IBM QRadar

  • 1.  Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Mon October 28, 2019 04:01 AM
    Hello Community,

    I need a rule which detects if someone connects to my VPN successfully from outside of my country. My country is the Republic of Georgia, shortly Georgia.

    thank you

    Georgia


    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------


  • 2.  RE: Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Tue October 29, 2019 04:55 AM
    Hi,

    First, you need to install "QRadar User Behavior Analytics app", which enables blocking of users from different geographical locations through the building block "UBA: User Geography, Access from Unusual Locations" and other associated rules.

    This screenshot illustrates a use case in my company, which effectively prevented users from other countries attempting to get access to our VPN.

    ------------------------------
    Nam Tran Quoc
    ------------------------------



  • 3.  RE: Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Tue October 29, 2019 06:59 AM
    Hi,
    I would not go as far as saying that the use case exposed by Davit requires UBA. All you need is a rule that detects VPN connections that are not initiated from Georgia. As a first step, you might want to review the following video from Jose Bravo: https://youtu.be/u-iiDgX4PjM (aka "QRadar Monitoring VPN access from countries you do not do business with").
    Hope this is useful.

    ------------------------------
    Jean-Luc Labbe
    Cognitive Security Intelligence, Europe
    IBM Security
    ------------------------------



  • 4.  RE: Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Tue October 29, 2019 07:39 AM
    Hello,
    Is it right?


    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 5.  RE: Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Tue October 29, 2019 08:56 AM
    First, create a rule that captures your VPN logins.  (Maybe you can leverage the Building Blocks, or just look for the qid's for a successful login...)

    Once you've got a basic rule detecting all logins, add the following AQL as an "and" condition:

    NOT (GEO::LOOKUP(sourceip, 'physical_country') ilike '%"name":"Georgia"%')

    If you're using the free MaxMind dataset included with QRadar, you'll probably end up with false positives and false negatives, but on the whole it should work well.

    Good luck!

    ------------------------------
    Jeremy Nielson
    ------------------------------



  • 6.  RE: Need Rule which detects if someone connects to my VPN successfully outside of my country. My country is the Republic of Georgia, shortly Georgia.

    Posted Tue October 29, 2019 09:45 AM
    Davit, please also check this out:
    https://community.ibm.com/community/user/security/blogs/jeff-rusk1/2019/08/19/geographic-data-enhancements

    ------------------------------
    Jean-Luc Labbe
    Cognitive Security Intelligence, Europe
    IBM Security
    ------------------------------