Configuring Fidelis XPS

You can configure syslog forwarding of alerts from your Fidelis XPS appliance.

Procedure

  1. Log in to CommandPost to manage your Fidelis XPS appliance.
  2. From the navigation menu, select System > Export.

    A list of available exports is displayed. The list is empty the first time you use the export function.

  3. Select one of the following options:
    • Click New to create a new export for your Fidelis XPS appliance.
    • Click Edit next to an export name to edit an existing export on your Fidelis XPS appliance.
    The Export Editor is displayed.
  4. From the Export Method list, select Syslog LEEF.
  5. In the Destination field, type the IP address or host name for IBM QRadar.

    For example, 192.0.2.1:::514

    The Destination field does not support non-ASCII characters.

  6. From Export Alerts, select one of the following options:
    • All alerts - Select this option to export all alerts to QRadar. This option is resource-intensive and it can take time to export all alerts.
    • Alerts by Criteria - Select this option to export specific alerts to QRadar. This option displays a new field where you can define your alert criteria.
  7. From Export Malware Events, select None.
  8. From Export Frequency, select Every Alert / Malware.
  9. In the Save As field, type a name for your export.
  10. Click Save.
  11. Optional: To verify that events are forwarded to QRadar, you can click Run Now.

    Run Now is intended as a test tool to verify that alerts selected by criteria are exported from your Fidelis appliance. This option is not available if you selected to export all events in Configuring Fidelis XPS.

    The configuration is complete. The log source is added to QRadar as Fidelis XPS syslog events are automatically discovered. Events that are forwarded to QRadar by Fidelis XPS are displayed on the Log Activity tab of QRadar.