Background
You may need to monitor ICD/Maximo logins with QRadar, and that's what this post will detail, as there are a few steps and a lack of documentation around it. In this case, I'm using ICD 7.6.1.1 and QRadar Community Edition 7.3.3 (downloaded on 3/13/2020).
All of the steps here apply to both ICD and Maximo, since there is nothing ICD-specific about them, so I'm going to refer to the product as just ICD in the remainder of this post.
Introduction
ICD doesn't log logins by default, and even once you configure it to track logins, it logs them to a database table rather than SystemOut.log.
Tracking logins
To enable login tracking, you need to go into the Security->Security Groups application in ICD. From there, choose the Security Controls action. In the dialog shown, select "Enable Login Tracking?" and you're done. That's it. To test it, log out and back in again, then use your favorite database tool to look at the contents of the MAXIMO.LOGINTRACKING table. You should see your login.
Configuring QRadar for a JDBC Log Source
This part is a little tricky, but that's why I'm writing this article. You need to create a new Log Source with the following important characteristics:
Type: Universal DSM
Protocol: JDBC
Database name: MAXDB76
Table name: MAXIMO.LOGINTRACKING
Compare field: ATTEMPTDATE
Those are all of the hard properties. The others should be fairly straightforward, such as hostname, port, etc. After that, deploy your changes. Once that's done, log out and back into ICD, and you should get an event that looks similar to this:
Now you can set up the normal parsing, extracting, etc. to have QRadar properly categorize your events.
No comments:
Post a Comment