Using QRadar with the SNS DSM

  1. Log in to your IBM QRadar console.
  2. In the Log Activity menu, click on New Search.
  3. Fill in the various fields of the search form:
     • Parameter field: select Log Source Type,
     • Operator field: select Equals,
     • Value field: select Stormshield Network Security.
  4. Confirm by clicking on Add Filter.
  5. Click on Search.
    Stormshield logs will appear in the grid.

NOTE:
There are two limitations in version 1.0.0 of the SNS DSM:

  • IPv6 values are not taken into account.
  • Only standard QRadar fields are used; custom properties to filter by vendor-specific values are not available.


The Stormshield DSM provides the values of the following QRadar standard properties:

  • DestinationIp,
  • DestinationMAC,
  • DestinationPort,
  • DestinationIpPreNAT,
  • DestinationPortPreNAT,
  • DeviceTime,
  • EventCategory,
  • Protocol,
  • SourceIp,
  • SourceMAC,
  • SourcePort,
  • SourceIpPostNAT,
  • SourcePortPostNAT,
  • UserName.


The following events are categorised by QRadar:

  • Connections Pass or Block,
    • Firewall and proxies,
    • Filter policy,
    • Alarms (IPS Permit or Deny),
  • Proxies,
    • Virus detection,
    • Sandboxing detection,
  • Authentication errors,
  • System events.

Support

If you encounter issues while installing or using the Stormshield Network Security DSM on the IBM QRadar platform, feel free to get in touch with Stormshield technical support.