
These workflows are provided for sample usage, new submissions and updates from the community, and are NOT supported by IBM.


ermes-cyber-security/IBM-QRadar-Universal-Cloud-REST-API


EPM Configuration

Steps to set up the integration with QRadar:

1). User ID, password, and the EPM dispatcher server (login.epm.cyberark.com). These need to be filled into the XML parameter file. https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/ServerAuthentication.htm

2). There are 3 log source types:

EPM – EPM aggregated events. This fetches a 7-day backlog on the first run. https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAggregatedEvents.htm

EPM-AdminAudit1 – EPM admin audit. This fetches a 1-day backlog on the first run. https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAccountAdminAudit.htm

EPM-Policy – EPM aggregated policy audits. This fetches a 7-day backlog on the first run. https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAggregatedPolicyAudits.htm

QRadar Log Source Configuration

Please follow the root ReadMe for configuring within QRadar.

Troubleshooting

You can extract the debug run of the workflow from /var/log/qradar.log into a file and share that file with CyberArk support. Each workflow logs with its own prefix, so it can be grepped out separately.

For the event workflow: grep "EPM::AggEvent" qradar.log > aggevent.log

For the policy workflow: grep "EPM::AggPolicy" qradar.log > aggpolicy.log

For the admin audit workflow: grep "EPM::AdminAudit" qradar.log > aggaudit.log

You can also grep on the EPM:: prefix to capture the logs of all 3 workflows at once. Here is a sample where the password was changed in EPM but the change was not reflected in the workflow parameter XML file in QRadar. Note that the bookmark values still point at 2023-03-22 while the log entries are from March 26: when every run ends in "Abort - Login fail", the bookmark stops advancing and no events are collected until the credentials in the XML file are corrected.

[root@host-1 log]# grep "EPM::" qradar.log

Mar 26 13:50:37 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-165] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AdminAudit - The EPM Bookmark value was 1679466638733 : 2023-03-22T06:30:38.733Z

Mar 26 13:50:40 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-165] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AdminAudit - Abort - Login fail, check userid and password.

Mar 26 13:52:23 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-170] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AggEvent - The EPM Bookmark value was 1679466723151 : 2023-03-22T06:32:03Z

Mar 26 13:52:23 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-171] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AggPolicy - The EPM Bookmark value was 1679466723143 : 2023-03-22T06:32:03Z

Mar 26 13:52:25 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-170] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AggEvent - Abort - Login fail, check userid and password.

Mar 26 13:52:25 ::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-171] com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]EPM::AggPolicy - Abort - Login fail, check userid and password.
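As an added example that is not part of this repository, here is a small Python triage script for the EPM:: lines grepped out above. It pulls each workflow's last bookmark (epoch milliseconds, as in the sample), collects the Abort messages, and flags workflows whose bookmark has stopped advancing. The sample lines, host and IP are constructed from the excerpt above; bookmark_to_iso, summarize and stalled_workflows are this example's own names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the qradar.log excerpt above (hypothetical host and IP).
PREFIX = ("::ffff:10.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Thread-165] "
          "com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.LogAction: "
          "[INFO] [NOT:0000006000][10.0.0.1/- -] [-/- - ]")
SAMPLE_LOG = "\n".join(f"Mar 26 {ts} {PREFIX}EPM::{wf} - {msg}" for ts, wf, msg in [
    ("13:50:37", "AdminAudit", "The EPM Bookmark value was 1679466638733 : 2023-03-22T06:30:38.733Z"),
    ("13:50:40", "AdminAudit", "Abort - Login fail, check userid and password."),
    ("13:52:23", "AggEvent", "The EPM Bookmark value was 1679466723151 : 2023-03-22T06:32:03Z"),
    ("13:52:23", "AggPolicy", "The EPM Bookmark value was 1679466723143 : 2023-03-22T06:32:03Z"),
    ("13:52:25", "AggEvent", "Abort - Login fail, check userid and password."),
    ("13:52:25", "AggPolicy", "Abort - Login fail, check userid and password."),
])

# Each LogAction line ends with "EPM::<Workflow> - <message>"; bookmarks are epoch milliseconds.
LINE_RE = re.compile(r"EPM::(?P<workflow>\w+) - (?P<message>.*)$")
BOOKMARK_RE = re.compile(r"Bookmark value was (?P<ms>\d+)")

def bookmark_to_iso(ms):
    # Render an EPM bookmark as UTC ISO-8601 with milliseconds, avoiding float rounding.
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"

def summarize(log_text):
    # Per workflow: the last bookmark seen (epoch ms) and every "Abort - ..." message.
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        wf = summary.setdefault(m["workflow"], {"bookmark_ms": None, "aborts": []})
        b = BOOKMARK_RE.search(m["message"])
        if b:
            wf["bookmark_ms"] = int(b["ms"])
        elif m["message"].startswith("Abort"):
            wf["aborts"].append(m["message"])
    return summary

def stalled_workflows(summary, now_ms, max_lag_ms=86_400_000):
    # Stalled: the workflow aborted, or its bookmark has not advanced within max_lag_ms of now.
    return sorted(name for name, info in summary.items()
                  if info["aborts"] or (info["bookmark_ms"] is not None
                                        and now_ms - info["bookmark_ms"] > max_lag_ms))
```

To run it against a real capture, read the output of grep "EPM::" qradar.log into a string and pass it to summarize; on the constructed sample all three workflows come back as stalled, with bookmarks four days behind the log date.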
