QRadar
Contents
1 Introduction (page 3)
1.1. Overview (page 3)
1.2. About this Document (page 3)
1.3. About the application (page 3)
1.4. Custom Field Properties of DSM (page 4)
2 General (page 6)
1.1. Installation (page 6)
2.1 Configuring Log Source (page 8)
1. Cisco ESA Gateway Logs Source (page 8)
2. Cisco ESA Log Source (page 10)
2.2 Generation of Authentication Token (page 10)
2.3 Configuring the Cisco ESA App (page 11)
2.4 Configuring the Cisco Email Security Virtual Appliance (page 11)
2.4.1 Reroute ESA traffic to a Specific port (page 12)
3 Cisco Email Security App (page 14)
3.1 General (page 14)
3.1.1 Time Range Selector (page 14)
3.2 Monitoring Tab (page 15)
3.2.1 Overview (page 15)
3.2.2 Mail Flow Summary (page 16)
3.2.3 Mail Flow Details (page 17)
3.2.4 Outbreak Filtering (page 20)
3.2.5 Connections by Country (page 21)
3.3 Tracking Tab (page 21)
3.3.1 Overview (page 21)
3.3.2 Messages (page 22)
3.3.3 Rejected Connections (page 24)
4 Troubleshooting (page 26)
5 Legal Notice (page 27)
5.1 Confidentiality Notice (page 27)
1 Introduction
1.1. Overview
The Cisco Email Security Application for IBM QRadar provides insight from multiple
security products and integrates them with QRadar. IBM Security QRadar and
Cisco combine to enable customers to reach compliance and security goals and
reduce the risk and severity of security breaches. The Cisco Email Security platform
helps the user automate email security and contain threats faster, directly
from QRadar.
Integrating the Cisco Email Security solutions with QRadar enables insight,
visibility, and actionable intelligence gleaned through defence in depth and
comprehensive security services for all web and email traffic across the
enterprise, to combat complex security threats. QRadar benefits from a rich
source of contextual data that enables it to identify and alert on anomalous
behaviour and threats, helping you reach your compliance and security goals.
When you set up the Cisco Email Security Application for QRadar, it integrates
all the data from the Cisco Email Security platform and lets you view that
data in graphical form in the QRadar console.
Prerequisites
1.4. Custom Field Properties of DSM
Screenshot for Custom field property
2 General
1.1. Installation
1. Log in to QRadar and go to the Admin tab.
2. Select Extension Management Services.
3. Install the application as a QRadar plugin (for more details on plugin
installation, click here).
4. After the installation, deploy changes in QRadar.
2.1 Configuring Log Source
1. From the Admin tab on the QRadar navigation bar, scroll down to Log
Sources.
2. Click Add to create a new log source.
3. Enter the parameters required to create the log source.
4. Configure the two log sources as shown below.
5. After configuration, save and deploy changes.
1. Cisco ESA Gateway Logs Source
The ESA Gateway log source is mainly used to flatten multiline syslog into a single line. For
more secure communication and QCA compatibility, users can use TLS Syslog.
Create a log source named "Cisco ESA Gateway", using "Universal DSM" as the DSM and
"TLS Syslog" as the protocol. Configure the other parameters as shown in the screenshot.
Fig: Cisco ESA Gateway Log Source with TLS Syslog
NOTE: 1) Ensure Coalescing is turned OFF.
2. Cisco ESA Log Source
4. Enter the details and generate the authentication token.
Note: As a best practice, we recommend that users generate a new service token every 90 days.
1. From the Admin tab on the QRadar navigation bar, scroll down and open Cisco ESA
App Settings.
2. Enter the authentication token generated in the previous step and the other details, and
click Submit.
NOTE: If the authentication token is not present, the app will not load.
Step 3: Enter the IP of QRadar and select the TCP protocol.
All mail logs are to be pushed to port 6514, which is the TLS Syslog port in QRadar. Since
this option is not yet available on the Email Security Appliance, the traffic from the ESA
must be rerouted to port 6514 in one of the following ways, based on user preference:
• Change the firewall rules to reroute the traffic from the ESA to QRadar on port 6514
• Modify the iptables within QRadar to route the traffic to port 6514
Configuring iptables for TLS Syslog
Steps
1. Using SSH, log in to QRadar as the root user.
2. Type the following command to edit the iptables NAT file:
vi /opt/qradar/conf/iptables-nat.post
3. Type the following command to instruct QRadar to redirect syslog events from TCP port
514 to TLS port 6514:
Where:
IP address is the IP address of your ESA server.
New port is the port number that is configured in the TCP Multiline protocol.
You must include a redirect for each ESA IP address that sends events to your QRadar
Console or Event Collector.
Example:
-A PREROUTING -p tcp --dport 514 -j REDIRECT --to-port 6514 -s 192.168.0.21
You are now ready to configure iptables on your QRadar Console or Event Collector to
accept events from your ESA servers.
6. Type the following command to instruct QRadar to allow communication from your
ESA servers:
Where:
IP address is the IP address of your ESA server.
New port is the port number that is configured in the TLS Syslog protocol.
You must include a redirect for each ESA IP address that sends events to your QRadar
Console or Event Collector.
Then apply the updated rules by running:
/opt/qradar/bin/iptables_update.pl
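The guide requires one redirect line per ESA address. As an added example, not part of this guide or of IBM's tooling, the following Python helper compares the content of iptables-nat.post with the list of ESA addresses in service and emits the redirect line each uncovered address still needs, in the exact shape of the rule above. The file content and the addresses are constructed samples.

```python
import ipaddress
import re

# Shape of the redirect rule shown in the guide for /opt/qradar/conf/iptables-nat.post.
RULE_RE = re.compile(
    r"^-A PREROUTING -p tcp --dport (?P<dport>\d+) -j REDIRECT --to-port (?P<to>\d+) -s (?P<src>\S+)$"
)


def redirect_rule(esa_ip, listen_port=514, tls_port=6514):
    """Build one redirect line for a single, validated ESA IPv4 address."""
    ip = ipaddress.ip_address(esa_ip)  # raises ValueError on a malformed address
    if ip.version != 4:
        raise ValueError(f"IPv4 address expected, got {esa_ip}")
    return f"-A PREROUTING -p tcp --dport {listen_port} -j REDIRECT --to-port {tls_port} -s {ip}"


def covered_sources(nat_post_text, listen_port=514, tls_port=6514):
    """Set of ESA source addresses that already have a matching redirect in the file."""
    found = set()
    for line in nat_post_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m["dport"]) == listen_port and int(m["to"]) == tls_port:
            found.add(m["src"])
    return found


def missing_rules(nat_post_text, esa_ips, listen_port=514, tls_port=6514):
    """Redirect lines still needed so that every ESA address gets its own rule."""
    have = covered_sources(nat_post_text, listen_port, tls_port)
    return [redirect_rule(ip, listen_port, tls_port) for ip in esa_ips if ip not in have]


# Constructed sample: the file already redirects one ESA, while two are in service.
SAMPLE_NAT_POST = "-A PREROUTING -p tcp --dport 514 -j REDIRECT --to-port 6514 -s 192.168.0.21\n"
SAMPLE_ESA_IPS = ["192.168.0.21", "192.168.0.22"]

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_NAT_POST, SAMPLE_ESA_IPS):
        print(rule)  # append each printed line to iptables-nat.post, then run iptables_update.pl
```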
Users can select predefined date ranges, or click Custom and select a custom date
range.
3.2 Monitoring Tab
The Monitoring tab contains the following sub-tabs:
• Mail Flow Reports
1. Mail Flow Summary
2. Mail Flow Details
3. Connections by country
• Email Threat Reports
1. Macro Detection
2. Outbreak Filtering
3. URL Filtering
4. Virus Filtering
3.2.1 Overview
The Monitoring tab contains the following dropdowns:
3.2.2 Mail Flow Summary
The Mail Flow Summary tab contains two menus:
1. Incoming
2. Outgoing
3.2.3 Mail Flow Details
The Mail Flow Details tab contains two tabs:
1. IP Address
2. Domain
1. Incoming
• The Incoming menu contains three charts:
1. Top Senders by Total Threat Messages
2. Top Senders by Clean Messages
3. Top Senders by Graymail Messages
2. Outgoing
• The Outgoing menu contains two charts:
1. Top Senders by Total Threat Messages
2. Top Senders by Clean Messages
Mail Flow Details also provides a search option based on IP Address and Domain.
3.2.4 Outbreak Filtering
The Outbreak Filtering tab contains two charts:
1. Threat Summary
2. Hit Messages from Incoming Messages
3.2.5 Connections by Country
The Connections by Country tab contains one chart: Top Incoming Mail Connections by Country.
3.3.1 Overview
The Tracking tab contains two sub-tabs:
1. Messages
2. Rejected Connections
3.3.2 Messages
The Messages tab enables the user to search based on the hosts present and on operators
such as begins with, is, contains, and is empty.
After clicking the search button, once the search completes it provides options for a more
detailed search and for modifying filters.
3.3.3 Rejected Connections
The Rejected Connections tab contains a filter option based on Sender IP.
4 Troubleshooting
3. In this section, we run a few tcpdump commands in QRadar to verify whether ESA logs
are available in the QRadar database, for cases where the ESA dashboard does not load
data or the Log Activity search does not show ESA events.
Take an SSH session to the QRadar console and run this command:
tcpdump -nnAs0 -i any host <<ESA Ip>> and port <<port>>
Wait a few minutes; if events are available on your ISE for the subscribed topic, you
should see events showing up in LEEF format.
4. Uploading the following logs with the case can help our engineers assist you further:
• qradar.error
• startup.log
• app.log
To get the qradar.error log, first SSH to the QRadar console; the log is available at
/var/log/qradar.error.
To get startup.log and app.log, first get inside the ESA App docker container:
Log in to the QRadar console (PuTTY/terminal)
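As an added example, not from this guide or from the Cisco app, the following Python helper checks lines captured with the tcpdump command above (assumed to have been saved as plain text, one syslog message per line). It recognises both LEEF 1.0 and LEEF 2.0 headers, extracts the event ID and attributes, and counts lines that carry no LEEF header at all, which on this integration can point to multiline syslog that was not flattened by the ESA Gateway log source. The sample lines, vendor/product names and event IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample capture (made-up vendor/product/event IDs): three LEEF
# events in the two header flavours plus one stray continuation line.
SAMPLE_LINES = [
    "<14>Jan 10 12:00:00 esa01 LEEF:2.0|Cisco|ESA|13.0|MID_ACCEPT|^|src=192.168.0.21^msg=accepted",
    "<14>Jan 10 12:00:01 esa01 LEEF:1.0|Cisco|ESA|13.0|MID_DROP|src=10.0.0.5\tmsg=dropped|quarantined",
    "<14>Jan 10 12:00:02 esa01 LEEF:2.0|Cisco|ESA|13.0|HEARTBEAT|x09|uptime=3600\tstate=ok",
    "    Subject: second line of a wrapped multiline entry",
]
LEEF_HEADER = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")


def _delimiter(spec):
    # LEEF 2.0 delimiter field: empty means tab, 'x09'-style is a hex code, else literal.
    if spec == "":
        return "\t"
    if len(spec) > 1 and spec[0] == "x":
        return chr(int(spec[1:], 16))
    return spec


def parse_leef(line):
    """Parse one LEEF 1.0/2.0 line into a dict; return None if the line is not LEEF."""
    m = LEEF_HEADER.search(line)
    if not m:
        return None
    ver = m.group("ver")
    # 1.0 has four header fields; 2.0 may add a delimiter field. Limiting the
    # split keeps '|' characters inside attribute values intact.
    parts = line[m.end():].split("|", 4 if ver == "1.0" else 5)
    if len(parts) < 5:
        return None
    if len(parts) == 6:
        delim, payload = _delimiter(parts[4]), parts[5]
    else:
        delim, payload = "\t", parts[4]
    attrs = {}
    for kv in payload.split(delim):
        key, sep, value = kv.partition("=")
        if sep:
            attrs[key.strip()] = value
    return {"version": ver, "vendor": parts[0], "product": parts[1],
            "product_version": parts[2], "event_id": parts[3], "attrs": attrs}


def summarize(lines):
    """Count LEEF events by event ID; non-LEEF lines suggest syslog was not flattened."""
    events = [parse_leef(line) for line in lines]
    by_event = Counter(ev["event_id"] for ev in events if ev)
    return {"leef": sum(by_event.values()), "non_leef": events.count(None), "by_event": dict(by_event)}
```

A non-zero non_leef count while the dashboard stays empty is a hint to re-check the Cisco ESA Gateway log source and its coalescing setting before escalating.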
5 Legal Notice
5.1 Confidentiality Notice
This document transmission (and/or the documents accompanying it) is for the
sole use of the intended recipient(s) and may contain information protected by the
attorney-client privilege, the attorney-work-product doctrine or other applicable
privileges or confidentiality laws or regulations. If you are not an intended
recipient, you may not review, use, copy, disclose or distribute this message or any
of the information contained in this message to anyone. If you are not the intended
recipient, contact the sender by reply e-mail and destroy all copies of this message
and attachments.