IBM Support

QRadar Security Content Pack: IBM Security Privileged Session Recorder

Question & Answer


Question

A new security content pack is available for IBM Security Privileged Session Recorder. This tech note outlines the changes and provides installation instructions for administrators.

Answer



What is in the IBM Security Privileged Session Recorder Security Content Pack?


IBM Privileged Session Recorder is a JDBC-based log source that retrieves events for system commands executed from the command line. This security content pack contains four new custom event properties for important fields that can be leveraged by administrators in reports or searches, which were not available in the original DSM release.



New Custom Event Properties added by the IBM Security Privileged Session Recorder Content Pack

  Description          Regex for the custom event property    Optimized custom event property?
  Client Application   APPLICATIONNAME: "(.+?)"               No
  Client Hostname      LOCALHOST: "(.+?)"                     No
  Recording ID         RECORDINGID: "([0-9a-zA-Z]+)"          No
  Resource Name        REMOTEHOST: "(.+?)"                    No


This update adds to the existing custom event properties found in QRadar:

  Description          Regex for the custom event property    Optimized custom event property?
  Application User ID  APPLICATIONUSERID: "([^"]+)"           No
  Executed Command     DATA: "([^"]+)"                        No
  Local User ID        LOCALUSERID: "([^"]+)"                 No
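The following is an added example and is not code from the IBM tech note, the DSM, or the content pack. It applies the seven regexes listed above to a constructed sample payload, so an administrator can see what each custom event property would capture before enabling it, and it demonstrates two edge cases worth knowing when reviewing the properties: the Recording ID pattern only accepts alphanumeric characters, and the "(.+?)" patterns stop at a line break whereas the "([^"]+)" patterns capture across one. The KEY: "value" payload layout is an assumption inferred from the regexes; real Privileged Session Recorder events may be laid out differently.

```python
import re

# Regexes exactly as listed in the tech note (new pack plus existing properties).
CUSTOM_EVENT_PROPERTIES = {
    "Client Application": r'APPLICATIONNAME: "(.+?)"',
    "Client Hostname": r'LOCALHOST: "(.+?)"',
    "Recording ID": r'RECORDINGID: "([0-9a-zA-Z]+)"',
    "Resource Name": r'REMOTEHOST: "(.+?)"',
    "Application User ID": r'APPLICATIONUSERID: "([^"]+)"',
    "Executed Command": r'DATA: "([^"]+)"',
    "Local User ID": r'LOCALUSERID: "([^"]+)"',
}

# Constructed sample payload (not a real event); the KEY: "value" layout is an assumption.
SAMPLE_EVENT = (
    'APPLICATIONNAME: "PuTTY" LOCALHOST: "admin-ws01" '
    'RECORDINGID: "a1b2c3d4e5" REMOTEHOST: "db-prod-07" '
    'APPLICATIONUSERID: "jdoe" LOCALUSERID: "oracle" '
    'DATA: "sudo systemctl restart sshd"'
)


def value_captured(payload, name, properties=CUSTOM_EVENT_PROPERTIES):
    """Return capture group 1 of the first match for one property, or None.

    QRadar custom event properties take the first capture group of the first
    match in the payload, which is what re.search(...).group(1) reproduces.
    """
    match = re.search(properties[name], payload)
    return match.group(1) if match else None


def extract_properties(payload, properties=CUSTOM_EVENT_PROPERTIES):
    """Return {property name: captured value} for every regex that matches."""
    result = {}
    for name in properties:
        value = value_captured(payload, name, properties)
        if value is not None:
            result[name] = value
    return result


def unmatched_properties(payload, properties=CUSTOM_EVENT_PROPERTIES):
    """Names of properties whose regex finds nothing in the payload.

    Useful when reviewing the properties after installation: a field that
    never populates usually means the regex and the real payload disagree.
    """
    return sorted(set(properties) - set(extract_properties(payload, properties)))


if __name__ == "__main__":
    for name, value in extract_properties(SAMPLE_EVENT).items():
        print(f"{name:20s} -> {value!r}")

    # Edge case 1: the Recording ID regex rejects anything but [0-9a-zA-Z],
    # so a hyphenated identifier leaves the property empty.
    hyphenated = SAMPLE_EVENT.replace('"a1b2c3d4e5"', '"a1b2-c3d4"')
    print("Recording ID with hyphen:", value_captured(hyphenated, "Recording ID"))

    # Edge case 2: "." does not match a newline without re.DOTALL, so the
    # (.+?) properties fail on a multi-line value while [^"]+ captures it whole.
    multiline_cmd = 'DATA: "cd /var/log\nls -l"'
    multiline_app = 'APPLICATIONNAME: "Term\ninal"'
    print("Executed Command, multi-line:", value_captured(multiline_cmd, "Executed Command"))
    print("Client Application, multi-line:", value_captured(multiline_app, "Client Application"))
```

Running the script prints every property captured from the sample payload, then None for the hyphenated Recording ID and for the multi-line Client Application, while the multi-line Executed Command is captured in full. When a property stays empty on real events, unmatched_properties() over a handful of captured payloads quickly shows which regexes need adjusting in the QRadar interface.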


 

How do I install a security content pack?


To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.

Procedure
  1. Download the IBM Security Privileged Session Recorder Security Content Pack from the IBM Fix Central website for your QRadar version:

    - For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
    - For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
     
  2. Using SSH, log in to your Console as the root user.
     
  3. Copy the security content pack to the /tmp directory on the QRadar Console. Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.
     
  4. To install the security content pack, type one of the following commands:

    - For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMPrivilegedSessionRecorder-7.1-1432699238.x86_64.rpm
    - For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-IBMPrivilegedSessionRecorder-7.2-1432699238.x86_64.rpm
     
  5. Log in to the QRadar Console as an administrator.
     
  6. Click the Admin tab.

    Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
     
  7. Click Advanced > Restart Web Server.
     
  8. Click OK to restart the QRadar user interface.


    Results
    After the user interface restarts, the installation is complete. The administrator should review the IBM Security Privileged Session Recorder custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.



Document Information

Modified date:
02 April 2020

UID

swg21961386