The purpose of this project is to provide a mechanism for ingesting IBM Cloud VPC Flow Logs into QRadar.
An IBM Cloud user account with privileges to:
- Create and configure IBM Cloud Object Storage instances and buckets.
- Create and configure IBM LogDNA
- Create and configure IBM Cloud Functions
IBM Cloud Service Accounts: when configuring IBM Cloud VPC Flow Logs to use IBM Cloud Functions triggers and actions together with Cloud Object Storage, you will need to configure service IDs with the appropriate privileges. Refer to "About IBM Cloud Flow Logs for VPC" and the documentation on integrating Cloud Functions with Cloud Object Storage for the steps to create the appropriate service IDs.
- IBM QRadar 7.4 or higher
- IBM QRadar user account with privileges to create/modify log sources and create/modify DSMs.
There are two options for sending the VPC Flow Logs to LogDNA:
- Use the instructions outlined at https://github.com/IBM-Cloud/vpc-flowlogs-logdna.
- Use the example action in this repo, ibm-cloud-function/ibm-cloud-function-action.py. Note: the provided example QRadar DSM was created based on the output of this example action.
The parameters needed to configure the Universal Cloud REST API protocol require information specific to your instance of IBM Cloud LogDNA; see below for how to obtain them. The two required parameters are Host Name and Service Key. The optional parameters described further below let you limit the LogDNA query results.
To obtain the 'Host Name':
- Log on to the IBM Cloud LogDNA
- Navigate to "Installation Instructions"
- Click 'REST API'
- This will give you the URL for the LogDNA service in your region. Example: https://logs.us-south.logging.cloud.ibm.com
- This URL is for log ingestion, so you will need to modify the URL for event export.
- In the URL, replace 'logs' with 'api'. Example: https://api.us-south.logging.cloud.ibm.com
To obtain a 'Service Key':
- Log on to the IBM Cloud LogDNA
- Navigate to "Settings"
- Click "Organization"
- Click the 'API Keys'
- Generate a new 'Service Key' or choose an existing one.
- Log in to QRadar.
- Click the Admin tab.
- To open the app, click the QRadar Log Source Management app icon.
- Click New Log Source > Single Log Source.
- On the Select a Log Source Type page, Select a Log Source Type (Universal DSM) and click Select Protocol Type (Universal Rest API).
- On the Select a Protocol Type page, select a protocol and click Configure Log Source Parameters.
- On the Configure the Log Source parameters page, configure the log source parameters and click Configure Protocol Parameters.
- On the Configure the Protocol Parameters page, configure the protocol-specific parameters (Workflow and Workflow Parameter Values).
- In the Test protocol parameters window, click Start Test.
- To fix any errors, click Configure Protocol Parameters. Configure the parameters and click Test Protocol Parameters.
- Click Finish.
There are two optional query options that limit the number of results returned, based on the LogDNA log source host and the LogDNA application. These parameters, 'logsourcehosts' and 'logsourceapps', are configured in IBMCloud-LogDNA-Workflow-Parameter.xml. Additional query options can be configured; see https://docs.logdna.com/reference#v1export-1.
- logsourcehosts: comma-separated list of hosts to filter by
- logsourceapps: comma-separated list of apps to filter by
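To check the Host Name, Service Key and the two optional filters before entering them into the QRadar log source, the following added script (not part of this repo) performs the same export query the workflow issues. It assumes the LogDNA export endpoint is GET /v1/export, that the service key is passed as the HTTP basic-auth user name with an empty password, and that the 'hosts' and 'apps' query parameters correspond to logsourcehosts and logsourceapps; the sample export body is constructed, not real data.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen


def export_api_base(ingest_url: str) -> str:
    """Derive the export base from the ingestion URL shown under
    'Installation Instructions' by swapping only the first host label,
    e.g. https://logs.us-south.logging.cloud.ibm.com
      -> https://api.us-south.logging.cloud.ibm.com"""
    labels = urlsplit(ingest_url).hostname.split(".")
    if labels[0] != "logs":
        raise ValueError(f"unexpected LogDNA ingestion host: {'.'.join(labels)}")
    labels[0] = "api"
    return urlunsplit(("https", ".".join(labels), "", "", ""))


def build_export_request(api_base: str, service_key: str, from_ms: int, to_ms: int,
                         logsourcehosts: str = "", logsourceapps: str = "",
                         size: int = 1000) -> Request:
    """Build GET /v1/export; hosts/apps are only sent when a filter is set
    (assumption: service key = basic-auth user name, empty password)."""
    params = {"from": from_ms, "to": to_ms, "size": size}
    if logsourcehosts:
        params["hosts"] = logsourcehosts
    if logsourceapps:
        params["apps"] = logsourceapps
    token = base64.b64encode(f"{service_key}:".encode()).decode()
    return Request(f"{api_base}/v1/export?{urlencode(params)}",
                   headers={"Authorization": f"Basic {token}"})


def parse_export(body: str) -> list:
    """The export endpoint returns one JSON object per line (NDJSON)."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]


def fetch_export(req: Request) -> list:
    """Run the query against LogDNA; a 401 here means the Service Key is wrong."""
    with urlopen(req, timeout=60) as resp:
        return parse_export(resp.read().decode())


# Constructed sample of two exported flow-log lines (placeholder values).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"_host": "flowlog-1", "_app": "vpc-flowlogs",
                "_line": '{"action":"accepted","direction":"inbound"}'}),
    json.dumps({"_host": "flowlog-2", "_app": "vpc-flowlogs",
                "_line": '{"action":"rejected","direction":"inbound"}'}),
])
```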
If you have any questions or issues you can create a new [issue here][issues].
Pull requests are very welcome! Make sure your patches are well tested. Ideally, create a topic branch for every separate change you make. For example:
- Fork the repo
- Create your feature branch (`git checkout -b my-new-feature`)
- Commit your changes (`git commit -am 'Added some feature'`)
- Push to the branch (`git push origin my-new-feature`)
- Create a new Pull Request
All source files must include a Copyright and License header.
If you would like to see the detailed LICENSE, click here.
#
# Copyright 2020- IBM Inc. All rights reserved
# SPDX-License-Identifier: Apache2.0
#