Using IBM QRadar log source extension to parse your cluster audit logs

You can map your cluster audit events to the IBM QRadar event model by using the DSM (Device Support Module) editor.

A log source type is used to parse audit logs. You can add custom properties to parse custom fields. For the list of custom properties, see Using custom properties to parse your audit records.

Note: If you already set up a log source type, you do not need to complete the tasks in the following sections. You can proceed with Configuring IBM QRadar to receive your cluster audit logs over TLS.

Creating a log source type

  1. Navigate to DSM Editor Admin > Data Sources > DSM Editor.

  2. Click Create New to create a new log source type.

  3. Enter a name for the new log source type and save it.

Adding custom properties to the log source type

  1. Use the following sample audit record to extract fields and add custom properties.

     {"typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event","eventType":"activity","id":"icp:db4217b0-f274-11e8-a8f9-51a9a7260dca","action":"create","requestPath":"/identity/api/v1/directory/ldap/ddd46230-e77a-11e8-92af-2773a9077558/importUserGroups","initiator":{"typeURI":"service/security/account/user","name":"admin","credential":{"type":"token"},"host":{"user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15","address":"icp-management-ingress:8443"}},"target":{"id":"07035ecfb9a2aeab68826ae643f4352a8e016e0c89c17185b61e78e7d4574235","name":"ddd46230-e77a-11e8-92af-2773a9077558","actions":"cn=testgroup,ou=groups,dc=ibm,dc=com","typeURI":"service/storage/directory"},"observer":{"id":"target"},"severity":"normal","outcome":"success","reason":{"reasonType":"HTTP","reasonCode":200},"eventTime":"2018-11-27T18:47:14.347Z","kubernetes.container_id":"07035ecfb9a2aeab68826ae643f4352a8e016e0c89c17185b61e78e7d4574235","kubernetes.container_name":"platform-identity-management","kubernetes.pod":"auth-idp-zxqbm","kubernetes.namespace":"kube-system","origination":"ui","version":"v1.0"}

  2. Click the edit icon.

  3. Paste the sample audit record in the workspace and save it.

  4. Click Add to add custom properties.

  5. If a property was not created previously, click Create New.

  6. Enter the name of the property, select the appropriate field type, add a brief description, and save it.

  7. Select all required properties and add them to the log source type.

Configuring properties

Audit records are in JSON format, so properties can use JSON as their Expression Type.

Editing property configuration

  1. Select a property that needs to be configured, for example, Pod Name.
  2. Select the JSON Expression Type from the list.
  3. Specify the JSON expression.
  4. Keep Enabled selected.
  5. Add multiple expressions if necessary.

Using custom properties to parse your audit records

Table 1. Custom properties to parse audit records

  Property             Expression Type   Expression
  Container Name       JSON              /"kubernetes.container_name"
  Pod Name             JSON              /"kubernetes.pod"
  requestPath          JSON              /"requestPath"
  Event Category       JSON              /"eventType"
  Event ID             1. JSON           1. /"action"
                       2. Regex          2. \"outcome\":\"success\"
  Identity Host Name   JSON              /"initiator"/"host"/"address"
  Log Source Time      JSON              /"eventTime", Date Format = yyyy-MM-dd'T'HH:mm:ss'Z'
  namespace            JSON              /"kubernetes.namespace"
  Outcome              JSON              /"outcome"
  Source IP            JSON              /"initiator"/"host"/"address"
  Target Name          JSON              /"target"/"name"
  Username             JSON              /"initiator"/"name"
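To check the Table 1 mappings against a record before entering them in the DSM editor, the following Python script, added here and not part of the IBM documentation or of QRadar, resolves the JSON keypath expressions against an abbreviated copy of the sample record and builds the composite Event ID. The keypath resolver and the strptime rendering of the Date Format are assumptions about how the expressions behave, not QRadar's own implementation.

```python
import json
import re
from datetime import datetime

# Constructed, abbreviated copy of this page's sample audit record, serialized compactly
# (no spaces) as the page shows it, because the Event ID regex in Table 1 is literal.
SAMPLE_RECORD = json.dumps({
    "eventType": "activity", "action": "create", "outcome": "success",
    "requestPath": "/identity/api/v1/directory/ldap/ddd46230-e77a-11e8-92af-2773a9077558/importUserGroups",
    "initiator": {"name": "admin", "host": {"address": "icp-management-ingress:8443"}},
    "target": {"name": "ddd46230-e77a-11e8-92af-2773a9077558"},
    "eventTime": "2018-11-27T18:47:14.347Z",
    "kubernetes.container_name": "platform-identity-management",
    "kubernetes.pod": "auth-idp-zxqbm", "kubernetes.namespace": "kube-system",
}, separators=(",", ":"))

PROPERTIES = {  # Table 1 JSON expressions; Event ID and Log Source Time are handled below
    "Container Name": '/"kubernetes.container_name"', "Pod Name": '/"kubernetes.pod"',
    "requestPath": '/"requestPath"', "Event Category": '/"eventType"',
    "Identity Host Name": '/"initiator"/"host"/"address"', "Username": '/"initiator"/"name"',
    "namespace": '/"kubernetes.namespace"', "Outcome": '/"outcome"',
    "Source IP": '/"initiator"/"host"/"address"', "Target Name": '/"target"/"name"',
}

def json_keypath(record, expr):
    """Resolve a keypath such as /"initiator"/"host"/"address". Each segment is a quoted
    key, so "kubernetes.pod" is one key, not nested objects; a missing key returns None."""
    node = record
    for key in re.findall(r'/"([^"]*)"', expr):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def extract_properties(raw):
    """Apply the Table 1 mappings to one raw audit record and return the property values."""
    record = json.loads(raw)
    props = {name: json_keypath(record, expr) for name, expr in PROPERTIES.items()}
    # Event ID pairs the JSON expression /"action" with the regex \"outcome\":\"success\".
    outcome = "success" if re.search(r'"outcome":"success"', raw) else "other"
    action = json_keypath(record, '/"action"')
    props["Event ID"] = f"{action}:{outcome}"
    # Log Source Time: Table 1's Date Format yyyy-MM-dd'T'HH:mm:ss'Z' as a strptime pattern
    # (an assumption); it has no fractional seconds, so the sample's ".347Z" fails and yields None.
    try:
        props["Log Source Time"] = datetime.strptime(json_keypath(record, '/"eventTime"'), "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        props["Log Source Time"] = None
    return props
```

A None for Log Source Time signals that the Date Format does not cover the timestamps your cluster actually emits and should be adjusted in the DSM editor before the log source goes live.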

Keep the following properties as they are.

Table 2. Properties to keep unchanged

  Destination MAC
  Destination Port
  Identity Extended Field
  Identity Group Name
  Identity IP
  Identity IPv6
  Identity MAC
  Identity Net BIOS Name
  IPv6 Destination
  Post NAT Destination IP
  Post NAT Destination Port
  Post NAT Source IP
  Post NAT Source Port
  Pre NAT Destination IP
  Pre NAT Destination Port
  Pre NAT Source IP
  Pre NAT Source Port
  Protocol
  Source MAC
  Source Port
  IPv6 Source
  Destination IP