IBM Support

QRadar: How to configure the CEPs included in the "IBM Security QRadar Palo Alto PA Series Content Extension" to apply to the Cortex Data Lake events

How To


Summary

With the IBM Security QRadar Palo Alto PA Series Content Extension installed, Palo Alto Cortex Data Lake events can be forwarded to QRadar and ingested by a Palo Alto PA Series log source.

However, many of the custom event properties (CEPs) included in the content extension do not extract values from Cortex Data Lake events: the CEPs are defined with regular expressions, whereas the Cortex Data Lake events arrive as LEEF attributes. Until the content extension is updated, rules, searches and reports that depend on these properties see no value for Cortex Data Lake events. This article contains a workaround: add a LEEF expression to each affected CEP in the DSM Editor so that the property is also parsed from Cortex Data Lake events.

Objective

Steps

The following steps use the Application CEP as an example, but each affected CEP in the content extension requires the same manual modification.

  1. Log in to the QRadar user interface as an admin.
  2. Open the DSM Editor by going to the Admin tab, then in the Data Sources section, click DSM Editor.
  3. In the Select Log Source Type window, select the Palo Alto PA Series log source type.
  4. On the Properties tab, select the CEP that you want to modify. In this example, select Application.
  5. Click the green plus sign to add a new Expression.
  6. Select LEEF as the Expression Type. In the Expression field, type the name of the LEEF attribute (the key in the key=value pair) that carries the value. For this example, type Application.
  7. Click OK to save the new LEEF expression.
  8. Drag the new LEEF expression to the top of the expression list, ahead of the existing Regex expression. Leave the Regex expression in place so that events that are not in LEEF format continue to parse.
  9. Optionally, paste a sample Cortex Data Lake event into the DSM Editor workspace and confirm that the property now shows a value.
  10. Click Save to save the changes to the Palo Alto PA Series DSM.
  11. Repeat these steps for each CEP that requires modification.

Result

The administrator is able to configure the Palo Alto PA Series log source extension so that the required CEPs extract their values from Cortex Data Lake events.
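The following Python script is an added example that is not part of this article or of the content extension. It shows, on constructed sample events, why a regex-only CEP returns nothing for a Cortex Data Lake event and how a LEEF attribute expression placed ahead of the regex makes the same property parse from both formats. The comma-separated PAN-OS line, the LEEF line, the regex pattern and the attribute key "Application" are all assumptions made for the illustration; the real CEP expressions in the content extension and the real Cortex Data Lake attribute names may differ. The "first matching expression wins" evaluation order is also an assumption, taken from the ordering step in the procedure above.

```python
import re

# Constructed sample events (not from the article or from a real device).
# PANOS_SYSLOG: simplified comma-separated TRAFFIC record in which the
# Application value ("ssl") sits in the 15th field.
# CORTEX_LEEF: LEEF 2.0 event carrying the same value under the key
# "Application" (key name assumed for this example).
PANOS_SYSLOG = (
    "1,2023/06/15 18:44:00,001234567890,TRAFFIC,end,2049,2023/06/15 18:44:00,"
    "10.1.1.25,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,user1,,ssl,vsys1,"
    "trust,untrust,ethernet1/1,ethernet1/2,default-log,2023/06/15 18:44:00,"
    "12345,1,51234,443,0,0,0x0,tcp,allow"
)
CORTEX_LEEF = (
    "LEEF:2.0|Palo Alto Networks|PAN-OS|10.1|end|x09|"
    "cat=TRAFFIC\tsrc=10.1.1.25\tdst=93.184.216.34\tsrcPort=51234\t"
    "dstPort=443\tproto=tcp\tApplication=ssl\tusrName=user1"
)

# Hypothetical regex for the comma-separated layout: skip 14 fields, capture the 15th.
PANOS_APP_REGEX = r"^(?:[^,]*,){14}([^,]*)"


def regex_expression(pattern, group=1):
    """Build a DSM-Editor-style Regex expression: capture group or None if no match."""
    compiled = re.compile(pattern)

    def extract(event):
        match = compiled.search(event)
        return match.group(group) if match else None

    return extract


def parse_leef(event):
    """Parse a LEEF 1.0/2.0 event into its attribute dictionary, or None if not LEEF.

    LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|attributes (tab-separated).
    LEEF 2.0 header: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|attributes,
    where Delimiter is a literal character or hex such as x09; empty means tab.
    """
    if not event.startswith("LEEF:"):
        return None
    parts = event.split("|")
    version = parts[0][len("LEEF:"):]
    if version.startswith("2") and len(parts) >= 7:
        delim_spec = parts[5]
        payload = "|".join(parts[6:])
        if delim_spec == "":
            delim = "\t"
        elif delim_spec.lower().startswith("x") and len(delim_spec) > 1:
            delim = chr(int(delim_spec[1:], 16))
        else:
            delim = delim_spec
    else:
        payload = "|".join(parts[5:])
        delim = "\t"
    attrs = {}
    for pair in payload.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    return attrs


def leef_expression(key):
    """Build a DSM-Editor-style LEEF expression: value of the named attribute or None."""

    def extract(event):
        attrs = parse_leef(event)
        return attrs.get(key) if attrs is not None else None

    return extract


def evaluate_property(expressions, event):
    """Emulate a CEP with several expressions: the first one that yields a value wins (assumed)."""
    for name, extract in expressions:
        value = extract(event)
        if value:
            return name, value
    return None, None


# The Application CEP as the article leaves it: LEEF expression first, Regex kept.
APPLICATION_CEP = [
    ("LEEF", leef_expression("Application")),
    ("Regex", regex_expression(PANOS_APP_REGEX)),
]

if __name__ == "__main__":
    for label, event in (("PAN-OS syslog", PANOS_SYSLOG), ("Cortex Data Lake", CORTEX_LEEF)):
        print(label, "regex only:", regex_expression(PANOS_APP_REGEX)(event))
        print(label, "LEEF only: ", leef_expression("Application")(event))
        print(label, "combined:  ", evaluate_property(APPLICATION_CEP, event))
```

On the constructed input the regex-only property is empty for the Cortex Data Lake event, the LEEF-only property is empty for the syslog event, and the combined expression list resolves "ssl" for both. The regex in this sample happens not to match LEEF text at all, but a looser pattern could coincidentally match inside a LEEF payload and return a wrong value; putting the LEEF expression first, as the procedure instructs, avoids that.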

Additional Information

When support for ingesting Cortex Data Lake events was added to the DSM, the content extension was not updated to match. An IBM Idea was created to request that support for Cortex Data Lake events be added to the content extension:

Update IBM QRadar Custom Properties for Palo Alto PA Series to support Palo Alto Cortex Data Lake logs

Document Location

Worldwide


Document Information

Modified date:
21 June 2023

UID

ibm17004535