • SiteProtectorXForce 1622727948550.qidmap-import.xml
  • Intrushield 1622728751870.qidmap-import.xml
  • Snort 1622729105680.qidmap-import.xml
  • Fortigate 1622730968131.qidmap-import.xml
  • PaloAlto 1622731277515.qidmap-import.xml
  • WindowsAuth 1622568884127.qidmap-import.xml

June 2

QID Updates

  • Snort 1621519443602.qidmap-import.xml
  • WindowsAuth 1621519757506.qidmap-import.xml
  • ProventiaVuln 1621520079534.qidmap-import.xml
  • NetscreenIDP 1621520999854.qidmap-import.xml
  • Intrushield 1621521307883.qidmap-import.xml
  • CiscoIDS 1621521606688.qidmap-import.xml
  • Fortigate 1621521924475.qidmap-import.xml
  • PaloAltoImportViaRESTAPI 1621522229358.qidmap-import.xml
  • F5ASM 1621522836836.qidmap-import.xml
  • StonesoftStoneGate 1621523133178.qidmap-import.xml
  • Juniper 1622119034800.qidmap-import.xml
  • SymantecEP 1622119211460.qidmap-import.xml
  • SiteProtectorXForce 1622119515621.qidmap-import.xml
  • Intrushield 1622120456014.qidmap-import.xml
  • Snort 1622120827329.qidmap-import.xml
  • PaloAlto 1622122823873.qidmap-import.xml

May 27

QID Updates

  • OktaIdentityManagement 1620945688732.qidmap-import.xml
  • AmazonAWSCloudTrail 1620948235891.qidmap-import.xml
  • BigIP 1620948859235.qidmap-import.xml
  • FortiGate 1621015219186.qidmap-import.xml
  • MicrosoftOffice365 1621020740548.qidmap-import.xml
  • PaloAltoPaSeries 1621220676308.qidmap-import.xml
  • PaloAltoPaSeries 1621259599797.qidmap-import.xml
  • PaloAltoPaSeries 1621260085742.qidmap-import.xml
  • MicrosoftOffice365 1621259899992.qidmap-import.xml
  • KasperskyCyberTrace 1621437970292.qidmap-import.xml
  • akamai 1621453274730.qidmap-import.xml
  • checkpoint 1621453557563.qidmap-import.xml
  • fidelis 1621453852630.qidmap-import.xml
  • microsoftHyperv 1621454132996.qidmap-import.xml
  • paloalto 1621454426332.qidmap-import.xml
  • FireEye 1621468697563.qidmap-import.xml
  • stonesoft 1621454804525.qidmap-import.xml
  • symantec 1621455141994.qidmap-import.xml
  • tippingpoint_1 1621469981988.qidmap-import.xml
  • tippingpoint_2 1621470519610.qidmap-import.xml
  • trend 1621468353247.qidmap-import.xml
  • Juniper 1621482045531.qidmap-import.xml
  • SymantecEP 1621482203980.qidmap-import.xml
  • SiteProtectorXForce 1621482455223.qidmap-import.xml
  • Intrushield 1621483229848.qidmap-import.xml
  • Snort 1621483595847.qidmap-import.xml
  • Fortigate 1621485489291.qidmap-import.xml
  • PaloAlto 1621485819752.qidmap-import.xml
  • KubernetesAuditing 1621469012188.qidmap-import.xml
  • MicrosoftOffice365 1621469347769.qidmap-import.xml
  • MicrosoftIIS 1621469663079.qidmap-import.xml

May 19

QID Updates

  • PaloAltoNetworksPASeries 1620663923322.qidmap-import.xml
  • Trend Micro Deep Discovery 1620665191883.qidmap-import.xml
  • Amazon AWS CloudTrail 1620666208449.qidmap-import.xml
  • CiscoAironet 1620667056267.qidmap-import.xml
  • Microsoftoffice365 1620739784609.qidmap-import.xml
  • AmazonAWSCloudTrail 1620741246183.qidmap-import.xml
  • Cisco AMP 1620829551472.qidmap-import.xml
  • Blue Coat Web Security Service 1620830990178.qidmap-import.xml
  • Cisco WiSM 1620836275740.qidmap-import.xml
  • CiscoAironet 1620836753032.qidmap-import.xml
  • CiscoCallManager 1620837087810.qidmap-import.xml
  • PaloAltoPaSeries 1620837709715.qidmap-import.xml
  • Juniper 1620917815253.qidmap-import.xml
  • SymantecEP 1620917975511.qidmap-import.xml
  • SiteProtectorXForce 1620918233872.qidmap-import.xml
  • Intrushield 1620919133666.qidmap-import.xml
  • Snort 1620919478346.qidmap-import.xml
  • PaloAlto 1620921602865.qidmap-import.xml
  • Fortigate 1620923021410.qidmap-import.xml

Search for Changes

Name Date Type Description
Box REST API 05/13/2021 protocol Resolves an issue in the Box REST API protocol where an ‘IllegalFormatConversionException’ error can occur when the event queue is full. This RPM release allows the protocol to query for events in the next interval if the incoming queue is full to resolve APAR IJ28431.
Amazon Web Services 05/13/2021 protocol Enhanced the Amazon Web Services protocol to include the following changes: 1. Implemented the capability to collect events directly from AWS SQS. Administrators can now select ‘SQS Queue’ from the AWS Service field and define the ‘SQS Queue URL’ to collect the events from the Log Source Management app. 2. Enhanced the ‘Assume IAM Role’ configuration in the user interface to be an optional selection for ‘Access Key’ and ‘EC2 instance IAM Role’ authentication methods.
IBM Fiberlink MaaS360 05/13/2021 dsm Resolved multiple issues in the IBM MaaS360 Security DSM: 1. Added JSON event support in IBM Fiberlink MaaS360 DSM and Renamed IBM Fiberlink MaaS360 DSM to IBM MaaS360 Security DSM. 2.Added Universal REST API Protocol as supported protocol. 3. Administrators without automatic updates enabled must install the Universal REST API Protocol as an installation dependency exists to update to the latest version of the IBM MaaS360 Security DSM.
Sun Solaris OS 05/13/2021 dsm Resolves an issue in the Solaris Operating System Authentication Messages DSM where the username did not parse correctly. This RPM release reviews different variations and locations of the username field from auth.info and audit.notice event payloads to ensure that the username parses as expected.
Cisco Meraki 05/13/2021 dsm Resolves an issue in the Cisco Meraki DSM where users reported ‘Site-to-site VPN’ events were categorizing as ‘Stored’. This RPM release adds parsing and new EventIds to ensure that ‘Site-to-site VPN’ events categorize correctly.
Akamai Kona 05/13/2021 dsm Resolves an issue in the Akamai KONA DSM where the Source IP for the event was not set correctly when the payload contains both a source IPv6 and IPv4 payloads. When this parsing issue occurred, administrators reported that offenses were generated where the Source IPv6 from the events populated correctly, but the Source IP address displayed the IPv4 address of the QRadar appliance. This RPM release allows the Source IP address field from the event payload to fallback to 0.0.0.0, instead of the hostname or an incorrect IPv4 address in the Source IP field of the user interface.
DSM Common 05/04/2021 dsm Enhanced the DSM Common to add an installation dependency on the IBM AIX Server DSM. This update allows the IBM AIX Server to reference the DSM Common framework for libraries or parsing patterns for common Linux services, such as systemd, crond, puppet-agent, ConfigRepository, kernel, sudo, and more. Administrators with automatic updates disabled must now install the DSM Common RPM to ensure that new event IDs added to the IBM AIX Server DSM parse and categorized as expected.
Tripwire Enterprise 05/04/2021 dsm Resolves a reported issue in the Tripwire Enterprise DSM where Usernames that include special characters, for example givenname-surname, did not parse as expected and only displayed the givenname for the user. This RPM release allows the DSM to parse the LogUser field from the event payload properly to display the full name, instead of the value to the left of the special character.
IBM AIX Server 05/04/2021 dsm Resolves multiple issues in the IBM AIX Server DSM: 1. Resolves an issue where a number of events parsed as ‘Unknown’ and do not auto discover as expected. This update adds 41 new event IDs, such as systemd, crond, puppet-agent, ConfigRepository, kernel, sudo, scriptd, journal, monit, iofiltervpd, multipathd, and more. 2. Added DSM Common as an installation dependency to the IBM AIX Server DSM. This change allows the IBM AIX Server DSM use common parsing libraries that are shared across base Linux operating systems. Administrators who manually install RPM updates must update DSM Common to the latest version to receive all of the parsing and categorization changes in the IBM AIX Server DSM.
New! AWS Elastic Kubernetes Service 05/04/2021 dsm Release of a new DSM to parse and categorize JSON events from Amazon AWS Kubernetes. Administrators who want to extend their container monitoring can review and download the QRadar Container Content Extension to add custom properties, rules, saved searches, and reports to enhance their user experience. Read about this integration | Recommended download: QRadar Container Content Extension
EMC VMWare 04/28/2021 dsm Resolves an issue in the EMC VMWare DSM where user role assignment events require more granular event processing and the events can categorize with a Low Level Category ‘Event Fragment’. This RPM release updates parsing to ensure that user role assignment events properly categorize as ‘Authentication.Role Assignment Success’ (Low Level Category 3133).
DSM Common 04/22/2021 dsm Release of an updated DSM Common framework to support multiple updates for the Microsoft Windows Security Event Log DSM. Administrators with Auto Updates disable must have the latest version of the DSM Common RPM installed to support several parsing changes for Windows events. These changes include detailed Snare login failed events, support for CEF version 1 formatted events, and updated parsing to support login event parsing for different logon types from the event payload. For more information, see the latest changes for the Microsoft Security Event Log DSM.
Vormetric Data Security 04/22/2021 dsm Resolves an issue in the Vormetric Data Security DSM to add parsing for an updated vendor name in the Syslog header that can cause events to categorize as Stored. This RPM release allows events parse properly when the vendor name is Thales eSecurity, Inc as reported in Vormetric Data Security version 6.4.x.
Microsoft Azure Platform 04/22/2021 dsm Enhanced the Microsoft Azure Platform DSM to move parsing for NonInteractiveUserSignInLogs events and member role PIM assignment success or failures to the Microsoft Azure Active Directory DSM. This change allows the Azure Platform DSM to record general events, such as Add role assignment, where payloads for Microsoft Azure Active Directory events contain the error codes that provide detail to the success or failure activity. Administrators without auto updates enabled must install the latest version of the Microsoft Azure Active Directory DSM to ensure that both Azure Platform and Azure Active Directory events parse properly.
Symantec Endpoint Protection 04/22/2021 dsm Enhanced the Symantec Endpoint Protection DSM to add support for parsing Japanese language events.
Cisco Firepower Threat Defense 04/22/2021 dsm Resolves multiple issues in the Cisco Firepower Threat Defense DSM: 1. Resolves an issue where the device time for the event might not parse as expected when a special character appears after the timestamp of the Syslog header, such as a percent sign character. 2. Enhanced the Cisco Firepower Threat Defense DSM where users reported AccessControlRuleAction events categorized too generically as ‘Misc Network Communication Event’. This update adds Low Level Categories and Event IDs so users can view if the rule action was an Allow or Block, instead of a ‘Misc Network Communication Event’. A new DSM Editor parameter is available for the Cisco Firepower Threat Defense DSM to revert the rule action parsing functionality in the user interface.
Trend Office Scan 04/22/2021 dsm Resolves an issue in the Trend Micro Office Scan where the date and time value from Spyware Grayware events did not parse correctly due to a format change in the event payload. This RPM release updates parsing patterns to add dd/MM/yyyy as a supported date time format and allows the DSM to switch between dd/MM and MM/dd formats that might appear in the event payload.
Microsoft Azure Active Directory 04/22/2021 dsm Resolved multiple issues in the Microsoft Azure Active Directory DSM: 1. Resolves an issue where some NonInteractiveUserSignInLogs events could categorize as Unknown Microsoft Azure. This RPM release updates sign-in success and failures to utilize the event name and the error code to differentiate the various sign-in activity, including locked accounts. 2. Updated parsing to ensure ‘Add member to role in PIM complete’ categorized properly and that ‘Add eligible member to role in PIM completed’ events parse the username and source IP Address properly. 3. Administrators without auto updates enabled must install the latest version of the Microsoft Azure Platform DSM to ensure that both Azure and Azure Active Directory events parse properly.
Microsoft Windows Security Event Log 04/22/2021 dsm Enhanced the Microsoft Security Event Log DSM with multiple updates: 1. Update parsing for event ID 4624 to distinguish between standard login events and logon events that indicate secondary logons. This change allows Event ID 4624 to parse as ‘Success Audit: An account was successfully logged on’ for standard logon event and ‘Success Audit: An account was successfully logged on as another user’ to identify privileged escalation. New QIDs were added for the ‘as another user’ events. 2. Added parsing for CEF version 1 events. 3. Updated parsing to distinguish between login events with different logon types and append the logon type into the event name, for example ‘Success Audit: An account was successfully logged on – Interactive Login’. 4. Enhanced parsing of login events so that usernames ending with a dollar sign will be set as the username, except for cases where username matches the computer name. 5. Added DSM parameters in the DSM Editor to toggle off new login and logon type parsing changes.
OPSEC/LEA PROTOCOL 04/06/2021 PROTOCOL Resolves multiple issues in the LEA protocol: 1. Resolves an issue in the QRadar Log Source Management app (7.3 version only) where the Specify Certificate field in the log source might not display all configuration options to the user when the field is toggled on. All configuration parameters should correctly display to the user after this RPM update. 2. Resolves an issue in the LEA protocol where a certificate auto download is attempted when the certificate was previously copied manually. This update ensures a new certificate retrieval is not started if the conditions to pull the cert are not fully met. This change prevents unintended ‘-93 The referred entity does not exist in the Certificate Authority’ error messages when users update certain log source parameters.
DSM COMMON 04/06/2021 DSM Enhanced the DSM Common framework to add support for parsing OpenVPN events and other services, such as pluto, awed, argos, awclient, dhcpd, hostapd, and audid as some service events did not parse as expected. This RPM release adds parsing changes reported from shared services that can appear in Sophos Astaro Security Gateway event payloads to ensure they parse properly.
MCAFEE EPOLICY ORCHESTRATOR 04/06/2021 DSM Resolves an issue where McAfee ePolicy Orchestrator events categorized as ‘Stored’ when the event payload does not contain a CommonFields value, which can cause Source IP parsing issue. This RPM release includes an event ID review that identify payloads that might parse as ‘Unknown McAfee ePolicy Orchestrator’ or ‘Stored’.
SOPHOS ASTARO SECURITY GATEWAY 04/06/2021 DSM Resolves multiple issues in this release: 1. Resolves a reported issue where Sophos Astaro Security Gateway version 17.5 devices use a new Syslog format for events. This RPM release updates parsing patterns to ensure the DSM can parse and categorize event that use the new Syslog format. 2. Added support for parsing OpenVPN events and other services, such as pluto, awed, argos, awclient, dhcpd, hostapd, and audid as some events did not parse as expected. 3. If you manually update RPMs from the command line, administrators should confirm they also have the latest version of the DSM Common framework installed. The Sophos Astaro Security Gateway RPM includes parsing dependencies contained in DSM Common.
CHECK POINT 03/30/2021 DSM Resolves multiple issues in the Check Point DSM: 1. Enhanced the parsing logic to improve username parsing performance time. 2. Adding support for parsing ‘Authcrypt failed’ and ‘Miscellaneous connection’ events from VPN-1 or FireWall-1 sources, which can categorize as ‘Stored’. 3. Resolves an issue where Usernames did not parse from some events as expected. This RPM release updates the username parsing to display common names and email addresses when present in user field of the event payload.
OSQUERY 03/30/2021 DSM Resolves an issue in the osquery DSM where users reported some events categorized as ‘Stored’ and includes an enhancement in the Query Interval logic. The Query Interval is an advanced configuration setting in the DSM Editor to determine the frequency with which polling for state changes in osquery events occur. If the Query Interval is missed, a default value of zero (0) is used for the next Query Interval time to assist with detecting net changes and parsing or mapping events to reduce ‘Stored’ categorizations.
CISCO FIREWALL DEVICES 03/30/2021 DSM Resolves multiple issues in the Cisco Firewall Devices DSM: 1. Resolves an issue where the device time for the event might not parse as expected when a special character appears after the timestamp of the Syslog header, such as a percent sign character. 2. Enhanced the Cisco Firewall Devices DSM where users reported AccessControlRuleAction events categorized too generically as ‘Misc Network Communication Event’. This update adds Low Level Categories and Event IDs so users can view if the rule action was an Allow or Block, instead of a ‘Misc Network Communication Event’. A new DSM Editor parameter is available for the Cisco Firewall Devices DSM to revert the rule action parsing functionality in the user interface.
UNIVERSAL CLOUD REST API 03/24/2021 PROTOCOL Resolved multiple issues in the Universal Cloud REST API protocol: 1. Enhanced the protocol to add an endpoint for Akamai EdgeGrid and Hawk authentication. 2. Added option to allow untrusted server certificates in the protocol configuration. 3. Enhanced the protocol to support ForEach actions on objects. 4. Enhanced JPath with a collection of common math and string functions. 5. Added an installation requirement to set the minimum install version to QRadar V7.3.2 Patch 5 (7.3.2.20191022133252) or later. 6 Resolved multiple issues reported by Universal Cloud REST API protocol users.
NEW! AMAZON AWS WAF 03/24/2021 DSM Release of a new Device Support Module to parse and categorize JSON traffic events from Amazon AWS WAF. To collect event data, you must first enabled WAF and Shield logging and metrics, then configure Amazon AWS WAF to send logs to an Amazon Kinesis Data Firehouse Delivery Stream. The SQS queue destination uses an Amazon AWS S3 bucket accessibly by QRadar to poll for events. Administrators with auto update disabled must install the latest versions of the following RPMs to collect events: Amazon Web Services protocol, Amazon AWS REST API protocol, Protocol Common, and the Amazon AWS WAF DSM.
AMAZON WEB SERVICES 03/09/2021 PROTOCOL Enhanced the Amazon Web Services protocol to resolve an issue where installing the Amazon Web Service could impact the Tomcat service, requiring the administrator to restart Tomcat as described in APAR IJ28997. This RPM release also updates the protobuf-java library to version 3.13.0 and removes some library references to the Protocol Common RPM that are no longer required.
SIM AUDIT 03/09/2021 DSM Resolves an issue in the SIM Audit DSM where user executed a command from the command prompt event (QID 28250184) did not properly parse port information from the event. This RPM release updates parsing to ensure that the Source and Destination ports values display for command line actions that occur on QRadar appliances.
SOLARIS OPERATING SYSTEM AUTHENTICATION MESSAGES 03/09/2021 DSM Resolves an issue in the Solaris Operating System Authentication Messages DSM where daemon.error events categorized as Stored. This RPM release updates parsing and maps new Event IDs to properly categorize mpathd and snmpdx daemon.error events.
TREND MICRO APEX CENTRAL 03/09/2021 DSM Enhanced the Trend Micro Apex Central DSM to resolve issues where users reported Intrusion Prevention events categorized as ‘Unknown’. This RPM release adds parsing and a QID map update to support Trend Micro Apex Central Intrusion Prevention events and adds the following Event Categories: Intrusion Prevention Block, Clean, Delete, Detect, Drop, Log, Move, Rename, Reset, Strip, Quarantine, Archive, and more.
FORTINET FORTIGATE SECURITY GATEWAY 03/09/2021 DSM Resolves an issue in the Fortinet Fortigate Security Gateway DSM where some events did not parse as expected when the URL field for WordPress URLs did not contain a log_id or blog_id field. This RPM release updates parsing to prevent ‘Stored’ event categorizations where the URL field could parse incorrectly depending on the format.
TREND INTERSCAN VIRUSWALL 03/09/2021 DSM Resolves an issue in the Trend InterScan VirusWall DSM to update the Log Source user interface to remove the product configuration from the Log Source Type menu. The Trend InterScan VirusWall configuration is no longer available in the DSM Configuration Guide; however, the product was still visible in the user interface for administrators.
MICROSOFT EXCHANGE SERVER 03/09/2021 DSM Resolves an issue in the Microsoft Exchange Server DSM where SMTP events can categorized as ‘Unknown’. This RPM release enhances parsing and includes a QID map update to confirm the following events parse and categorize as expected when the data field of the payload contains: XPROXY, XPROXYFROM, XSHADOW, AND XSHADOWREQUEST events.
DSM COMMON 03/09/2021 DSM Enhanced the DSM Common framework to include an autoupdate-deploy script to allow appliances to apply the workaround for the ‘Waiting for license’ issue described in APAR IJ30161. This change allows the Console to apply the license fix each time a deploy changes occurs in the user interface.
RADWARE DEFENSEPRO 03/09/2021 DSM Resolves an issue in the Radware DefensePro DSM where ‘Web access attempted’ and ‘Login failed via ssh’ categorized as Stored. This RPM release includes a QID map and parsing update to ensure the reported auth events parse and categorize correctly.
PROTOCOL COMMON 03/02/2021 PROTOCOL Enhanced the Protocol Common framework to support new certificate configuration options in the latest version of the TLS Syslog Protocol.
GOOGLE COMMON PROTOCOL 03/02/2021 PROTOCOL Enhanced the Google Common Protocol to update the google-oauth-client version to 1.31.4 from google-oauth-client-1.28.0.
TLS SYSLOG 03/02/2021 PROTOCOL Enhanced the TLS Syslog protocol to include new certificate configuration options. This update allows administrators to: 1. Select a new server certificate option to choose a certificate from the QRadar Certificate Management App. 2. Use a CN (Common Name) allow list and define a regex pattern for the allow list. 3. Configure a new option for Issuer Verification (Root or Intermediate certificate). 4. Use advanced trust management property options supported by the enhanced TLS Syslog protocol.
EMC VMWARE 03/02/2021 DSM Resolves multiple issues in the EMC VMWare DSM: 1. Enhanced the EMC VMWare DSM to support parsing for NSX-T firewall events. 2. This RPM release includes a parsing update to support a new event format for shell (.sh) files, such as backup.sh, where these events might categorize as ‘Stored’.
CISCO IDENTITY SERVICES ENGINE 03/02/2021 DSM Resolves a reported issue in the Cisco Identity Services Engine DSM to allow the Device IP Address from the event payload to set the Source IP address.
MICROSOFT AZURE PLATFORM 03/02/2021 DSM Resolves an issue in the Microsoft Azure Platform DSM to update parsing and prevent an issue where Azure Active Directory events might be incorrectly parsed by the Azure Platform DSM, generating ‘Unknown’ events.
MICROSOFT WINDOWS SECURITY EVENT LOG OVER MSRPC 02/11/2021 PROTOCOL Protocol testing tools have been added to the Windows MSRPC protocol. This RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.
BROCADE FABRIC OS 02/11/2021 DSM Resolves an issue in the Brocade Fabric OS DSM where the Source IP address did not parse as expected for SNMP events. This RPM release updates parsing logic for events that use an EventID of SNMP-nnnn to ensure the Source IP value displays in the user interface.
TIPPINGPOINT INTRUSION PREVENTION SYSTEM (IPS) 02/11/2021 DSM Resolves an issue in the TippingPoint Intrusion Prevention System (IPS) DSM where two-digit event IDs did not parse as expected, leading to ‘Stored’ events. This RPM release updates parsing where event IDs, such as 0054 parse successfully, but a two-digit event ID 54 would parse as ‘Stored’.
JUNIPER JUNOS OS PLATFORM 02/11/2021 DSM Resolves an issue in the Juniper Junos OS Platform DSM where OpenVPN events from Juniper MX devices can categorize as ‘Unknown’. This RPM release adds parsing for OpenVPN events and includes a QID map update for DEV_RD, SYSTEM_MSG, AF_INET6, and TLS_ERROR events.
CISCO FIREWALL DEVICES 02/11/2021 DSM Resolves multiple issues in the Cisco Firewall Devices DSM: 1. Resolves an issue where the username field could contain an HTML break character, which caused issues with right-click filtering in the user interface. 2. Resolves an issue where the username could parse and display a domain incorrectly in the username field. For example, ww\USER1 (incorrect) versus USER1 (correct). 3. Resolves an issue where port values were incorrectly set for ICMP events.
CROWDSTRIKE FALCON 02/11/2021 DSM Resolves multiple issues in the CrowdStrike Falcon DSM: 1. Updated the DSM name from CrowdStrike Falcon Host to CrowdStrike Falcon. 2. Enhanced the DSM to add support for Incident Summary and Detection Summary event types. 3. Updated the documentation to reflect changes in the CrowdStrike SIEM Connector, which uses a Client_ID and Client_Secret field to authenticate and retrieve events in the log source configuration. 4. Updated the QID map to add several new QIDs for the following categories: user activity audit, auth activity audit, external API event, Firewall rule IP6 matched, and customer ioc event.
CISCO CATOS FOR CATALYST SWITCHES 02/11/2021 DSM Resolves multiple issues in the Cisco CatOS for Catalyst Switches DSM: 1. Resolves an issue where users reported some events categorized as ‘Unknown Cisco CatOS’. This RPM release updates event parsing and includes a Cisco CatOS QID map to ensure the following events parse: Server_Internal_Error, CAA_INT_Error, Detect, and IEEE_Disconnect. 2. Enhanced the Cisco CatOS for Catalyst Switches DSM to make the Detect EventID parsing more granular.
JDBC PROTOCOL 02/02/2021 DSM Resolved multiple issues in the JDBC protocol: 1. Resolves an issue where JDBC-based protocols can fail to collect events after an ecs-ec-ingress restart as described in APAR IJ29049. 2. Resolves an issue reported as APAR IJ26314 where the protocol test functionality in the Log Source Management app can fail when authentication to collect test events used Domain Authentication. 3. Enhanced the protocol to improve debug logging to display more information about the JDBC database being polled by the protocol to assist with investigations for collection issues. 4. Resolves an issue where the JDBC protocol can fail to connect to MSDE databases with ‘The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.’ error messages.
MICROSOFT OFFICE 365 02/02/2021 DSM Resolves multiple issues in the Microsoft Office 365 Protocol: 1. Enhanced the protocol to allow users to configure the Management Activity API URL and Azure AD Sign-in URL. These configuration options are visible when the Advanced Options toggle is enabled in the Log Source Management interface. This update resolves APAR IJ28711, where events might not collect from the API as expected when the Microsoft Office 365 tenant does not use the manage.office.com URL, but instead uses .US or another domain value. 2. Resolves an issue where an exception can occur for the Microsoft Office 365 protocol when a log source is disabled. 3. Resolves an issue to prevent the adjustment of the query time range when an empty API response is received. 4. Resolves a warning message issue related to deprecated access tokens in the test functionality of the Log Source Management application. This RPM release suppresses warning messages displayed to users for deprecated access token roles as described in APAR IJ28829.
APACHE HTTP SERVER DSM 02/02/2021 DSM Resolves multiple issues in the Apache HTTP Server DSM: 1. Enhanced the DSM to support parsing RFC 5424 formatted Syslog events. 2. Resolves an issue where some HTTP status events could parse as Stored or be incorrectly identified as Forcepoint V Series events. This RPM update modifies parsing to ensure that reported HTTP status events parse and categorize for Apache HTTP Servers.
CITRIX NETSCALER 01/29/2021 DSM Resolves an issue in the Citrix NetScaler DSM where the Source IP, Destination IP, and Port value might not parse from the payloads of SSL Handshake Success and SSL Handshake Failure events from traffic domains. This RPM release updates parsing patterns where the payload can contain an additional value (TD_1) for the traffic domain in the header of the event.
MCAFEE MVISION CLOUD 01/29/2021 DSM Renamed the Skyhigh Networks Cloud Security Platform DSM to McAfee MVISION Cloud to list the proper product name in the user interface. This update is a name change only; there are no parsing or QID map changes in this RPM release.
PROTOCOL COMMON 01/29/2021 DSM Resolves an issue in the Protocol Common RPM where ‘cannot execute UPDATE in a read-only transaction’ exceptions could occur after an upgrade or change to the value of the Acquire Certificate Automatically setting in the log source configuration. This Protocol Common release resolves APAR IJ29010 where some API-based log sources, such as Microsoft Azure or Cisco AMP, can stop working as expected due to the read-only transaction exception when trying to update database settings on the Console or managed host.
POSTFIX MAIL TRANSFER AGENT 01/29/2021 DSM Resolves an issue in the PostFix Mail Transfer Agent DSM where master and local daemon service events can parse as ‘Unknown’. This RPM release includes a parsing update and QID map change to ensure configuration error events, process exit, and other service events categorize and display properly for users.
EMC VMWARE 01/29/2021 DSM Resolved multiple issues in the EMC VMware DSM: 1. Resolves an issue where EMC VMware EVO:Rail events for Loudmouth and MarvinUtils daemon events categorized as Stored. This RPM release includes parsing updates and a QID map change to ensure that events categorize correctly. 2. Resolves an issue where ESXi 6.7 authentication events categorized as Information, instead of their expected description of ‘Authentication’ after administrators updated their firmware version.
DSM COMMON 01/19/2021 DSM Enhanced the DSM Common framework to support parsing changes for Linux operating system cron daemon events (crond) sent in RFC 5424 format.
LINUX OS 01/19/2021 DSM Resolves an issue in the Linux OS DSM where cron daemon (crond) events sent in RFC 5424 format parse as ‘Unknown’. This RPM release updates parsing patterns for crond events from Linux operating systems to ensure events sent as RFC 5424 parse and categorize as expected.
MCAFEE EPOLICY ORCHESTRATOR 01/19/2021 DSM Resolves an issue in the McAfee ePolicy Orchestrator DSM where JDBC events that do not include TVDEventID or ThreatEventID in the payload did not parse properly. This RPM release updates the DSM parsing patterns to ensure non-threat events categorize as ‘Unknown’. Administrators with events that categorize as ‘Unknown’ can review the payloads to determine if they include TVDEventID or ThreatEventID and create custom QIDs to map their non-threat McAfee ePolicy Orchestrator events.
IBM QRADAR DLC PROTOCOL 12/16/2020 PROTOCOL Resolves an issue in the IBM QRadar DLC Protocol to remove the use of an unnecessary Apache POI library.
PROTOCOL COMMON 12/16/2020 PROTOCOL Resolves an issue in the Protocol Common RPM to remove the Apache POI library to support changes in the Disconnected Log Collector (DLC).
TLS SYSLOG PROTOCOL 12/16/2020 PROTOCOL Resolves an issue in the TLS Syslog Protocol to remove the Apache POI library to support changes in the Disconnected Log Collector (DLC).
CHECK POINT 12/16/2020 PROTOCOL Enhanced the Check Point DSM to make TLS Syslog a supported protocol and a default protocol selection option in the user interface. This update ensures that Syslog and TLS Syslog are both listed as documented and supported protocols when configuring log sources.
LINUX DHCP SERVER 12/16/2020 DSM Resolves multiple issues in the Linux DHCP Server DSM: 1. Resolves an issue where Linux DHCP lease events could fail to match an existing parsing pattern and categorize as Unknown SIM Generic. This RPM release adds a new parsing pattern for DHCP lease events and updates the QID map description for a ‘No DHCP lease’ event. 2. Resolves an issue where a Bootstrap protocol (BOOTP) event parsed as Unknown and updates the description to ‘BOOTP request failed’.
SYSFLOW 12/16/2020 DSM Release of a new DSM for SysFlow to receive Syslog events from SysFlow agents in JSON format from OpenShift or Kubernetes clusters. For more information, see: SysFlow v1.0.0 is here
AMAZON AWS S3 REST API 12/16/2020 DSM Enhanced the Amazon AWS S3 REST API protocol to add support for AWS Network Firewall Flow Logs. This update allows the Amazon Network Firewall S3 bucket with flow data to display in the Network Activity tab for appliances with a QFlow processor. Administrators without automatic updates enabled must have the latest version of the following RPMs installed to collect network flows: AWS S3 REST API Protocol, Protocol Common, and the Amazon AWS Network Firewall DSM.
PALO ALTO PA SERIES 12/16/2020 DSM Resolved multiple issues in the Palo Alto PA Series DSM: 1. Enhanced the DSM to support parsing LEEF 2.0 formatted events from PAN-OS. 2. Resolves an issue where the severity for PAN-OS 8.x events required a parsing update for the severity field. This RPM release allows the DSM to confirm the PAN-OS version from the event payload, then parse the severity appropriately based on the version.
NEW! TREND MICRO APEX CENTRAL 12/16/2020 DSM Release of a new Device Support Module (DSM) to parse and categorize Trend Micro Apex Central events. The Trend Micro Apex Central DSM supports Syslog and TLS Syslog events sent in CEF format to parse logs for attack discovery, behavior monitoring, data loss, network content inspection, sandbox detection, virus, malware, and more. Administrators who do not use automatic updates must install the latest version of the DSM Common RPM on their Console appliance to properly parse Trend Micro Apex Central events.
MQ JMS 12/09/2020 DSM Enhanced the MQ JMS protocol to add the latest version of the IBM MQ client library.
DSM COMMON 12/09/2020 DSM Enhanced the DSM Common framework library to support changes for Linux-based OS. The DSM Common RPM allows multiple DSMs that use the Linux platform to share parsing and a QID map for events that are common across several DSMs, which we generally refer to as OSServices. This release adds parsing for userhelper events, updates password change descriptions, and resolves PAM parsing issues for Stored events as described in the latest release of the Linux OS DSM.
MICROSOFT IIS 12/09/2020 DSM Resolves multiple issues in the Microsoft IIS Server DSM: 1. Resolves an issue where four IIS events could categorize as Microsoft IIS Server Unknown. This RPM release updates adaptive patterns to ensure the three-digit eventID is captured correctly when the value appears at the end of the event payload. 2. Enhanced the Microsoft IIS Server DSM to improve performance. This update resolves a reported preexisting performance issue where events could categorize as Stored at higher EPS.
FORCEPOINT V SERIES 12/09/2020 DSM Enhanced the Forcepoint V Series Device Support Module (DSM) to add support for parsing and categorizing Email Security events. This RPM release also resolves a reported issue where the DSM did not parse the disposition field when it appears in the event payload. The disposition field can cause some events to categorize as Stored as it is used to set the eventID when present in the event payload.
LINUX OS 12/09/2020 DSM Resolves multiple issues in the Linux OS DSM: 1. Resolves an issue where systemd-logind events for ‘New Session’ or ‘Removed Session’ could categorize as Stored. 2. Resolves an issue where the last digit in the Source IP address could truncate when the payload is parsed, leading to false positive offenses. 3. Resolves an issue where some PAM events, such as password change expiry, could parse as Stored. 4. Updated the event description for password changed events to be more descriptive for users. This release changes the description for password changed events from ‘User added to group’ to ‘User account modified’. 5. Added parsing support and a QID map update for userhelper events in the Linux OS DSM.
NEW! CLOUDFLARE LOGS 12/09/2020 DSM Release of a new Device Support Module (DSM) for Cloudflare Logs to parse and categorize HTTP and firewall events in JSON format within an Amazon AWS S3 bucket. Administrators can configure their Cloudflare instance to send logs to an Amazon AWS S3 bucket with a logpush job, then configure an SQS queue with permissions and an ObjectCreate notification in Amazon AWS. Administrators who do not use automatic updates must install the latest version of the following RPMs to parse and categorize Cloudflare events: Protocol Common, DSM Common, Amazon Web Services protocol, Amazon AWS S3 REST API protocol, and the Cloudflare Logs DSM.
MICROSOFT WINDOWS SECURITY EVENT LOG OVER MSRPC 12/09/2020 DSM Enhanced the Microsoft Windows Security Event Log over MSRPC protocol to include test functionality in the Log Source Management app. This update allows administrators with Log Source Management app V5.0 or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Windows MSRPC log source configurations. This RPM release adds test functionality to the Log Source Management app to confirm TCP connectivity, DNS resolution, checks for Protocol Type settings, test event collection, and other improvements.
MICROSOFT WINDOWS SECURITY EVENT LOG OVER MSRPC 12/01/2020 PROTOCOL Resolves multiple issues in the Microsoft Windows Security Event Log over MSRPC protocol: 1. This update improves debug logging for the MSRPC protocol to include a static debug() method and a few simplifications for debugging purposes. 2. Updated the jNQ version to prevent deadlocks in the MSRPC protocol as described in APAR IJ26863.
CISCO IRONPORT 12/01/2020 DSM Resolves a reported issue in the Cisco Ironport DSM where events from Squid sources can categorize as ‘Stored’. This RPM release adds new parsing patterns for TCP_DENIED, TCP_REFRESH_HIT, TCP_CLIENT_REFRESH_MISS, TCP_MEM_HIT, and NONE Event IDs to ensure that the payload for the events parses and categorizes properly.
F5 NETWORKS BIG-IP LTM 12/01/2020 DSM Resolves multiple issues in the F5 Networks BIG-IP LTM DSM: 1. Resolves an issue where several events, such as IControl_REST_Child_Daemon (icrd_child), httpd cookie mismatch, and debug apmd could parse as Stored. This update also resolves a reported problem where the User field might contain different capitalization than expected and cause Stored events. 2. Resolves an issue where some F5 Networks ASM events could classify as BIG-IP LTM incorrectly and create F5 Networks BIG-IP LTM log sources automatically.
AMAZON AWS S3 REST API 12/01/2020 PROTOCOL Resolves multiple issues in the Amazon AWS S3 REST API protocol: 1. Resolves an issue where the marker file format could download old event data, leading to duplicate events. 2. Resolves an issue in the Log Source Management app where sample events collected to test the protocol configuration could download more files than required, leading to unnecessary temporary files on disk. This RPM release updates the test functionality to download and process only the number of events configured for the test and clean up files immediately.
MICROSOFT AZURE PLATFORM 12/01/2020 DSM Resolves an issue in the Microsoft Azure Platform DSM where the time value in UTC format did not parse into the local time zone in the user interface.
JUNIPER JUNOS OS PLATFORM 12/01/2020 DSM Resolves multiple issues in the Juniper Junos OS Platform DSM where the MAC address did not parse as expected for some Juniper JunOS firewall events.
SIM GENERIC 12/01/2020 DSM Resolves an issue where events for a custom log source type are incorrectly assigned as Stored events to the SIM Generic log source as described in APAR IJ29348. When events are routed to a log source with a custom log source type and the log source cannot parse the events, they are incorrectly assigned to the SIM Generic log source instead of the correct log source as Stored.
NEW! AMAZON AWS NETWORK FIREWALL 11/23/2020 DSM Release of a new DSM for Amazon AWS Network Firewalls to collect allow or deny traffic events from S3 buckets that contain flow logs. To collect events, administrators must set up an S3 bucket and an SQS queue, configure SQS queue notifications, and set permissions. The AWS S3 REST API Protocol can retrieve events if the log source created by the administrator has permissions to poll the SQS queue. Administrators without automatic updates enabled must have the latest version of the following RPMs installed to collect and parse events: AWS S3 REST API Protocol, Protocol Common, and the Amazon AWS Network Firewall DSM.
MCAFEE EPOLICY ORCHESTRATOR 11/23/2020 DSM Resolves a reported issue in the McAfee ePolicy Orchestrator DSM where TLS Syslog events can categorize as ‘Stored’ when the xml event tag uses different capitalization. For example, EPOEvent tags parse correctly, but xml event payloads that use the tag EPOevent did not parse as expected. This RPM release resolves the reported issues parsing some TLS Syslog events in McAfee ePolicy Orchestrator version 5.10.
ISC BIND 11/23/2020 DSM Resolves multiple issues in the ISC BIND Device Support Module (DSM): 1. Resolves an issue where events could categorize as ‘Stored’ when multiple named instances were configured. For example, ‘named’ instances parse as expected where ‘named2’ instances caused parsing issues and Stored events. 2. Updated ISC BIND documentation in the DSM Configuration Guide to list 9.12 as a supported version.
SYMANTEC ENDPOINT PROTECTION 11/23/2020 DSM Resolves multiple issues in the Symantec Endpoint Protection DSM: 1. Resolves an issue where ‘Log writing to USB drives’ events could incorrectly categorize as ‘event continue’ due to a parsing error. 2. Resolves an issue where ‘Firewall Allow’ events can parse as ‘Firewall Block’. This RPM release adds logic to consider the Action field from the event when parsing the payload to correct Allow versus Blocked categorization issues.
GOOGLE CLOUD AUDIT 11/23/2020 DSM Resolves an issue in the Google Cloud Audit DSM where Kubernetes K8s.io events parse as ‘Unknown’. This RPM release adds 23 QIDs for new method names to support parsing and categorization for Kubernetes K8s.io events.
CARBON BLACK PROTECTION 11/17/2020 DSM This RPM release includes several minor changes for Carbon Black log sources: 1. Updated the Device Support Module (DSM) name from Carbon Black Protection to Carbon Black App Control. 2. This RPM release ensures that the vendor and product name fields parse properly from the LEEF Syslog header.
F5 NETWORKS BIG-IP LTM 11/17/2020 DSM Resolves a reported issue in the F5 Networks BIG-IP LTM DSM to add support for parsing ‘Request Logging’ events. Request logging profiles allow administrators to log the details of HTTP requests seen by the local F5 Networks BIG-IP LTM device. This RPM release allows ‘Request Logging’ events to parse properly, instead of categorizing as ‘Stored’.
ARUBA CLEARPASS POLICY MANAGER 11/17/2020 DSM Resolves an issue in the Aruba ClearPass Policy Manager where Service Set Identifier (SSID) authentication events did not parse the MAC address as expected.
SOLARIS OPERATING SYSTEM AUTHENTICATION MESSAGES 11/17/2020 DSM Resolves an issue in the Solaris Operating System Authentication Messages to parse Connection_refused and DB2 governor (db2govd) error events. This RPM release allows the reported ‘Stored’ and ‘Unknown’ events to parse and categorize properly.
DSM COMMON 11/17/2020 DSM Enhanced the DSM Common framework to replace MD5 file checks with hashes based on SHA256 for FIPS (Federal Information Processing Standards) compliant installations.
EMC VMWARE 11/9/2020 DSM Enhanced the EMC VMware DSM to add parsing and categorization for the following events: vsanSoapServer, vcenter-server, kernel, smad, Unknown, sensord, python, VSANMGMTD, addVob, backup.sh, and Sample latency interval events.
IBM AIX SERVER 11/9/2020 DSM Resolves a reported issue in the IBM AIX Server DSM where events generated by the update_sudoers.sh script parsed as ‘Stored’.
CISCO MERAKI 11/9/2020 DSM Resolves multiple issues in the Cisco Meraki DSM: 1. Resolves an issue where Site-to-site VPN events categorized as ‘Unknown Generic Log Event’. 2. Resolves an issue to update documentation example payloads for inbound and outbound flows. Cisco Meraki generates Syslog events from inbound and outbound flows and the example payload in the documentation displayed an older format.
CISCO CALL MANAGER 11/9/2020 DSM Resolves multiple issues in the Cisco Call Manager DSM: 1. Resolves an issue to update Syslog header parsing where Cisco Call Manager v11.5 versions can use a different timestamp format. This RPM release includes a review of parsing for ports, source IP, and destination IP addresses in Cisco Call Manager v11.5 events. 2. Resolves a benign auto deploy message ‘ERROR: insert or update on table sensordeviceprotocols violates foreign key constraint’ that can display in the logs.
RADWARE APPWALL 11/2/2020 DSM Resolved an issue in the Radware AppWall DSM where an auto deploy script can impact the Tomcat web service.
MICROSOFT IIS PROTOCOL 10/26/2020 PROTOCOL Enhanced the Microsoft IIS Protocol to use jNQ libraries for SMB2 connections. This RPM update resolves the connection issue described in IJ25365 and allows the protocol test functionality incorporated in the Log Source Management application to display the SMB version when validating connections. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
SMB TAIL PROTOCOL 10/26/2020 PROTOCOL Enhanced the SMB Tail Protocol to use jNQ libraries for SMB2 connections. This RPM update resolves the connection issue described in IJ25365 and allows the protocol test functionality incorporated in the Log Source Management application to display the SMB version when validating connections. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
ORACLE DATABASE LISTENER 10/26/2020 PROTOCOL Enhanced the Oracle Database Listener Protocol to use jNQ libraries for SMB2 connections. This RPM update resolves the connection issue described in IJ25365 and allows the protocol test functionality incorporated in the Log Source Management application to display the SMB version when validating connections. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
MICROSOFT DHCP PROTOCOL 10/26/2020 PROTOCOL Enhanced the Microsoft DHCP Protocol to use jNQ libraries for SMB2 connections. This RPM update resolves the connection issue described in IJ25365 and allows the protocol test functionality incorporated in the Log Source Management application to display the SMB version when validating connections. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
MICROSOFT EXCHANGE PROTOCOL 10/26/2020 PROTOCOL Enhanced the Microsoft Exchange Protocol to use jNQ libraries for SMB2 connections. This RPM update resolves the connection issue described in IJ25365 and allows the protocol test functionality incorporated in the Log Source Management application to display the SMB version when validating connections. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
EMC VMWARE 10/26/2020 DSM Enhanced the EMC VMWare Protocol to update libraries for event collection. Security bulletins are associated with this protocol update; for more information, see: https://www.ibm.com/support/pages/node/6356447 and https://www.ibm.com/support/pages/node/6356449.
RADWARE DEFENSEPRO 10/26/2020 DSM Resolves multiple issues in the Radware DefensePro DSM: 1. Resolves a reported issue where two events categorized as ‘Unknown Radware DefensePro’. 2. Enhanced the Radware DefensePro DSM to resolve an issue where several information level Syslog events and one login event failed message might parse as ‘Stored’ during an event replay review.
CISCO IDENTITY SERVICES ENGINE 10/26/2020 DSM Resolves a reported issue in the Cisco Identity Services Engine DSM where the Source IP address did not parse correctly for SSH Login Succeeded events. This RPM release reviews and updates parsing logic for source IP addresses, validation for username parsing, and source port values in Cisco Identity Services Engine events.
GOOGLE CLOUD PLATFORM FIREWALL 10/21/2020 DSM Release of a new Device Support Module (DSM) to parse and categorize allow and deny events from Google Cloud Platform Firewall. If automatic updates are not enabled, administrators must have the following RPMs installed for the DSM to collect and parse JSON data: DSM Common, Google Common Protocol, and Google Cloud Pub Sub Protocol.
CISCO FIREWALL DEVICES 10/21/2020 DSM Resolves multiple issues in the Cisco Firewall Devices DSM: 1. Resolves an issue where the Cisco Adaptive Security Appliance (ASA) ‘Built outbound TCP connection’ events ASA-6-302013 could display the source and destination IP address reversed. This RPM release updates the parsing logic to ensure the correct source and destinations are identified per Cisco documentation. 2. Resolves a reported issue where the Username field in Cisco Adaptive Security Appliance (ASA) events might parse the username with break characters. This parsing issue affected right-click functionality for usernames as described in APAR IJ27004. This RPM release updates the username logic to ignore the trailing spaces, line break characters, or newline characters in the username field when the payload is parsed.
CHECK POINT 10/21/2020 DSM Resolves multiple issues in the Check Point DSM: 1. Added parsing for ‘Unknown Check Point’ events. 2. Added new documentation for integrating Check Point log sources to collect events using the TLS Syslog protocol. 3. Enhanced the DSM Editor user interface for Check Point log sources to add a DSM Configuration Parameter for ‘Disable Legacy event mapping’.
PALO ALTO NETWORKS PA SERIES 10/21/2020 DSM Enhanced the Palo Alto Networks PA Series DSM to include more granular event descriptions for ‘Client Configuration’ events. This issue was reported where the event IDs for Palo Alto globalprotectgateway-config-release, globalgateway-config-succ, and globalprotectportal-config-succ were assigned the same QID, 52511652, for Client Configuration when they are different configuration types. This update modifies parsing and the QID map to add more granular parsing to separate Global Gateway from Global Portal configuration events.
JUNIPER NETWORKS NETSCREEN FIREWALL 10/21/2020 DSM Resolves multiple issues in the Juniper Networks Netscreen Firewall DSM: 1. Resolves an issue where destination IPv6 addresses can cause the event payload to categorize as ‘Stored’. 2. Enhanced SSH event categorization to assign more granular descriptions. Previously, an SSH timeout or security permission changes due to inactivity could be categorized generically as ‘Login Failed’. This update enhances descriptions to include: SSH session logged out, SSH session finished, or System Security Access removed events.
DSM COMMON 10/21/2020 DSM Resolves multiple issues in the DSM Common framework: 1. Resolves an issue where two different sudo events, which are almost identical, can parse as two different event types and generate false positive offenses. This update reviews sudo Linux events where sudo nmap or Rapid7 vulnerability scan commands could be categorized correctly as ‘su Message’ events or incorrectly as ‘User Right Augmentation Failed’. When vulnerability scan commands parse as ‘User Right Augmentation Failed’, these events can trigger offenses incorrectly. 2. Enhanced the DSM Common framework to update packaged deploy scripts and remove MD5 sum file check operations to comply with FIPS standards.
IBM TIVOLI ACCESS MANAGER FOR E-BUSINESS 10/21/2020 DSM Resolves an issue in the IBM Tivoli Access Manager for e-business where events categorized as ‘Miscellaneous’ did not parse the Username value or Source IP as expected.
CISCO IRONPORT 10/21/2020 DSM Resolves an issue in the Cisco Ironport DSM where users reported early_expiration events were categorized as ‘Stored’. This RPM release adds parsing support and an event ID to identify and categorize early expiration events.
FORTINET FORTIGATE SECURITY GATEWAY 10/21/2020 DSM Enhanced the Fortinet Fortigate Security Gateway to support event payload changes in version 6.4. This DSM update resolves several reported parsing issues, such as new header values in v6.4, added parsing for endpoint-close events, and added parsing for UTM events.
AMAZON WEB SERVICES PROTOCOL 10/21/2020 PROTOCOL Enhanced the Amazon Web Services protocol to include the latest version of the Amazon Web Services Java SDK.
AMAZON AWS S3 REST API PROTOCOL 10/21/2020 PROTOCOL Enhanced the Amazon AWS S3 REST API protocol to include the latest version of the Amazon Web Services Java SDK.
SDEE PROTOCOL 10/21/2020 PROTOCOL Resolves a reported issue where a Null Pointer Exception (NPE) in the SDEE Protocol could periodically interrupt event collection from Cisco IPS sources. This update resolves the exception as described in APAR IJ27712 and allows Cisco IPS devices to successfully pull events from remote sources.
UNIVERSAL CLOUD REST API 10/06/2020 PROTOCOL Release of a new protocol to enable ingestion of REST API endpoints. With the Universal Cloud REST API Protocol, you can easily connect to REST API endpoints that can send data to QRadar and leverage pre-configured workflows for a specified data source or create your own workflow document. The Universal Cloud REST API protocol requires QRadar V7.3.1 or later and you must have the QRadar Log Source Management app installed.
IBM I 10/06/2020 DSM Resolves an issue in the IBM i DSM where username values did not parse from a new event type. This RPM release adds a parsing pattern update to ensure the username field parses properly.
F5 NETWORKS BIG-IP LTM 10/06/2020 DSM Resolves multiple issues in the F5 Networks BIG-IP LTM DSM: 1. Resolves an issue where CLIENT_ACCEPTED events did not parse and categorized as ‘Stored’ when the header contained a forward slash character. 2. Resolves reported issues where rule names that contain a period character did not parse as expected. 3. Resolves an issue to ensure authentication events that contain a PID value in square brackets after the service name parse as expected. 4. Enhanced the F5 Networks BIG-IP LTM DSM to verify IP intelligence service events parse and categorize as expected. 5. Resolves an issue where iControl REST daemon events could categorize as ‘Stored’ when extra spaces were present in the event payload.
SIM GENERIC 10/06/2020 DSM Resolves multiple issues in the SIM Generic DSM: 1. Resolves an issue where identical log source identifiers can create an inconsistent parsing order for log sources. This RPM release allows an unordered set of log sources to properly parse the log source with the highest priority parsing order assigned, resolving APAR IJ11726. 2. Resolves an issue where Syslog and TLS Syslog events sent from Disconnected Log Collector (DLC) installations do not set the source or destination IP address correctly. This RPM update allows the proper source name to be validated from a Disconnected Log Collector to address cases where the event is forwarded from an intermediate server, or where a hostname in the event header contains only word characters, causing the IP address to be set incorrectly.
UNIVERSAL LEEF 09/29/2020 DSM Enhanced the Universal LEEF DSM to ensure that the Log Source Management app displays the protocol type as an ‘Undocumented’ protocol.
UNIVERSAL CEF 09/29/2020 DSM Enhanced the Universal CEF DSM to ensure that the Log Source Management app displays the protocol type as an ‘Undocumented’ protocol.
MICROSOFT EXCHANGE SERVER 09/29/2020 DSM Resolves multiple issues in the Microsoft Exchange Server DSM: 1. Resolves an issue where MSGTRKMA RECEIVE events parsed as ‘Unknown Microsoft Exchange Server’. This RPM release updates the QID map to add the previously unknown events. 2. Enhanced the Microsoft Exchange Server DSM to add support for parsing source and client IP addresses in IPv6 format.
CISCO FIREPOWER MANAGEMENT CENTER 09/29/2020 DSM Resolves an issue in the Cisco Firepower Management Center DSM where VPN_USER_LOGIN events did not properly extract the username from userLoginInformation.userName field. This issue only occurred with recordType VPN_User_Login events and this RPM release verifies the username populates in the event details.
TLS SYSLOG PROTOCOL 09/29/2020 DSM Resolved an issue where TLS Syslog listeners could fail to restart and deploy after an RPM update when a large number of clients were connected to a listener. This RPM release allows the TLS Syslog protocol updates to complete as expected and prevents administrators from being forced to manually toggle the log source status to reconnect and collect events.
VMWARE VCENTER 09/29/2020 DSM Resolved multiple reported unknown and stored events for the VMware vCenter DSM: 1. Resolves an issue where some authentication events were incorrectly categorized as miscellaneous. This update allows Bind request failed, Bind request error, and SASL errors to categorize as Authentication Failure events. 2. Adds 29 QID map updates for vra audit and vcenter-server events to resolve unknown events, such as LoginSuccess, DatastoreFileUploadEvent, StatelessAlarmTriggeredEvent, ClusterFailoverActionCompletedEvent, deployment started, HostStateChangedEvent, DBHealthStatusClearEvent, status change, authorization success, redundancy restored, HardwareSensorGroupStatus, Skip service health check, Constructed command, DatastoreFileCopiedEvent, vra audit info, vra audit exception, and more.
MICROSOFT SECURITY EVENT LOG OVER MSRPC 09/29/2020 DSM Resolves an issue in the Microsoft Security Event Log over MSRPC protocol where a class not found error prevented the MSRPC test tool from working in 7.4.x versions. This RPM release verifies the MSRPC test tool functions properly and resolves APAR IJ27243.
FORTINET FORTIGATE SECURITY GATEWAY 09/29/2020 DSM Resolves multiple parsing and categorization issues in the Fortinet Fortigate Security Gateway DSM: 1. Resolves an issue where Authentication events can be sent with different capitalization causing unknown events. 2. Resolves an issue where ssl-alert, ssl-cert, allow, might parse as unknown. This update also ensures the full action for ext-session-leave is captured as the Event ID. 3. Improved the parsing logic for login events to evaluate both the action field and the status field or use the logsesc field to determine whether an event is an Authentication Success or Authentication Failure. 4. Updated the QID map to add 21 entries to prevent unknown events, such as DHCP-information, User-notice, FortiGate-notice, Local-notice, HA-notice, Disk-information, Configuration-alert, SNMP-warning, Report-notice, session-information, Routing-critical, PPPD-notice, and more.
JUNIPER JUNOS OS PLATFORM 09/22/2020 DSM Resolves a reported issue in the Juniper Junos OS Platform DSM where several Juniper MX Router events categorized as ‘Unknown’. This RPM release updates parsing for payloads that include underscore characters in the eventIDs to ensure the following events categorize correctly: Send_Message_Message, Update_device, Activate_token_assignment, Register_device, Send_token_download_url, Send_authorization_code, Send_OTP, Delete_token, Set_activation_code, and Reset_activation_code.
BOX 09/22/2020 DSM Enhanced the Box Device Support Module (DSM) to support parsing and categorization of Box Shield Alerts. Administrators with automatic updates disabled must download and install the following RPMs on the Console appliance to ensure that events parse and categorize properly: Protocol Common, Box REST API Protocol, and the latest version of the Box DSM.
DSM COMMON 09/15/2020 DSM Enhanced the DSM Common framework to support parsing changes for several Linux OS events. This update adds parsing changes for cronMessages and updated timestamp events, resolves auto discovery issues related to Symantec Endpoint Protection, and adds parsing for some shared EMC VMware and Linux events as described in the latest Linux OS DSM update. Administrators who manually install RPM updates must install DSM Common with the Linux OS DSM to ensure that all events parse as expected.
LINUX OS 09/15/2020 DSM Resolves multiple issues in the Linux OS DSM: 1. Resolves an issue where ‘updated timestamp file’ events parsed as ‘Stored’. 2. Resolves an issue where the Username field did not parse as expected for cronMessage events. 3. Resolves an issue where VMware ESX events generated from Linux installations could categorize as ‘Unknown’. This RPM release updates parsing to validate that general Linux events parse by the Linux OS DSM and audit level events from the ESX host parse against the EMC VMware DSM. 4. Resolves an issue where authpriv events categorize as ‘Stored’. 5. Resolves an issue where Linux OS events auto discovered as Symantec Endpoint Protection. 6. Resolves an issue where SSH PAM authentication error events could parse with a generic description of ‘SSH message’ or ‘Kernel message’, instead of the correct description ‘Authorization fail’. 7. Resolves an issue where Linux login messages from Docker or containerd events parsed as ‘Stored’.
IMPERVA SECURESPHERE 09/15/2020 DSM Resolves multiple issues in the Imperva SecureSphere DSM: 1. Enhanced the Imperva SecureSphere DSM to parse the Severity field from event payloads to represent the severity more accurately. This update allows a description field, such as Alert Description to be evaluated for a severity value when parsed by the Imperva SecureSphere DSM as the original Syslog payloads do not include a Sev field to define a numeric severity. 2. Resolves an issue where the following events could parse as ‘Unknown’ due to a leading space character in the event ID that needed to be trimmed: Profile None, Custom None, Protocol None, and Firewall None.
MICROSOFT OFFICE 365 09/15/2020 DSM Resolves multiple issues in the Microsoft Office 365 DSM: 1. Resolves an issue where the Source IP address did not parse as expected from Microsoft Teams authentication events. This release updates parsing for Microsoft Teams authentication events to ensure the ‘Client IP’ address in the payload displays the correct Source IP value. 2. Resolves a reported issue where some events could parse as ‘Stored’ when the Action field contains an array, instead of a single value. This RPM release updates parsing patterns to accept Action fields that contain an array.
MICROSOFT AZURE PLATFORM 09/15/2020 DSM Resolves multiple reported issues in the Microsoft Azure Platform DSM: 1. Resolves an issue where Azure SQL database SQLSecurityAuditEvents events can display the same IP address for the Source and Destination fields in the user interface. This RPM update modifies the parsing to ensure that the client_ip and callerIpAddress fields are captured properly from the event payload. 2. Resolves an issue where Azure SQLSecurityAuditEvents events do not display the username as expected. This update modifies parsing to ensure the server_principal_name field populates the user interface with the correct user login name from the event payload.
MICROSOFT WINDOWS SECURITY EVENT LOG 09/15/2020 DSM Resolves a reported issue in the Microsoft Windows Security Event Log to properly parse scheduled task events that include message fields with XML information. This RPM release modifies parsing to update the order in which XML fields are validated by the DSM to prevent ‘Stored’ events from WinCollect agents where XML data is appended to the end of the message field of the event, such as Microsoft UpdateOrchestrator scheduled tasks.
OKTA REST API 09/15/2020 PROTOCOL Resolves an issue in the Okta REST API protocol where duplicate events could be collected due to a vendor change for http2 compliance where the HTTP header could return data as ‘Link’ or ‘link’ to track pagination for incoming data. This RPM release resolves the issue for potential duplicate Okta Identity Management events described in APAR IJ26151.
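The Okta REST API entry above describes a pagination bug that is worth understanding: HTTP header names are case-insensitive, and HTTP/2 transmits them in lowercase, so a collector that looks up the pagination header with an exact-case key (`Link`) stops seeing the `next` cursor once the vendor's edge returns `link`. Without a cursor the collector re-queries the same window and ingests the same events twice. The following added example, which is not IBM's or QRadar's code, shows a case-insensitive header lookup, an RFC 8288 style Link header parser, and a cursor-following collector run over a constructed two-page feed (the URLs and event payloads are invented for the example; the fake fetcher stands in for a real HTTP client).

```python
import re

# Constructed sample feed: two pages of Okta-style log events. The first response
# uses a capitalised "Link" header, the later ones use the HTTP/2 lowercase "link".
# Hostnames, cursors and event uuids are invented for this example.
START_URL = "https://example.okta.invalid/api/v1/logs?since=2020-09-15T00:00:00Z"
PAGES = {
    START_URL: (
        {"Content-Type": "application/json",
         "Link": '<https://example.okta.invalid/api/v1/logs?after=A>; rel="next"'},
        [{"uuid": "evt-1", "eventType": "user.session.start"},
         {"uuid": "evt-2", "eventType": "user.authentication.auth_via_mfa"}],
    ),
    "https://example.okta.invalid/api/v1/logs?after=A": (
        {"content-type": "application/json",
         "link": '<https://example.okta.invalid/api/v1/logs?after=A>; rel="self", '
                 '<https://example.okta.invalid/api/v1/logs?after=B>; rel="next"'},
        [{"uuid": "evt-3", "eventType": "user.account.lock"}],
    ),
    "https://example.okta.invalid/api/v1/logs?after=B": (
        {"content-type": "application/json",
         "link": '<https://example.okta.invalid/api/v1/logs?after=B>; rel="self"'},
        [],  # empty page: caught up, no further "next" cursor
    ),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET: returns (headers, list_of_events) for a known URL."""
    return PAGES[url]


def header_value(headers, name):
    """Return a header value regardless of how the sender capitalised its name."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


# One Link entry: <url>; rel="next"  (rel may also appear unquoted)
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')


def parse_link_header(value):
    """Map each rel type in a Link header to its URL, e.g. {"next": ..., "self": ...}."""
    rels = {}
    for part in value.split(","):
        m = _LINK_RE.search(part)
        if m:
            rels[m.group(2).strip()] = m.group(1)
    return rels


def collect(fetch, start_url, max_pages=50):
    """Follow rel="next" cursors until none is offered, de-duplicating by event uuid."""
    events, seen = [], set()
    url = start_url
    for _ in range(max_pages):
        headers, batch = fetch(url)
        for ev in batch:
            if ev["uuid"] not in seen:
                seen.add(ev["uuid"])
                events.append(ev)
        link = header_value(headers, "Link")
        nxt = parse_link_header(link).get("next") if link else None
        if nxt is None or nxt == url:  # no cursor, or cursor points back at this page
            break
        url = nxt
    return events


if __name__ == "__main__":
    for ev in collect(fake_fetch, START_URL):
        print(ev["uuid"], ev["eventType"])
```

The exact-case lookup `headers.get("Link")` returns `None` on the second page, which is the failure mode the entry describes; `header_value` finds the cursor under either spelling, so the collector advances and the de-duplication set never has to do any work.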
F5 NETWORKS BIG-IP ASM 09/09/2020 DSM Resolves an issue where F5 Networks BIG-IP ASM events parsed as ‘Unknown’ when the violations field, which is used to determine the event ID, contains N/A in the event payload. This RPM release updates parsing patterns to properly categorize N/A status from the violations field in F5 Networks BIG-IP ASM events.
NOVELL EDIRECTORY 09/09/2020 DSM Resolves an issue with the Novell eDirectory DSM where the user interface can display an incorrect value in the Username field. This RPM release updates the parsing patterns to correctly capture the values from the common name (CN) field of the event payload.
MICROSOFT DNS DEBUG 09/09/2020 DSM Resolves an issue in the Microsoft DNS Debug DSM to remove an installation dependency on the WinCollect Microsoft DNS protocol. This release allows administrators to install the Microsoft DNS Debug DSM without a required dependency for a protocol RPM that is only available within WinCollect SFS files.
TCP MULTILINE SYSLOG 09/09/2020 PROTOCOL Resolves multiple issues in the TCP Multiline Syslog protocol: 1. Enhanced the protocol to increase the default payload size from 10240 to 32768. This update prevents payload truncation for Microsoft Windows events that are commonly over 10240 in size, as described in APAR IJ25038. 2. Modified the regex to improve parsing and capture the ‘EventType’ from raw data when the source event comes from a multiline Windows event. This RPM release allows the TCP Multiline Syslog protocol to use the EventType if it is present in the received payload, or to identify the EventType from the raw payload when it is not.
JDBC 09/09/2020 PROTOCOL Resolves an issue in the JDBC Protocol where the jtds-1.3.3i.jar did not copy to the appropriate location, causing ClassNotFound exceptions. This issue resolves the problem identified in APAR IJ16291 where MSDE log sources that use the JDBC Protocol would generate warning messages ‘There is a problem with the selected database driver’.
JUNIPER NETWORKS NETSCREEN FIREWALL 08/27/2020 DSM Resolves a reported issue in the Juniper Networks Netscreen Firewall where ‘SNMP request from an unknown community received’ (event 00524) could have the source and destination IP addresses reversed and did not extract the port value as expected. This RPM release updates parsing to add a unique pattern for SNMP event 00524 to ensure the event payload parses correctly.
MICROSOFT FOREFRONT ENDPOINT PROTECTION 08/27/2020 DSM Resolves an issue in the Microsoft Forefront Endpoint Protection DSM where the French language words ‘Ver’ or ‘Cheval de Troie’, did not set an event ID for their English counterparts in the QID map. This RPM release resolves an issue where worm and trojan horse French language events parsed as ‘Unknown Microsoft Forefront Endpoint Protection’ and allows the DSM to properly categorize the events.
IBM AIX SERVER 08/27/2020 DSM Resolves an issue in the IBM AIX Server DSM where the Source Port value did not parse from the event payload correctly. This RPM release updates adaptive patterns to validate that the Source Port value parses as expected.
F5 NETWORKS BIG-IP APM 08/27/2020 DSM Enhanced the F5 Networks BIG-IP APM DSM to include more granularity for dynamic ACL events. This RPM release updates the dynamic ACL event 01580005 to describe the action taken by policy and add new event IDs, such as dynamic ACL allow, dynamic ACL discard, dynamic ACL continue, or dynamic ACL reject.
OKTA IDENTITY MANAGEMENT 08/27/2020 DSM Resolves an issue in the Okta Identity Management DSM to add parsing to display the outcome field from the event payload and assign a Low Level Category based on the result. This update allows the event ID to properly describe an action as success or failure, instead of falling back to the failure state, and updates the QID map to prevent ‘Unknown’ events. For example, the displayMessage field in the event payload for ‘Change application password for user’ needs the outcome field to determine the success or failure state of the event. This RPM release updates outcome field parsing and allows the success or failure status to be used by other event IDs, such as credential rejection or account lock success or failure.
VMWARE APPDEFENSE 08/27/2020 DSM Resolves an issue to rename the company name in the DSM (VMWare to VMware) to correct spelling issue as reported by the vendor.
MICROSOFT AZURE ACTIVE DIRECTORY 08/27/2020 DSM Enhanced the Microsoft Azure Active Directory DSM to align the QID map with Active Directory events in the Microsoft Office 365 DSM. This change aligns Active Directory event categorization where overlap exists for QIDs that exist in both DSMs. If the Active Directory event ID exists in the Microsoft Office 365 DSM’s QID map, then the event uses a value in the Microsoft Office 365 QID map as the primary check for matches. If the event ID is not present in the Microsoft Office 365 DSM, the categorization falls back to QID map entries in the Microsoft Azure Active Directory DSM for matches.
PROTOCOL COMMON 08/27/2020 PROTOCOL This update resolves several reported issues in the Protocol Common framework: 1. Resolves an issue as described in APAR IJ15213 where the automatic certificate download can fail to retrieve certificates when the event source has TLS 1.0 disabled by the vendor. This RPM release enhances the Protocol Common framework to use the SSL protocol, allowing the certificate downloader to use any TLS version when retrieving certificates. 2. Enhanced the access token tests in the Log Source Management application for some Microsoft Azure protocols to display the list of roles required and inform the user that they need application permissions. 3. Corrects a spelling issue in the warning message displayed when attempting to receive the last five events in the Log Source Management application.
CISCO IRONPORT 08/20/2020 DSM Resolves an issue in the Cisco Ironport DSM where users reported TCP_MISS events categorize as ‘Stored’. This RPM release adds a new parsing pattern for TCP_MISS events to ensure that these events parse and categorize as expected.
EMC VMWARE 08/20/2020 DSM Resolves multiple issues in the EMC VMWare DSM: 1. Resolves an issue to add parsing and event types for osfsd, VVold, VSANMGMTSVC, and vsansystem events where users reported the events parsed as ‘Stored’. 2. Enhanced the EMC VMWare DSM to improve categorization of ‘Miscellaneous Hostd Message’ to add Event IDs for ‘State transition’ and ‘Create VM initiated’ events.
MICROSOFT AZURE SECURITY CENTER 08/20/2020 DSM Resolves an issue in the Microsoft Azure Security Center DSM where users reported events parsing as ‘Unknown’. This update includes a change to parsing to confirm that all events parsed by the Microsoft Azure Security Center DSM include an entry for ‘ASC’ or ‘Azure Security Center’ in the vendorInformation JSON object. Events that are owned by the Microsoft Azure Security Center DSM always include the vendorInformation parameter, and the parsing update prevents similar events, such as Microsoft Office 365 Advanced Threat Protection (ATP) or other device types, from being categorized as ‘Unknown’ against the Microsoft Azure Security Center DSM.
MAC OS X 08/20/2020 DSM Resolves multiple issues in the Mac OS X DSM: 1. Resolves an issue where Mac OS X events categorized as ‘Stored’ when RFC 5424 timestamps were included in the event header. This update adds support for RFC 5424 timestamps to ensure the events parse and categorize as expected. 2. Added new event IDs to the QID map for ‘retrieve user by name’, ‘error open file’, ‘mds error’, ‘login window started’, and ‘preferred identity’ events. 3. Resolves an issue where some sshd events were incorrectly categorized as ‘login success’ and ‘login failure’ in the QID map. This update adds event IDs for ‘accepted password’, ‘failed password’, ‘accepted keyboard’, and ‘failed keyboard’ events to ensure these are properly described as login successes or failures. 4. Updated the event ‘Failed for user’ to describe the event as a Login Failure with the description ‘login failure using invalid credentials’, as the previous description was not clear to users.
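The Mac OS X entry above illustrates the two header formats a syslog parser has to accept: the legacy BSD format (RFC 3164, `Aug 20 10:15:30 host app[pid]: msg`) and the structured format (RFC 5424, `<PRI>1 2020-08-20T10:15:30.123Z host app pid msgid sd msg`). A parser written only for the first shape falls through to ‘Stored’ the moment a sender switches to the second. The following added example, which is not IBM's or QRadar's code, parses both headers into one record and then applies a small sshd categorization step that distinguishes ‘accepted’ from ‘failed’ authentication messages (item 3 above). The two sample lines are constructed for the example; the category labels are illustrative and are not QRadar QID names.

```python
import re
from datetime import datetime

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+'
    r'(?P<app>\S+)\s+(?P<pid>\S+)\s+(?P<msgid>\S+)\s+'
    r'(?P<sd>-|(?:\[[^\]]*\])+)\s*(?P<msg>.*)$', re.S)

# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (no year, no zone)
RFC3164 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$', re.S)

# Illustrative sshd message patterns and the category each maps to.
SSHD_CATEGORIES = [
    (re.compile(r'^Accepted (?:password|keyboard-interactive|publickey)\b'), 'Login Success'),
    (re.compile(r'^Failed (?:password|keyboard-interactive|publickey)\b'), 'Login Failure'),
]


def categorize(app, msg):
    """Assign a category from the message text; anything unmatched stays 'Stored'."""
    if app == 'sshd':
        for pattern, category in SSHD_CATEGORIES:
            if pattern.match(msg):
                return category
    return 'Stored'


def parse_syslog(line, default_year=2020):
    """Parse an RFC 5424 or RFC 3164 syslog line into a flat record.

    default_year fills the year that the RFC 3164 header omits; a real collector
    would take it from the receive time.
    """
    m = RFC5424.match(line)
    if m:
        fmt = 'rfc5424'
        # fromisoformat() on older Pythons does not accept a trailing "Z".
        ts = datetime.fromisoformat(m.group('ts').replace('Z', '+00:00'))
        pid = None if m.group('pid') == '-' else m.group('pid')
    else:
        m = RFC3164.match(line)
        if not m:
            return {'format': 'unparsed', 'category': 'Stored', 'message': line}
        fmt = 'rfc3164'
        ts = datetime.strptime(f"{default_year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
        pid = m.group('pid')
    app, msg = m.group('app'), m.group('msg').strip()
    return {
        'format': fmt,
        'priority': int(m.group('pri')),
        'timestamp': ts.isoformat(),
        'host': m.group('host'),
        'app': app,
        'pid': pid,
        'message': msg,
        'category': categorize(app, msg),
    }


# Constructed sample lines: the same kind of sshd event in each header format.
SAMPLE_5424 = ('<13>1 2020-08-20T10:15:30.123Z macbook sshd 412 - - '
               'Failed password for alice from 10.0.0.5 port 2222 ssh2')
SAMPLE_3164 = ('<13>Aug 20 10:15:31 macbook sshd[413]: '
               'Accepted password for bob from 10.0.0.6 port 2223 ssh2')

if __name__ == '__main__':
    for line in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog(line))
```

The order of the two matches matters: the RFC 5424 pattern is tried first because its version digit directly after `<PRI>` cannot appear in a BSD header, whereas a lenient BSD pattern could swallow part of a structured header and misplace the hostname, which is exactly how an otherwise fine event ends up as ‘Stored’.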
IBM SENSE ANALYTICS 08/19/2020 DSM Enhanced the IBM Sense Analytics DSM to add a number of events to the QID map. The new events are intended to support updated machine learning models in a future release of the User Behavior Analytics (UBA) application.
APACHE HTTP SERVER 08/19/2020 DSM Enhanced the Apache HTTP Server DSM to include parsing and a new event category for ModSecurity events. This RPM update adds a QID map for all ModSecurity events to parse as ‘Unknown ModSecurity Event’ in the user interface. Administrators who need further detail can use the DSM Editor to map ‘Unknown ModSecurity Event’ to existing or custom QIDs.
GOOGLE G SUITE ACTIVITY REPORTS 08/14/2020 DSM Release of a new Device Support Module (DSM) to support the collection of audit events from Google G Suite Activity Reports. Administrators who manually update RPMs in QRadar should verify they have the following RPM dependencies installed on the Console before configuring a Google G Suite Activity Reports log source: Google G Suite Activity Reports REST API protocol, Google Common Protocol, Protocol Common, and the Google G Suite Activity Reports DSM.
MICROSOFT OFFICE 365 MESSAGE TRACE 08/14/2020 PROTOCOL Resolves multiple issues in the Microsoft Office 365 Message Trace protocol: 1. Enhanced the protocol to post events to the pipeline immediately, instead of waiting for all data collection to complete. Previously, the Message Trace protocol collected events into an array and then added the data to the event pipeline. 2. Resolves an issue by shortening the initial query time for new log sources to prevent potential out of memory issues as described in APAR IJ26483. This update modifies the initial query time frame to collect from the current time and the last five minutes of data, instead of the last two days, to reduce the event volume and prevent potential memory issues.
OUTPOST24 VULNERABILITY SCANNER 08/14/2020 SCANNER Resolves an issue in the Outpost24 Vulnerability Scanner where a Java exception could prevent the scan import from completing as expected on QRadar 7.3 appliances as described in APAR IJ08038.
F5 NETWORKS BIG-IP LTM 08/04/2020 DSM Resolves a reported issue in the F5 Networks BIG-IP LTM device support module where several audit events displayed as ‘Unknown F5 Networks BIG-IP LTM’. This RPM release updates parsing to categorize obj_delete, create, and modify object audit events as attempted, success, or failure.
LINUX OS 08/04/2020 DSM Resolves multiple issues in the Linux OS DSM: 1. Resolves an issue where the source IP address was not parsed correctly for several sshModuleEnum category events. 2. Resolves an issue where userhelper Red Hat subscription manager authentication events can parse the wrong username from the event payload. 3. Enhanced the Linux OS DSM to add parsing support for MARK events. 4. Resolves an issue where a privilege escalation sudo failure event could be categorized as ‘Successful privilege escalation succeeded’. 5. Resolves an issue where pam_tally2 SSH events categorized as ‘Unknown’. 6. Administrators who manually install RPM files must install the Linux OS DSM together with DSM Common, as an installation dependency exists.
DSM COMMON 08/04/2020 DSM Enhanced the DSM Common framework to support changes in the Linux OS DSM. Administrators who manually install RPM updates must install DSM Common with the Linux OS DSM to ensure that all events parse as expected.
IBM PROVENTIA MANAGEMENT SITEPROTECTOR 08/04/2020 DSM Resolves an issue in the IBM Proventia Management SiteProtector DSM where the log source time did not parse correctly. This RPM update ensures the time field when present in the event payload sets the device time, instead of the AlertDateTime field for JDBC SiteProtector log sources.
JUNIPER JUNOS OS PLATFORM 08/04/2020 DSM Resolves an issue in the Juniper Junos OS Platform DSM where ICMP Firewall Deny events had the Source and Destination Port values reversed.
AMAZON AWS S3 REST API 08/04/2020 PROTOCOL Resolves multiple issues in the Amazon AWS S3 REST API protocol: 1. Enhanced the protocol to add troubleshooting test cases to the QRadar Log Source Management (LSM) app. Administrators with LSM app V5.0 and QRadar 7.3.2 patch 3 (7.3.2.20190705120852) or later can test Amazon AWS REST protocol configurations. 2. Added a new user interface parameter to support path-style buckets with a ‘Use S3 Path-style access’ option. 3. Resolves several issues where users reported problems using slashes, tilde, and plus symbols in a directory prefix. 4. Improved protocol performance for a potential out of memory issue. 5. Improved SQS Notification performance to use a maximum of 10 messages in the next batch, instead of a single SQS request. 6. Updated error logging to reduce the number of information messages written to the logs when ‘Use Proxy’ is configured in the log source. 7. Resolves an issue where S3 buckets can retrieve previously collected events as described in APAR IJ26748.
CENTRIFY REDROCK REST API 07/29/2020 PROTOCOL This RPM release of the Centrify RedRock REST API protocol includes the following modifications: 1. Enhanced the protocol to support a new `Tenant URL` field in the log source configuration, such as tenantId.my.centrify.com. This protocol update allows the Centrify RedRock REST API protocol to collect events from Centrify and CyberArk Idaptiv endpoints. 2. Enhanced the date formats in the Centrify RedRock REST API protocol. This change allows event query strings to adapt to date format differences when the protocol polls a Centrify or an Idaptiv SaaS hosted solution.
LINUX DHCP SERVER 07/29/2020 DSM The Linux DHCP Server DSM includes multiple updates: 1. Enhanced the Linux DHCP DSM to identify and parse DHCP events for users with Netgate pfSense devices. Administrators who enable their Netgate pfSense devices to collect DHCP events must install the latest version of the Linux DHCP Server DSM to ensure that DHCP events parse and categorize correctly. 2. Resolves an issue where MAC addresses did not parse correctly from some DHCP events in Netgate pfSense.
NETGATE PFSENSE 07/29/2020 DSM Release of a new Device Support Module (DSM) to parse and categorize system, firewall, DNS, and DHCP Syslog events from Netgate pfSense. This new integration supports Netgate pfSense V2.4.4 and includes automatic discovery of events. Administrators who manually update RPM files on their QRadar Console must install the latest versions of following files as parsing and QID map dependencies can exist when certain features are enabled on your Netgate pfSense device: DSM Common, Linux DHCP (required if DHCP parsing is enabled), and Sourcefire Snort (required if Snort is enabled).
MCAFEE EPOLICY ORCHESTRATOR 07/23/2020 DSM Enhanced the McAfee ePolicy Orchestrator DSM to add support for TLS Syslog event collection of XML formatted logs for users with McAfee ePolicy Orchestrator v5.1.0. Administrators can review the McAfee ePolicy Orchestrator chapter in the DSM Configuration Guide for instructions on how to configure the TLS Syslog protocol.
PULSE SECURE PULSE CONNECT SECURE 07/22/2020 DSM Resolves a reported issue where the Source and Destination IP address could display the same value. The DSM update includes an additional check to validate if a source IP address is the same as the destination and includes logic to fall back to the packet IP address if this condition occurs.
SOLARIS OPERATING SYSTEM AUTHENTICATION MESSAGES 07/22/2020 DSM Resolves a reported issue where an S-TAP event for a memory buffer space issue categorized as ‘Stored’. This update allows ‘NO Enough Space in STAP buffer’ events to parse and categorize properly from the Solaris operating system.
SYMANTEC ENDPOINT PROTECTION 07/22/2020 DSM Resolves several reported issues in the Symantec Endpoint Protection DSM: 1. Updated the QID map to add a new categorization for Denial of Service ‘Smurf’ attack detected events. 2. Resolves a categorization issue where the firewall allow status event, ‘The traffic from IP address X.X.X.X was blocked for 60 seconds’ was incorrectly categorized as a firewall deny. Symantec Endpoint uses ‘was blocked’ to identify a firewall allow condition where a traffic restriction is removed, allowing traffic for the defined IP address. 3. Resolves an issue where Local Port and Remote Port fields were not extracted properly from the event payload, causing the fields to not display in the user interface as expected. 4. Resolves an issue where ‘Scan could not open file’ events were incorrectly categorized as Miscellaneous Symantec Endpoint event.
INFOBLOX NIOS 07/22/2020 DSM Resolves multiple issues in the InfoBlox NIOS DSM: 1. Resolves an issue where two DHCP events, ‘Reverse map update’ and ‘DDNS lease pointer clean up’, can categorize as ‘Unknown’. 2. Updated parsing to handle event format changes where InfoBlox and BIND can include an object identifier in DNS queries that occurs after the client id, but before the IP address in the payload. 3. Resolves an issue to add parsing and a QID map update for ‘Possible DNS attack ongoing’. This change prevents the events from being potentially categorized as ‘Misc Bind message’. 4. Added parsing for Login_Denied events. This update resolves a reported issue where a Login_Denied event could fall back to a categorization of ‘Mic httpd daemon message’.
MCAFEE NETWORK SECURITY PLATFORM 07/21/2020 DSM Resolves an issue in the McAfee Network Security Platform DSM where users reported some events categorize as ‘Stored’. This RPM release includes a parsing change to adapt to event format updates in McAfee Network Security Manager v10.1 where the vendor removed expected delimiters from their event payloads. The following events previously categorized as ‘Stored’ due to this event format change: Generate MDR Dump, Sensor CLI actions, Network Security Manager Login failed, Network Security Manager Login, and Network Security Manager Logoff. This RPM release ensures that McAfee Network Security Manager v10.1 events parse and categorize as expected.
MICROSOFT DHCP SERVER 07/15/2020 DSM Enhanced the Microsoft DHCP Server device support module (DSM) to add parsing and categorization for French and Spanish language DHCP events.
CHECK POINT 07/15/2020 DSM Resolves an issue where Check Point events categorize as ‘Stored’ for compliance events. This RPM release adds parsing for compliance events sent as non-LEEF formatted payloads.
ARUBA CLEARPASS POLICY MANAGER 07/15/2020 DSM Resolves multiple issues in the Aruba ClearPass Policy Manager DSM: 1. Resolves an issue where several events from Aruba ClearPass Insight logs were parsing as ‘Unknown’. This RPM release adds parsing for several predefined and default events from Insight logs to prevent ‘Unknown’ events, such as Radius Authentications, TACACS Authentication, WebAUTH, Application authentication, Endpoints, Onboard, Posture, and Guest Access events. 2. Resolves a spelling error in the field name Tacacs.Auth-Source, which caused events to categorize as ‘Unknown Aruba ClearPass’.
CITRIX NETSCALER 07/10/2020 DSM Resolves an issue in the Citrix NetScaler DSM where Packet Engine events that contain two digits for multicore processors, such as PPE-xx, categorize as ‘Stored’. This RPM release resolves this reported issue.
MICROSOFT WINDOWS SECURITY EVENT LOG 07/10/2020 DSM Enhanced the Microsoft Windows Security Event Log DSM to include support for parsing events from Winlogbeat version 7.7.
BLUE COAT WSS REST API 07/03/2020 PROTOCOL Resolves multiple issues in the BlueCoat WSS REST API protocol: 1. Resolves an issue where the provider threads could restart several times and cause the API to throttle queries, preventing the log source from starting successfully. 2. Updated the code base to use a new HTTP Client for executing API queries and added a new library for processing zip files. 3. Updated the protocol user interface to remove the automatic certificate download option as it is no longer necessary. 4. Resolves an issue where the directory name or path might generate incorrectly for unzipped folders. 5. Resolves an issue where corrupt zip files might not be deleted. 6. Resolves an issue that can potentially lead to an index-out-of-bounds exception when trying to extract a sync status from a corrupt zip file. The weekly auto update published on 09 July 2020 includes this change.
SALESFORCE REST API 07/03/2020 PROTOCOL Resolves an issue in the Salesforce REST API protocol where administrators can deselect all query types in the user interface, preventing the protocol from collecting events. This RPM release adds user interface validation to ensure that an error message displays when no query types are selected in the log source configuration.
OKTA REST API 07/03/2020 PROTOCOL Enhanced the Okta REST API protocol to add a feature where administrators can track QRadar requests to the Okta API using the HTTP Client User Agent string. Resolves an issue in the Okta REST API protocol where the HTTP Client can become unresponsive, as described in APAR IJ22340. Administrators who experience collection issues can install this protocol update to avoid the workaround of disabling and enabling the Okta log source as described in APAR IJ22340.
SQUID WEB PROXY 07/03/2020 DSM Resolves a reported issue in the Squid Web Proxy DSM where IPv6 addresses in the payload can cause the event to categorize as ‘Stored’. This RPM update adds parsing for IPv6 addresses to ensure that payloads with values such as ::1 display as expected. The weekly auto update published on 09 July 2020 includes this change.
CISCO IRONPORT 07/03/2020 DSM Resolves a reported issue in the Cisco Ironport device support module (DSM) to add a parsing format and a QID map update for mssp_audit_log events. This RPM release also includes an update to ensure that timestamps without a year value parse as expected. The weekly auto update published on 09 July 2020 includes this change.
OKTA IDENTITY MANAGEMENT 07/03/2020 DSM Resolves an issue in the Okta Identity Management DSM where System Log Endpoint events might categorize as ‘Stored’. This RPM release includes a parsing update to ensure that the time zone displays correctly from the timestamp in the logs. The weekly auto update published on 09 July 2020 includes this change.
MICROSOFT DNS DEBUG 07/03/2020 DSM Resolves an issue in the Microsoft DNS Debug device support module (DSM) where the day and month field might be reversed in the ‘Date’ field based on the timezone of the client. This RPM update extracts the day and month of the Date from the event header to ensure that the date field displays properly. The weekly auto update published on 09 July 2020 includes this change.
MICROSOFT OFFICE 365 MESSAGE TRACE 06/30/2020 DSM Release of a new device support module (DSM) to support parsing and categorization of Microsoft Office 365 message trace JSON events. Administrators must have permissions to report data from their Microsoft Office 365 environment and the QRadar appliance must be able to connect to reports.office365.com on port 443. Users who manually apply auto updates to their Console must download and install the Office 365 Message Trace REST API protocol as the DSM includes an installation dependency. The Office 365 Message Trace REST API protocol provides log source tests for administrators with Log Source Management app v5.x and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later.
MICROSOFT SQL SERVER 06/25/2020 DSM Enhanced the Microsoft SQL Server device support module (DSM) to add parsing for SQL Server events sent by Windows Event Forwarding (WEF) subscriptions.
DSM COMMON 06/25/2020 DSM Resolves a reported issue where several events can parse as ‘Unknown’ or ‘Stored’ due to LEEF events containing a leading tab delimiter after the header, but before the first name value pair. This RPM update is associated with parsing changes in the Crowdstrike Falcon Host DSM. Administrators who manually update RPMs must ensure that both the Crowdstrike Falcon and DSM Common updates are applied to the Console appliance.
FREERADIUS 06/25/2020 DSM Resolves an issue in the FreeRADIUS device support module (DSM) to review and categorize ‘Unknown’ events. This RPM release includes a parsing update to account for Event IDs that might contain extra square brackets or colon characters, causing some events to be unable to map to existing QIDs correctly.
IBM SECURITY TRUSTEER 06/22/2020 DSM Release of a new Device Support Module (DSM) to collect and parse HTTP JSON formatted events from IBM Security Trusteer on port 12469 (default). This new DSM supports parsing and categorization for IBM Security Trusteer V9 alerts and requires the latest version of the HTTP Receiver protocol to collect events.
MICROSOFT IIS 06/18/2020 DSM Resolves multiple issues in the Microsoft IIS DSM: 1. Resolves an issue where the Log Source Time field might display AM instead of PM for some events. This RPM update corrects the time format from yyyy-MM-dd hh:mm:ss to yyyy-MM-dd HH:mm:ss to ensure the Log Source Time is correct. 2. This release includes an update to support parsing Windows IIS events sent by Windows Event Forwarding (WEF) subscriptions.
MICROSOFT AZURE SECURITY CENTER 06/18/2020 DSM Resolves an issue in the Microsoft Azure Security Center DSM to remove extra quotation marks from several QID map descriptions.
OPSEC / LEA PROTOCOL 06/18/2020 PROTOCOL Resolves an issue where users who leverage the API or Log Source Management app to update log sources can experience ‘invalid certification filename’ errors that prevent the log source from saving properly. This issue is identified in APAR IJ19050: ‘Error: Invalid certificate filename when using the log source management app to configure a Check Point log source’. This protocol update corrects the certificate validation issue, allowing QRadar 7.4 administrators to save their Check Point log sources from the Log Source Management app.
CROWDSTRIKE FALCON HOST 06/18/2020 DSM Resolves a reported issue in the CrowdStrike Falcon Host DSM where several events parsed as ‘Unknown’ or ‘Stored’ due to LEEF events containing a leading tab delimiter after the header, but before the first name value pair. This RPM release includes a QID map update and resolves several unknown event IDs.
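The DSM Common and CrowdStrike Falcon Host entries above both describe the same parsing defect: a LEEF payload whose attribute section starts with a tab delimiter rather than the first name=value pair. The following added example (written for this page, not code from the QRadar DSMs) contrasts a brittle attribute splitter that breaks on that leading tab with a tolerant LEEF 1.0/2.0 parser that skips empty tokens; the sample events and vendor names are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample events (not from any real product feed). The second one
# carries the defect the release notes describe: a tab directly after the
# header pipe, before the first name=value pair. The third is LEEF 2.0 with an
# explicit delimiter field ("x09" = tab) and the same leading tab.
CLEAN_EVENT = "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|LoginFailure|src=10.0.0.5\tusrName=alice\tsev=3"
LEADING_TAB_EVENT = "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|LoginFailure|\tsrc=10.0.0.5\tusrName=alice\tsev=3"
LEEF2_EVENT = "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|LoginFailure|x09|\tsrc=10.0.0.5\tusrName=alice\tsev=3"

_HEX_DELIM = re.compile(r"^x([0-9A-Fa-f]{2})$")


def decode_delimiter(field: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' is a hex code, else literal."""
    if field == "":
        return "\t"
    m = _HEX_DELIM.match(field)
    if m:
        return chr(int(m.group(1), 16))
    return field


def naive_attributes(line: str) -> Dict[str, str]:
    """Brittle splitter: assumes every tab-delimited token is key=value (LEEF 1.0 only)."""
    body = line.split("|", 5)[5]
    # The empty token produced by a leading tab has no '=' and makes dict() raise.
    return dict(token.split("=", 1) for token in body.split("\t"))


def naive_fails(line: str) -> bool:
    """True when the brittle splitter cannot handle the event at all."""
    try:
        naive_attributes(line)
        return False
    except ValueError:
        return True


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Tolerant parser: returns (header, attributes) for LEEF 1.0 and 2.0 events."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    version = line[5:line.index("|")]
    header_fields = 6 if version.startswith("2") else 5  # 2.0 adds a delimiter field
    parts = line.split("|", header_fields)
    if len(parts) != header_fields + 1:
        raise ValueError("truncated LEEF header")
    header = {
        "version": version,
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    if header_fields == 6:
        delim, body = decode_delimiter(parts[5]), parts[6]
    else:
        delim, body = "\t", parts[5]
    attrs: Dict[str, str] = {}
    for token in body.split(delim):
        if token == "":  # leading, trailing or doubled delimiter: skip rather than fail
            continue
        key, sep, value = token.partition("=")
        if not sep:  # token without '=': skip it but keep parsing the rest
            continue
        attrs[key.strip()] = value
    return header, attrs
```

The event ID in the header is what a QID lookup keys on, so a parser that bails out before reaching it is exactly how an otherwise well-formed event ends up as ‘Unknown’ or ‘Stored’.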
VMWARE VCLOUD 06/18/2020 DSM Resolves an issue in the VMware vCloud device support module (DSM) to add support for VMware vCloud V9. This RPM release adds five new events to the QID map that were previously identified as ‘Unknown’ and includes a parsing update for cases where the Source IP address might not display as expected. Administrators who do not use QRadar weekly auto updates must manually install this DSM update and the VMware vCloud Director protocol RPM on the QRadar Console to successfully retrieve VMware vCloud V9 event data.
MICROSOFT WINDOWS SERVER EVENT LOG 06/11/2020 DSM Resolves multiple issues in the Microsoft Windows Server Event Log DSM: 1. Resolves an issue where a Syslog header that appears in front of the JSON payload might cause the event to categorize as ‘Stored’. 2. Resolves an issue where LEEF events might categorize as ‘Stored’ due to an issue with the devTime format. 3. Resolves an issue for Sysmon events where the username did not display properly when the username contains a backslash separator. Usernames that appear in the payload as ‘NT Authority\Local Service’ should display as ‘Local Service’ in the user interface.
POSTFIX MAIL TRANSFER AGENT 06/11/2020 DSM Resolves an issue in the PostFix Mail Transfer Agent DSM where the Source IP and Destination IP might be reversed. This update tightens parsing patterns to account for whitespace issues in the event fields and payloads where ‘connection to’ versus ‘connect to’ IP address might be unexpectedly reversed. This RPM release also includes new parsing patterns to ensure that relay events properly identify the Destination IP address.
HTTP RECEIVER 06/11/2020 PROTOCOL Enhanced the HTTP Receiver protocol to update connection handling. This update improves connection handling and switches connections to use HTTPS instead of TLS, to conform more closely to HTTP specifications. This HTTP Receiver protocol update adds troubleshooting test cases to the QRadar Log Source Management (LSM) app. Administrators with LSM app v5.0.0 and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later can test protocol configurations when they add or edit HTTP Receiver log sources.
GOOGLE CLOUD AUDIT 06/11/2020 DSM Resolves an issue in the Google Cloud Audit DSM where the Status field might not be captured properly. This update ensures that parsing patterns collect the Status field from the event to provide more information to the administrator and adds a description line to the Event Name in the QID map.
CISCO FIREPOWER THREAT DEFENSE 06/05/2020 DSM Release of a new DSM to parse Syslog events from Cisco Firepower Threat Defense. Previously, Cisco Firepower Threat Defense (FTD-X-XXXXXX) events were parsed by the Cisco Firepower Management Center DSM. This update ensures that Cisco Firepower Threat Defense events are captured by a new unique DSM. Administrators who collect Threat Defense event data should install the new Cisco Firepower Threat Defense DSM and review the documentation for this log source configuration.
CISCO FIREPOWER MANAGEMENT CENTER 06/05/2020 DSM This release of the Cisco Firepower Management Center DSM is being issued to move threat defense events (FTD-X-XXXXXX) to a unique DSM for Cisco Firepower Threat Defense (FTD). The Cisco Firepower Management Center DSM will continue to collect events through the eStreamer API and Syslog protocols, but this release removes log source auto discovery from the Cisco Firepower Management Center DSM. This is an important notice to administrators: the Cisco Firepower Management Center DSM still retains the ability to parse threat defense events, but the log source no longer supports auto discovery (traffic analysis) on appliances. Administrators who rely on the collection of threat defense event data should manually configure log sources for Syslog (FTD-X-XXXXX) event data or use the new Cisco Firepower Threat Defense DSM, which auto discovers Syslog events. Syslog parsing of events in Cisco FMC will be removed in a future update.
SONICWALL SONICOS 06/05/2020 DSM Resolves multiple issues in the SonicWall SonicOS DSM: 1. Resolves an issue in the SonicWall SonicOS DSM where the Syslog data can auto discover as Proofpoint Enterprise log source events. 2. Administrators reported an issue where the username can display as ‘TCP’ in the user interface for SonicWall NSv200 virtual firewall appliances from TCP connection event payloads. This RPM release corrects the username parsing issue.
MICROSOFT AZURE PLATFORM 06/05/2020 DSM Enhanced the Microsoft Azure Platform DSM to include more granular categorizations for SQL Security Audit events based on the ‘action_name’ field from the event payload.
TLS SYSLOG PROTOCOL 06/05/2020 PROTOCOL Enhanced the TLS Syslog protocol to support multi-line event data and adds the ‘Use as Gateway Log Source’ option to the user interface. This RPM release updates the TLS Syslog protocol to bring feature parity with Syslog Redirect and TCP Syslog Multiline protocols.
EMC VMWARE 05/29/2020 DSM Resolves multiple issues in the EMC VMWare DSM: 1. Resolves an issue where events with payloads for iofiltervpd or backup.sh were categorized as ‘Stored’. 2. Completed a review for QIDs where the Username, Source IP, log source time, or port information did not display correctly in the user interface for some QIDs. This release reviews and updates several events to ensure the data displays in the user interface, such as mountToolsInstaller, DatastoreFileDeletedEvent, rhttpproxy SSH handshake failure, rights added and rights removed events.
VMWARE VCENTER 05/29/2020 DSM Resolves multiple issues in the VMWare vCenter DSM: 1. Resolves an issue where events with payloads for iofiltervpd or backup.sh were categorized as ‘Stored’. 2. Completed a review for QIDs where the Username, Source IP, log source time, or port information did not display correctly in the user interface for some QIDs. This release reviews and updates several events to ensure the data displays in the user interface, such as mountToolsInstaller, DatastoreFileDeletedEvent, rhttpproxy SSH handshake failure, rights added and rights removed events.
JUNIPER JUNOS OS PLATFORM 05/29/2020 DSM Resolves an issue in the Juniper Junos OS Platform DSM to add support for parsing JService events from Juniper MX Series devices.
CISCO MERAKI 05/21/2020 DSM Resolves a reported issue where Cisco Meraki events were categorized as ‘Stored’ for ip flow start, ip_flow_end, and layer 7 (l7) events.
PROTOCOL COMMON 05/21/2020 PROTOCOL Enhanced the Protocol Common framework to support collection for multiline TLS Syslog events. Administrators now have the option to select Enable Multiline in the user interface and define if the parsing patterns are based on a recurring beginning line value (ID-Linked) or if a start and end matching pattern is defined by the administrator using regular expressions.
AMAZON AWS S3 REST API 05/21/2020 PROTOCOL Resolves an issue where the Amazon AWS S3 Rest API protocol can become stuck in an infinite loop, preventing the log source from properly collecting events. This protocol issue is defined in APAR IJ160038 and installing the latest version of the Amazon AWS S3 Rest API protocol resolves the SSLHandshakeException loop to allow proper event collection.
SDEE PROTOCOL 05/21/2020 PROTOCOL Enhanced the SDEE Protocol to resolve a security vulnerability.
CISCO FIREWALL DEVICES 05/20/2020 DSM Resolves an issue in the Cisco Firewall Devices DSM to update parsing patterns. This RPM release corrects an issue where Cisco Firepower Threat Defense (FTD) event data might unintentionally be captured by Cisco Adaptive Security Appliance parsing patterns, which causes parsing issues for source and destination IP addresses.
FORTINET FORTIGATE SECURITY GATEWAY 05/20/2020 DSM Resolves an issue in the Fortinet Fortigate Security Gateway DSM to set severity for the parsed event according to the payload value. This change allows QRadar to more accurately reflect the severity in the event payload as defined by Fortinet and prevents issues where customers might see events identified with high or info that have the same numeric severity (9). This change updates the QID map to use severity levels that directly associate to Fortinet alert levels: info is severity 1, low is severity 3, medium is severity 5, high is severity 7, and critical is severity 9 for all parsed events after this RPM update.
TREND MICRO DEEP SECURITY 05/20/2020 DSM Resolves an issue in the Trend Micro Deep Security DSM where the Source IP address might not display properly when the payload does not contain a Source (src) value. This RPM release updates parsing to allow the Trend Micro Deep Security DSM to extract a Source IP address from the dvc or dvchost fields when the src address is empty.
GOOGLE CLOUD AUDIT 05/21/2020 DSM Release of a new device support module (DSM) to parse and categorize JSON formatted Google Cloud Audit Log events. The Google Cloud Audit Log DSM parses storage, list, and update event types from the following services: Google Compute Engine, Identity Access Management, Identity Platform, and Cloud Storage. Administrators must have the latest versions of the following protocols installed to successfully collect Google Cloud Audit Log data: Google Cloud Pub Sub Protocol, Google Common Protocol, and Protocol Common.
SALESFORCE REST API 05/16/2020 PROTOCOL Resolves an issue in the Salesforce REST API protocol where an ‘Invalid URL Exception’ could be generated in the user interface when an administrator attempts to create a log source with the Log Source Management application. This RPM release resolves the exception and allows the log source to be created successfully.
MICROSOFT GRAPH SECURITY API 05/05/2020 PROTOCOL Release of a new protocol to support event collection from the Microsoft Graph Security API. The latest version of Protocol Common must be installed to use the Microsoft Graph Security API protocol. Administrators must use the DSM Editor to create a log source type to collect Microsoft Graph Security API events. This protocol release includes test functionality that allows administrators with the Log Source Management application v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Microsoft Graph Security API protocol connections.
SMB TAIL PROTOCOL 05/05/2020 PROTOCOL This update includes several resolved issues for the SMB Tail protocol: 1. Resolves an issue where SMB3 needed an account with permissions higher than read-only to collect event data. 2. Enhanced the protocol for administrators with the Log Source Management app v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot SMB Tail log source configurations. 3. Resolves an issue where, after the protocol reconnects, the SMB Tail protocol status did not transition to a success state. 4. Resolves an issue where the communication option for ‘AUTO’ might default to the SMB1 protocol and SMB3 or SMB2 configurations could not be selected.
ORACLE DATABASE LISTENER 05/05/2020 PROTOCOL This update includes several resolved issues for the Oracle Database Listener protocol: 1. Resolves an issue where SMB3 needed an account with permissions higher than read-only to collect event data. 2. Enhanced the protocol for administrators with the Log Source Management app v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Oracle Database Listener log source configurations. 3. Resolves an issue where, after the protocol reconnects, the Oracle Database Listener protocol status did not transition to a success state. 4. Resolves an issue where the communication option for ‘AUTO’ might default to the SMB1 protocol and SMB3 or SMB2 configurations could not be selected.
MICROSOFT IIS PROTOCOL 05/05/2020 PROTOCOL This update includes several resolved issues for the Microsoft IIS protocol: 1. Resolves an issue where SMB3 needed an account with permissions higher than read-only to collect event data. 2. Enhanced the protocol for administrators with the Log Source Management app v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Microsoft IIS log source configurations. 3. Resolves an issue where, after the protocol reconnects, the Microsoft IIS protocol status did not transition to a success state. 4. Resolves an issue where the communication option for ‘AUTO’ might default to the SMB1 protocol and SMB3 or SMB2 configurations could not be selected.
MICROSOFT EXCHANGE PROTOCOL 05/05/2020 PROTOCOL This update includes several resolved issues for the Microsoft Exchange protocol: 1. Resolves an issue where SMB3 needed an account with permissions higher than read-only to collect event data. 2. Enhanced the protocol for administrators with the Log Source Management app v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Microsoft Exchange log source configurations. 3. Resolves an issue where, after the protocol reconnects, the Microsoft Exchange protocol status did not transition to a success state. 4. Resolves an issue where the communication option for ‘AUTO’ might default to the SMB1 protocol and SMB3 or SMB2 configurations could not be selected.
MICROSOFT DHCP PROTOCOL 05/05/2020 PROTOCOL This update includes several resolved issues for the Microsoft DHCP protocol: 1. Resolves an issue where SMB3 needed an account with permissions higher than read-only to collect event data. 2. Enhanced the protocol for administrators with the Log Source Management app v5.x or later and QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) or later to troubleshoot Microsoft DHCP log source configurations. 3. Resolves an issue where, after the protocol reconnects, the Microsoft DHCP protocol status did not transition to a success state. 4. Resolves an issue where the communication option for ‘AUTO’ might default to the SMB1 protocol and SMB3 or SMB2 configurations could not be selected.
MICROSOFT AZURE EVENT HUBS 05/05/2020 PROTOCOL Enhanced the Microsoft Azure Event Hubs protocol to add support for ‘Use as Gateway Log Source’ options in the user interface. This update allows administrators to configure log sources with regular expression parameters to identify events that should be created as unique log sources, instead of specifying a single log source identifier.