LightCyber Magna
The IBM QRadar DSM for LightCyber Magna collects events from a LightCyber Magna device.
The following table describes the specifications for the LightCyber Magna DSM:
Important: Due to formatting issues, paste the message format into a text editor and then
remove any carriage return or line feed characters.
Specification | Value |
---|---|
Manufacturer | LightCyber |
DSM name | LightCyber Magna |
RPM file name | DSM-LightCyberMagna-QRadar_version-build_number.noarch.rpm |
Supported versions | 3.9 |
Protocol | Syslog |
Event format | LEEF |
Recorded event types | C&C, Exfilt, Lateral, Malware, Recon |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | LightCyber website (https://www.lightcyber.com) |
To integrate LightCyber Magna with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - DSMCommon RPM
  - LightCyber Magna DSM RPM
- Configure your LightCyber Magna device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a LightCyber Magna log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from LightCyber Magna:
Table 2. LightCyber Magna log source parameters

Parameter | Value |
---|---|
Log Source type | LightCyber Magna |
Protocol Configuration | Syslog |
Log Source Identifier | Type a unique identifier for the log source. |

- To verify that QRadar is configured correctly, review the following table to see an example of a normalized audit event message.

The following table shows a sample event message from LightCyber Magna:

Table 3. LightCyber Magna sample message

Event name | Low level category |
---|---|
Suspicious Riskware | Misc Malware |

Sample log message:

```text
LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|type=Riskware sev=7 devTime=Sep 18 2016 08:26:08 devTimeFormat=MMM dd yyyy HH:mm:ss devTimeEnd=Sep 29 2016 15:26:47 devTimeEndFormat=MMM dd yyyy HH:mm:ss msg=Riskware alert (0 ) app= dstPort= usrName= shostId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx shost=PC04 src=<Source_IP_address> srcMAC=<Source_MAC_address> status=Suspicious filePath=c:\program files\galaxy must\galaxy must.exe malwareName=W32.HfsAutoB.3DF2 fileHash=d836433d538d864d21a4e0f7d66e30d2 externalId=16100 sdeviceExternalId=32373337-3938-5A43-4A35-313030303336
```
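The following parser is an added example, not code from IBM or LightCyber, that walks through the sample message above the way a detection engineer would before writing rules against it: it validates the LEEF 2.0 header, splits the attributes, converts the Java-style `devTimeFormat` pattern that the event declares into a `strptime` format, and reports which keys arrive empty (`app=`, `dstPort=`, `usrName=` in the sample). It assumes the attributes are tab-delimited as LEEF sends them (the table rendering shows spaces), that the header has the five-field shape shown in the sample with no optional delimiter field, and that only the date-pattern tokens present in the sample need translating. The embedded event is a constructed copy of the sample with a CR/LF inserted to mimic the wrapping problem the "Important" note describes; the parser strips those characters first, as the note tells you to do by hand.

```python
import re
from datetime import datetime

# Constructed sample: the LightCyber Magna LEEF event from Table 3, tab-delimited
# as LEEF 2.0 sends it, with a stray CR/LF inserted after status=Suspicious to
# mimic the line-wrapping problem the page's "Important" note warns about.
SAMPLE_EVENT = (
    "LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|"
    "type=Riskware\tsev=7\t"
    "devTime=Sep 18 2016 08:26:08\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "devTimeEnd=Sep 29 2016 15:26:47\tdevTimeEndFormat=MMM dd yyyy HH:mm:ss\t"
    "msg=Riskware alert (0 )\tapp=\tdstPort=\tusrName=\t"
    "shostId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\tshost=PC04\t"
    "src=<Source_IP_address>\tsrcMAC=<Source_MAC_address>\tstatus=Suspicious\t\r\n"
    "filePath=c:\\program files\\galaxy must\\galaxy must.exe\t"
    "malwareName=W32.HfsAutoB.3DF2\tfileHash=d836433d538d864d21a4e0f7d66e30d2\t"
    "externalId=16100\tsdeviceExternalId=32373337-3938-5A43-4A35-313030303336"
)

HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")

# Split the attribute section on whitespace (tab or space) only where the next
# token looks like "key=", so values that contain spaces ("Riskware alert (0 )",
# the Windows file path) are kept whole.
_ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9_]*=)")

# Java-style date pattern tokens (as used by devTimeFormat) to strptime codes.
# Assumption: only this subset of tokens is needed for the formats in the sample.
_JAVA_TO_STRPTIME = (
    ("yyyy", "%Y"), ("MMM", "%b"), ("MM", "%m"),
    ("dd", "%d"), ("HH", "%H"), ("mm", "%M"), ("ss", "%S"),
)


def java_pattern_to_strptime(pattern):
    """Translate a devTimeFormat pattern such as 'MMM dd yyyy HH:mm:ss'."""
    for java_token, py_code in _JAVA_TO_STRPTIME:
        pattern = pattern.replace(java_token, py_code)
    return pattern


def parse_leef(raw):
    """Return (header, attributes) for one LEEF 2.0 event.

    Assumes the header shape used in the sample (five pipe-delimited fields,
    no optional delimiter field). CR/LF characters are dropped first, which is
    what the page tells you to do with the pasted message format.
    """
    line = raw.replace("\r", "").replace("\n", "")
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("expected 5 pipe-delimited header fields before the attributes")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]
    attributes = {}
    for token in _ATTR_SPLIT.split(parts[5].strip()):
        key, _, value = token.partition("=")
        attributes[key] = value.strip()
    return header, attributes


def event_times(attributes):
    """Parse devTime/devTimeEnd using the formats the event itself declares."""
    start_fmt = java_pattern_to_strptime(attributes["devTimeFormat"])
    end_fmt = java_pattern_to_strptime(
        attributes.get("devTimeEndFormat", attributes["devTimeFormat"]))
    start = datetime.strptime(attributes["devTime"], start_fmt)
    end = datetime.strptime(attributes["devTimeEnd"], end_fmt)
    return start, end


def summarize(raw):
    """Pull out the fields an analyst would triage on, plus data-quality notes."""
    header, attrs = parse_leef(raw)
    start, end = event_times(attrs)
    return {
        "source": f"{header['vendor']} {header['product']} {header['product_version']}",
        "event_id": header["event_id"],
        "category": attrs.get("type"),
        "severity": int(attrs["sev"]),
        "status": attrs.get("status"),
        "host": attrs.get("shost"),
        "malware": attrs.get("malwareName"),
        "file_hash": attrs.get("fileHash"),
        "file_path": attrs.get("filePath"),
        # How long the indicator was active between devTime and devTimeEnd.
        "active_seconds": int((end - start).total_seconds()),
        # Keys present but empty (app=, dstPort=, usrName= in the sample): worth
        # knowing before writing rules that expect those fields to be populated.
        "empty_fields": sorted(k for k, v in attrs.items() if v == ""),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run the file directly to see the triage summary for the sample; `summarize()` can be pointed at any event captured from the syslog feed in the same header shape. The whitespace-before-`key=` split is a pragmatic choice for the page's sample and would misparse a free-text `msg` value that itself contained a `word=` token, so on a real feed prefer the tab delimiter alone once you have confirmed the device sends it.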