LightCyber Magna
The IBM QRadar DSM for LightCyber Magna collects events from a LightCyber Magna device.
The following table describes the specifications for the LightCyber Magna DSM:
Important: Due to formatting issues, paste the message format into a text editor and then
remove any carriage return or line feed characters.
| Specification | Value |
|---|---|
| Manufacturer | LightCyber |
| DSM name | LightCyber Magna |
| RPM file name | DSM-LightCyberMagna-QRadar_version-build_number.noarch.rpm |
| Supported versions | 3.9 |
| Protocol | Syslog |
| Event format | LEEF |
| Recorded event types | C&C, Exfilt, Lateral, Malware, Recon |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | LightCyber website (https://www.lightcyber.com) |
To integrate LightCyber Magna with QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
  - DSMCommon RPM
  - LightCyber Magna DSM RPM
- Configure your LightCyber Magna device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add a LightCyber Magna log source on the QRadar Console. The following table describes the parameters that require specific values to collect events from LightCyber Magna:

Table 2. LightCyber Magna log source parameters

| Parameter | Value |
|---|---|
| Log Source type | LightCyber Magna |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type a unique identifier for the log source. |

- To verify that QRadar is configured correctly, compare the events it receives with the following example of a normalized event. The table shows the event name and low-level category that QRadar assigns to the sample message from LightCyber Magna:

Table 3. LightCyber Magna sample message

| Event name | Low level category |
|---|---|
| Suspicious Riskware | Misc Malware |

Sample log message (a single line; see the note above about removing carriage return and line feed characters):

```
LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|type=Riskware sev=7 devTime=Sep 18 2016 08:26:08 devTimeFormat=MMM dd yyyy HH:mm:ss devTimeEnd=Sep 29 2016 15:26:47 devTimeEndFormat=MMM dd yyyy HH:mm:ss msg=Riskware alert (0 ) app= dstPort= usrName= shostId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx shost=PC04 src=<Source_IP_address> srcMAC=<Source_MAC_address> status=Suspicious filePath=c:\program files\galaxy must\galaxy must.exe malwareName=W32.HfsAutoB.3DF2 fileHash=d836433d538d864d21a4e0f7d66e30d2 externalId=16100 sdeviceExternalId=32373337-3938-5A43-4A35-313030303336
```
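The following parser is an added example, not IBM's or LightCyber's code, that shows how the sample message above decomposes: the five pipe-separated LEEF header fields, the space-delimited key=value attributes (values such as `msg` and `filePath` contain spaces), and `devTime`/`devTimeEnd` resolved through the device-supplied Java-style `devTimeFormat`. It assumes the space-delimited attribute form shown on this page and a constructed, abridged copy of the sample with a stray CR/LF inserted, as a paste from a PDF would produce.

```python
import re
from datetime import datetime

# Java SimpleDateFormat tokens used in devTimeFormat, mapped to strptime directives.
# Assumption: only the tokens that appear in the page's sample message are needed.
_JAVA_TO_STRPTIME = {"MMM": "%b", "dd": "%d", "yyyy": "%Y", "HH": "%H", "mm": "%M", "ss": "%S"}

def parse_leef(raw: str) -> dict:
    """Split a LightCyber Magna LEEF:2.0 line into header fields and an attribute dict.

    Line breaks picked up by copy/paste are collapsed to a space so adjacent key=value
    pairs do not fuse; attributes are assumed space-delimited, as in the page's sample.
    """
    line = raw.replace("\r", " ").replace("\n", " ").strip()
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event: %r" % raw[:40])
    attrs = {}
    # Split only at whitespace that is followed by a new 'key=' token, so values
    # containing spaces ('Riskware alert (0 )', a Windows path) stay intact.
    for token in re.split(r"\s+(?=\w+=)", parts[5].strip()):
        key, _, value = token.partition("=")
        attrs[key] = value
    return {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1], "product": parts[2], "product_version": parts[3],
        "event_id": parts[4], "attrs": attrs,
    }

def java_to_strptime(fmt: str) -> str:
    """Translate the device-supplied Java date pattern into a strptime pattern."""
    for java, py in _JAVA_TO_STRPTIME.items():
        fmt = fmt.replace(java, py)
    return fmt

def dev_time(event: dict, field: str = "devTime") -> datetime:
    """Resolve devTime or devTimeEnd using its companion <field>Format attribute."""
    attrs = event["attrs"]
    return datetime.strptime(attrs[field], java_to_strptime(attrs[field + "Format"]))

# Constructed sample: the page's message, abridged, with a CR/LF inserted mid-line.
SAMPLE = (
    "LEEF:2.0|LightCyber|Magna|3.7.3.0|New indicator|type=Riskware sev=7 "
    "devTime=Sep 18 2016 08:26:08 devTimeFormat=MMM dd yyyy HH:mm:ss\r\n"
    "devTimeEnd=Sep 29 2016 15:26:47 devTimeEndFormat=MMM dd yyyy HH:mm:ss "
    "msg=Riskware alert (0 ) app= dstPort= usrName= shost=PC04 status=Suspicious "
    "filePath=c:\\program files\\galaxy must\\galaxy must.exe "
    "malwareName=W32.HfsAutoB.3DF2 fileHash=d836433d538d864d21a4e0f7d66e30d2 externalId=16100"
)
```

Empty attributes such as `app=` and `dstPort=` parse as empty strings rather than being dropped, which is what you want when checking which fields the device actually populated.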