QRadar must correctly process the incoming events from Feed Service. For this purpose, you must add a list of permissible events (a list of QRadar identifiers (QIDs)) to QRadar. In Feed Service, the event categories are defined in the configuration file, in the Feeds > Feed > Field element, the category attribute.
The distribution kit of Kaspersky CyberTrace includes a file named sample_qid.txt that contains necessary events from Feed Service. Do not alter the descriptions of these events but, instead, add your own events to this file.
We recommend that you name the event categories according to the format "KL_<feed>_<object_type>", where
<feed>—The name of the feed which detects the event (for example, PhishingUrl).<object_type>—The field by which the event is detected (for example, URL, MD5, SHA1, SHA256).To import the list of QIDs to QRadar:
%service_dir%/intergation/sample_qid.txt file by adding to it all the event categories contained in the configuration file.Every event category must be described in a single line that has the following format:
,<event>,<descr>,<sev>,<cat_id>
<sev> to 7.<cat_id>—A QRadar event identifier.The total list of QRadar event identifiers can be printed by the following command:
/opt/qradar/bin/qidmap_cli.sh -l
We recommend that you use the following values:
For example:
,KL_Malicious_URL,Malicious url was detected by KL,7,7058
%service_dir%/intergation/sample_qid.txt file to the server that has QRadar installed./opt/qradar/bin/qidmap_cli.sh -i -f <filename>
where <filename> is the destination path of the sample_qid.txt file uploaded in step 1.
If any error occurs, refer to IBM Security QRadar SIEM Administration Guide for information on resolving the problem.
Page top