Question & Answer
Question
A new security content extension is available for IBM Security Access Manager for Mobile. This tech note outlines the changes and provides installation instructions for administrators.
Answer
Tab navigation
- About-selected tab,
- Installing a Content Pack
- Installing an Extension
IBM Security Access Manager for Mobile supports TLS Syslog events for IBM Security Access Manager for Mobile and IBM IDaaS events in LEEF format. This Syslog data allows administrators to collect authentication, trust, runtime, audit, signing, CloudOE, operations, usage, and IDaaS audit information for QRadar. The security content pack for IBM Security Access Manager for Mobile contains 38 new custom event properties for important fields that can be leveraged by administrators in reports or searches, which were not available in the original DSM release.
Custom event properties added by the IBM Security Access Manager for Mobile extension
| Property name | Description |
| Action | Default custom extraction of Action. |
| Policy ID | Default custom extraction of Policy ID. |
| Resource Info | Default custom extraction of Resource Information. |
| Session ID | Default custom extraction of Session ID. |
| Access Decision | Default custom extraction of Access Decision. |
| User Session ID | Default custom extraction of User Session ID. |
| Detected Malware IDs | Default custom extraction of Detected Malware IDs. |
| Evaluated Risk Score | Default custom extraction of Evaluated Risk Score. |
| Malware Present | Default custom extraction of Malware Present. |
| Event Timestamp | Default custom extraction of Event Timestamp. |
| Detection Error Code | Default custom extraction of Detection Error Code. |
| Detection Error | Default custom extraction of Detection Error. |
| Authenticated user | Default custom extraction of Authenticated user. |
| Subject | Default custom extraction of Subject. |
| User Distinguished Name | Default custom extraction of User Distinguished Name. |
| Browser info | Default custom extraction of Browser info. |
| Obligations | Default custom extraction of Obligations. |
| Login Risk Score | Default custom extraction of Login Risk Score. |
| Login Recommendation | Default custom extraction of Login Recommendation. |
| Login Reason Code | Default custom extraction of Login Reason Code. |
| Login Reason | Default custom extraction of Login Reason. |
| Payee Risk Score | Default custom extraction of Payee Risk Score. |
| Payee Recommendation | Default custom extraction of Payee Recommendation. |
| Payee Reason Code | Default custom extraction of Payee Reason Code. |
| Payee Reason | Default custom extraction of Payee Reason. |
| Transaction Risk Score | Default custom extraction of Transaction Risk Score. |
| Transaction Recommendation | Default custom extraction of Transaction Recommendation. |
| Transaction Reason Code | Default custom extraction of Transaction Reason Code. |
| Transaction Reason | Default custom extraction of Transaction Reason. |
| Agent Key | Default custom extraction of Agent Key. |
| Device OS | Default custom extraction of Device Operating System. |
| OS Patch Level | Default custom extraction of Device Operating System Patch Level. |
| Installation Timestamp | Default custom extraction of Installation Timestamp. |
| Infected Device | Default custom extraction of Infected Device. |
| Installation Source | Default custom extraction of Installation Source. |
| Jail Broken Device | Default custom extraction of Jail Broken Device. |
| Calculated Risk Score | Default custom extraction of Calculated Risk Score. |
| Version | Default custom extraction of Version. |
To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.
Procedure
- Download the IBM Security Access Manager for Mobile content pack from the IBM Fix Central website for your QRadar version:
- For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
- For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
- Using SSH, log in to your Console as the root user.
- Copy the security content pack to the /tmp directory on the QRadar Console.
- Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
- To install the security content pack, type one the following command:
- For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerForMobile-7.1-1444222119.x86_64.rpm
- For QRadar 7.2, type: rpm -Uvh ContentPackage-CustomProperties-IBMSecurityAccessManagerForMobile-7.2-1444222119.x86_64.rpm
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
- Click Advanced > Restart Web Server.
- Click OK to restart the QRadar user interface.
Results After the user interface restarts, the installation is complete. The administrator should review the Bit9 Security Platform custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customize content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article will outline the contents of the extension being added to QRadar.Procedure
- Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from http://apps.xforce.ibmcloud.com/.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
- Note:The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add.
- A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
- Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
Related Information
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
02 April 2020
UID
swg21974828