Data exports give you the option to configure the events Verdasys Digital Guardian forwards to IBM QRadar.
Procedure
- Log in to the Digital Guardian Management Console.
- Select .
- From the Data Sources list, select Alerts or Events as the data source.
- From the Export type list, select QRadar LEEF.
  If your Verdasys Digital Guardian is v6.0.x, you can select Syslog as the Export Type. QRadar LEEF is the preferred export type format for all Verdasys Digital Guardian appliances with v6.1.1 and later.
- From the Type list, select UDP or TCP as the transport protocol.
  QRadar can accept syslog events from either transport protocol. If the length of your alert events typically exceeds 1024 bytes, select TCP to prevent the events from being truncated.
- In the Server field, type the IP address of your QRadar Console or Event Collector.
- In the Port field, type 514.
- From the Severity Level list, select a severity level.
- Select the Is Active check box.
- Click Next.
- From the list of available fields, add the following Alert or Event fields for your data export:
  - Agent Local Time
  - Application
  - Computer Name
  - Detail File Size
  - IP Address
  - Local Port
  - Operation (required)
  - Policy
  - Remote Port
  - Rule
  - Severity
  - Source IP Address
  - User Name
  - Was Blocked
  - Was Classified
- Select criteria for the fields in your data export and click Next.
  By default, the Criterion field is blank.
- Select a group for the criteria and click Next.
  By default, the Group field is blank.
- Click Test Query.
  A Test Query ensures that the database runs properly.
- Click Next.
- Save the data export.
The configuration is complete.
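The following Python script is added here as an illustration and is not part of the IBM QRadar or Verdasys Digital Guardian product code. It parses a LEEF 1.0 syslog line of the kind this export produces, verifies that the required Operation field arrived, and applies the 1024-byte rule from the transport step to flag events that should be sent over TCP rather than UDP. The sample event and its attribute key names are constructed assumptions; this page does not document the actual Digital Guardian LEEF attribute names.

```python
"""Check a Digital Guardian LEEF export line before pointing it at QRadar."""
import re

UDP_SAFE_BYTES = 1024           # above this, the procedure recommends TCP to avoid truncation
REQUIRED_KEYS = ("operation",)  # Operation is the one field the export marks as required

# Constructed sample event. Key names are assumptions for illustration only;
# the page does not document Digital Guardian's actual LEEF attribute names.
SAMPLE_EVENT = (
    "<13>Jan 10 12:00:00 dgserver "
    "LEEF:1.0|Verdasys|Digital Guardian|6.1.1|Alert|"
    "devTime=2020-01-10 12:00:00\toperation=File Copy\tapplication=explorer.exe\t"
    "computerName=WS01\tfileSize=2048\tsrc=10.0.0.5\tsrcPort=49152\tdstPort=445\t"
    "policy=USB Block\trule=Block removable media\tsev=5\t"
    "usrName=jdoe\twasBlocked=1\twasClassified=0"
)

# LEEF 1.0 header is pipe-delimited; attributes follow as tab-separated key=value pairs.
LEEF_RE = re.compile(
    r"LEEF:(?P<ver>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)


def parse_leef(line):
    """Split a LEEF 1.0 line into its header fields and attribute dict, or return None."""
    m = LEEF_RE.search(line)
    if not m:
        return None
    header = {k: m.group(k) for k in ("ver", "vendor", "product", "pver", "event")}
    attrs = {}
    for pair in m.group("attrs").split("\t"):
        key, sep, value = pair.partition("=")
        if sep:                     # skip fragments that are not key=value
            attrs[key] = value
    return header, attrs


def check_export(line):
    """Report parse status, missing required keys, and whether TCP is advisable."""
    parsed = parse_leef(line)
    attrs = parsed[1] if parsed else {}
    size = len(line.encode("utf-8"))
    return {
        "parsed": parsed is not None,
        "missing": [k for k in REQUIRED_KEYS if k not in attrs],
        "size": size,
        "needs_tcp": size > UDP_SAFE_BYTES,
    }
```

Feed captured export lines to `check_export` to see whether any exceed the UDP-safe size before committing to a transport in the Type list.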
What to do next
The data export from Verdasys Digital Guardian occurs on a 5-minute interval. You can adjust this timing with the job scheduler in Verdasys Digital Guardian, if required. Events that are exported to QRadar by Verdasys Digital Guardian are displayed on the Log Activity tab.