Defining a QID and creating event categories for MEG in QRadar

Create a QID and event categories for MEG in the QRadar® Console.

Procedure

  1. From the QRadar Console, click the Admin tab, and select Data Sources > DSM Editor.
  2. Select the IBM MaaS360 Mobile Enterprise Gateway log source type.
  3. From the Event Mappings tab, click the plus icon to create a new event mapping.
  4. Click Choose Event to search for an existing MEG event or to create an event category.
    • To search for an existing MEG event, enter the High Level Category, Low Level Category, Log Source Type, and QID/Name and click Search.
    • To create an event category, complete the following steps.
      1. Create a QID by using the following settings for MEG.
        | Name | Description (examples) | Log Source Type | High Level Category | Low Level Category | Severity |
        | --- | --- | --- | --- | --- | --- |
        | MaaS360® MEG Password Authentication Success | Gateway password authentication succeeded | IBM® MaaS360 Mobile Enterprise Gateway | Authentication | User Login Success | 3 |
        | MaaS360 MEG Password Authentication Failure | Gateway password authentication failed | IBM MaaS360 Mobile Enterprise Gateway | Authentication | User Login Failure | 3 |
        | MaaS360 MEG Certificate Authentication Success | Gateway certificate authentication succeeded | IBM MaaS360 Mobile Enterprise Gateway | Authentication | User Login Success | 3 |
        | MaaS360 MEG Certificate Authentication Failure | Gateway certificate authentication failed | IBM MaaS360 Mobile Enterprise Gateway | Authentication | User Login Failure | 3 |
        | MaaS360 MEG Resource Authentication Success | Gateway resource authentication succeeded | IBM MaaS360 Mobile Enterprise Gateway | Authentication | User Login Success | 3 |
        | MaaS360 MEG Resource Authentication Failure | Gateway resource authentication failed | IBM MaaS360 Mobile Enterprise Gateway | Authentication | User Login Failure | 3 |
      2. Create a mapping to a MEG event in QRadar by entering the event ID and category combination, and click Create.
  5. Click Save to save the event mappings.
  6. Go to the Properties tab and define the following custom properties for the events by configuring regular expressions and enabling the Override system behavior checkbox.
    • Username
    • Destination IP
    • Destination Port
  7. Click Save.
  8. On the Admin tab, click Deploy Changes.

What to do next

Add a new log source extension for MEG in the QRadar Console.