Importing QIDs to QRadar

February 27, 2024

ID 171611

QRadar must correctly process the incoming events from Kaspersky CyberTrace Service. For this purpose, you must add a list of permissible events (a list of QRadar identifiers (QIDs)) to QRadar. In Kaspersky CyberTrace Service, the event categories are defined in the configuration file, in the Feeds > Feed > Field element, the category attribute.

The distribution kit of Kaspersky CyberTrace includes a file named sample_qid.txt that contains necessary events from Kaspersky CyberTrace Service. Do not alter the descriptions of these events but, instead, add your own events to this file.

We recommend that you name the event categories according to the format "KL_<feed>_<object_type>", where:

  • <feed>—The name of the feed which detects the event (for example, PhishingUrl).
  • <object_type>—The field by which the event is detected (for example, URL, Hash_MD5, Hash_SHA1, Hash_SHA256).

To import the list of QIDs to QRadar:

  1. If necessary (for example, if your technical account manager recommends it), edit the %service_dir%/integration/qradar/sample_qid.txt file by adding to it all the event categories contained in the configuration file.

    Every event category must be described in a single line that has the following format:

    ,<event>,<descr>,<sev>,<cat_id>

    where:

    • <event>—The name of the incoming event.
    • <descr>—The description of the event.
    • <sev>—The severity of the event.
    • <cat_id>—A low-level QRadar event identifier.

      The total list of QRadar event identifiers can be printed by the following command:

      /opt/qradar/bin/qidmap_cli.sh -l

      We recommend that you use values for <sev> and <cat_id> according to QRadar documentation.

    For example:

    ,KL_Malicious_URL,Malicious URL is detected by Kaspersky Threat Feed Service,8,7058

  2. Upload the %service_dir%/integration/qradar/sample_qid.txt file to the server that has QRadar installed.
  3. Invoke the command:

    /opt/qradar/bin/qidmap_cli.sh -i -f <filename>

    where <filename> is the destination path of the sample_qid.txt file uploaded in step 2.

  4. To view the added custom QIDs, run the following command:

    /opt/qradar/bin/qidmap_cli.sh –e

If an error occurs, refer to IBM Security QRadar SIEM Administration Guide for information on resolving the problem.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.