IBM Support

QRadar: Creating an Offense for Monitoring an Internal Log Source

Troubleshooting


Problem

I would like to know how to create a rule for QRadar to generate offenses when my internal log sources stop sending events, such as SIM-Audit.

Symptom

This rule is intended to fire an offense every 30 minutes while QRadar has not seen events from an internal log source for 1 hour. Internal log sources, especially SIM Audit, are critical to QRadar, as many administrators use SIM Audit data for reporting on QRadar user activity and for meeting compliance requirements in corporate environments.

Resolving The Problem

What are internal log sources?
There are several internal DSMs that ship by default with QRadar and are non-configurable, as these DSMs are specific to parsing events generated by QRadar itself. As of QRadar 7.2.7, these internal log sources do not count against your EPS limit. Internal log sources cannot be added as a "Log Source Type" in the interface, as they are intentionally hidden from the log source configuration user interface. These log sources can still be searched from the Log Activity screen by administrators interested in tracking events generated by QRadar.

Types of data collected by internal log sources:
  • Anomaly detection engine - events that fire in response to the Anomaly Detection Engine, such as threshold events.
  • Asset Profile - events that come from the Asset Profiler such as discovery of a new asset, asset IP change or new MAC detected.
  • Health Metrics - events that are designed to process information about the health of the appliance such as disk space, CPU usage, or performance.
  • Search Results - events related to running searches.
  • System Notification - events that come from the system logs of the appliance such as: power on, power off, disk usage, service starting, and service stopping.
  • SIM Generic Log DSM - general bucket for unknown events.
  • SIM Audit - events of activity that took place in QRadar by users. SIM Audit events are written to disk in /var/log/audit.
  • Custom Rule Engine - events from the Custom Rule Engine (CRE), such as timeouts, warnings, or errors.


How to view internal log sources
Internal log sources are by default added to the log source group 'Other'. On new QRadar installations, these log sources will be the only items listed in the 'Other' category. In the Log Activity tab, if you use Add Filter > Log Sources [Indexed] > Other, you can see all DSMs and filter against internal DSMs, as all events display in the Log Activity screen.

When you install a fresh QRadar installation, there are no log sources listed; however, you can see events from other processes communicating in the deployment. For example, Health Metrics and Asset Profiler have DSMs, and QRadar Risk Manager has a DSM if it is activated in QRadar. Internal DSMs on a default appliance usually have a -2 at the end of their name. There is also a Custom Rule Engine DSM and a SIM Generic DSM; however, these only create events based on rule responses or when unknown events are forwarded to QRadar, which are user actions. You can think of internal DSMs as QRadar processes communicating and creating messages about the things in the deployment we want to keep track of, like system notifications and health metrics.


Figure 1: Example of several QRadar Internal DSMs

How to create a rule in QRadar that monitors SIM-Audit events

  1. Log in to QRadar.
  2. Click the Offenses tab.
  3. Click the Rules icon.
  4. Click Actions > New Event Rule.
  5. Double-click to add the rule test: when the event(s) have not been detected by one or more of these log source types for this many seconds.

    Figure 2: Use the rule test 'these log source types' to keep the rule test host independent.
  6. Type a name for the rule, such as QRadar SIM Audit Events Stopped.
  7. From the rule editor, click these log source types and select SIM Audit.

    Figure 3: Select SIM Audit as the log source type.
  8. Click Submit.
  9. From the Rule Response Wizard, configure the rule response values as shown in Figure 4:

    Figure 4: Configure your rule similar to the screen capture and ensure the rule indexes the offense by Log Source.
  10. Click Next.
  11. Review the rule summary.

    Figure 5: Review the log source summary.
  12. Click Finish.

    Results
    The rule monitors for the SIM Audit log source not sending data for 1 hour. If an administrator receives this offense, they should run a Log Activity search on the SIM Audit log source to verify when it stopped sending. A search can also be run to verify that SIM Audit data is being generated. If for any reason your SIM Audit log source has stopped producing data, you should contact QRadar Support (http://ibm.biz/qradarsupport).
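The script below is an added example and is not IBM code or part of this technote. It models, outside QRadar, what the rule created above does: track the last event time per log source type, treat a source as silent once no event has arrived for 3600 seconds (the "this many seconds" value), and re-fire the offense every 1800 seconds (30 minutes) while the silence continues, keyed by log source as the offense index in Figure 4 is. The log source type names, timestamps and event stream are constructed test data; the two thresholds come from the technote. A source that has never been seen is measured from the time monitoring started, which is an assumption, not documented QRadar behaviour.

```python
"""Silence detector mirroring the 'events not detected for N seconds' rule.

Added example, not QRadar's implementation. Thresholds are the technote's
values; all event data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SILENCE_SECONDS = 3600   # rule test: no events for 1 hour
REFIRE_SECONDS = 1800    # rule response: fire again every 30 minutes


@dataclass
class SilenceMonitor:
    watched: List[str]                    # log source types to monitor
    started: int = 0                      # epoch seconds when monitoring began
    silence_seconds: int = SILENCE_SECONDS
    refire_seconds: int = REFIRE_SECONDS
    last_seen: Dict[str, Optional[int]] = field(default_factory=dict)
    last_fired: Dict[str, Optional[int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for name in self.watched:
            self.last_seen.setdefault(name, None)
            self.last_fired.setdefault(name, None)

    def observe(self, log_source_type: str, ts: int) -> None:
        """Record an event from log_source_type arriving at epoch second ts."""
        if log_source_type not in self.last_seen:
            return                        # not a watched type; ignore
        prev = self.last_seen[log_source_type]
        if prev is None or ts > prev:
            self.last_seen[log_source_type] = ts
        # A fresh event ends the outage, so the next outage fires promptly.
        self.last_fired[log_source_type] = None

    def check(self, now: int) -> List[str]:
        """Return the watched types that should raise an offense at time now."""
        fired = []
        for name in self.watched:
            seen = self.last_seen[name]
            # Never-seen sources are measured from monitor start (assumption).
            baseline = seen if seen is not None else self.started
            if now - baseline < self.silence_seconds:
                continue                  # still within the allowed gap
            last = self.last_fired[name]
            if last is None or now - last >= self.refire_seconds:
                self.last_fired[name] = now
                fired.append(name)
        return fired


# Constructed sample stream: Health Metrics every 10 minutes; SIM Audit stops
# after t=1200 s and resumes at t=8700 s.
SAMPLE_EVENTS: List[Tuple[str, int]] = (
    [("Health Metrics", t) for t in range(0, 9001, 600)]
    + [("SIM Audit", 0), ("SIM Audit", 600), ("SIM Audit", 1200), ("SIM Audit", 8700)]
)


def run_scenario(events=SAMPLE_EVENTS, step: int = 600, end: int = 9000):
    """Replay events and evaluate the rule every `step` seconds.

    Returns [(now, [types fired]), ...] for each evaluation that fired.
    """
    mon = SilenceMonitor(watched=["SIM Audit", "Health Metrics"], started=0)
    ordered = sorted(events, key=lambda e: e[1])
    results = []
    idx = 0
    for now in range(0, end + 1, step):
        while idx < len(ordered) and ordered[idx][1] <= now:
            mon.observe(*ordered[idx])
            idx += 1
        fired = mon.check(now)
        if fired:
            results.append((now, fired))
    return results


if __name__ == "__main__":
    for when, types in run_scenario():
        print(f"t={when:5d}s offense for {types}")
```

In the sample replay SIM Audit is last seen at t=1200 s, so the first offense fires at t=4800 s, then again at t=6600 s and t=8400 s (30-minute spacing), and stops once the t=8700 s event arrives; Health Metrics never fires. The same structure applies to any of the internal log source types listed earlier by adding their names to `watched`.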


Document Information

Modified date: 27 April 2021

UID: swg21993556