
IBM BigFix Detect

 

The JSA DSM for IBM BigFix Detect collects IOC and IOA alerts from the IBM BigFix Detect platform over its EDR REST API.

The following table describes the specifications for the IBM BigFix Detect DSM:

Table 1: BigFix Detect DSM Specifications

Manufacturer: IBM
DSM name: IBM BigFix Detect
RPM file name: DSM-IBMBigFixDetect-JSA_version_build_number.noarch.rpm
Supported versions: V9.5
Protocol: IBM BigFix EDR REST API Protocol
Recorded event types: IOC and IOA alerts
Automatically discovered?: No
Includes identity?: No
Includes custom properties?: No
More information: IBM website for BigFix Detect

To integrate IBM BigFix Detect with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA console, in the order listed:

    • Protocol Common RPM

    • IBM BigFix EDR REST API Protocol RPM

    • DSM Common RPM

    • IBM BigFix Detect DSM RPM

  2. Configure IBM BigFix Detect for API access, as described in Configuring IBM BigFix Detect to Communicate with JSA.

  3. Add an IBM BigFix Detect log source on the JSA console. The following table describes the parameters that require specific values to collect events from IBM BigFix Detect:

    Table 2: BigFix Detect Log Source Parameters

    Log Source Type: IBM BigFix Detect

    Protocol Configuration: IBM BigFix EDR REST API

    API Hostname or IP: The host name or IP address of the BigFix EDR API.

    API Port: The port number that is used to access the API. The default is 443.

    Client Certificate Filename: The file name (not the full path) of the PKCS#12 client keystore in the /opt/qradar/conf/trusted_certificates/ibmbigfixedr directory on JSA.

    Client Certificate Password: The password that you set when you generated the PKCS#12 client keystore.

    Use Proxy: If JSA reaches the BigFix EDR API through a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure only the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate(s): Select Yes for JSA to download the server certificate automatically and begin trusting the target server. Because this trusts whatever certificate the server presents on the first connection, confirm that the downloaded certificate chains to the CA certificate that you obtained from your BigFix administrator.

    EPS Throttle: The maximum number of events per second. The default is 5000.

  4. To verify that JSA is configured correctly, compare the events that arrive with the following example of a normalized event.

    The following table shows a sample LEEF event message from IBM BigFix Detect (the x characters are placeholders in the original sample, not real identifiers):

    Table 3: BigFix Detect Sample Event Message

    Event name: IOC Detected

    Low level category: Suspicious Activity

    Sample log message: LEEF:1.0|IBM|IBM BigFix Detect|BF-Detect.9.5|blue.static|alert_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx event_id=xxxxxxxxxxx ak=000000000000000000000000000000000962AA560FD9E45E5270557BB9DA801E resource=12587632 bf_endpoint_name=xxxxxxxxxxxx detected_ioc=urn:xxx.xxx.example.com:origin.bigfixqaedr//example:Indicator-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/ver/1 devTime=Feb 09 2017 06:11:32.000 UTC detection_description=IOC 00_jw-mo_File name and path detected. detection_mechanism=blue.static risk=medium sev=5 confidence=low devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z

    Note that the attribute section of this event is delimited by spaces rather than the tab that LEEF normally uses, and that some values (devTime, detection_description) themselves contain spaces. The devTimeFormat attribute tells JSA how to parse devTime.
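The following shell functions are an added example for this page, not Juniper's or IBM's code. They pull the header fields and individual attributes out of a BigFix Detect LEEF alert like the one above, which is a quick way to inspect the raw payload before or after JSA normalizes it. The sample message embedded in the block is constructed from the page's sample with the line-wrap artefacts removed (the x placeholders are kept); the function names are this example's own.

```shell
# Added example: field extraction for a BigFix Detect LEEF alert using only
# sed and cut. SAMPLE_LEEF is constructed from the page's sample message;
# the x's are placeholders, not real identifiers.
SAMPLE_LEEF='LEEF:1.0|IBM|IBM BigFix Detect|BF-Detect.9.5|blue.static|alert_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx event_id=xxxxxxxxxxx ak=000000000000000000000000000000000962AA560FD9E45E5270557BB9DA801E resource=12587632 bf_endpoint_name=xxxxxxxxxxxx detected_ioc=urn:xxx.xxx.example.com:origin.bigfixqaedr//example:Indicator-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/ver/1 devTime=Feb 09 2017 06:11:32.000 UTC detection_description=IOC 00_jw-mo_File name and path detected. detection_mechanism=blue.static risk=medium sev=5 confidence=low devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z'

# leef_header MSG N: print the Nth pipe-delimited header field
# (1=LEEF version, 2=vendor, 3=product, 4=product version, 5=event ID).
leef_header() {
    printf '%s\n' "$1" | cut -d'|' -f"$2"
}

# leef_attr MSG KEY: print the value of KEY from the attribute section.
# This event separates attributes with spaces instead of tabs, and values
# such as devTime and detection_description contain spaces themselves, so
# the value is taken to run up to the next "<space><key>=" token. A key that
# is absent prints nothing. The first sed anchors on a space or the final
# header pipe so that "bf_endpoint_name" is not mistaken for "endpoint_name".
leef_attr() {
    printf '%s\n' "$1" \
      | sed -n "s/.*[[:space:]|]$2=\(.*\)/\1/p" \
      | sed 's/[[:space:]][A-Za-z_][A-Za-z0-9_]*=.*$//'
}

# leef_check MSG: return 0 when the header identifies an IBM BigFix Detect
# event and both attributes JSA needs for timestamping are present.
leef_check() {
    [ "$(leef_header "$1" 2)" = "IBM" ] || return 1
    [ "$(leef_header "$1" 3)" = "IBM BigFix Detect" ] || return 1
    [ -n "$(leef_attr "$1" devTime)" ] || return 1
    [ -n "$(leef_attr "$1" devTimeFormat)" ] || return 1
}

# Usage:
#   leef_attr "$SAMPLE_LEEF" risk        -> medium
#   leef_attr "$SAMPLE_LEEF" devTime     -> Feb 09 2017 06:11:32.000 UTC
#   leef_check "$SAMPLE_LEEF" && echo "looks like a BigFix Detect alert"
```

The value-boundary rule in leef_attr is what makes this sample parseable at all: splitting on whitespace alone would cut devTime into four tokens, and splitting on tabs (the LEEF default) would return the entire attribute section as one value.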

Configuring IBM BigFix Detect to Communicate with JSA

To configure JSA to collect IOC and IOA alerts from an IBM BigFix Detect system, you must first obtain the following information from your IBM BigFix administrator:

  • Host name or IP address of the BigFix EDR API

  • Port number

  • Private key and corresponding certificate for client authentication, and the Trusteer CA certificate

  1. Generate the PKCS#12 formatted client keystore.
    1. Log in to JSA by using SSH.

    2. Type the following command and, when prompted, enter an export password for the keystore:

      openssl pkcs12 -inkey <private_key_filename> -in <certificate_filename> -export -out <PKCS#12_filename>

      The parameters are described in the following table:

      Table 4: Parameters

      private_key_filename: The private key that you obtained from the BigFix administrator.

      certificate_filename: The certificate that corresponds to the private key, which you obtained from the BigFix administrator.

      PKCS#12_filename: The name of the PKCS#12 keystore file to create, for example keystore.pkcs12.

      Note

      Record the password that you created when you generated the PKCS#12 client keystore. The password is required when you configure the log source.

  2. Store the keystore and CA certificate in JSA.
    1. Copy the Trusteer CA certificate to the /opt/qradar/conf/trusted_certificates/ directory in JSA.

    2. Create a directory named ibmbigfixedr in the /opt/qradar/conf/trusted_certificates/ directory.

    3. Copy the keystore.pkcs12 file to the /opt/qradar/conf/trusted_certificates/ibmbigfixedr/ directory that you created. Do not store the client keystore file in any other location; the protocol reads it only from that directory.

When you configure the log source in JSA, type only the file name of the client keystore (not its path) in the Client Certificate Filename field, and make sure that the name matches the file in /opt/qradar/conf/trusted_certificates/ibmbigfixedr/ exactly. Type the password that you created when you generated the PKCS#12 client keystore in the Client Certificate Password field.
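The following shell script is an added example (not the page's or IBM's own tooling) that carries the two steps above through end to end: it checks that the private key and certificate belong together before exporting the PKCS#12 keystore, verifies that the keystore opens with the chosen password, and stages it and the CA certificate where JSA looks for them. It assumes openssl is on the PATH; the function names, the optional scratch-directory argument, and the placeholder file names and password in the usage comment are this example's own choices.

```shell
# Added example, not from the Juniper page or from IBM: build, verify and
# stage the PKCS#12 client keystore for the IBM BigFix EDR REST API protocol.
# Assumes openssl is on the PATH. File names, the optional scratch directory
# and the password in the usage comment are placeholders.

# build_client_keystore KEY CERT OUT PASSWORD [CA_CERT]
# Refuses to export when KEY and CERT do not belong together, writes the
# keystore, locks its permissions, and re-opens it with PASSWORD to prove
# that the log source will be able to use it.
build_client_keystore() {
    local key=$1 cert=$2 out=$3 pass=$4 ca=$5
    local cert_pub key_pub

    # The public key inside the certificate must equal the one derived from
    # the private key; anything else means the wrong pair was supplied.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key and certificate do not match" >&2
        return 1
    fi

    # Same export as the page's openssl command, with the CA certificate
    # bundled in when one is given and the password supplied non-interactively.
    if [ -n "$ca" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$ca" \
            -out "$out" -passout "pass:$pass" || return 1
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass" || return 1
    fi
    chmod 600 "$out" || return 1

    # Read the keystore back with the same password; a wrong password or a
    # corrupt file fails here rather than later in the log source.
    openssl pkcs12 -in "$out" -info -noout -passin "pass:$pass" >/dev/null 2>&1
}

# stage_keystore P12 CA_CERT [CONF_DIR]
# Places the CA certificate in trusted_certificates and the keystore in its
# ibmbigfixedr subdirectory, the only location the protocol reads it from.
# CONF_DIR defaults to the JSA path and can point at a scratch directory.
# Prints the bare file name, which is the value for Client Certificate Filename.
stage_keystore() {
    local p12=$1 ca=$2 conf=${3:-/opt/qradar/conf/trusted_certificates}
    mkdir -p "$conf/ibmbigfixedr" || return 1
    cp "$ca" "$conf/" || return 1
    cp "$p12" "$conf/ibmbigfixedr/" || return 1
    chmod 600 "$conf/ibmbigfixedr/$(basename "$p12")" || return 1
    basename "$p12"
}

# Usage on the JSA console (placeholder names):
#   build_client_keystore client.key client.crt keystore.pkcs12 'S3cret!' trusteer-ca.crt
#   stage_keystore keystore.pkcs12 trusteer-ca.crt
```

The password is passed with pass: so that the function can be scripted; on a shared host that form is visible to other users through the process list, so prefer the interactive prompt the page's command uses, or -passout file:, when the console is not dedicated. The name that stage_keystore prints is exactly what goes into the Client Certificate Filename field, and the password given to build_client_keystore is what goes into Client Certificate Password.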