Get actionable insights from the Audit Logs of your Miro Enterprise plan with the Miro Connector for IBM QRadar. Detect, prioritize and respond to security threats faster, and use this integration to ingest Miro Audit Log data directly into your IBM QRadar SIEM system.
Admin console update in phased rollout
Miro’s new admin console makes essential administration workflows easier to perform, with reorganized settings and improved common UX patterns. The new admin console is rolling out over several weeks.
Your organization may see the updated admin console before this article is updated. To see an overview of all changes, see Miro's new Admin Console (BETA).
The connector is available for QRadar 7.4.2+.
- Gain actionable insights by monitoring key user activity to enable more informed decision-making.
- Get real-time monitoring and visibility. Automate ingestion of data from Miro’s Audit Logs directly into IBM QRadar, without requiring manual data exports or mapping.
- Streamline Security Monitoring. Easily monitor and detect threats or policy violations, and protect your organization’s sensitive data.
- Speed incident analysis and remediation by using QRadar’s prioritized alerts.
This guide describes the steps to install and configure IBM QRadar for the Miro Enterprise plan.
Overview
IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise's network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors.
The Miro app for IBM QRadar uses the Audit Logs API to fetch Miro Enterprise Audit Logs into IBM QRadar.
Prerequisites
- Download and install the Miro Audit Logs custom DSM from the IBM App Exchange
- Install Universal Cloud REST API Protocol
Configure Log Sources for Miro
Follow these steps to configure new Log Source Management.
1. To add a new log source in IBM QRadar, first make sure that the Log Source Management app is installed in your QRadar console under the Admin tab.
[Screenshot: Configuring log sources for Miro in QRadar]
2. After being redirected to a new tab, select Log Sources.
[Screenshot: Managing log sources in QRadar]
3. Click New Log Source and select Single Log Source.
[Screenshot: Add a new log source]
5. Search for and select Universal Cloud REST API as the protocol type. Then click Step 3: Configure Log Source Parameters.
[Screenshot: Select protocol type]
6. Configure the following log source parameters, leaving the remaining parameters at their defaults:
- Name: text field, e.g. Miro Audit Logs
- Extension: MiroAuditLogsCustom_ext
- Coalescing Events: off
Then click Step 4: Configure Protocol Parameters.
[Screenshot: Configure log source parameters]
⚠️ To prevent IBM QRadar from combining all events into a single event, make sure the Coalescing Events option is switched off.
7. Configure the following protocol parameters, leaving the remaining parameters at their defaults:
- Log Source Identifier: text field, e.g. miro-test
- Workflow: the contents of the Miro-Workflow.xml file
- Workflow Parameter Values: the contents of the Miro-Workflow-Parameter-Values.xml file, with the Miro SIEM authentication token added as the value of the access_token entry:
<Value name="access_token" value="" />
Then click Step 5: Test Protocol Parameters.
[Screenshot: Test the protocol parameters]
8. You can test whether the protocol parameters were set up correctly by clicking Start Test, or skip this step by clicking Skip Test and Finish.
[Screenshot: Testing protocol parameters]
9. If you choose to test the protocol parameters and everything is set up correctly, the Test Protocol Parameters page shows a green checkmark.
[Screenshot: Successful protocol parameter test]
10. Once you click Finish, the new log source is displayed and enabled.
[Screenshot: New log source displayed and enabled]
11. Once the log source has been created, you need to deploy the changes. Go to the Admin tab in the IBM QRadar console and click Deploy Changes.
[Screenshot: Deploy log source changes]
Create a new event mapping in IBM QRadar (optional)
Next, you need to create a new event mapping in IBM QRadar.
1. Once your log source is deployed, you can see its log activity in the Log Activity tab of the IBM QRadar console. You can filter the log events by log source by clicking the Add Filter option.
[Screenshot: Log source deployed in the Log Activity tab in QRadar]
2. Select Log Source [Indexed] as the Parameter, choose the log source you created in the previous steps (in this example, Miro Enterprise Test) and click Add Filter.
[Screenshot: Filtering the Log Activity tab by log source]
3. After adding the new filter, select the time range, for example Last 12 Hours.
[Screenshot: Selecting the time range for the new filter]
4. Create a new event mapping in IBM QRadar for the Unknown events from the Miro integration.
[Screenshot: The new log source with an unknown event]
5. Select the Unknown event, click the Actions option and then select the DSM Editor option.
[Screenshot: Editing an unknown event]
6. In the DSM Editor, click the Event Mapping tab and then click the plus icon to add an event.
[Screenshot: Adding a new event mapping]
7. To create a new event mapping, you need to provide the following parameters:
- Event ID: must match the Event type from this IBM guide and must be unique.
- Event Category: event
Once you've added the Event ID and Event Category, add a QID Record by clicking the Choose QID link. Refer to the IBM guide.
[Screenshot: Creating an event mapping]
8. In the QID Records modal window, configure the following parameters:
- Name: text field, e.g. Organization SCIM enabled
- Description: description field
- High Level Category: the Category value suggested by the QRadar team
- Low Level Category: the Sub-Category value suggested by the QRadar team
⚠️ To learn more about IBM categories, read the IBM QRadar documentation.
Then click Save.
[Screenshot: Saving the QID record configuration]
9. Once the QID Record is created, select it by clicking Ok.
[Screenshot: Selecting the saved QID record]
How to edit an existing QID Record (optional)
2. Copy the id from the previous response, then select the data_classification folder, the qid_records item, and qid_record_id. Filter by qid_record_id > Path > Value, paste the copied id, and click Try it Out.
4. The description attribute is updated accordingly.
[Screenshot: Description attribute updated]
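The two checks this article performs by hand in the console, confirming that the Miro log source is enabled with Coalescing Events off (step 6 above), and looking up a QID record by name to update its description (the optional section just above), can also be scripted against the QRadar REST API. The following is an added example, not code from Miro or IBM. It assumes the QRadar REST API endpoints `config/event_sources/log_source_management/log_sources` and `data_classification/qid_records`, the `SEC` header for the API token, and the JSON field names `enabled`, `coalesce_events`, `name` and `id` as documented by IBM for QRadar; the environment variable names `QRADAR_HOST` and `QRADAR_TOKEN` and the sample QID description are hypothetical.

```python
"""Added example (not Miro's or IBM's code): script the two manual checks from
the article against the QRadar REST API.

Assumptions (labelled, not taken from the article): endpoint paths, the SEC
token header, the Version header value and the JSON field names come from the
QRadar REST API as documented by IBM; QRADAR_HOST / QRADAR_TOKEN are
hypothetical environment variable names."""
import json
import os
import ssl
import urllib.parse
import urllib.request

API_VERSION = "15.0"  # assumed: a supported QRadar REST API version


def qradar_request(host, token, path, method="GET", body=None, verify_tls=True):
    """Minimal QRadar REST call; returns the decoded JSON response."""
    url = f"https://{host}/api/{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("SEC", token)  # QRadar authorized-service token header
    req.add_header("Version", API_VERSION)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def log_source_issues(log_source):
    """Return the problems to flag on a log source record (dict as returned
    by the log_sources endpoint): disabled, or Coalescing Events left on."""
    issues = []
    if not log_source.get("enabled", False):
        issues.append("log source is disabled")
    if log_source.get("coalesce_events", True):
        issues.append("Coalescing Events is on: events would be merged into one")
    return issues


def qid_filter(name):
    """Build the QRadar filter expression that selects a QID record by name."""
    escaped = name.replace('"', '\\"')
    return f'name="{escaped}"'


def extract_qid_record_id(records, name):
    """Pick the id of the QID record whose name matches exactly; None if absent."""
    for rec in records:
        if rec.get("name") == name:
            return rec.get("id")
    return None


def update_qid_description(host, token, qid_record_id, description, verify_tls=True):
    """POST a new description to the QID record (assumed endpoint shape)."""
    return qradar_request(host, token,
                          f"data_classification/qid_records/{qid_record_id}",
                          method="POST", body={"description": description},
                          verify_tls=verify_tls)


if __name__ == "__main__":
    host = os.environ.get("QRADAR_HOST")
    token = os.environ.get("QRADAR_TOKEN")
    if not host or not token:
        raise SystemExit("set QRADAR_HOST and QRADAR_TOKEN (hypothetical names)")
    # 1. Check the Miro log source created in the article.
    flt = urllib.parse.quote('name="Miro Audit Logs"')
    for ls in qradar_request(
            host, token,
            f"config/event_sources/log_source_management/log_sources?filter={flt}"):
        print(ls["name"], log_source_issues(ls) or "ok")
    # 2. Find the QID record by name and update its description.
    name = "Organization SCIM enabled"
    recs = qradar_request(
        host, token,
        f"data_classification/qid_records?filter={urllib.parse.quote(qid_filter(name))}")
    qid_id = extract_qid_record_id(recs, name)
    if qid_id is not None:
        print(update_qid_description(host, token, qid_id,
                                     "SCIM provisioning enabled for the organization"))
```

Run it with `QRADAR_HOST` and `QRADAR_TOKEN` set to your console and an authorized-service token; the log source check prints `ok` only when the source is enabled and `coalesce_events` is false, which is the condition the warning in step 6 is about.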