Question & Answer
Question
A new security content pack is available for ObserveIT event data. This tech note outlines the changes and provides installation instructions for administrators.
Answer
Quick links
- What is in the ObserveIT security content pack?
- How does my log source need to be configured?
- How do I install a security content pack?
- I have additional questions, where can I go for more information?
What is in the ObserveIT security content pack?
QRadar SIEM uses the ObserveIT-JDBC protocol to collect events from the ObserveIT MySQL database. ObserveIT has four pre-configured views in version 5.7 and five pre-configured views in version 5.8 for QRadar to query for event data.
These database views allow the collection of the following event types:
- Alert events
- Database events
- Session events
- User activity
- System events (v5.8 only)
Before you begin
The custom event properties outlined in the table below are only supported on ObserveIT log source configurations that use the JDBC protocol type to collect events, which requires ObserveIT v5.7 or later. The JDBC log source integration provides more event data than the Log File protocol, which collects a file containing LEEF-formatted event data. Customers who want to use the custom event properties defined in the content pack should ensure that the QRadar log source is collecting events using the JDBC protocol.
New custom event properties added by the ObserveIT security content pack
| Description | Regex for the custom event property | Protocol configuration |
| --- | --- | --- |
| Alert ID | AlertID: "([^"]*)" | ObserveIT JDBC |
| Alert Rule Name | RuleName: "([^"]*)" | ObserveIT JDBC |
| Alert Severity | Severity: "([^"]*)" | ObserveIT JDBC |
| Alert Sql DB Name | SqlDBName: "([^"]*)" | ObserveIT JDBC |
| Alert Sql User Name | SqlUserName: "([^"]*)" | ObserveIT JDBC |
| Alert Time | AlertTime: "([^"]*)" | ObserveIT JDBC |
| Application name | ApplicationName: "([^"]*)" | ObserveIT JDBC |
| Client Name | ClientName: "([^"]*)" | ObserveIT JDBC |
| Command | Command: "([^"]*)" | ObserveIT JDBC |
| Domain | DomainName: "([^"]*)" | ObserveIT JDBC |
| OS | OS: "([^"]*)" | ObserveIT JDBC |
| Process Name | ProcessName: "([^"]*)" | ObserveIT JDBC |
| Screenshot ID | ScreenshotID: "([^"]*)" | ObserveIT JDBC |
| Server Name | ServerName: "([^"]*)" | ObserveIT JDBC |
| Session End Date | SessionLastActivityDate: "([^"]*)" | ObserveIT JDBC |
| Session ID | SessionID: "([^"]*)" | ObserveIT JDBC |
| Session Start Date | SessionDate: "([^"]*)" | ObserveIT JDBC |
| User Authentication | UserAuthentication: "([^"]*)" | ObserveIT JDBC |
| User Name | UserName: "([^"]*)" | ObserveIT JDBC |
| Video URL | VideoURL: "([^"]*)" | ObserveIT JDBC |
| Video URL Alert | VideoURL: "([^"]*)" | ObserveIT JDBC |
| Video URL Session | VideoURL: "([^"]*)" | ObserveIT JDBC |
| Window Title | WindowTitle: "([^"]*)" | ObserveIT JDBC |
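As an added example (not part of this tech note and not IBM or ObserveIT code), the following Python applies a subset of the table's regexes to a constructed event payload and flags pairs of patterns that can match the same text. It assumes the JDBC protocol renders each view column as ColumnName: "value" within one payload, which is what the regexes imply; the column order in the sample is constructed, not taken from ObserveIT.

```python
import re

# Subset of the custom event property regexes from the content pack table;
# capture group 1 is the property value.
CUSTOM_PROPERTIES = {
    "Alert ID": r'AlertID: "([^"]*)"',
    "Alert Rule Name": r'RuleName: "([^"]*)"',
    "Alert Severity": r'Severity: "([^"]*)"',
    "Alert Sql User Name": r'SqlUserName: "([^"]*)"',
    "Command": r'Command: "([^"]*)"',
    "Process Name": r'ProcessName: "([^"]*)"',
    "Server Name": r'ServerName: "([^"]*)"',
    "Session ID": r'SessionID: "([^"]*)"',
    "User Name": r'UserName: "([^"]*)"',
    "Window Title": r'WindowTitle: "([^"]*)"',
}

# Constructed sample payload, not a real ObserveIT record; it assumes the JDBC
# protocol renders each column as  ColumnName: "value"  (column order constructed).
SAMPLE_EVENT = (
    'AlertID: "1042" RuleName: "Privileged shell" Severity: "High" '
    'SqlUserName: "sa" UserName: "jdoe" ServerName: "srv-db01" '
    'ProcessName: "bash" Command: "sudo systemctl restart mysqld" '
    'WindowTitle: "" SessionID: "S-7781"'
)


def extract_custom_properties(payload, properties=CUSTOM_PROPERTIES):
    """Return {property name: value} for every regex that matches the payload.
    An empty quoted value is kept as ""; an absent column is omitted."""
    extracted = {}
    for name, pattern in properties.items():
        match = re.search(pattern, payload)
        if match:
            extracted[name] = match.group(1)
    return extracted


def overlapping_patterns(properties=CUSTOM_PROPERTIES):
    """Return (shorter, longer) pairs whose column prefix is a suffix of another
    column's prefix, e.g. 'UserName: ' inside 'SqlUserName: '. The regexes are
    unanchored, so re.search returns whichever occurrence comes first in the
    payload; column order then decides whether the shorter property is right."""
    prefixes = {name: pat.split('"', 1)[0] for name, pat in properties.items()}
    return sorted(
        (short, long)
        for short, sp in prefixes.items()
        for long, lp in prefixes.items()
        if short != long and lp.endswith(sp)
    )
```

In the constructed sample, SqlUserName precedes UserName, so the unanchored User Name regex captures "sa" rather than "jdoe"; verifying extracted values against a known record after installing the content pack is the check a practitioner would want.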
How does my log source need to be configured?
As mentioned above, to leverage the custom event properties in the security content pack the administrator must configure the log source in QRadar to use the ObserveIT JDBC protocol. The JDBC protocol collects more event information than is available to the Log File protocol. To configure an ObserveIT log source using JDBC, the administrator must have the following RPMs:
- Latest version of the ObserveIT JDBC protocol*
- Latest version of the ObserveIT JDBC DSM*
*Both the protocol and DSM are available using QRadar automatic updates.
For example, the following image shows a sample of a JDBC ObserveIT log source configuration.
Note: A 'Start Date & Time' value is not required; when it is left blank, the log source starts collecting immediately after the configuration is saved. Administrators might also need to tune the EPS throttle on extremely busy systems to avoid exceeding the license limit on the appliance.
How do I install a security content pack?
To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.
Procedure
- Download the ObserveIT security content pack from the IBM Fix Central website for your QRadar version:
- For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
- For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
- Using SSH, log in to your Console as the root user.
- Copy the security content pack to the /tmp directory on the QRadar Console. Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.
- To install the security content pack, type one of the following commands:
- For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-ObserveIT-7.1-1432316869.x86_64.rpm
- For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-ObserveIT-7.2-1432316869.x86_64.rpm
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
- Click Advanced > Restart Web Server.
- Click OK to restart the QRadar user interface.
Results
After the user interface restarts, the installation is complete.
Document Information
Modified date:
02 April 2020
UID
swg21965925