Log File log source parameters for ThreatGRID Malware Threat Intelligence Platform

If QRadar does not automatically detect the log source, add a ThreatGRID Malware Threat Intelligence Platform log source on the QRadar Console by using the Log File protocol.

When using the Log File protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Log File events from ThreatGRID Malware Threat Intelligence Platform:
Table 1. Log File log source parameters for the ThreatGRID Malware Threat Intelligence Platform DSM
Parameter Value
Log Source Name Type a name for your log source
Log Source Description Type a description for the log source.
Log Source Type ThreatGRID Malware Intelligence Platform
Protocol Configuration Log File
Log Source Identifier

Type an IP address, host name, or name to identify the event source.

The log source identifier must be unique for the log source type.

Service Type

From the list, select the protocol that you want to use to retrieve log files from a remote server. The default is SFTP.

  • SFTP - SSH File Transfer Protocol
  • FTP - File Transfer Protocol
  • SCP - Secure Copy Protocol

The SCP and SFTP service type requires that the host server in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname

Type the IP address or host name of the ThreatGRID server that contains your event log files.

Remote Port

Type the port number for the protocol that is selected to retrieve the event logs from your ThreatGRID server. The valid range is 1 - 65535.

The list of default service type port numbers:

  • FTP - TCP Port 21
  • SFTP - TCP Port 22
  • SCP - TCP Port 22
Remote User

Type the user name that is required to log in to the ThreatGRID web server that contains your audit event logs.

The user name can be up to 255 characters in length.

Remote Password

Type the password to log in to your ThreatGRID server.

Confirm Password

Confirm the password to log in to your ThreatGRID server

SSH Key File

If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. Blank values in the Remote Directory field support systems that have operating systems where a change in the working directory (CWD) command is restricted.

Recursive

Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear.

The Recursive parameter is ignored if you configure SCP as the Service Type.

FTP File Pattern

Type the regular expression (regex) required to filter the list of files that are specified in the Remote Directory. All files that match the regular expression are retrieved and processed.

The FTP file pattern must match the name that you assigned to your ThreatGRID event log. For example, to collect files that start with leef or LEEF and ends with a text file extension, type the following value:

(leef|LEEF)+.*\.txt

Use of this parameter requires knowledge of regular expressions (regex). This parameter applies to log sources that are configured to use FTP or SFTP.

FTP Transfer Mode

If you select FTP as the Service Type, from the list, select ASCII.

ASCII is required for text-based event logs.

SCP Remote File

If you select SCP as the Service Type, type the file name of the remote file.

Start Time

Type a time value to represent the time of day you want the log file protocol to start. The start time is based on a 24 hour clock and uses the following format: HH:MM.

For example, type 00:00 to schedule the Log File protocol to collect event files at midnight.

This parameter functions with the Recurrence field value to establish when your ThreatGRID server is polled for new event log files.

Recurrence

Type the frequency that you want to scan the remote directory on your ThreatGRID server for new event log files. Type this value in hours (H), minutes (M), or days (D).

For example, type 2H to scan the remote directory every 2 hours from the start time. The default recurrence value is 1H. The minimum time interval is 15M.

Run On Save

Select this check box if you want the log file protocol to run immediately after you click Save.

After the save action completes, the log file protocol follows your configured start time and recurrence schedule.

Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The valid range is 100 to 5000.

Processor

From the list, select NONE.

Processors allow event file archives to be expanded and processed for their events. Files are processed after they are downloaded. QRadar can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s)

Select this check box to track and ignore files that are already processed.

QRadar examines the log files in the remote directory to determine whether the event log was processed by the log source. If a previously processed file is detected, the log source does not download the file. Only new or unprocessed event log files are downloaded by QRadar.

This option applies to FTP and SFTP service types.

Change Local Directory?

Select this check box to define a local directory on your QRadar appliance to store event log files during processing.

In most scenarios, you can leave this check box not selected. When this check box is selected, the Local Directory field is displayed. You can configure a local directory to temporarily store event log files. After the event log is processed, the events added to QRadar and event logs in the local directory are deleted.

Event Generator

From the Event Generator list, select LineByLine.

The Event Generator applies extra processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.