IBM QRadar

 View Only

Reaqta and Randori content

By Gladys Koskas posted Tue March 21, 2023 10:50 AM

  

Hi guys

I can tell you already, 2023 is going to be a busy year, and it already started with the release of new integrations for Reaqta and Randori!

This post describes everything about the parsing of these two sources as well as the detection content that has been released for them.

Normalization

Reaqta

DSM

The DSM for Reaqta gets installed with auto-updates. If auto-updates are not enabled, you can download the most recent version of the RPMs from the IBM support website (https://www.ibm.com/support).

    • PROTOCOL IBMSecurityReaQtaRESTAPI RPM
    • DSM - IBMSecurityReaQta DSM RPM

DSM documentation can be found here.

Custom Properties

As for the Custom Properties, you can find the IBM Security QRadar Custom Properties for IBM Security ReaQta here on the App Exchange.

You can find all the necessary information parsed to create content such as Alert information (severity, impact, relevance, threat category, privilege level, etc), File info (name, directory, hash, size, etc). Details can be found in the documentation.

Randori

DSM

The DSM for Randori gets installed with auto-updates. Here again, if auto-updates are not enabled, you can download the most recent version of the RPMs from the IBM support website (https://www.ibm.com/support).

    • PROTOCOL IBMSecurityRandoriRESTAPI RPM
    • DSM IBMSecurityRandoriRESTAPI DSM RPM

DSM documentation can be found here.

Custom Properties

Just recently we also released the IBM Security QRadar Custom Properties for Randori here on the App Exchange. Once again you can find all the necessary information to create your own content, such as the criticality, the temptation, the priority and other characteristics (certificates, expired SSL, login pages, etc). All the details can be found in the documentation page.

Detection content

Today I am talking about ReaQta and Randori in the same blog post because they both have related content added to the IBM QRadar Security Threat Monitoring Content Extension.

ReaQta

Collecting ReaQta logs on top of the SIEM logs can help to:
  1. Increase the chances to detect some techniques that require a succession of events with higher credibility
  2. Add context and have a global view. An EDR alert can be in the same offense (or SOAR case) as firewall events tracking suspicious IOC or exchange logs tracking phishing emails, and help understand the big picture quicker than if you were looking at isolated events
  3. Create a unique view for the SOC operators where all the incidents can be prioritized globally
A simple rule example to accomplish this could be:
Apply Severe Alert from ReaQta on events which are detected by the Local system
and when the event matches Alert Severity (custom) is any of [medium or high]
and when the event matches Impact Level (custom) is greater than or equal to 75

It just needs the appropriate response to fit in your process.

 

On our side we included the IBM Security ReaQta log source type to the BB:DeviceDefinition: Endpoint Protection Devices in the Threat content extension, which means that all the rules using that Building Block will now trigger offenses when the conditions are met.

Here is the list of default rules:

These rules are meant to make use of the detection devices information and make a zoom-out from the alerts to identify :
  • if a threat is spreading through the network,
  • if a single machine is a threats incubator
  • if a threat gets cleaned but persist because only part of the threat has been removed or because the user keeps doing something that they shouldn't. 

This is how it looks like in the Log Activity:

The BB:DeviceDefinition: Endpoint Protection Devices can be reused to create many other rules and other types of content such as dashboards or reports.
Talking about dashboards, our unique @Alexandra Hurtado did an incredible job and created one dedicated to ReaQta. Here is what it looks like

You can get this dashboard here on the community !

Randori

Rules

A few rules have been added to monitor the events sent by Randori. Basically everything is around new target discoveries and change in the target priority and temptation which are of the most interesting informations to look at in terms of prioritization.

The Priority is a value between 0 and 200. It can be categorized under 3 levels:

  • Low: 0 - 20
  • Medium: 21 - 40
  • High: > 40

The rule New High Priority Target Detected is configured to open an offense when a new target with a score higher than 41 has been discovered and adds the Target ID to a Reference Set.

When the priority goes down, the Target ID is removed from the Reference Set. 

This means that only the high priority targets are stored in the Reference Set and can be used in other rules or types of content.

There are 4 levels of Temptation:

  • Low: 0-14
  • Medium: 15-29
  • High: 30-39
  • Critical > 40

In a similar way to the Priority value, there are 2 rules monitoring the High and Critical Temptation Targets (opening an offense and feeding Reference Sets), and 2 rules removing the target ID when the level goes down.

Dashboard

Another addition has been made to the Threat content extension. We've created an "Attack Surface Management Devices Overview", which provides a view on all the indicators we have talked about previously, as well as the most risky ports (to tune according to your needs).

I haven't described it in a while, so here are the steps to install the Dashboard:

  • Go to the Admin Tab. Click on Pulse - Dashboard

  • Then on Synchronize 
  • Go back to your Pulse app and click on New Dashboard. Select Templates
  • Select the Attack Surface Management dashboard and click on Install
That's it !
That's all I had to share today, I hope this helps and that you'll be able to create all the content you need with this base. 
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
0 comments
52 views

Permalink