
Configuring IBM QRadar to Forward Active Directory Event Logs

You can configure the IBM QRadar SIEM to filter event logs from an Active Directory (AD) domain controller for decoy account usage or enumeration activity, and to forward the matching events to the Zscaler Deception Admin Portal through a Decoy Connector when an adversary's actions are detected.

Prerequisites

Make sure that the following prerequisites are met:

  • Configure the AD servers to forward logs to QRadar.
  • Configure a Decoy Connector as a syslog receiver, with the QRadar server's IP address in its allowed IP list.
  • Make sure that there is network connectivity between the QRadar server and the Decoy Connector’s management IP on TCP port 9514.

Configuring QRadar to Forward Logs to the Zscaler Deception Admin Portal

To configure QRadar to forward logs to the Deception Admin Portal:

  • Before you configure QRadar to forward logs, you must configure a Decoy Connector as a syslog receiver.

    1. Go to Orchestrate > SIEM > Connectors.
    2. Select a Decoy Connector that you want to use as a syslog receiver to collect the AD event logs from the QRadar server, and then click the Edit icon.

    3. In the SIEM Connector Details window, under Syslog Receiver:

      1. Source Type: Select IBM QRadar.
      2. Source Allowed IPs: Enter the QRadar server's IP address.

    4. Click Save.

  • Add the Decoy Connector as a forwarding destination in QRadar.

    1. Open an IBM QRadar SIEM console.
    2. On the navigation menu, click Admin.

    3. On the System Configuration page, click Forwarding Destinations.

    4. On the toolbar, click Add.

    5. In the Forwarding Destinations Properties window:

      1. Name: Enter a name for the forwarding instance.
      2. Destination Address: Enter the Decoy Connector’s management IP address, which is configured as a syslog receiver.
      3. Event Format: Select Payload from the drop-down menu.
      4. Destination Port: Enter 9514.
      5. Protocol: Select TCP from the drop-down menu.
      6. Prefix a Syslog header if it is missing or invalid: Select the checkbox.

    6. Click Save.

      The forward destination entry is added to the table.

  • Create a new event rule in QRadar.

    1. On the navigation menu, go to Offenses > Rules.
    2. Click Actions > New Event Rule.

    3. On the Rule Wizard page, click Next to select the source from which you want the rule to be generated.
    4. Under Choose the source from which you want this rule to generate, select Events.
    5. Click Next.

    6. Under the Rule section, enter a rule name in Apply. For example, enter "Decoy account usage is detected". Make sure quotation marks are included around the rule name.

  • Add the QID filter and the decoy user filter to the rule.

    1. Add a QID filter.
      1. On the Rule Wizard page, click the Add icon next to when the event QID is one of the following QIDs.
      2. Under the Rule section, click the QIDs link.

      3. Browse or search for the following QIDs, select a QID, and click Add. You can add only one QID at a time.

        • 5000937
        • 5000475
        • 5000945
        • 5000940
        • 5000938
        • 5000581
        • 5000589
        • 5000584
        • 5000835

      4. After the QIDs are added, click Submit.

    2. Add a user filter.
      1. On the Rule Wizard page, click the Add icon next to when the event matches this search filter.
      2. Under the Rule section, click the this search filter link.

      3. Select Username from the drop-down menu.
      4. Select Equals any of from the drop-down menu.
      5. Enter the decoy username and click the Plus icon to add the decoy username to the list.
      6. Click Add to add the filter.

      7. Verify that all the decoy users are added to the filter, and then click Submit.

      8. Click Next to go to the Rule Response section.

  • Configure the rule response to forward matching events to the Decoy Connector.

    1. Under the Rule Response section, select the Dispatch New Event checkbox.
    2. Enter an Event Name.
    3. Enter the Event Description.
    4. Select the Ensure the dispatched event is part of an offense checkbox.
    5. Under Offense Naming, select This information should set or replace the name of associated offense(s).
    6. Select the Send to Forwarding Destinations checkbox, and then select the Decoy Connector’s management IP that was configured as a forwarding destination from the list of destinations.

    7. Under Enable Rule, select the Enable this rule if you want it to begin watching events right away checkbox.
    8. Click Next, and then click Finish.
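The QID filter and the username filter together decide which events the rule dispatches, and the "Prefix a Syslog header if it is missing or invalid" option decides how the payload is framed on the wire. The following Python script is an added illustrative model of that logic, not Zscaler or IBM code: it applies both filters to constructed sample events, adds an RFC 3164-style header where the payload has none, and can send the result to TCP port 9514. The QIDs are the ones listed in the procedure; the decoy usernames, the sample payloads, the case-insensitive username comparison and the `forward()` helper are assumptions.

```python
"""Model of the QRadar event rule and forwarding destination from this procedure.

Added example, not Zscaler or IBM code. It assumes a minimal event record
{qid, username, payload}; the decoy usernames, sample payloads and forward()
helper are assumptions, the QIDs are the ones listed in the rule.
"""
import re
import socket
from datetime import datetime, timezone

# QIDs from the rule's "when the event QID is one of the following QIDs" filter.
DECOY_RULE_QIDS = {
    5000937, 5000475, 5000945, 5000940, 5000938,
    5000581, 5000589, 5000584, 5000835,
}

# Decoy usernames: constructed placeholders, replace with the decoy users
# created in the Deception Admin Portal.
DECOY_USERS = {"svc-backup-legacy", "adm-fileshare"}

# Forwarding destination settings from the procedure.
DEST_PORT = 9514
DEST_PROTOCOL = "TCP"

# A valid syslog line starts with a PRI field such as "<13>".
PRI_FIELD = re.compile(r"^<\d{1,3}>")


def rule_matches(qid, username):
    """Both rule tests must hold: QID in the list AND username equals any decoy.
    Username comparison is case-insensitive here (assumption: AD names are
    case-insensitive; check how your QRadar username property is normalized)."""
    return qid in DECOY_RULE_QIDS and username.lower() in {u.lower() for u in DECOY_USERS}


def prefix_syslog_header(payload, hostname="qradar", now=None):
    """Mirror 'Prefix a Syslog header if it is missing or invalid': pass a
    payload that already carries a PRI field through unchanged, otherwise add
    an RFC 3164-style header (PRI 14 = user facility, informational)."""
    if PRI_FIELD.match(payload):
        return payload
    now = now or datetime.now(timezone.utc)
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-pads the day
    return f"<14>{timestamp} {hostname} {payload}"


def select_for_forwarding(events, now=None):
    """Return the newline-terminated lines the rule would dispatch to the
    forwarding destination for the given events."""
    return [
        prefix_syslog_header(ev["payload"], now=now) + "\n"
        for ev in events
        if rule_matches(ev["qid"], ev["username"])
    ]


def forward(lines, host, port=DEST_PORT, timeout=5.0):
    """Send the framed lines to the Decoy Connector over TCP (assumed
    newline-delimited framing). Returns the number of lines sent; raises
    OSError if the port is unreachable, which doubles as the connectivity
    check from the prerequisites."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall(line.encode("utf-8"))
    return len(lines)


# Constructed sample events (payload text is invented, not real QRadar output).
SAMPLE_EVENTS = [
    # decoy user, QID in the list: forwarded
    {"qid": 5000475, "username": "svc-backup-legacy",
     "payload": "dc01 Logon attempt Account Name: svc-backup-legacy"},
    # real user, same QID: not forwarded
    {"qid": 5000475, "username": "jdoe",
     "payload": "dc01 Logon attempt Account Name: jdoe"},
    # decoy user, QID outside the list: not forwarded
    {"qid": 5000001, "username": "svc-backup-legacy",
     "payload": "dc01 Unrelated event Account Name: svc-backup-legacy"},
    # decoy user with a payload that already has a syslog header: passed through
    {"qid": 5000937, "username": "ADM-FILESHARE",
     "payload": "<13>Jan  5 10:00:00 dc01 Logon attempt Account Name: ADM-FILESHARE"},
]

if __name__ == "__main__":
    for line in select_for_forwarding(SAMPLE_EVENTS):
        print(line, end="")
```

Run as-is, it prints the two framed lines the rule would dispatch and nothing for the real-user and out-of-list events. Calling `forward(select_for_forwarding(SAMPLE_EVENTS), "<decoy-connector-management-ip>")` from a host that is in the connector's allowed IP list confirms the TCP 9514 path from the prerequisites before you rely on the rule; a connection error there points at the network or the allowed IP list rather than at the rule.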
