IBM Security Trusteer Apex Advanced Malware Protection
The IBM® Security Trusteer Apex™ Advanced Malware Protection DSM collects and forwards event data from a Trusteer Apex Advanced Malware Protection system to IBM QRadar.
QRadar collects the following items from the Trusteer Apex Advanced Malware Protection system:
- Syslog events
- Log files (from an intermediary server that hosts the Flat File Feed files exported by the system)
- Syslog events over TLS (TLS Syslog protocol)
The following table lists the specifications for the IBM Security Trusteer Apex Advanced Malware Protection DSM:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM name | IBM Security Trusteer Apex Advanced Malware Protection |
RPM file name | DSM-TrusteerApex-QRadar_version-build_number.noarch.rpm |
Supported versions | Syslog/LEEF event collection: Apex Local Manager 2.0.45; LEEF: ver_1303.1; Flat File Feed: v1, v3, and v4 |
Protocol | Syslog, Log File, TLS Syslog |
Recorded event types | Malware Detection, Exploit Detection, Data Exfiltration Detection, Lockdown for Java™ Event, File Inspection Event, Apex Stopped Event, Apex Uninstalled Event, Policy Changed Event, ASLR Violation Event, ASLR Enforcement Event, Password Protection Event |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | IBM Security Trusteer Apex Advanced Malware Protection website (http://www-03.ibm.com/software/products/en/trusteer-apex-adv-malware) |
To configure IBM Security Trusteer Apex Advanced Malware Protection event collection, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
- DSMCommon RPM
- Log File Protocol RPM
- TLS Syslog Protocol RPM
- IBM Security Trusteer Apex Advanced Malware Protection DSM RPM
- Choose one of the following options:
- To send syslog events to QRadar, see Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to QRadar.
- To send syslog events by using the TLS Syslog protocol to QRadar, see Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar.
- To collect log files from IBM Security Trusteer Apex Advanced Malware Protection through an intermediary server, see Configuring a Flat File Feed service.
- If QRadar does not automatically discover the log source, add an IBM Security Trusteer Apex Advanced Malware Protection log source on the QRadar Console. The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection syslog event collection:
Table 2. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for Syslog protocol

Parameter | Value |
---|---|
Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection |
Protocol Configuration | Syslog |
Log Source Identifier | The IP address or host name from the syslog header. If the syslog header does not contain an IP address or a host name, use the packet IP address. |

The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection TLS Syslog event collection:

Table 3. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for TLS Syslog protocol

Parameter | Value |
---|---|
Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection |
Protocol Configuration | TLS Syslog |
Log Source Identifier | The IP address or host name from the syslog header. If the syslog header does not contain an IP address or a host name, use the packet IP address. |
TLS Listen Port | The default port is 6514. |
Authentication Mode | TLS |
Certificate Type | Select the Provide Certificate option from the list. |
Maximum Connections | Controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. Each Event Collector has a limit of 1000 connections across all TLS Syslog log source configurations; the default for each device connection is 50. Note: Automatically discovered log sources that share a listener with another log source (for example, the same port on the same Event Collector) count only once towards the limit. |
TLS Protocols | Select the version of TLS installed on the client from the drop-down list. |
Provided Server Certificate Path | Absolute path of the server certificate. For example, /opt/qradar/conf/trusted_certificates/apex-alm-tls.cert |
Provided Private Key Path | Absolute path of the PKCS#8 private key. For example, /etc/pki/tls/private/apex-alm-tls.pk8 |

Important: When you use TLS Syslog and want to reach the system by FQDN, you must generate your own certificate for the listener and then specify it in the TLS Syslog configuration.

The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection log file collection:

Table 4. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for Log File protocol

Parameter | Value |
---|---|
Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection |
Protocol Configuration | Log File |
Log Source Identifier | The IP address or host name of the server that hosts the Flat File Feed. |
Service Type | SFTP |
Remote IP or Hostname | The IP address or host name of the server that hosts the Flat File Feed. |
Remote Port | 22 |
Remote User | The user name that you created for QRadar on the server that hosts the Flat File Feed. |
SSH Key File | If you use a password, leave this field blank. |
Remote Directory | The log file directory where the Flat File Feed is stored. |
Recursive | To avoid pulling the same file repeatedly to QRadar, do not select this option. |
FTP File Pattern | "trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv" |
Start Time | The time at which you want the Log File protocol to start collecting log files. |
Recurrence | The polling interval for log file retrieval. |
Run On Save | Must be enabled. |
Processor | None |
Ignore Previously Processed Files | Must be enabled. |
Event Generator | LINEBYLINE |
File Encoding | UTF-8 |
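Generating the listener certificate that the Important note above requires, as an added example that is not part of the IBM page or the QRadar product. It assumes openssl 1.1.1 or later on PATH (for -addext); the FQDN qradar.example.com and the output directory are placeholders, and you copy the resulting files to whatever paths you enter for Provided Server Certificate Path and Provided Private Key Path in Table 3.

```shell
#!/bin/sh
# Added example, not from the IBM page or the QRadar product: build the
# listener certificate and PKCS#8 key referenced by "Provided Server
# Certificate Path" and "Provided Private Key Path" for a QRadar Console
# reached by FQDN. Assumes openssl 1.1.1 or later on PATH; the FQDN and
# output paths used below are placeholders, not values from the page.
set -eu

# make_listener_cert FQDN CERT_OUT KEY_OUT
# Writes a self-signed certificate whose subjectAltName carries the FQDN,
# then stores the private key unencrypted in PKCS#8 PEM form.
make_listener_cert() {
  fqdn="$1"; cert_out="$2"; key_out="$3"
  tmpkey="$(mktemp)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$tmpkey" -out "$cert_out" 2>/dev/null
  # Recent OpenSSL already emits PKCS#8 from "req", but an explicit
  # conversion guarantees the format whatever tool produced the key.
  openssl pkcs8 -topk8 -nocrypt -in "$tmpkey" -out "$key_out"
  rm -f "$tmpkey"
  chmod 600 "$key_out"
}

# key_is_pkcs8 KEY: 0 if the PEM header is the PKCS#8 one the protocol
# expects, rather than the "BEGIN RSA PRIVATE KEY" of a PKCS#1 key.
key_is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# cert_has_san CERT FQDN: 0 if the certificate names the FQDN in its
# subjectAltName, which is what a client doing hostname verification checks.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Stand-alone usage with placeholder values.
outdir="$(mktemp -d)"
make_listener_cert qradar.example.com "$outdir/apex-alm-tls.cert" "$outdir/apex-alm-tls.pk8"
key_is_pkcs8 "$outdir/apex-alm-tls.pk8"
cert_has_san "$outdir/apex-alm-tls.cert" qradar.example.com
echo "listener certificate and PKCS#8 key written under $outdir"
```

The two check functions catch the two mistakes that most often make the listener fail to start or clients refuse to connect: a key in PKCS#1 form instead of the PKCS#8 form the protocol asks for, and a certificate that names the FQDN only in its CN, which current TLS clients ignore in favour of the subjectAltName. In production, have the certificate signed by a CA the connecting clients already trust instead of self-signing it.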
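Checking feed file names against the FTP File Pattern in Table 4 before pointing the Log File protocol at the Flat File Feed directory, as an added example that is not taken from the page. The directory listing is constructed sample data and its names are placeholders, not Trusteer's actual feed naming:

```shell
#!/bin/sh
# Added example, not from the IBM page: check which file names in a Flat File
# Feed directory the FTP File Pattern would actually collect. QRadar evaluates
# the pattern as a full-match Java regex; for whole-name matching the lazy "?"
# quantifiers in the page's pattern do not change the accepted set, so the
# POSIX ERE below, used with grep -x (whole line), accepts the same names.
# The listing further down is constructed sample data, not real feed output.
set -eu

# The page's pattern, "trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv", as POSIX ERE.
FEED_PATTERN='trusteer_feeds_.*_[0-9]{8}_[0-9]*\.csv'

# matches_feed_pattern NAME: 0 if QRadar would collect the file, 1 if it would skip it.
matches_feed_pattern() {
  printf '%s\n' "$1" | grep -Eqx "$FEED_PATTERN"
}

# count_collectable LISTING: number of newline-separated names that match.
count_collectable() {
  printf '%s\n' "$1" | grep -Ecx "$FEED_PATTERN" || true
}

# list_skipped LISTING: names that would be silently left behind on the server.
list_skipped() {
  printf '%s\n' "$1" | grep -Evx "$FEED_PATTERN" || true
}

# Constructed listing: two names that match, a compressed copy, a name with
# nothing between the prefix and the date, and a wrong-case name.
SAMPLE_LISTING='trusteer_feeds_v3_20240315_1.csv
trusteer_feeds_v4_20240315_2.csv
trusteer_feeds_v3_20240315_1.csv.gz
trusteer_feeds_20240315_1.csv
Trusteer_Feeds_v3_20240315_1.csv'

echo "collectable: $(count_collectable "$SAMPLE_LISTING")"
echo "skipped:"
list_skipped "$SAMPLE_LISTING"
```

Run it against a real `ls` of the Remote Directory on the intermediary server; anything printed under "skipped" will never reach QRadar, and because Ignore Previously Processed Files is enabled a name that later gets renamed into the pattern is collected only once.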