IBM QRadar

In case you've missed it: This is what happened so far in 2021 with QRadar security content

By Gladys Koskas posted Wed June 30, 2021 09:33 AM

We're halfway through the year, and you're probably thinking of a way to escape during the summer... I'll be honest, me too!
But in the meantime I figured it would still be a good idea to share with you some highlights of what happened in H1 2021 on the security content side, plus a few content essentials!

What's new

Additional content for Hybrid-Cloud environments

The Hybrid Cloud Use Cases content extension provides rules and reports to support hybrid environments using AWS, Azure, Office 365 and VMware.

The pack contains 37 rules and building blocks covering topics like VM sprawl, rights management, suspicious authentication activity and suspicious resource management, to name only a few.


We wrote a blog post discussing a few of the use cases in detail: Detect suspicious activity in your AWS, Azure, VMware and O365 environments

We also published another blog post related to this pack, dedicated to VMware and CVE-2021-21985: How can QRadar help with VMware monitoring and the CVE-2021-21985 publication?

Content extension | Update date | Update description
IBM Security QRadar Content Extension for Hybrid Cloud Use Cases | May 26, 2021 | 12 new custom properties; 18 new custom rules and building blocks; 7 new saved searches; 2 new reports
IBM QRadar Custom Properties for VMware | Apr 29, 2021 | New custom property expression for Role Name
IBM QRadar Content Extension for Amazon AWS | Jun 7, 2021 | 19 new custom properties for Amazon AWS Application Load Balancer Access Logs; 1 new custom property, Finding ID, for Amazon GuardDuty
IBM QRadar Content Extension for Office 365 | Mar 29, 2021 | New custom properties: Role Name, ObjectName, Audit Flag, Policy Name, ObjectType, Content Information, Search Executed
IBM QRadar Content Extension for Azure | May 21, 2021 | New custom properties: AccountID, Alert Severity, Object ID, Object Type, MFA Used, Volume ID, User ID; new custom property expressions for Role Name, Target User Name

CEP Rebaselining

In QRadar, thanks to the DSMs, every source IP lands in the Source IP field and every username in the Username field. Makes sense! So why should it be any different for other properties such as URL, Filename or Threat Name?
In reality it shouldn't...

The issue is that a lot of custom properties have been released since 2008, and when many people work on a gigantic topic over that long, things can drift a little, so a cleanup session becomes necessary.



Bear with me and I'll give you a good example!
We used to have "BytesReceived", "Bytes From Server" and "ReceivedBytes" for devices such as firewalls, proxies, etc.
As of 7.4.3 this is no longer the case! These 3 properties have been linked behind a single alias called "Bytes Received", so one search or rule written against the alias covers all three device types.


To learn more about the project, please visit Wendy's blog post QRadar 7.4.3: Custom Event Property Rebaselining!, which includes a 5-minute video with great explanations!


Speaking of Wendy, she is so cool that she also recorded a 2-minute video showing you how to quickly search for relevant content in the Use Case Manager app!



New custom properties have been released

Custom properties have been released for 6 new devices, and 3 existing packs have been updated.

Content extension | Update date | Update description
IBM Security QRadar Custom Properties for Apache | Jun 7, 2021 | New content pack including 10 custom properties
IBM QRadar Content Extension for Amazon AWS (Load Balancer) | Jun 7, 2021 | 19 new custom properties for Amazon AWS Application Load Balancer Access Logs; 1 new custom property, Finding ID, for Amazon GuardDuty
IBM QRadar Custom Properties for Cisco Firepower (Syslog) | Apr 29, 2021 | New content pack including 19 custom properties
IBM Security QRadar Custom Properties for Microsoft IIS | Apr 29, 2021 | New content pack including 10 custom properties
IBM QRadar Custom Properties for Microsoft Windows (German) | Apr 15, 2021 | New content pack including 21 custom properties
IBM QRadar Content Extension for Amazon AWS (GuardDuty) | Mar 30, 2021 | 18 new custom properties for Amazon GuardDuty
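To make the CEP rebaselining section and these custom property packs concrete, here is a small Python model I have added (it is not code from this post, from IBM, or from any QRadar content pack). It treats a custom event property the way QRadar does, as a regex with one capture group applied to the raw payload, and then puts the three legacy byte-count names from the rebaselining example behind the "Bytes Received" alias. The device names, payloads and regexes are constructed assumptions; only the alias mapping comes from the post. The byte-count summation at the end shows the practical difference: a rule written against one legacy spelling only sees one device type, while the alias covers all three.

```python
import re

# Constructed sample events, one per device type (not real QRadar payloads).
SAMPLE_EVENTS = [
    {"device": "firewall-a",
     "payload": "action=allow src=10.0.0.5 dst=203.0.113.7 BytesReceived=5120"},
    {"device": "proxy-b",
     "payload": "user=alice url=http://example.test/ Bytes From Server=98304"},
    {"device": "firewall-c",
     "payload": "ReceivedBytes=2048 src=10.0.0.9 dst=203.0.113.9"},
]

# Per-device custom property definitions: property name -> regex with one capture
# group over the raw payload, which is how a QRadar custom event property works.
# The device names and regexes are assumptions for this illustration.
CUSTOM_PROPERTIES = {
    "firewall-a": {"BytesReceived": r"\bBytesReceived=(\d+)"},
    "proxy-b": {"Bytes From Server": r"\bBytes From Server=(\d+)"},
    "firewall-c": {"ReceivedBytes": r"\bReceivedBytes=(\d+)"},
}

# The 7.4.3 alias described in the post: three legacy names behind "Bytes Received".
ALIASES = {
    "Bytes Received": {"BytesReceived", "Bytes From Server", "ReceivedBytes"},
}


def extract_properties(event):
    """Apply the device's custom property regexes to the payload.

    Returns {property_name: captured_string}. A property whose regex does not
    match is simply absent, as in QRadar (no partial or default value).
    """
    props = {}
    for name, pattern in CUSTOM_PROPERTIES.get(event["device"], {}).items():
        match = re.search(pattern, event["payload"])
        if match:
            props[name] = match.group(1)
    return props


def apply_aliases(props):
    """Add each alias whose member property was extracted, keeping the originals.

    Returns a new dict, so rules written against a legacy name keep working
    while new rules and searches can use the alias.
    """
    out = dict(props)
    for alias, members in ALIASES.items():
        for member in members:
            if member in props:
                out[alias] = props[member]
                break
    return out


def sum_property(events, property_name, rebaselined):
    """Sum an integer property over events, as a byte-count rule or report
    would; with rebaselined=False the alias layer is skipped (pre-7.4.3)."""
    total = 0
    for event in events:
        props = extract_properties(event)
        if rebaselined:
            props = apply_aliases(props)
        if property_name in props:
            total += int(props[property_name])
    return total


def coverage(events, property_name, rebaselined):
    """Number of events on which the property is populated at all."""
    count = 0
    for event in events:
        props = extract_properties(event)
        if rebaselined:
            props = apply_aliases(props)
        if property_name in props:
            count += 1
    return count


if __name__ == "__main__":
    # Before rebaselining, a search on one spelling sees only one device type.
    print("BytesReceived, legacy:", sum_property(SAMPLE_EVENTS, "BytesReceived", False))
    # After rebaselining, "Bytes Received" covers firewall and proxy events alike.
    print("Bytes Received, 7.4.3:", sum_property(SAMPLE_EVENTS, "Bytes Received", True))
```

The coverage() helper is the check worth running against your own content: if a rule or report references one of the legacy names, count how many of your log sources actually populate it, then compare with the alias; the gap is the events your rule has been silently missing.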



F5 vulnerability announcement

In March, F5 announced 7 vulnerabilities and fixes for both BIG-IP and BIG-IQ.
If you are interested in learning how to monitor services, implement management interface monitoring, watch for suspicious commands or get an overview of patching status, please have a look at our dedicated blog post, F5 vulnerability announcement and QRadar monitoring.

Content essentials

We have already talked a lot about these packs, so I'll be concise and use this section as a small library where you can find all the content you need.

QRadar Self Monitoring

-> Purpose: Securing QRadar itself and meeting compliance requirements
-> Blog: Did you think of monitoring QRadar ?
-> Pack on the App Exchange: IBM QRadar Security Analytics Self Monitoring
 

Endpoint Content Extension

-> Purpose: Monitoring of Windows (Security event logs, Sysmon and PowerShell) and Linux (Auditd)
-> Blog #1: Endpoint monitoring essentials for QRadar
-> Blog #2: Anatomy of a ransomware attack
-> Pack on the App Exchange: IBM QRadar Endpoint Content Extension

 

Data Exfiltration

-> Purpose: Monitoring Exfiltration with Cloud, Mail, Proxy, Firewall, IDS/IPS, DLP devices
-> Blog: Need help to monitor data exfiltration ?
-> Pack on the App Exchange: IBM QRadar Data Exfiltration Content Extension


If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
