Add an extension document to the MEG log source in the QRadar® Console.
About this task
An extension document is an Extensible Markup Language (XML) formatted document that you can create or edit by using any common text, code, or markup editor. You can create multiple extension documents, but only one extension document can be applied to a given log source.

An extension document can extend or modify how the elements of a particular log source are parsed. You can use the extension document to correct a parsing issue or to override the default parsing that the DSM applies to an event.

An extension document can also provide event support when no DSM exists to parse events for an appliance or security device in your network.
Procedure
- From the QRadar Console, click the Admin tab, and select .
- Locate the new extension document named IBMMaaS360MobileEnterpriseGateway_ext. The XML file contains the following content.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:device-extension xmlns:ns2="event_parsing/device_extension">
  <pattern id="DestinationIp-Pattern-1">Server\s\[(.*?):[0-9]+\]</pattern>
  <pattern id="DestinationPort-Pattern-1">Server\s\[.*?:([0-9]+)\]</pattern>
  <pattern id="EventName-Pattern-1">(MaaS360MEGAuth\:\s\[PASSWORD_AUTH\]\s\[SUCCESS\])</pattern>
  <pattern id="EventName-Pattern-2">(MaaS360MEGAuth\:\s\[PASSWORD_AUTH\]\s\[FAILURE\])</pattern>
  <pattern id="EventName-Pattern-3">(MaaS360MEGAuth\:\s\[CERT_AUTH\]\s\[SUCCESS\])</pattern>
  <pattern id="EventName-Pattern-4">(MaaS360MEGAuth\:\s\[CERT_AUTH\]\s\[FAILURE\])</pattern>
  <pattern id="EventName-Pattern-5">(MaaS360MEGWebAuth\:\s\[RES_AUTH_RSP_PASS\])</pattern>
  <pattern id="EventName-Pattern-6">(MaaS360MEGWebAuth\:\s\[RES_AUTH_RSP_FAIL\])</pattern>
  <pattern id="UserName-Pattern-1">User\s\[(.*?)\]</pattern>
  <match-group device-type-id-override="4003" order="1">
    <matcher order="1" capture-group="1" pattern-id="DestinationIp-Pattern-1" field="DestinationIp"/>
    <matcher order="1" capture-group="1" pattern-id="DestinationPort-Pattern-1" field="DestinationPort"/>
    <matcher order="1" capture-group="1" pattern-id="EventName-Pattern-1" field="EventName"/>
    <matcher order="2" capture-group="1" pattern-id="EventName-Pattern-2" field="EventName"/>
    <matcher order="3" capture-group="1" pattern-id="EventName-Pattern-3" field="EventName"/>
    <matcher order="4" capture-group="1" pattern-id="EventName-Pattern-4" field="EventName"/>
    <matcher order="5" capture-group="1" pattern-id="EventName-Pattern-5" field="EventName"/>
    <matcher order="6" capture-group="1" pattern-id="EventName-Pattern-6" field="EventName"/>
    <matcher order="1" capture-group="1" pattern-id="UserName-Pattern-1" field="UserName"/>
    <event-match-multiple force-qidmap-lookup-on-fixup="true" send-identity="UseDSMResults" pattern-id="EventName-Pattern-1"/>
  </match-group>
</ns2:device-extension>
To edit the extension document, click Browse to locate the file, and click Upload.
- Click Save.
- On the Admin tab, click Deploy Changes.
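The following example, added here and not part of IBM's documentation or QRadar's parsing engine, shows how the patterns and matchers in the extension document above resolve against MEG-style event payloads before you upload the file. It embeds the XML verbatim, compiles each pattern, and for every field tries the matchers in ascending order, taking the first regex that matches, which is what lets EventName-Pattern-1 through EventName-Pattern-6 select exactly one event name. The sample payloads are constructed to fit the patterns and are not real MEG output; the event-match-multiple element is read but not acted on, since QID mapping happens inside QRadar.

```python
import re
import xml.etree.ElementTree as ET

# The extension document shown on the page, embedded verbatim as a raw string so the
# regex backslashes survive and the example runs offline.
EXTENSION_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:device-extension xmlns:ns2="event_parsing/device_extension">
<pattern id="DestinationIp-Pattern-1">Server\s\[(.*?):[0-9]+\]</pattern>
<pattern id="DestinationPort-Pattern-1">Server\s\[.*?:([0-9]+)\]</pattern>
<pattern id="EventName-Pattern-1">(MaaS360MEGAuth\:\s\[PASSWORD_AUTH\]\s\[SUCCESS\])</pattern>
<pattern id="EventName-Pattern-2">(MaaS360MEGAuth\:\s\[PASSWORD_AUTH\]\s\[FAILURE\])</pattern>
<pattern id="EventName-Pattern-3">(MaaS360MEGAuth\:\s\[CERT_AUTH\]\s\[SUCCESS\])</pattern>
<pattern id="EventName-Pattern-4">(MaaS360MEGAuth\:\s\[CERT_AUTH\]\s\[FAILURE\])</pattern>
<pattern id="EventName-Pattern-5">(MaaS360MEGWebAuth\:\s\[RES_AUTH_RSP_PASS\])</pattern>
<pattern id="EventName-Pattern-6">(MaaS360MEGWebAuth\:\s\[RES_AUTH_RSP_FAIL\])</pattern>
<pattern id="UserName-Pattern-1">User\s\[(.*?)\]</pattern>
<match-group device-type-id-override="4003" order="1">
<matcher order="1" capture-group="1" pattern-id="DestinationIp-Pattern-1" field="DestinationIp"/>
<matcher order="1" capture-group="1" pattern-id="DestinationPort-Pattern-1" field="DestinationPort"/>
<matcher order="1" capture-group="1" pattern-id="EventName-Pattern-1" field="EventName"/>
<matcher order="2" capture-group="1" pattern-id="EventName-Pattern-2" field="EventName"/>
<matcher order="3" capture-group="1" pattern-id="EventName-Pattern-3" field="EventName"/>
<matcher order="4" capture-group="1" pattern-id="EventName-Pattern-4" field="EventName"/>
<matcher order="5" capture-group="1" pattern-id="EventName-Pattern-5" field="EventName"/>
<matcher order="6" capture-group="1" pattern-id="EventName-Pattern-6" field="EventName"/>
<matcher order="1" capture-group="1" pattern-id="UserName-Pattern-1" field="UserName"/>
<event-match-multiple force-qidmap-lookup-on-fixup="true" send-identity="UseDSMResults" pattern-id="EventName-Pattern-1"/>
</match-group>
</ns2:device-extension>"""

# Constructed sample payloads shaped to fit the patterns above. They are illustrative
# only; the real MEG event format must be taken from the appliance's own logs.
SAMPLE_EVENTS = [
    "MaaS360MEGAuth: [PASSWORD_AUTH] [SUCCESS] User [alice] Server [10.0.0.5:8443]",
    "MaaS360MEGAuth: [CERT_AUTH] [FAILURE] User [bob] Server [10.0.0.5:8443]",
    "MaaS360MEGWebAuth: [RES_AUTH_RSP_FAIL] User [carol] Server [192.0.2.10:443]",
    "Unrelated text that no pattern in the extension matches",
]


def load_extension(xml_text):
    """Return (compiled patterns keyed by id, match-groups sorted by order)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # <pattern> elements carry the regex as text; <matcher> elements refer to them by id.
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    groups = []
    for mg in sorted(root.iter("match-group"), key=lambda g: int(g.get("order", "0"))):
        matchers = [
            {
                "field": m.get("field"),
                "order": int(m.get("order", "0")),
                "pattern_id": m.get("pattern-id"),
                "capture_group": int(m.get("capture-group", "1")),
            }
            for m in mg.findall("matcher")
        ]
        groups.append({"device_type": mg.get("device-type-id-override"), "matchers": matchers})
    return patterns, groups


def parse_event(payload, extension_xml=EXTENSION_XML):
    """Apply the extension's matchers to one raw payload and return the fields it yields.

    For each field, matchers are tried in ascending 'order'; the first regex that
    matches supplies the value and later matchers for that field are skipped.
    """
    patterns, groups = load_extension(extension_xml)
    fields = {}
    for group in groups:
        for matcher in sorted(group["matchers"], key=lambda m: (m["field"], m["order"])):
            if matcher["field"] in fields:
                continue  # a lower-order matcher already filled this field
            found = patterns[matcher["pattern_id"]].search(payload)
            if found:
                fields[matcher["field"]] = found.group(matcher["capture_group"])
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event)
        print("  ->", parse_event(event))
```

Running the script prints the fields each constructed payload yields; a payload that matches none of the patterns yields an empty dictionary, which is the case to check for when an event from the real appliance arrives in a format the extension does not cover.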