Configuring Cisco Stealthwatch to communicate with QRadar

Cisco Stealthwatch can forward events of different message types, including customized syslog messages, to third parties.

Procedure

  1. Log in to the Stealthwatch Management Console (SMC) as an administrator.
  2. In the menu bar, click Configuration > Response Management.
  3. From the Actions section in the Response Management menu, click Add > Syslog Message.
  4. In the Add Syslog Message Action window, configure the following parameters:
    Parameter   Value
    Name        The name for the syslog message action.
    Enabled     This check box is selected by default.
    IP Address  The IP address of the QRadar Event Collector.
    Port        The default port is 514.
    Format      Select Syslog Formats.
  5. Enter the following custom format:
    LEEF:2.0|Lancope|Stealthwatch|6.8|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}
  6. Select the custom format from the list and click OK.
    Note: Use the Test button to send a test message to QRadar.
  7. Click Response Management > Rules.
  8. Click Add and select Host Alarm.
  9. Provide a rule name in the Name field.
  10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many types as possible in a single statement.
  11. In the Action dialog, select the IBM QRadar syslog action for both the Active and Inactive conditions. The event is forwarded to QRadar when any of the predefined conditions is satisfied.