LightCyber Magna

The IBM QRadar DSM for LightCyber Magna collects events from a LightCyber Magna device.

The following table describes the specifications for the LightCyber Magna DSM:
Important: The sample log message in Table 3 is wrapped for display, and its tab-delimited LEEF attributes appear as runs of spaces. Before you use that message (for example, to test whether QRadar parses it), paste it into a text editor and remove any carriage return or line feed characters so that it is a single line.
Table 1. LightCyber Magna DSM specifications
Specification                 Value
Manufacturer                  LightCyber
DSM name                      LightCyber Magna
RPM file name                 DSM-LightCyberMagna-QRadar_version-build_number.noarch.rpm
Supported versions            3.9
Protocol                      Syslog
Event format                  LEEF
Recorded event types          C&C, Exfilt, Lateral, Malware, Recon
Automatically discovered?     Yes
Includes identity?            No
Includes custom properties?   No
More information              LightCyber website (https://www.lightcyber.com)
To integrate LightCyber Magna with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • DSMCommon RPM
    • LightCyber Magna DSM RPM
  2. Configure your LightCyber Magna device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a LightCyber Magna log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from LightCyber Magna:
    Table 2. LightCyber Magna log source parameters
    Parameter                 Value
    Log Source type           LightCyber Magna
    Protocol Configuration    Syslog
    Log Source Identifier     A unique identifier for the log source, typically the IP address or host name of the LightCyber Magna device as it appears in the syslog header of the events it sends.
  4. To verify that QRadar is configured correctly, review the following table to see an example of a normalized event message.
    The following table shows a sample event message from LightCyber Magna:
    Table 3. LightCyber Magna sample message
    Event name: Suspicious Riskware
    Low level category: Misc Malware
    Sample log message (the LEEF 2.0 header declares no delimiter, so the attributes are tab-delimited; the tabs are shown here as runs of spaces):
    LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|type=Riskware   sev=7   devTime=Sep 18 2016 08:26:08    devTimeFormat=MMM dd yyyy HH:mm:ss     devTimeEnd=Sep 29 2016 15:26:47 devTimeEndFormat=MMM dd yyyy HH:mm:ss   msg=Riskware alert (0 ) app=    dstPort=        usrName=        shostId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    shost=PC04    src=<Source_IP_address> srcMAC=<Source_MAC_address>        status=Suspicious       filePath=c:\program files\galaxy must\galaxy must.exe   malwareName=W32.HfsAutoB.3DF2   fileHash=d836433d538d864d21a4e0f7d66e30d2       externalId=16100        sdeviceExternalId=32373337-3938-5A43-4A35-313030303336
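The following is an added example, not IBM's or LightCyber's code, that works through the message format in Table 3 and the verification step above: it strips the CR/LF characters the Important note warns about, splits the LEEF header from its attributes (handling the tab default of a five-field LEEF 2.0 header as well as an explicitly declared delimiter), parses devTime using the Java-style devTimeFormat the event carries, and frames the event in an RFC 3164 syslog line whose hostname matches the Log Source Identifier from Table 2. The sample event is constructed from Table 3 with tabs restored; the IP and MAC addresses are documentation values substituted for the page's placeholders, and the function names are this example's own.

```python
"""Parse LightCyber Magna LEEF events and wrap them in syslog for QRadar.

Added example, not IBM or LightCyber code.  Assumes the Table 3 wire format:
a LEEF 2.0 header with five fields (so attributes are tab-delimited) and
Java SimpleDateFormat strings in devTimeFormat/devTimeEndFormat.
"""
import re
from datetime import datetime

# Constructed from the Table 3 sample with tabs restored; the IP and MAC are
# documentation values standing in for the page's placeholders.  The CRLF at
# the end is the line-ending debris the page's Important note warns about.
SAMPLE_EVENT = "\t".join([
    "LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|type=Riskware",
    "sev=7", "devTime=Sep 18 2016 08:26:08", "devTimeFormat=MMM dd yyyy HH:mm:ss",
    "devTimeEnd=Sep 29 2016 15:26:47", "devTimeEndFormat=MMM dd yyyy HH:mm:ss",
    "msg=Riskware alert (0 )", "app=", "dstPort=", "usrName=",
    "shostId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "shost=PC04",
    "src=192.0.2.44", "srcMAC=00:00:5e:00:53:01", "status=Suspicious",
    r"filePath=c:\program files\galaxy must\galaxy must.exe",
    "malwareName=W32.HfsAutoB.3DF2", "fileHash=d836433d538d864d21a4e0f7d66e30d2",
    "externalId=16100", "sdeviceExternalId=32373337-3938-5A43-4A35-313030303336",
]) + "\r\n"

# Java SimpleDateFormat tokens -> strptime directives; longest tokens first so
# "MMM" is consumed before "MM".  Covers the tokens seen in Magna events.
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("MMM", "%b"), ("MM", "%m"), ("dd", "%d"),
                     ("HH", "%H"), ("SSS", "%f"), ("mm", "%M"), ("ss", "%S")]
_HEX_DELIM_RE = re.compile(r"^0?x([0-9A-Fa-f]{2})$")   # e.g. "x09" for tab


def java_format_to_strptime(fmt):
    for java_token, directive in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_token, directive)
    return fmt


def _declared_delimiter(head):
    """Delimiter named by an optional sixth LEEF 2.0 header field, else None."""
    m = _HEX_DELIM_RE.match(head)
    if m:
        return chr(int(m.group(1), 16))
    return head if len(head) == 1 and head not in "=|" else None


def parse_leef(raw):
    """Split a LEEF 1.0/2.0 event into header fields and an attribute dict."""
    line = raw.replace("\r", "").replace("\n", "")     # undo CR/LF wrapping first
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("truncated LEEF header")
    version, vendor, product, product_version, event_id, rest = parts
    version = version[len("LEEF:"):]
    # LEEF 1.0 is always tab-delimited.  LEEF 2.0 is tab-delimited unless a sixth
    # header field declares a delimiter.  A declared delimiter never contains "=",
    # which distinguishes "^|a=1^b=2" from a tab-delimited "msg=a|b<TAB>x=1".
    delim = "\t"
    head, sep, tail = rest.partition("|")
    declared = _declared_delimiter(head) if version == "2.0" and sep else None
    if declared is not None:
        delim, rest = declared, tail
    attrs = {}
    for chunk in rest.split(delim):
        key, eq, value = chunk.partition("=")
        if eq:                       # keep empty values such as "app=", drop empty chunks
            attrs[key.strip()] = value.strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


def event_time(attrs, key="devTime", fmt_key="devTimeFormat"):
    """Parse the device timestamp with the Java-style format the event carries."""
    if not attrs.get(key) or not attrs.get(fmt_key):
        return None
    return datetime.strptime(attrs[key], java_format_to_strptime(attrs[fmt_key]))


def syslog_line(leef, hostname, when, facility=1, severity=6):
    """RFC 3164 framing for one LEEF payload: "<PRI>Mmm dd hh:mm:ss host LEEF:...".

    PRI = facility * 8 + severity, so user.info is <14>.  The hostname should match
    the Log Source Identifier you enter in QRadar (Table 2).
    """
    payload = leef.replace("\r", "").replace("\n", "")
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {payload}"


if __name__ == "__main__":
    ev = parse_leef(SAMPLE_EVENT)
    print(ev["event_id"], ev["attrs"]["status"], ev["attrs"]["type"], event_time(ev["attrs"]))
    print(syslog_line(SAMPLE_EVENT, "magna-sensor", event_time(ev["attrs"])))
```

To exercise log source autodetection, send the line that syslog_line returns to the QRadar event collector on UDP or TCP port 514 (for example with nc or logger) and confirm that QRadar creates a LightCyber Magna log source whose identifier equals the hostname you framed the message with. If the event arrives with its attributes separated by spaces rather than tabs, the sensor or an intermediate relay rewrote the message, and QRadar will not parse it.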