https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3322724#M4875 <P>we have a similar problem</P> <P>&nbsp;</P> <P>Have you checked payload for malware traces? In my case i have traced some payloads with malware details etc , but they did not come from intended Log Source (i believe it should come from Log source Firesight)&nbsp; instead from Log source source snort@ firewall name and hence resulting in unknown event.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please update if you have an answer by now</P> Wed, 31 Jan 2018 17:11:09 GMT santhakumar.saseendran 2018-01-31T17:11:09Z https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3223051#M4872 <P>Hi Team,</P> <P>&nbsp;</P> <P>I need some assistance&nbsp;to have visibility for Malware events on&nbsp;IBM Qradar, the estreamer integration works fine and I can see events, IPS, Connection logs however I cant see any Malware events.</P> <P>&nbsp;</P> <P>I have tried to generate Malware events for both Network and Endpoint level (AMP VPC is also integrated with FMC) however I am unable to see any Malware logs/events. The connection events does report connection to the site from where I am downloading test Malware samples.</P> <P>&nbsp;</P> <P>The events are seen on the FMC however the SIEM/IBM Qradar is unable to report any information. Please suggest if we need to do anything additional.</P> Sat, 09 Mar 2019 01:45:16 GMT https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3223051#M4872 tushar_bangia 2019-03-09T01:45:16Z https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3223053#M4873 <P>I can only find below close matching caveat however the bug lacks information.</P> <DIV class="bugTitle">&nbsp;</DIV> <DIV class="bugId">CSCvc91960 -&nbsp;Streamed Malware events uses the connection event direction</DIV> <DIV class="bugId"><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc91960" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc91960</A></DIV> <DIV class="bugId">&nbsp;</DIV> Mon, 27 Nov 2017 13:18:57 GMT https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3223053#M4873 tushar_bangia 2017-11-27T13:18:57Z https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3224482#M4874 <P><BR />Hello Tushar,</P> <P>&nbsp;</P> <P>Based on the info provided, I'd suggest you to contact IBM as well to double check settings and app logs.</P> <P>&nbsp;</P> <P>QRadar is using estreamer FMC API but ultimately it's IBM's app the one generating the data.</P> <P>&nbsp;</P> <P>I'd also suggest you&nbsp;should open a case to the FMC team as this is a matter of extensive investigation.</P> <P>&nbsp;</P> <P>Regards!</P> Wed, 29 Nov 2017 16:43:56 GMT https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3224482#M4874 IvanCdC 2017-11-29T16:43:56Z https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3322724#M4875 <P>we have a similar problem</P> <P>&nbsp;</P> <P>Have you checked payload for malware traces? In my case i have traced some payloads with malware details etc , but they did not come from intended Log Source (i believe it should come from Log source Firesight)&nbsp; instead from Log source source snort@ firewall name and hence resulting in unknown event.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please update if you have an answer by now</P> Wed, 31 Jan 2018 17:11:09 GMT https://community.cisco.com/t5/endpoint-security/no-malware-events-seen-estreamer-integration-fmc-amp-ibm-qradar/m-p/3322724#M4875 santhakumar.saseendran 2018-01-31T17:11:09Z