IBM Security QRadar

Did you think of monitoring QRadar ?

By Gladys Koskas posted 14 days ago

  

Are you monitoring one of the most important security devices?

 

Proxies, cloud, IPS, databases… These are the devices we monitor every day, looking for potential security issues or breaches. But what about the device that is in charge of collecting all this data and alerting? One of the most important security devices in your infrastructure is QRadar itself!

The IBM QRadar Security Analytics Self Monitoring content extension will help you detect suspicious behavior and meet audit requirements.

In this blog we are going to answer the following “How can I” questions using scenarios included in the content pack.

How can I:

  • Understand quickly that I am under attack or that something is wrong with my configuration?
  • Detect if someone tried to corrupt data on QRadar?
  • Be alerted if I have a managed host unreachable?
  • Ensure that I meet my compliance auditing requirements?

 

Scenarios Highlight

How can I understand quickly that I am under attack or that something is wrong with my configuration?

Once you have a QRadar system running and tuned, the number of offenses generated every day should be fairly constant.

A spike in the number of offenses created could mean that you are under attack (e.g. DoS/DDoS, reconnaissance, exfiltration). If that is not the case, it could be an issue with QRadar’s configuration (e.g. rule creation/tuning not optimized).

If the number of offenses decreases suddenly, it could again mean a problem with QRadar’s configuration (e.g. log collection, parsing), someone may have been too greedy with the tuning, or, worse, rules might have been disabled for the wrong reason.

Regardless of whether these are real alerts or false positives, a large change in the number of offenses created must be evaluated. To address this problem, we assume that a variation of 40% is significant enough to trigger an investigation.

Apply QRadar Audit: Unusual Number of Offenses Created when time series data is being aggregated by Start Time, Last Time, Event Name
and when the average value (per interval) of SUM(EventCount) over the last 2 hours is at least 40% different from the average value (per interval) of the same property over the last 24 hours
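To make the comparison behind this rule concrete, here is an added example (not part of the content extension) that re-implements the test locally: it takes offense counts per interval, compares the average of the last 2 intervals with the average of the last 24, and flags a relative change of at least 40% in either direction. It assumes one interval is one hour and that "different" means the absolute relative difference against the 24-hour average; the sample series are constructed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class OffenseRateCheck:
    """Result of comparing the short window against the baseline window."""
    short_avg: float
    long_avg: float
    change: float      # relative difference, e.g. 0.69 for a 69% change
    triggered: bool


def check_offense_rate(counts_per_interval, short_intervals=2,
                       long_intervals=24, threshold=0.4):
    """Local re-implementation of the 'Unusual Number of Offenses Created' test.

    counts_per_interval: offense counts per interval, oldest first
    (assumption: 1 interval = 1 hour). The average over the last
    `short_intervals` is compared with the average over the last
    `long_intervals`; the check triggers when the relative difference,
    in either direction, is at least `threshold`.
    """
    if len(counts_per_interval) < long_intervals:
        raise ValueError(f"need at least {long_intervals} intervals of data")
    long_avg = mean(counts_per_interval[-long_intervals:])
    short_avg = mean(counts_per_interval[-short_intervals:])
    if long_avg == 0:
        # No baseline offenses at all: any activity now is a 100% change.
        change = 1.0 if short_avg > 0 else 0.0
    else:
        change = abs(short_avg - long_avg) / long_avg
    return OffenseRateCheck(short_avg, long_avg, change, change >= threshold)


# Constructed sample series (hourly offense counts, oldest first):
SPIKE = [50] * 22 + [90, 90]    # 22 quiet hours, then two hours of spike
DROP = [50] * 22 + [20, 20]     # offenses suddenly tail off (collection/rule problem?)
STEADY = [50] * 24              # a normal day, no alert expected

if __name__ == "__main__":
    for name, series in [("spike", SPIKE), ("drop", DROP), ("steady", STEADY)]:
        r = check_offense_rate(series)
        print(f"{name}: short={r.short_avg:.1f} long={r.long_avg:.1f} "
              f"change={r.change:.0%} triggered={r.triggered}")
```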



How can I detect if someone tried to corrupt data on QRadar?

As stated previously, changes to QRadar’s configuration through the web interface can have a huge impact on detection capabilities, but changes made through the CLI are also very important and could be catastrophic.

Legal evidence is stored in /store; with enough access, one could remove or modify payloads to hide suspicious behavior. But there is a way to monitor suspicious access to this data.

Apply QRadar Audit: Payload deleted or modified on events which are detected by the Local system
and when the event(s) were detected by one or more of SIM Audit
and when the event QID is one of the following (28250184) A user executed a command from the command prompt
and when the event matches Command (custom) matches any of expressions [(vi|rm|mv|cp).*payload_(events|flows)~\d _\d~\S{16}~\S{16}~\d.* or echo.*>.*payload_(events|flows)~\d _\d~\S{16}~\S{16}~\d.*]


This rule will alert if anyone takes a modification action on the payloads with vi or vim (file editing), echo > (emptying the file), rm (deleting), or mv or cp (overwriting the file).


This is not the only place to monitor: other files are important and their integrity is critical. The QRadar Audit: Potential sensitive file modification rule allows you to watch any file you consider sensitive in your QRadar deployment. The rule is pre-populated with the bash_history file and is meant to be tuned to meet your requirements.

Apply QRadar Audit: Potential sensitive file modification on events which are detected by the Local system
and when the event(s) were detected by one or more of SIM Audit
and when the event QID is one of the following (28250184) A user executed a command from the command prompt
and when the event matches Command (custom) matches any of expressions [(vi|rm|mv|cp).*\.bash_history or echo.*>.*\.bash_history]
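Before tuning this rule, it helps to see which command lines its expressions actually match. The added example below (not the extension's own code) builds the two expression forms used above for a list of sensitive files and runs them over constructed values of the Command custom property; it assumes the tuned rule keeps the same shape as the pre-populated .bash_history entries, and the /etc/shadow entry is a constructed tuning addition, not part of the rule. The grep line shows a caveat worth knowing when tuning: the expressions are unanchored, so a read-only command containing "rm" still matches.

```python
import re

# Command prefix used by the rule; the 'vi' alternative also covers vim.
EDITORS = r"(vi|rm|mv|cp)"


def build_expressions(sensitive_files):
    """Generate the rule's two expression forms for each sensitive file.

    Assumption: the tuned rule keeps the shape of the pre-populated entries,
    i.e. '<cmd>.*<file>' and 'echo.*>.*<file>'.
    """
    exprs = []
    for f in sensitive_files:
        exprs.append(re.compile(rf"{EDITORS}.*{f}"))
        exprs.append(re.compile(rf"echo.*>.*{f}"))
    return exprs


def matching_commands(commands, exprs):
    """Return the Command values that at least one expression matches."""
    return [c for c in commands if any(e.search(c) for e in exprs)]


# Pre-populated entry from the rule, plus a constructed entry added for tuning.
SENSITIVE = [r"\.bash_history", r"/etc/shadow"]
EXPRESSIONS = build_expressions(SENSITIVE)

# Constructed sample values of the Command custom property (not real audit records).
SAMPLE_COMMANDS = [
    "vim /root/.bash_history",                  # edit: matches via the 'vi' prefix
    "echo '' > /root/.bash_history",            # empty the file
    "rm -f /root/.bash_history",                # delete
    "cp /tmp/history.bak /root/.bash_history",  # overwrite
    "cat /root/.bash_history",                  # read only: no match
    "echo ok >> /var/log/notes",                # unrelated redirect: no match
    "mv /etc/shadow /etc/shadow.bak",           # matches the tuned /etc/shadow entry
    "grep rm /root/.bash_history",              # read only, but unanchored 'rm' matches
]

if __name__ == "__main__":
    for c in matching_commands(SAMPLE_COMMANDS, EXPRESSIONS):
        print("ALERT:", c)
```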



How can I be alerted if I have a managed host unreachable?

Managed hosts send their status regularly via QRadar logs. The QRadar Audit: QRadar Host Unavailable rule allows you to monitor whether there is a communication problem between the hosts.

Apply QRadar Audit: QRadar Host Unavailable on events which are detected by the Local system
and when the event QID is one of the following (38750003) Information Message
and when the event matches Host status (custom) matches any of expressions [UNKNOWN or FAILED]
and when at least 8 events are seen with the same Source IP, Host status (custom) in 5 minutes
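The counting test of this rule is easy to misread, so here is an added example (not the extension's own code) that applies it to constructed host status events: it keeps a sliding 5-minute window per (Source IP, Host status) pair, ignores statuses other than UNKNOWN and FAILED, and fires once when 8 events land inside the window. The IP addresses and timestamps are constructed; the rule's own event format and the re-arm behaviour after an alert are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 8                   # "at least 8 events"
WINDOW = timedelta(minutes=5)   # "in 5 minutes"
BAD_STATUSES = ("UNKNOWN", "FAILED")


def host_unavailable_alerts(events):
    """Fire when >= THRESHOLD UNKNOWN/FAILED events from one source fall within WINDOW.

    events: iterable of (timestamp, source_ip, host_status) tuples, oldest first,
    standing in for 'Information Message' events with the Host status property.
    Returns one (source_ip, status, timestamp) per alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, ip, status in events:
        if status not in BAD_STATUSES:
            continue
        q = windows[(ip, status)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:     # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((ip, status, ts))
            q.clear()   # assumption: re-arm so one outage yields one alert, not one per event
    return alerts


def _series(start, ip, status, count, step):
    """Constructed helper: `count` events for one host, `step` apart."""
    return [(start + i * step, ip, status) for i in range(count)]


BASE = datetime(2024, 1, 1, 12, 0, 0)
# Constructed: host reports FAILED every 30 s -> 8 events within 3.5 min -> alert.
FAILING = _series(BASE, "10.0.0.12", "FAILED", 8, timedelta(seconds=30))
# Constructed: UNKNOWN every 90 s -> never 8 events inside 5 min -> no alert.
SLOW = _series(BASE, "10.0.0.13", "UNKNOWN", 8, timedelta(seconds=90))
# Constructed: healthy host whose status is not UNKNOWN/FAILED -> ignored.
HEALTHY = _series(BASE, "10.0.0.14", "OK", 10, timedelta(seconds=30))

if __name__ == "__main__":
    for ip, status, ts in host_unavailable_alerts(sorted(FAILING + SLOW + HEALTHY)):
        print(f"ALERT {ts}: {ip} reported {status} {THRESHOLD} times in {WINDOW}")
```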



How can I ensure that I meet my compliance auditing requirements?

The IBM QRadar Analytics Self Monitoring Content Extension provides 5 reports meant to cover some of the main aspects of audit requirements.

  • QRadar Audit - User Authentication Activity: One of the primary legal requirements for a SOC is to keep a trace of user authentications
  • QRadar Audit - System warnings and errors: System availability and correct functioning are core requirements for a SOC
  • QRadar Audit - Modifications overview: To prove that changes were legitimate (to customers for an MSSP, or in the context of an audit, for example), modifications to the system must be recorded
  • QRadar Audit - Searches Executed: Some compliance regimes (e.g. GDPR) require tracking the information accessed by analysts
  • QRadar Audit - Offense Closure Report: This report gives an overview of detection capabilities (true vs. false positives), supports SOC statistics, provides information to the CISO, etc.

You can go further in searches and reporting with all the properties included in the content extension:
  • CRE Name
  • Previous CRE Name
  • Rule ID
  • Rule Filters
  • Previous Rule Filters
  • Rule Notes
  • Previous Rule Notes
  • Rule Description
  • Previous Rule Description
  • Offense ID
  • Offense Closed Reason
  • Offense Closed Comment
  • Search Executed
  • API Search ID
  • System Status
  • Command
  • QidMap ID
  • QidMap Name
  • QidMap description


Other Use Cases

The IBM QRadar Analytics Self Monitoring Content Extension provides additional rules around authentication, supplementing the default ones and allowing you to configure a custom threshold for the QRadar devices that shouldn’t be accessed by anyone.

The QRadar Audit: QRadar Hosts rule automatically populates a Reference Set with your deployment’s IP addresses, offering an easy option for rule customization (additional detection or false-positive exclusions).


The IBM QRadar Analytics Self Monitoring Content Extension also includes a Pulse dashboard, which gives a global overview of your environment.

QRadar configuration

Install the Content Extension

The IBM QRadar Analytics Self Monitoring Content Extension is dedicated to QRadar, so once you download it you already have all the prerequisites at your disposal.

Tuning

The content extension is mostly "plug and play". Only one rule requires tuning: QRadar Audit: Potential sensitive file modification. It requires you to add the list of files / directories that you consider sensitive.
As mentioned earlier, the rule QRadar Audit: Payload deleted or modified monitors the data part; only the configuration is left for you to decide.
The rule QRadar Audit: QRadar Host automatically populates the QRadar Deployment Reference Set with the IP addresses of all your QRadar hosts and apps, giving you an easy tool to tune false positives in any rule if necessary.




In conclusion, the only steps are to download the content extension from the App Exchange and follow the instructions provided in the rules for tuning. Please don't hesitate to give us any feedback or ideas: these packs are built for you, so tell us what you need.

