Sending Notifications to QRadar
QRadar 7.3 or later is required for this procedure.
Configure CEF Server via GUI
To enable logging to a QRadar console via the Asset Manager graphical user interface (GUI):
- Log in to Asset Manager.
- Select Settings > Asset Manager Systems.
- Click the CEF Notifications tab.
- Identify the logging server to which you want to send event notifications:
  - Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6
  - Host Name or IP Address: Must be an IPv4-type IP address
  - Port number: Must be a valid integer
- When you are ready to send CEF-formatted event notifications, select the CEF Enabled checkbox.
- Click Submit.
A message displays, indicating that your configuration settings were saved.
Asset Manager is now configured to display CEF-formatted syslog output in your QRadar console.
Configure CEF Server via CLI
To enable logging to a QRadar console via the Asset Manager command-line interface (CLI):
- Log in to the Command-Line Interface (CLI):
  - Open a host or server that supports SSH.
  - At the prompt, type ssh admin@<yourservername> and press Enter.
  - Enter your password (for example, admin) and press Enter.
- At the command prompt, type log cefserver <enable/disable> <protocol> <IP address> <port number> and press Enter.
  - Protocol: TCP-IPv4, UDP-IPv4, TCP-IPv6, or UDP-IPv6
  - IP Address: Must be an IPv4-type IP address
  - Port number: Must be a valid integer
  - Enable: Enables the CEF server
  - Disable: Disables the CEF server
Asset Manager is now configured to display CEF-formatted syslog output in your QRadar console.
Configuring CEF-Formatted Syslog Output
- On the CEF Notifications tab, click the tab for the type of CEF Notifications you want to display: either System or Device.
- To edit the priority of an event and whether you subscribe to it, click Edit and update the form:
  - Subscribed: Indicates whether or not you have opted to receive notifications of that event type.
  - Name: Name of the event.
  - Priority: Indicates the level of severity: informational, alert, or warning.
  - Event Type: The predefined category of the event.
- To add a device notification, click Add and update the form.
- To apply additional filters to your device notifications, update the form.
Note: Filtering does not affect the exporting of notifications; unfiltered data is exported.
CEF Output
Header Syntax
<syslogheader> CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity
Header Sample
22 Jul 2014 13:28:59 grog CEF:0|Asset Manager|Asset Manager|3.2.4.9086|DEVICE_DISCOVERED|Device Discovered|5
Message Sample
msg=Device stealth:c:3038:1 created.
Asset Manager-specific Fields
The message is followed by Asset Manager-specific custom fields mapped to CEF attributes. All custom fields are appended after "msg".
CEF to QRadar Property Mapping
A CEF event generated from Asset Manager has its fields separated by | and looks as follows:
0|Asset Manager|Asset Manager|3.2.4.9086|DEVICE_DISCOVERED| Device Discovered |5|msg=Device stealth:c:3038:1 created. cat= DISCOVERY dvchost=CCM-AMC rt=Nov 02 2017 13:19:55 cn1=1 cn1Label=Facility Zone1 dhost= c6a3= mac=
Mapping of CEF event fields to QRadar properties is defined in the table below:
QRadar Property | DataType | Asset Manager Event Attribute | Value from Above Example |
---|---|---|---|
Device Vendor | static word: Asset Manager | Name of Company | Asset Manager |
Device Product | static word: Asset Manager | Name of Product | Asset Manager |
Device Version | Real Number | Version of Product | 3.2.4 |
Event ID | String or integer | Notification Type | DEVICE_DISCOVERED |
Event Name | String | NotificationName/NotificationType | Device Discovered |
Severity | Integer | 1, 5, 10 | 5 |
Event Category | String | DISCOVERY("/discovery"), | DISCOVERY |
| MAC Address | MAC address associated with the event | |
| IPV4 Address | IP address associated with the event | |
Log Source Time | TimeStamp | Event generation time | Nov 02 2017 13:19:55 |
Hostname (custom) | String | Asset Manager CC System Name | CCM-AMC |
dhost | String | Host associated with the event | c6a3 |
c6a3 | IPv6 | IP associated with the event | |
suser | String | User name associated with the event | |
cn1 | Long | Zone ID of the event | 1 |
cn1Label | String | Zone Name of the event | Facility Zone1 |
Message (custom) | String | Event generated | |
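To make the mapping concrete, here is an added parser (example code, not part of Asset Manager or QRadar) that splits the CEF header on unescaped pipes, reads the key=value extension while coping with values that contain spaces and with the empty dhost=, c6a3= and mac= fields from the sample, and fills the QRadar properties from the table; the sample line is constructed by joining the page's header sample to its extension sample.

```python
import re
# Constructed sample: the page's "Header Sample" joined to the extension from its
# mapping example; not captured from a live Asset Manager system.
SAMPLE = ("22 Jul 2014 13:28:59 grog CEF:0|Asset Manager|Asset Manager|3.2.4.9086|"
          "DEVICE_DISCOVERED|Device Discovered|5|msg=Device stealth:c:3038:1 created. "
          "cat= DISCOVERY dvchost=CCM-AMC rt=Nov 02 2017 13:19:55 cn1=1 "
          "cn1Label=Facility Zone1 dhost= c6a3= mac=")
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def split_header(cef):
    """Split the text after 'CEF:' on unescaped '|' into the 7 header fields and
    the remaining extension string; '\\|' and '\\\\' are the CEF header escapes."""
    parts, cur, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped char: keep it literally
            cur.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return parts, cef[i:]

# A key is word characters before '='; its value runs until the next ' key=' token
# or end of line, so values with spaces ('rt=Nov 02 2017 13:19:55') and empty
# values ('dhost= c6a3= mac=') both parse correctly.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_extension(ext):
    return {k: v.strip().replace("\\=", "=") for k, v in EXT_RE.findall(ext)}

def to_qradar(line):
    """Map one Asset Manager CEF line onto the QRadar properties in the table above."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = split_header(line[start + 4:])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    h, e = dict(zip(HEADER_FIELDS, header)), parse_extension(ext)
    return {"Device Vendor": h["device_vendor"], "Device Product": h["device_product"],
            "Device Version": h["device_version"], "Event ID": h["signature_id"],
            "Event Name": h["name"], "Severity": int(h["severity"]),
            "Event Category": e.get("cat", ""), "Log Source Time": e.get("rt", ""),
            "Hostname": e.get("dvchost", ""), "dhost": e.get("dhost", ""),
            "c6a3": e.get("c6a3", ""), "suser": e.get("suser", ""), "cn1Label": e.get("cn1Label", ""),
            "cn1": int(e["cn1"]) if e.get("cn1") else None, "Message": e.get("msg", "")}
```

Note that the stray spaces in the sample (cat= DISCOVERY) are stripped, and the leading syslog timestamp and hostname are skipped rather than parsed.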
Events Generated by Asset Manager
The following events are generated by Asset Manager and have been added as Event Mappings in QRadar:
CEF Event Type | Description | Sample Message |
---|---|---|
AGENT_CONNECTED | A connection was created between the discovery agent and the Asset Manager web app | Discovery Agent Connected |
AGENT_START | Displays one of the following agents and that it has started: TCP Port Scanner, Host Discovery, Snmp Hunter, Snmp Scanner, Path Scanner, Broadcast Discovery, CIFSScanner, DNSScanner, Http Scanner, Leak Discovery | Host Discovery (or any other agent name) Started |
AGENT_STATUS | Displays the agent name (to show that the agent is currently running): TCP Port Scanner, Host Discovery, Snmp Hunter, Snmp Scanner, Path Scanner, Broadcast Discovery, CIFSScanner, DNSScanner, Http Scanner, Leak Discovery | Host Discovery (or any other agent name) |
AGENT_STOP | Displays one of the following agents and that it has stopped: TCP Port Scanner, Host Discovery, Snmp Hunter, Snmp Scanner, Path Scanner, Broadcast Discovery, CIFSScanner, DNSScanner, Http Scanner, Leak Discovery | Host Discovery (or any other agent name) Stopped |
COLLECTOR_CREATED | New Asset Manager Collector created containing device discovery configuration | Collector <> created |
COLLECTOR_REMOVED | Indicates that an existing Asset Manager Collector has been removed | Collector <> removed |
COLLECTOR_UPDATED | Updated discovery configuration was applied to an Asset Manager Collector | Collector <> Config Inserted |
DEVICE_ACTIVITY | Discovered device's status has changed from active to inactive (or vice versa) | Device <> became active. Earlier state : inactive OR Device <> became inactive. Earlier state : active |
DEVICE_DISCOVERED | New entry for a discovered device. Multiple entries, one for each scan technique. | Device <> created |
DEVICE_PROFILED | Discovered device's profile information has changed. Profile information includes device type, operating system, operating system version and vendor. | Device <> profile attributes changed: DeviceType=<>, OS=<>, Vendor=<>, Version=<> \| 2017-11-07 09:24:13.384338 |
DEVICE_REMOVED | Discovered device has become inactive and was removed | Device <> removed |
DEVICE_UPDATED | Discovered device has been updated with new information. Multiple entries, one for each scan technique. | Device <> updated. IP assigned to <> OR IP changed to <> |
FORWARDER_ | Discovered device has been identified as a forwarding device based on TTL | Device <> forwards traffic |
JOB_COMPLETED | Displays the status of a background job that was deployed on the Asset Manager box (example: importing a pattern file, importing zone attributes) | Job Success ( jobId : 1, jobName : importPatterns-job ) |
JOB_STARTED | Displays the initialization of a background job that was deployed on the Asset Manager box (example: importing a pattern file, importing zone attributes) | Job Started (jobId : 1, jobName : importPatterns-job) |
LEAK_DISCOVERED | Asset Manager has identified a potential leak path to/from a protected network | |
LICENSE_REMINDER | User notification that the Asset Manager license is about to expire | License expiration imminent – |
LICENSE_VIOLATION | User notification that the Asset Manager license has exceeded the IP count | License expired – new license required – contact support@Asset Manager.com OR IP count exceeded – contact support@Asset Manager.com |
LICENSE_WARNING | User notification that the Asset Manager license is approaching the IP count limit | License expired – contact support@Asset Manager.com OR IP count exceeded – contact support@Asset Manager.com |
LINK_DISCOVERED | Path has been discovered between two IPs | Link discovered between <> and <> |
LOGLEVEL_UPDATED | Log level has been changed to INFO/WARN/DEBUG | Service <> log level set to <> |
NOTIFICATION_ | Displays the notification ID that was acknowledged by the user on the Asset Manager System's map | Notification <notificationnumber> acknowledged |
NOTIFICATION_ | All notifications on the Asset Manager System's map have been acknowledged for a specific priority | All Notifications acknowledged for priority |
OPENPORT_ | Discovered device has been found with an open port | |
ROUTER_DISCOVERED | Discovered device is now profiled as a router | |
ROUTER_REMOVED | Discovered device that was profiled as a router has now been removed | |
SYSTEM_CONNECT | User notification that a connection has been created between CC <-> Portal or CC <-> Scout | Peer connection established (<> <-> <>) |
SYSTEM_DISCONNECT | User notification that a disconnection occurred between CC <-> Portal or CC <-> Scout | Peer connection closed (<> <-> <>) |
UPDATE_ERROR | | |
UPDATE_REMOTE | | |
UPDATE_STEP | | |
UPDATE_WARNING | | |
USER_CREATED | New Asset Manager user was created | User <> created |
USER_REMOVED | Asset Manager user was deleted | User <> removed |
USER_UPDATED | Changes were made to an existing Asset Manager user | User <> updated |
ZONE_CREATED | New Asset Manager Zone created containing device discovery configuration | Created zone. (name <>, description = <>, |
ZONE_REMOVED | Indicates that an existing Asset Manager Zone has been removed | Deleted zone. (name = <>, description = <>, |
ZONE_UPDATED | Updated discovery configuration was applied to an Asset Manager Zone | Zone <> CIDRs Updated |