IBM Security Trusteer Apex Advanced Malware Protection

The IBM® Security Trusteer Apex™ Advanced Malware Protection DSM collects and forwards event data from a Trusteer Apex Advanced Malware Protection system to IBM QRadar.

QRadar collects the following items from the Trusteer Apex Advanced Malware Protection system:
  • Syslog events
  • Log files (from an intermediary server that hosts flat feed files from the system)
  • Syslog events through SSL/TLS authentication
The following table lists the specifications for the IBM Security Trusteer Apex Advanced Malware Protection DSM:
Table 1. IBM Security Trusteer Apex Advanced Malware Protection DSM specifications
Specification | Value
Manufacturer | IBM
DSM name | IBM Security Trusteer Apex Advanced Malware Protection
RPM file name | DSM-TrusteerApex-QRadar_version-build_number.noarch.rpm
Supported versions | Syslog/LEEF event collection: Apex Local Manager 2.0.45; LEEF: ver_1303.1; Flat File Feed: v1, v3, and v4
Protocol | Syslog, Log File, TLS Syslog
Recorded event types | Malware Detection, Exploit Detection, Data Exfiltration Detection, Lockdown for Java™ Event, File Inspection Event, Apex Stopped Event, Apex Uninstalled Event, Policy Changed Event, ASLR Violation Event, ASLR Enforcement Event, Password Protection Event
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
More information | IBM Security Trusteer Apex Advanced Malware Protection website (http://www-03.ibm.com/software/products/en/trusteer-apex-adv-malware)
To configure IBM Security Trusteer Apex Advanced Malware Protection event collection, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console:
    • DSMCommon RPM
    • Log File Protocol RPM
    • TLS Syslog Protocol RPM
    • IBM Security Trusteer Apex Advanced Malware Protection DSM RPM
  2. Choose one of the following options:
  3. If QRadar doesn't automatically discover the log source, add an IBM Security Trusteer Apex Advanced Malware Protection log source on the QRadar Console.
    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection syslog event collection:
    Table 2. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for Syslog protocol
    Parameter | Value
    Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection
    Protocol Configuration | Syslog
    Log Source Identifier | The IP address or host name from the syslog header. If the syslog header does not contain an IP address or a host name, use the packet IP address.
    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection TLS Syslog event collection:
    Table 3. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for TLS Syslog protocol
    Parameter | Value
    Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection
    Protocol Configuration | TLS Syslog
    Log Source Identifier | The IP address or host name from the syslog header. If the syslog header does not contain an IP address or a host name, use the packet IP address.
    TLS Listen Port | The default port is 6514.
    Authentication Mode | TLS
    Certificate Type | Select the Provide Certificate option from the list.
    Maximum Connections | The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. For each Event Collector, there is a limit of 1000 connections across all TLS syslog log source configurations. The default for each device connection is 50.
    Note: Automatically discovered log sources that share a listener with another log source (for example, the same port on the same Event Collector) count only once towards the limit.
    TLS Protocols | Select the version of TLS installed on the client from the drop-down list.
    Provided Server Certificate Path | Absolute path of the server certificate. For example, /opt/qradar/conf/trusted_certificates/apex-alm-tls.cert
    Provided Private Key Path | Absolute path of the PKCS#8 private key. For example, /etc/pki/tls/private/apex-alm-tls.pk8
    Important: When you use TLS syslog and you want to use an FQDN to access the system, you must generate your own certificate for the listener, and then specify it in the TLS syslog configuration.
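    The TLS Syslog parameters above call for a server certificate and a PKCS#8 private key, and the Important note requires a certificate of your own when the listener is reached by FQDN. The following shell script is an added example, not part of the IBM documentation: it produces both files and checks that the certificate names the FQDN and that the key belongs to it. The FQDN, output directory, key size and validity period are assumptions; adjust them for your environment.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): create a self-signed listener
# certificate for an FQDN and an unencrypted PKCS#8 private key, the two files
# the TLS Syslog log source parameters refer to. FQDN, output directory,
# key size and validity period are assumptions for this example.
set -eu

# make_tls_listener_material DIR FQDN
#   Writes DIR/apex-alm-tls.cert (PEM certificate) and DIR/apex-alm-tls.pk8
#   (PKCS#8 key). Returns 0 only when both files verify and belong together.
make_tls_listener_material() {
    dir="$1"
    fqdn="$2"
    mkdir -p "$dir"
    umask 077   # the private key must not be readable by other users

    # 1. Key pair plus self-signed certificate. The SAN carries the FQDN so a
    #    client that connects by host name matches it against the certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$dir/apex-alm-tls.key" -out "$dir/apex-alm-tls.cert" 2>/dev/null

    # 2. Re-encode the key as unencrypted PKCS#8 ("BEGIN PRIVATE KEY"). Recent
    #    OpenSSL already writes that format; this step also converts keys from
    #    older OpenSSL or other tools that emit "BEGIN RSA PRIVATE KEY".
    openssl pkcs8 -topk8 -nocrypt -in "$dir/apex-alm-tls.key" -out "$dir/apex-alm-tls.pk8"
    rm -f "$dir/apex-alm-tls.key"

    # 3. Checks: the certificate names the FQDN, the key parses, and the key
    #    matches the certificate's public key (a mismatched pair fails the handshake).
    openssl x509 -in "$dir/apex-alm-tls.cert" -noout -text | grep -q "DNS:$fqdn"
    openssl pkey -in "$dir/apex-alm-tls.pk8" -noout
    cert_pub=$(openssl x509 -in "$dir/apex-alm-tls.cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/apex-alm-tls.pk8" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh make-listener-cert.sh <output-dir> <fqdn>
if [ "$#" -eq 2 ]; then
    make_tls_listener_material "$1" "$2"
    echo "wrote $1/apex-alm-tls.cert and $1/apex-alm-tls.pk8"
fi
```

    Copy the two outputs to the paths you enter as Provided Server Certificate Path and Provided Private Key Path; because the certificate is self-signed, the sending system must be configured to trust it.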

    The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection log file collection:

    Table 4. IBM Security Trusteer Apex Advanced Malware Protection log source parameters for Log File Protocol
    Parameter | Value
    Log Source Type | IBM Security Trusteer Apex Advanced Malware Protection
    Protocol Configuration | Log File
    Log Source Identifier | The IP address or host name of the server that hosts the Flat File Feed.
    Service Type | SFTP
    Remote IP or Hostname | The IP address or host name of the server that hosts the Flat File Feed.
    Remote Port | 22
    Remote User | The user name that you created for QRadar on the server that hosts the Flat File Feed.
    SSH Key File | If you use a password, leave this field blank.
    Remote Directory | The log file directory where the Flat File Feed is stored.
    Recursive | To avoid pulling the same file repeatedly to QRadar, do not select this option.
    FTP File Pattern | "trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv"
    Start Time | The time that you want your log file protocol to start collecting log files.
    Recurrence | The polling interval for log file retrieval.
    Run On Save | Must be enabled.
    Processor | None
    Ignore Previously Processed Files | Must be enabled.
    Event Generator | LINEBYLINE
    File Encoding | UTF-8