IBM QRadar Custom Property Extension: Juniper SSL VPN

Question & Answer


Question

A new security content pack is available for Juniper SSL VPN to add one new custom property and update parsing for different occurrences of 'Realm' that appear in event payloads.

Answer

The Juniper SSL VPN Custom Property Extension adds one custom property for 'Realm' and updates one existing QRadar custom property for 'Realm'. The Realm custom property works for some users but not for others, because the keyword "Realm" can appear with an attached number, such as 'Realm5'. The Juniper SSL VPN Custom Property Extension resolves these parsing issues when variants of the name appear in event payloads.


Administrators must pay attention to custom property changes after installing an extension. Custom properties that are updated in this extension might overwrite user modified values. A list of changes is provided to the administrator before the extension is installed in QRadar. Depending on how the administrator installs the extension, some values in the custom property might be overwritten.

Custom event properties updated in the Juniper SSL VPN extension v1.0.0

| Property name | Expression | Change |
| --- | --- | --- |
| BytesReceived | `\[\d+.\d+.\d+.\d+\](.*?)?\((.*?)?\)\[(.*?)?\] - Closed connection to (.*?) port \d+ after (\d+) seconds, with (\d+) bytes read (.*?)? and (\d+) bytes written` | None |
| BytesSent | `\[\d+.\d+.\d+.\d+\](.*?)?\((.*?)?\)\[(.*?)?\] - Closed connection to (.*?) port \d+ after (\d+) seconds, with (\d+) bytes read (.*?)? and (\d+) bytes written` | None |
| Date_Time | `(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})` | None |
| Duration_Seconds | `duration=(\d+)` | None |
| Duration_Seconds | `\[\d+.\d+.\d+.\d+\](.*?)?\((.*?)?\)\[(.*?)?\] - Closed connection to (.*?) port \d+ after (\d+) seconds, with (\d+) bytes read (.*?)? and (\d+) bytes written` | None |
| Policy | `\d+-\d+-\d+ \d+:\d+:\d+ - .*? - \[\d+.\d+.\d+.\d+\] .*?\(.*?\)\[.*?\] - (.*)? in Role` | None |
| Policy | `[pP]olicy '(.*?)'` | None |
| Realm | `Realm (.*?)[:,]` | Updated in v1.0.0 |
| Realm | `realm=(['"])(.*?)\1` | None |
| Realm | `\((.*) realm\)` | None |
| Realm | `\[\d+.\d+.\d+.\d+\].*\((.*)?\)` | Updated in v1.0.0 |
| Resource | `\[\d+.\d+.\d+.\d+\] .*\([.*]?.*?\)\[.*?\] - Resources in Policy '.*?' is modified from \[(.*?)\] to \[(.*)\]` | None |
| Resource | `\[\d+.\d+.\d+.\d+\] .*\([.*]?.*?\)\[.*?\] - Resources in Policy '.*?' is modified from \[(.*?)\] to \[(.*)\]` | None |
| Role | `\[\d+.\d+.\d+.\d+\] .*\([.*]?.*?\)\[(.*?)\]` | None |
| Role | `[rR]ole[s]?[= ](['"])(.*?)\1` | None |
| URL | `\(URL=(.*?)\)` | None |
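Because an extension install can overwrite custom property expressions, it is worth checking how the four 'Realm' expressions from the table behave on representative payloads before they go live. The following Python script does that offline: it is an added example, not part of this IBM article or of the extension itself. The sample payloads are constructed for illustration rather than captured from a Juniper device, and the capture-group number paired with each expression is our assumption about which group carries the realm value (QRadar property definitions select a capture group, but the page does not list them).

```python
import re

# The four 'Realm' expressions exactly as listed in the custom property table above.
# The unescaped dots in \d+.\d+.\d+.\d+ match any character, so the bracketed
# address matches as written. The capture group paired with each expression is an
# assumption for this example, not a value taken from the page.
REALM_EXPRESSIONS = [
    (re.compile(r"Realm (.*?)[:,]"), 1),
    (re.compile(r"realm=(['\"])(.*?)\1"), 2),  # group 1 is only the quote character
    (re.compile(r"\((.*) realm\)"), 1),
    (re.compile(r"\[\d+.\d+.\d+.\d+\].*\((.*)?\)"), 1),
]

# Constructed sample payloads for this example; they are not captured device output.
SAMPLES = {
    "bracketed_realm5": "2020-04-03 10:15:22 - ive - [10.1.2.3] jdoe(Realm5)[Users] - "
                        "Login succeeded for jdoe/Realm5 from 10.1.2.3",
    "keyword_colon": "2020-04-03 10:16:05 - ive - [10.1.2.3] - Realm Users: sign-in policy updated",
    "quoted_kv": "2020-04-03 10:17:40 - ive - Session started, user='jdoe' realm='Users' role='Employees'",
    "paren_realm": "2020-04-03 10:19:30 - ive - Authentication server 'LDAP-1' assigned to (Users realm)",
    # Same bracketed form as the first sample, but with a trailing parenthesised note.
    "trailing_parens": "2020-04-03 10:18:12 - ive - [10.1.2.3] jdoe(Realm5)[Users] - "
                       "Login succeeded (agent Pulse)",
}


def realm_matches(payload):
    """Return [(expression_index, captured_value)] for every expression that matches.

    An empty list means none of the four expressions would populate the property.
    """
    results = []
    for idx, (pattern, group) in enumerate(REALM_EXPRESSIONS):
        match = pattern.search(payload)
        if match and match.group(group) is not None:
            results.append((idx, match.group(group)))
    return results


def regression_report(samples=SAMPLES):
    """Run every sample through realm_matches so a changed expression shows up as a diff."""
    return {name: realm_matches(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, matches in regression_report().items():
        print(f"{name:17} -> {matches if matches else 'NO MATCH'}")
```

Running the script shows that the bracketed form `jdoe(Realm5)[Users]` is parsed only by the fourth expression, which is why a keyword-only pattern such as `Realm (.*?)[:,]` leaves 'Realm5' events without a realm. The last sample is the check to keep an eye on: because `.*\((.*)?\)` is greedy, a payload that ends with another parenthesised phrase yields `agent Pulse` instead of `Realm5`, so the report is worth re-running against your own event payloads whenever the expression set changes.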

Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications to your deployment or to add customized content extensions to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The About tab of this article includes a list of the custom property changes in the Juniper SSL VPN Custom Property Extension.

Procedure

  1. Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download it from: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:JuniperNetworksSecureAccessCustomProperties.

  2. Click the Admin tab.

  3. Click the Extension Management icon.

  4. To upload an extension, click Add, and select the extension to upload. Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.

  5. To install the extension immediately, select the Install immediately check box and then click Add. A preview of the application content is displayed.

  6. To preview the contents of an extension before it is installed, select it from the list of extensions, and click More Details.

    The content items are compared to data already in the deployment. If the content already exists, you can choose to overwrite the data with the new value in the extension or to keep the existing data.

    A good rule of thumb when modifying custom event properties is to assign a unique name instead of editing a default value. For example, instead of modifying the default custom property, copy it and give the copy a unique name. This allows the administrator to overwrite default custom properties without impacting user-modified values.

Results

After the extension is added, review the Status column for installation issues. A yellow caution icon might indicate a potential issue with the digital signature. Hover the mouse over the caution icon for more information. Extensions that are unsigned, or are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment.


Document Information

Modified date: 03 April 2020

UID: swg21988723