Network IPS Events Are "Unknown" in QRadar SIEM

Technote (troubleshooting)


Problem(Abstract)

After integrating the Network IPS appliance to send the system log to the QRadar SIEM, some of the IPS events from the Network IPS appliance present as "unknown" in the QRadar SIEM.

Cause

The Network IPS firmware version 4.5 release is the first release to integrate the QRadar SIEM and the Network IPS appliance. Both product teams continue to work on this integration.

Resolving the problem

Use one of the following procedures to map an "unknown" event to an existing IPS event.

Manual mapping with a universal LEEF DSM

  1. Download the universal LEEF DSM file from the Q1 Labs Qmmunity at https://qmmunity.q1labs.com/ using your Q1 Labs customer login credentials. The latest version of this file is entitled DSM-UniversalLEEF-7.0-358344.noarch.rpm at https://qmmunity.q1labs.com/node/2492.
  2. Upload the Q1 Labs universal LEEF DSM file to the QRadar SIEM.
  3. To install the file, type "rpm -Uhv DSM-UniversalLEEF-7.0-358344.noarch.rpm".
  4. Create a universal LEEF DSM using SSH file transfer (SFTP) or secure copy (SCP) to retrieve the LEEF message from the Network IPS appliance.
  5. On the QRadar SIEM, go to the Log Activity tab in the Management Console. Select an "unknown" event from the Network IPS appliance.
  6. On the Map Event page, search the QID database. Select IBM Proventia Network Intrusion Prevention System (IPS) as the Log Source Type and type the text part (without the number) of the Log Source Event ID as the QID/Name.
  7. Select a comparable QID and click OK to save the mapping.

The QRadar SIEM presents the "unknown" event as the comparable QID.

Automatic mapping with a universal DSM

  1. Write a log source extension (LSX) xml file to parse the LEEF message from the Network IPS appliance. Set up the automatic mapping with the following parameters:
    • For the EventName, use the text part (without the number) of the Log Source Event ID
    • For the match-group tag, set the attribute to device-type-id-override="15".
    • For the event-match-multiple tag, set the attribute to device-event-category="Proventia".
  2. Create a universal LEEF DSM using SSH file transfer (SFTP) or secure copy (SCP) to retrieve the LEEF message from the Network IPS appliance.
  3. For more information on writing an LSX xml file, go to the Q1 Labs Qmmunity and look for the Log Sources User Guide. The latest version of the article is LogSources-70MR5.pdf at https://qmmunity.q1labs.com/system/files/LogSources-70MR5.pdf.
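The following log source extension is an added, worked illustration of the three parameters listed in step 1 (EventName taken from the text part of the Log Source Event ID, device-type-id-override="15" on the match-group, device-event-category="Proventia" on event-match-multiple). It is not the technote's own file and not an IBM or Q1 Labs deliverable. The sample LEEF line in the comment is constructed; the exact layout of the Network IPS event ID field (the numeric part before the text part) and the LEEF attribute keys (src, dst, srcPort, dstPort, proto) are assumptions, so adjust the regular expressions to the messages you actually retrieve from the appliance in step 2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example LSX for the Network IPS LEEF feed (not from the technote).
  Constructed sample event this extension is written against:

  <13>Oct 16 10:00:00 ips-host LEEF:1.0|IBM|Proventia Network IPS|4.5|4200123 HTTP_Example_Signature|src=10.0.0.5	dst=10.0.0.20	srcPort=51234	dstPort=80	proto=TCP

  The fifth pipe-delimited LEEF header field is the Log Source Event ID.
  Assumption: it holds a number followed by the event text; the EventName
  pattern keeps only the text part, as step 1 requires.
-->
<device-extension xmlns="event_parsing/device_extension">

  <!-- Skip the four LEEF header fields (version|vendor|product|firmware),
       drop an optional leading number, capture the text part of the ID. -->
  <pattern id="EventNameParser" xmlns=""><![CDATA[LEEF:[^|]*\|[^|]*\|[^|]*\|[^|]*\|\s*\d*\s*([A-Za-z][A-Za-z0-9_.-]*)]]></pattern>

  <!-- Standard LEEF attribute keys; \S+ stops at the tab or space delimiter. -->
  <pattern id="SourceIpParser"        xmlns=""><![CDATA[\bsrc=(\S+)]]></pattern>
  <pattern id="DestinationIpParser"   xmlns=""><![CDATA[\bdst=(\S+)]]></pattern>
  <pattern id="SourcePortParser"      xmlns=""><![CDATA[\bsrcPort=(\d+)]]></pattern>
  <pattern id="DestinationPortParser" xmlns=""><![CDATA[\bdstPort=(\d+)]]></pattern>
  <pattern id="ProtocolParser"        xmlns=""><![CDATA[\bproto=(\S+)]]></pattern>

  <!-- device-type-id-override="15" makes QRadar treat the parsed event as an
       IBM Proventia Network IPS event so the existing IPS QIDs can be applied. -->
  <match-group order="1" description="Network IPS LEEF parsing"
               device-type-id-override="15" xmlns="">

    <matcher field="EventName"       order="1" pattern-id="EventNameParser"       capture-group="1"/>
    <matcher field="SourceIp"        order="1" pattern-id="SourceIpParser"        capture-group="1"/>
    <matcher field="DestinationIp"   order="1" pattern-id="DestinationIpParser"   capture-group="1"/>
    <matcher field="SourcePort"      order="1" pattern-id="SourcePortParser"      capture-group="1"/>
    <matcher field="DestinationPort" order="1" pattern-id="DestinationPortParser" capture-group="1"/>
    <matcher field="Protocol"        order="1" pattern-id="ProtocolParser"        capture-group="1"/>

    <!-- Automatic mapping: the captured text part of the event ID is looked up
         in the QID database under the "Proventia" category, replacing the
         manual QID mapping in the procedure above. -->
    <event-match-multiple pattern-id="EventNameParser" capture-group-index="1"
                          device-event-category="Proventia"
                          send-identity="OverrideAndNeverSend"/>
  </match-group>

</device-extension>
```

After uploading the extension in the QRadar Management Console, attach it to the Network IPS log source and confirm on the Log Activity tab that new events from the appliance no longer show as "unknown"; an event that still does indicates that either the captured text does not match a QID name in the Proventia category or the event ID field has a layout the EventNameParser pattern does not cover.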


If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.


Document information

More support for: IBM Security Network Intrusion Prevention System

Software version: 4.5

Operating system(s): Firmware

Reference #: 1609607

Modified date: 2012-10-16
