Configure QRadar as a Log system for CloudGuard Dome9
This note describes how to configure Dome9 to send compliance and Log.ic alerts to IBM QRadar. The setup involves the following components:
- AWS S3 buckets - these hold the Dome9 alerts, formatted for QRadar, from where QRadar ingests them
- the dome9_s3_logger package (https://github.com/Dome9/dome9_tools/tree/master/dome9_s3_logger) - this creates the SNS/SQS channels, the S3 buckets, and the Lambda functions
- an IBM QRadar DSM - an account on QRadar that will ingest Dome9 logs and findings
How it works
You can send two types of events to QRadar from Dome9: system events, and alerts (compliance and Log.ic). Both send events through an AWS SNS/SQS channel. Both also use the dome9_s3_logger package to pull the events from the SNS/SQS channel, reformat them into a format QRadar can use, and store them in an S3 bucket, from where they are ingested into QRadar.
Each type of event (system and alerts) requires separate SNS, SQS, and S3 entities, and a separate instance of the S3 logger package.
For Dome9 Audit logs, this is the data flow:
For Dome9 alerts, this is the data flow:
Create S3 Buckets
S3 buckets are required to store reformatted Dome9 log and alert information. QRadar ingests the reformatted information from these S3 buckets.
Create two AWS S3 buckets, one for Dome9 audit logs, and one for Dome9 alerts.
Create an IAM Role
In your AWS account, create an IAM Role that grants CloudFormation permission to create the resources in the dome9_s3_logger package (Lambda functions, SNS topics, SQS queues).
Deploy the dome9_s3_logger package
In a browser, navigate to the Dome9 Github repository: https://github.com/Dome9/dome9_tools/tree/master/dome9_s3_logger .
Follow the Installation instructions in the readme file there to deploy a CloudFormation template in your AWS account which, in turn, creates the SNS/SQS channel.
You will connect the stack with one of the S3 buckets created in the previous step.
The CloudFormation template uses the IAM role created in the previous step.
Deploy this package once for each S3 bucket created in the previous step (that is, twice in total).
This package uses AWS CloudFormation stacks to create the workflow elements (Lambda function, SNS topic, SQS queue, SQS polling mechanism) that rewrite Dome9 log and alert entries as CloudTrail-like plain-text JSON records suitable for QRadar ingestion, and deposit those reformatted event records in a chronologically organized file structure in the designated S3 bucket.
The Lambda function converts each Dome9 log or alert to a plain-text JSON record and writes it to the S3 bucket.
If your QRadar AWS DSM only accepts gzipped JSON records, follow these steps:
- Overwrite the index.js file in the dome9s3Logger Lambda function with this file: <link to updated index.js with gzip> . The updated index.js uses a new environment variable, IsGzipEnabled (boolean). Add this variable manually to the Lambda function's environment variables.
- Set the variable to TRUE.
- Save the updated index.js file and the Lambda function itself, then publish the updated Lambda function.
Configure a Dome9 Compliance Notification Policy for QRadar
Follow the instructions in the Post-Install section of the readme file, to complete the dome9_s3_logger deployment.
This configures a Notification Policy for alerts (for a specific Dome9 compliance or Log.ic ruleset and a specific cloud account). The notification policy forwards alerts from that ruleset to the SNS topic created above.
It also configures Dome9 to send audit logs to the second SNS topic created above.
Configure QRadar DSM
Follow the instructions here to configure a QRadar DSM to ingest log records from the S3 buckets from the previous steps.