Integrate QRadar with Microsoft Defender for IoT
This article describes how to integrate Microsoft Defender for IoT with QRadar.
Integrating with QRadar supports:
Forwarding Defender for IoT alerts to IBM QRadar for unified IT and OT security monitoring and governance.
An overview of both IT and OT environments, allowing you to detect and respond to multi-stage attacks that often cross IT and OT boundaries.
Integrating with existing SOC workflows.
Prerequisites
Access to a Defender for IoT OT sensor as an Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
Access to a Defender for IoT OT on-premises management console as an Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
Access to the QRadar Admin area.
Configure Syslog listener for QRadar
To configure the Syslog listener to work with QRadar:
Sign in to QRadar and select Admin > Data Sources.
In the Data Sources window, select Log Sources.
In the Modal window, select Add.
In the Add a log source dialog box, define the following parameters:
- Log Source Name: <Sensor name>
- Log Source Description: <Sensor name>
- Log Source Type: Universal LEEF
- Protocol Configuration: Syslog
- Log Source Identifier: <Sensor name>
Note
The Log Source Identifier name must not include white spaces. We recommend replacing any white spaces with an underscore.
Select Save, and then Deploy Changes.
Deploy a Defender for IoT QID
A QID is a QRadar event identifier. Because all Defender for IoT reports are tagged under the same Sensor Alert event, you can use one QID for all of these events in QRadar.
To deploy a Defender for IoT QID:
Sign in to the QRadar console.
Create a file named xsense_qids.
In the file, add the following line (a QID map entry):
,XSense Alert,XSense Alert Report From <XSense Name>,5,7001
Run:
sudo /opt/qradar/bin/qidmap_cli.sh -i -f <path>/xsense_qids
A confirmation message appears, indicating that the QID was deployed successfully.
Create QRadar forwarding rules
Create a forwarding rule from your on-premises management console to forward alerts to QRadar.
Forwarding alert rules run only on alerts triggered after the forwarding rule is created. The rule doesn't affect any alerts already in the system from before the forwarding rule was created.
The following code is an example of a payload sent to QRadar:
<9>May 5 12:29:23 sensor_Agent LEEF:1.0|CyberX|CyberX platform|2.5.0|CyberX platform Alert|devTime=May 05 2019 15:28:54 devTimeFormat=MMM dd yyyy HH:mm:ss sev=2 cat=XSense Alerts title=Device is Suspected to be Disconnected (Unresponsive) score=81 reporter=192.168.219.50 rta=0 alertId=6 engine=Operational senderName=sensor Agent UUID=5-1557059334000 site=Site zone=Zone actions=handle dst=192.168.2.2 dstName=192.168.2.2 msg=Device 192.168.2.2 is suspected to be disconnected (unresponsive).
When configuring the forwarding rule:
In the Actions area, select QRadar.
Enter details for the QRadar host, port, and timezone.
Optionally, enable encryption and configure it, and/or select to manage alerts externally.
For more information, see Forward on-premises OT alert information.
Map notifications to QRadar
Sign in to your QRadar console, and select QRadar > Log Activity.
Select Add Filter, and define the following parameters:
- Parameter: Log Sources [Indexed]
- Operator: Equals
- Log Source Group: Other
- Log Source: <Xsense Name>
Locate an unknown report detected from your Defender for IoT sensor and double-click it.
Select Map Event.
In the Modal Log Source Event page, select:
- High-Level Category: Suspicious Activity
- Low-Level Category: Unknown Suspicious Event
- Log Source Type: Any
Select Search.
From the results, select the line in which the name XSense appears, and select OK.
All of the sensor reports from now on are tagged as Sensor Alerts.
The following new fields appear in QRadar:
UUID: Unique alert identifier, such as 1-1555245116250.
Site: The site where the alert was discovered.
Zone: The zone where the alert was discovered.
For example:
<9>May 5 12:29:23 sensor_Agent LEEF:1.0|CyberX|CyberX platform|2.5.0|CyberX platform Alert|devTime=May 05 2019 15:28:54 devTimeFormat=MMM dd yyyy HH:mm:ss sev=2 cat=XSense Alerts title=Device is Suspected to be Disconnected (Unresponsive) score=81 reporter=192.168.219.50 rta=0 alertId=6 engine=Operational senderName=sensor Agent UUID=5-1557059334000 site=Site zone=Zone actions=handle dst=192.168.2.2 dstName=192.168.2.2 msg=Device 192.168.2.2 is suspected to be disconnected (unresponsive).
Note
The forwarding rule you create for QRadar uses the UUID API from the on-premises management console. For more information, see UUID (Manage alerts based on the UUID).
Add custom fields to the alerts
To add custom fields to alerts:
Select Extract Property.
Select Regex Based.
Configure the following fields:
- New Property: one of the following:
  - Sensor Alert Description
  - Sensor Alert ID
  - Sensor Alert Score
  - Sensor Alert Title
  - Sensor Destination Name
  - Sensor Direct Redirect
  - Sensor Sender IP
  - Sensor Sender Name
  - Sensor Alert Engine
  - Sensor Source Device Name
- Optimize Parsing: check on.
- Field Type: AlphaNumeric
- Enabled: check on.
- Log Source Type: Universal LEEF
- Log Source: <Sensor Name>
- Event Name: should already be set as Sensor Alert
- Capture Group: 1
- Regex: define the following for each property:
  - Sensor Alert Description: msg=(.*)(?=\t)
  - Sensor Alert ID: alertId=(.*)(?=\t)
  - Sensor Alert Score: score=(.*)(?=\t)
  - Sensor Alert Title: title=(.*)(?=\t)
  - Sensor Destination Name: dstName=(.*)(?=\t)
  - Sensor Direct Redirect: rta=(.*)(?=\t)
  - Sensor Sender IP: reporter=(.*)(?=\t)
  - Sensor Sender Name: senderName=(.*)(?=\t)
  - Sensor Alert Engine: engine=(.*)(?=\t)
  - Sensor Source Device Name: src
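To check what the custom properties above should carry before you configure them in QRadar, here is an added parser for the payload format shown earlier (example code, not part of Microsoft's or IBM's documentation). It assumes the LEEF attributes are tab-delimited, as LEEF 1.0 does by default and as the (?=\t) lookaheads imply; the sample line is constructed from the page's example payload, and the property-to-key mapping is taken from the regex list above (Sensor Source Device Name is left out because its regex is truncated on the page).

```python
# Constructed sample, modelled on the payload shown on this page; the LEEF
# attributes are tab-separated (LEEF 1.0 default), which is what the (?=\t)
# lookaheads in the custom-property regexes assume.
SAMPLE = (
    "<9>May 5 12:29:23 sensor_Agent LEEF:1.0|CyberX|CyberX platform|2.5.0|"
    "CyberX platform Alert|"
    "devTime=May 05 2019 15:28:54\tdevTimeFormat=MMM dd yyyy HH:mm:ss\tsev=2\t"
    "cat=XSense Alerts\ttitle=Device is Suspected to be Disconnected (Unresponsive)\t"
    "score=81\treporter=192.168.219.50\trta=0\talertId=6\tengine=Operational\t"
    "senderName=sensor Agent\tUUID=5-1557059334000\tsite=Site\tzone=Zone\t"
    "actions=handle\tdst=192.168.2.2\tdstName=192.168.2.2\t"
    "msg=Device 192.168.2.2 is suspected to be disconnected (unresponsive)."
)

# Custom property names from the table above -> LEEF attribute each regex reads.
PROPERTY_KEYS = {
    "Sensor Alert Description": "msg",
    "Sensor Alert ID": "alertId",
    "Sensor Alert Score": "score",
    "Sensor Alert Title": "title",
    "Sensor Destination Name": "dstName",
    "Sensor Direct Redirect": "rta",
    "Sensor Sender IP": "reporter",
    "Sensor Sender Name": "senderName",
    "Sensor Alert Engine": "engine",
}


def parse_leef(line: str) -> dict:
    """Split a syslog-wrapped LEEF 1.0 record into its header and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in payload")
    # Header layout: LEEF:Version|Vendor|Product|Version|EventID|attributes
    version, vendor, product, prod_version, event_id, body = line[start:].split("|", 5)
    attrs = {}
    for pair in body.split("\t"):
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep:  # skip anything that is not key=value
            attrs[key] = value
    return {"leef_version": version[len("LEEF:"):], "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "attributes": attrs}


def custom_properties(line: str) -> dict:
    """Values the QRadar custom properties above would carry for this payload."""
    attrs = parse_leef(line)["attributes"]
    return {name: attrs.get(key) for name, key in PROPERTY_KEYS.items()}
```

Because (.*) is greedy, a pattern such as title=(.*)(?=\t) backtracks only as far as the last tab in the payload, so when you test each property in QRadar, check that the capture ends at the next tab rather than running into later attributes.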