No Malware Events Seen - eStreamer Integration(FMC & IBM Qradar)!!

tushar_bangia
Level 1

Hi Team,

I need some assistance to get visibility of Malware events on IBM QRadar. The eStreamer integration works fine and I can see events (IPS, connection logs); however, I can't see any Malware events.

I have tried to generate Malware events at both the Network and Endpoint level (AMP VPC is also integrated with FMC), but I am unable to see any Malware logs/events. The connection events do report the connection to the site from where I am downloading the test Malware samples.

The events are seen on the FMC, but the SIEM/IBM QRadar is unable to report any information. Please suggest if we need to do anything additional.

3 Replies

tushar_bangia
Level 1

I can only find the below close-matching caveat; however, the bug lacks information.

CSCvc91960 - Streamed Malware events uses the connection event direction

Hello Tushar,

Based on the info provided, I'd suggest you contact IBM as well to double-check the settings and app logs.

QRadar uses the FMC eStreamer API, but ultimately it's IBM's app that generates the data.

I'd also suggest you open a case with the FMC team, as this is a matter of extensive investigation.

Regards!

We have a similar problem.

Have you checked the payload for malware traces? In my case I have traced some payloads with malware details etc., but they did not come from the intended Log Source (I believe it should come from Log Source Firesight); instead they came from Log Source snort@ firewall name, hence resulting in an unknown event.

Please update if you have an answer by now.
