Ingesting Logs from Spectra Detect into QRadar Using Syslog and JSON
Introduction
Spectra Detect is a state‐of‐the‐art threat detection solution designed to identify and analyze potential cyber threats with precision. It delivers rich, structured log data encoded in syslog or JSON format, containing detailed insights into security events and anomalies. This robust data output provides vital context that can be leveraged to enhance threat intelligence and incident response.
Organizations can use the syslog protocol to forward JSON-formatted logs from Spectra Detect to IBM QRadar, a comprehensive security information and event management (SIEM) platform. Once the logs are ingested, QRadar automatically parses the JSON payload, correlates events with other security telemetry, and provides real-time analytics and reporting.
This integration ensures that critical threat indicators detected by Spectra Detect are quickly available within QRadar's unified dashboard. Security teams benefit from enhanced situational awareness, rapid anomaly detection, and streamlined incident response workflows — all essential for modern cybersecurity defense.
This setup has been tested on IBM QRadar 7.5 and Spectra Detect 5.5.0.
Requirements
- QRadar
- ReversingLabs Spectra Detect service package
- ReversingLabs Spectra Detect account
Spectra Detect syslog configuration
- Log in to your Spectra Detect Manager instance using Admin credentials
- Select your group in the central configuration pane
- Enable Syslog receiver in the System Alerting pane
- Enter your QRadar hostname, port and supported protocol -> Save
- Configure and enable CEF Messages
Spectra Detect JSON configuration
- Log in to your Spectra Detect Manager instance using Admin credentials
- Select your group in the central configuration pane
- Enter your QRadar URL in the Callback URL dialog box
- Select Egress Integrations and choose the report_type or container
- If available, enter path to your CA certificate (truststore)
- Apply and save
- Apply the configuration to your group and verify that it is applied to the Spectra Detect Hub and Worker.
- Submit files to the Worker using the Worker upload API
cURL example
curl -k -F file=@bfd33326a173d9266af763e3b43fecb5c439e123 -X POST https://ip_address/api/tiscale/v1/upload
{"task_url":"https://ip_address/api/tiscale/v1/task/629"}
- Check and validate under /var/log/tiscale/event.log and search for events named callback_upload_success
Log example
{"task_id":630,"sample":"bfd33326a173d9266af763e3b43fecb5c439e123","container":"bfd33326a173d9266af763e3b43fecb5c439e123","filename":"bfd33326a173d9266af763e3b43fecb5c439e123","file_link":"https://ip_address/bfd33326a173d9266af763e3b43fecb5c439e123","process_duration":0}
2025-04-24T12:24:57.776775+00:00 tiscale-worker tiscale_post_processor[183205]: INFO: event=callback_success {"task_id":630,"sample":"bfd33326a173d9266af763e3b43fecb5c439e123","container":"bfd33326a173d9266af763e3b43fecb5c439e123","process_duration":0}
2025-04-24T12:24:57.779648+00:00 tiscale-worker tiscale[183206]: INFO: event=postprocessing_success {"hash": "bfd33326a173d9266af763e3b43fecb5c439e123", "task": 630}
Check the failure-type events in /var/log/tiscale/event.log for information about errors and debugging.
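The following Python script is an added example (not part of this guide and not Spectra Detect code) that parses lines in the event.log format shown above, counts each event type and lists failures, which is the check a practitioner does before looking at QRadar. The sample lines are constructed from the excerpt above; the callback_failure event name and the error text in the third line are assumptions used to illustrate failure handling, not documented Spectra Detect events.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the /var/log/tiscale/event.log excerpt above.
# The third line is a hypothetical failure event: its event name and error text
# are assumptions, not names taken from Spectra Detect documentation.
SAMPLE_LOG = """\
2025-04-24T12:24:57.776775+00:00 tiscale-worker tiscale_post_processor[183205]: INFO: event=callback_success {"task_id":630,"sample":"bfd33326a173d9266af763e3b43fecb5c439e123","container":"bfd33326a173d9266af763e3b43fecb5c439e123","process_duration":0}
2025-04-24T12:24:57.779648+00:00 tiscale-worker tiscale[183206]: INFO: event=postprocessing_success {"hash": "bfd33326a173d9266af763e3b43fecb5c439e123", "task": 630}
2025-04-24T12:25:03.100000+00:00 tiscale-worker tiscale_post_processor[183205]: ERROR: event=callback_failure {"task_id":631,"sample":"0000000000000000000000000000000000000000","error":"connection refused"}
"""

# timestamp host process[pid]: LEVEL: event=<name> <json payload>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+): event=(?P<event>\S+) (?P<payload>\{.*\})$"
)


def parse_event_line(line):
    """Return a dict for one event.log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    try:
        rec["payload"] = json.loads(rec["payload"])
    except json.JSONDecodeError:
        return None
    return rec


def task_id(rec):
    """The worker uses 'task_id' in callback events and 'task' in postprocessing events."""
    payload = rec["payload"]
    return payload.get("task_id", payload.get("task"))


def summarize(text):
    """Count event types and collect failures (ERROR level or *_failure/*_error names)."""
    counts = Counter()
    failed = []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_event_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["event"]] += 1
        if rec["level"] == "ERROR" or rec["event"].endswith(("_failure", "_error")):
            failed.append((task_id(rec), rec["event"], rec["payload"].get("error")))
    return {"counts": dict(counts), "failed": failed, "unparsed": unparsed}


if __name__ == "__main__":
    # On a worker: summarize(open("/var/log/tiscale/event.log").read())
    print(summarize(SAMPLE_LOG))
```

Lines without the syslog-style prefix (such as the bare JSON line in the excerpt above) are counted as unparsed rather than dropped silently, so a change in the log format shows up in the summary.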
QRadar setup
- Install and configure your IBM QRadar instance using the appropriate option - hardware or software. Follow the guide for the right setup: IBM QRadar 7.5 install guide
- Log in to your IBM QRadar instance on https://qradar_ui
QRadar Log Source setup
QRadar supports adding a single log source that uses the syslog protocol.
- Create a New Log source using the menu option
- Select the log source and add the new log source type.
- Select the Log source type name and save
- Use Syslog as the protocol type
- Configure the Log Source parameters: set it to Enabled, set Target event collector to the default, and enable Coalescing Events and Store Event Payloads.
- Enter a name for the Log Source Identifier, usually the hostname or IP of the source (e.g. the Spectra Detect worker)
- Use UTF-8 as the Incoming Payload Encoding
To edit your log source type, select DSM Editor and choose your created log source type.
Log Activity
To view events sent to your HTTP Receiver log source (e.g. "SD_HTTP_receiver") in the QRadar UI:
- Open the QRadar Console and click the Log Activity tab.
- Add a Filter:
- Click Add Filter → choose Log Source Name (or Log Source Identifier) → select SD_HTTP_receiver.
- Apply the filter (or press Enter) to see only those events.
- Inspect an Event:
- Click any row to open the event details pane.
- Under Raw Event you’ll see the full JSON payload, and under Custom Properties you can verify parsed fields.
Custom mapping and rules
Custom mapping
Custom mapping lets you extract meaningful fields out of raw JSON (or syslog) events so you can search, filter, and build rules on structured data instead of opaque text. You define "properties" in the DSM Editor or the Custom Event Properties UI using JSON keypaths such as /"user"/"id" or regular expressions.
Create a custom mapping for the example JSON:
JSON example
{
"timestamp": "2025-04-22T12:00:00Z",
"event": "userLogin",
"user": {
"id": "u100",
"name": "alice"
},
"source": {
"ip": "10.1.1.5",
"userAgent": "curl/7.68.0"
}
}
Sending JSON to QRadar example
cURL example
curl --cacert /path/to/ca.crt \
-H "Content-Type: application/json" \
--data-binary @sample.json \
https://<QRADAR_HOST>:12469
Map Custom Fields in the UI
- Log into QRadar, go to Admin → DSM Editor (or Log Source Extensions).
- Select your HTTP Receiver log source (e.g. "SD_HTTP_receiver") and click Properties → Add Property.
- Modify the expression for each field.
Property Name | Data Type | Expression Type | Expression (JSON Path)
---|---|---|---
userID | Text | JSON | /"user"/"id"
userName | Text | JSON | /"user"/"name"
sourceIP | IP Address | JSON | /"source"/"ip"
timestamp | Date/Time | JSON | /"timestamp"
- Send the example JSON payload from Log source
- Check the Log Activity
- Check the populated custom fields
Create a custom rule
Rules let you turn parsed data into security-relevant alerts and Offenses. Once your custom properties are populating values (e.g. a sourceIP field), you create a rule that fires when that field meets a condition (like matching a known rogue IP or containing a suspicious pattern).
- Create a New Event Rule
- Go to Offenses → Rules and click New Event Rule → Flow (or Universal).
- Rule Name: "Rogue IP Detected"
- Rule Description:
- Triggers when the JSON custom property sourceIP matches a known rogue IP.
- Rule Test:
- Click Add Condition → Custom Property → sourceIP
- Operator: Equals (or Matches Regex)
- Value: 203.0.113.55 (replace with your rogue IP)
- Rule Responses:
- Click Add Response → Create New Offense (if you want an offense record)
- Click Add Response again → Send Email
- Email Server: SendGrid
- Recipients: secops@yourcompany.com
- Subject: "[QRadar] Rogue IP Detected: $sourceIP$"
Body example
A rogue IP has been detected in incoming JSON events.
sourceIP: $sourceIP$
eventName: $event$
timestamp: $timestamp$
Please investigate.
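As an added example (not the guide's own code and not QRadar's implementation), the Python script below resolves the property table's JSON keypaths against the example event, applies the sourceIP rule test with the Equals and Matches Regex operators, and renders the e-mail subject and body with $name$ substitution, so the mapping and the rule can be checked offline before they are created in QRadar. The "event" property row is an assumption added so the body's $event$ token resolves (the guide's table does not list it), the array-index keypath segments are an assumption about the keypath syntax, and the resolver is a simplification of QRadar's expression handling, not its parser.

```python
import re

# Constructed event modelled on the guide's JSON example; not a real Spectra Detect report.
SAMPLE_EVENT = {
    "timestamp": "2025-04-22T12:00:00Z",
    "event": "userLogin",
    "user": {"id": "u100", "name": "alice"},
    "source": {"ip": "10.1.1.5", "userAgent": "curl/7.68.0"},
}

# Property table from the guide. The "event" row is an assumption added here so the
# e-mail body's $event$ token resolves; it is not part of the guide's table.
PROPERTIES = {
    "userID": '/"user"/"id"',
    "userName": '/"user"/"name"',
    "sourceIP": '/"source"/"ip"',
    "timestamp": '/"timestamp"',
    "event": '/"event"',
}

SUBJECT = "[QRadar] Rogue IP Detected: $sourceIP$"
BODY = (
    "A rogue IP has been detected in incoming JSON events.\n"
    "sourceIP: $sourceIP$\neventName: $event$\ntimestamp: $timestamp$\n"
    "Please investigate."
)


def resolve_keypath(obj, keypath):
    """Walk a QRadar-style keypath such as /"user"/"id" over obj; None if absent.

    Simplified resolver: keys may not themselves contain '/'. Unquoted integer
    segments index into arrays (an assumption about the keypath syntax).
    """
    current = obj
    for segment in keypath.strip("/").split("/"):
        if len(segment) >= 2 and segment.startswith('"') and segment.endswith('"'):
            key = segment[1:-1]
            if not isinstance(current, dict) or key not in current:
                return None
            current = current[key]
        elif segment.isdigit():
            idx = int(segment)
            if not isinstance(current, list) or idx >= len(current):
                return None
            current = current[idx]
        else:
            raise ValueError(f"malformed keypath segment: {segment!r}")
    return current


def extract_properties(event, properties=PROPERTIES):
    """Populate every custom property from one event (missing paths give None)."""
    return {name: resolve_keypath(event, path) for name, path in properties.items()}


def rule_matches(props, field="sourceIP", equals=None, regex=None):
    """Mirror the rule test: Custom Property <field> Equals a value or Matches Regex."""
    value = props.get(field)
    if value is None:
        return False
    if equals is not None and value == equals:
        return True
    if regex is not None and re.search(regex, str(value)):
        return True
    return False


def render_template(template, props):
    """Substitute $name$ tokens as the Send Email response does; unknown tokens stay verbatim."""
    def replace(m):
        name = m.group(1)
        if name in props and props[name] is not None:
            return str(props[name])
        return m.group(0)
    return re.sub(r"\$(\w+)\$", replace, template)


def evaluate(event, rogue_ip="203.0.113.55"):
    """Return (subject, body) when the rule fires for this event, else None."""
    props = extract_properties(event)
    if not rule_matches(props, equals=rogue_ip):
        return None
    return render_template(SUBJECT, props), render_template(BODY, props)


if __name__ == "__main__":
    print(extract_properties(SAMPLE_EVENT))
    rogue = dict(SAMPLE_EVENT, source={"ip": "203.0.113.55", "userAgent": "curl/7.68.0"})
    print(evaluate(rogue))
```

Running the script on the example event shows the four properties populated and no alert; swapping the source IP for the documentation rogue address 203.0.113.55 produces the rendered subject and body, which is what QRadar would e-mail once the rule responses are configured.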
- Configure QRadar’s Email Server (This example used SendGrid as the SMTP relay)
- Log into QRadar as an Admin and go to Admin → System Settings.
- Click Email Server → Add.
- Enter the following (SendGrid’s SMTP Relay):
- Name: SendGrid
- Host Name: smtp.sendgrid.net
- Port: 587
- Use TLS
- User Name: apikey
- Password: "your_SendGrid_API_Key"
- From Address: alerts@yourdomain.com
- OK → Save → QRadar will test the connection.
Troubleshooting
Check the following section for information about errors and debugging:
- Verify the HTTP Receiver Service Is Up
systemctl status hostcontext
ss -tlnp | grep 12469
- Check port 514 and the connection from Spectra Detect to QRadar using nmap
- Check rsyslog configuration and service on source
systemctl status rsyslog
- Check your rsyslog configuration under /etc/rsyslog.d/*
- Inspect QRadar Logs for Errors
grep -i hostcontext /var/log/qradar.log
grep -i tls /opt/qradar/logs/hostcontext.log
Additional information
Useful links
ReversingLabs home page: https://www.reversinglabs.com/
ReversingLabs Spectra Detect: https://www.reversinglabs.com/products/spectra-detect
IBM QRadar: https://www.ibm.com/qradar