
QRadar Right-Click Customization

By Ibrahim Najmi posted Thu February 21, 2019 07:52 AM

  • Topic: Customizing right-click options on QRadar to enhance Threat Intelligence capabilities


Purpose

The purpose of this tutorial is to show how users can customize the QRadar user interface to improve their Threat Intelligence capabilities. We will walk through two simple step-by-step customizations: IP address lookups and port lookups on external Threat Intelligence websites.


Prerequisites

To complete this tutorial, we require root SSH access (port 22) to the QRadar console. For the purpose of this tutorial, we will use the Bitvise SSH Client to complete the steps. The same set of commands can be run from other SSH clients such as PuTTY.


1. IP Address Customization

Upon completion of this customization, the user should be able to gather more information, such as geographic location, WHOIS data, and communicating files about any displayed IP address on the QRadar user interface with just a right-click.

Below are some commonly used and well-known Threat Intelligence sources for IP addresses. In this tutorial, we will add these sources to QRadar. However, the list can be as big as one desires.

  • X-Force Exchange (by default)
  • AbuseIP DB
  • VirusTotal
  • Shodan
  • Threat Crowd
  • ThreatMiner

Below is a screenshot of what we aim to achieve in this tutorial.

Screenshot of right-click menu of an IP Address displaying the Threat Intelligence sources under "Plugin Options"


Step 1: Gathering of Threat Intelligence URLs

Each of our Threat Intelligence sources resides at a specific URL. The first step involves finding the specific search URL for each source. This may be achieved by visiting the website and performing a manual search. Ideally, we aim to find a URL in which the IP address appears explicitly.

For example:

In the URL https://some_website.com/search/1.2.3.4, we can see that the IP address 1.2.3.4 is being mentioned explicitly.

We need such a URL because we will replace the IP address in it with the variable %IP%. This variable is QRadar's notation for the IP address that we right-click. The above URL is therefore transformed into https://some_website.com/search/%IP%.

Below are the final URLs for each of our example Threat Intelligence sources with the IP notation.

Source                      QRadar URL
X-Force Exchange (Default)  https://exchange.xforce.ibmcloud.com/#/ip/%IP%
AbuseIP DB                  https://www.abuseipdb.com/check/%IP%
VirusTotal                  https://www.virustotal.com/#/ip-address/%IP%
Shodan                      https://www.shodan.io/host/%IP%
Threat Crowd                https://www.threatcrowd.org/ip.php?ip=%IP%
ThreatMiner                 https://www.threatminer.org/host.php?q=%IP%


Step 2: Modifying the ip_context_menu.xml file


In this step, we will edit the ip_context_menu.xml file. We will add the newly gathered Threat Intelligence URLs to the XML file.

By default, the ip_context_menu.xml file will already include the X-Force Exchange URL.

To verify this, run the command: cat /opt/qradar/conf/ip_context_menu.xml. We should see an entry for X-Force Exchange as follows:

<menuEntry name="X-Force Exchange Lookup" url="https://exchange.xforce.ibmcloud.com/#/ip/%IP%" />

The process to add new sources is straightforward. We simply need to create a new self-closing <menuEntry/> element for each Threat Intelligence source.

Below are the entries for our sources.

<menuEntry name="AbuseIP DB Lookup" url="https://www.abuseipdb.com/check/%IP%" />
<menuEntry name="VirusTotal Intel" url="https://www.virustotal.com/#/ip-address/%IP%" />
<menuEntry name="Shodan.io Intel" url="https://www.shodan.io/host/%IP%" />
<menuEntry name="Threatcrowd Intel" url="https://www.threatcrowd.org/ip.php?ip=%IP%" />
<menuEntry name="ThreatMiner Intel" url="https://www.threatminer.org/host.php?q=%IP%" />


Once completed, save and close the file.

For the changes to take effect, the QRadar UI needs to be restarted. This can be done by issuing the command: systemctl restart tomcat
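As an added example (not part of the original post and not an IBM tool), here is a pre-restart sanity check for ip_context_menu.xml: it parses the file, verifies that every menuEntry has a name and a URL containing the %IP% placeholder, flags non-https URLs (the looked-up address would otherwise leave the analyst's browser in clear text), and shows the concrete URL each entry will open for a sample address. The sample XML is constructed for the example; the root element name of the real file is not assumed, since only menuEntry elements are inspected.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed sample: two working entries from the post plus one deliberately
# broken entry (no %IP% placeholder) so the check has something to report.
SAMPLE_XML = """<contextMenu>
  <menuEntry name="X-Force Exchange Lookup" url="https://exchange.xforce.ibmcloud.com/#/ip/%IP%" />
  <menuEntry name="AbuseIP DB Lookup" url="https://www.abuseipdb.com/check/%IP%" />
  <menuEntry name="Broken Entry" url="https://lookup.example/check" />
</contextMenu>"""


def check_menu_entries(xml_text, sample_ip="1.1.1.1"):
    """Return (problems, rendered) for every <menuEntry> in xml_text.

    problems: findings to fix before restarting tomcat (empty = looks good)
    rendered: {entry name: URL the right-click opens for sample_ip}
    """
    problems, rendered, seen = [], {}, set()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed file is the usual reason the menu vanishes after a restart.
        return [f"XML is not well-formed: {exc}"], rendered
    for entry in root.iter("menuEntry"):  # root element name is not assumed
        name = (entry.get("name") or "").strip()
        url = (entry.get("url") or "").strip()
        if not name:
            problems.append("menuEntry without a name attribute")
            continue
        if name in seen:
            problems.append(f"duplicate menuEntry name: {name}")
        seen.add(name)
        if "%IP%" not in url:
            problems.append(f"{name}: url lacks the %IP% placeholder")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{name}: url is not https; the looked-up IP is sent in clear text")
        # Percent-encode the value so a non-IP string cannot alter the URL path.
        rendered[name] = url.replace("%IP%", quote(sample_ip, safe=""))
    return problems, rendered


if __name__ == "__main__":
    import sys
    # Pass /opt/qradar/conf/ip_context_menu.xml as argv[1] to check the real file.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    found, urls = check_menu_entries(text)
    for line in found or ["no problems found"]:
        print("!", line)
    for name, url in urls.items():
        print(f"{name}: {url}")
```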


Step 3: Testing


Upon the completion of the above step, launch the QRadar user interface via a web browser. Navigate to the Offenses, Log Activity or Network Activity tab. Right-click on any IP address. For example, any IP address listed under the Source IP or Destination IP columns.

The right-click should reveal either:

  • More Options... > Plugin options... > {Threat Intelligence Source}
  • Plugin options... > {Threat Intelligence Source}


Click on your desired source and a new window should pop up with the content. Below is a screenshot of the IP address 1.1.1.1 on AbuseIP DB.

Screenshot of AbuseIP DB showing results for the IP address 1.1.1.1


2. Destination Port Customization


Upon completion of this customization, the user should be able to gather more information, such as protocols, services, and known vulnerabilities about any displayed destination port on the QRadar user interface with just a right-click.

In this tutorial, we will add the Speed Guide TCP/IP Ports Database, a well-known Threat Intelligence source for port assignments.

Below is a screenshot of what we aim to achieve in this tutorial.

Screenshot of right-click menu of a Destination Port displaying the Threat Intelligence source under "Plugin Options"


Step 1: Gathering of Threat Intelligence URL


Similar to the customization above, we need to specify a search URL where the port is mentioned explicitly. In our case, the URL would be:

http://www.speedguide.net/port.php?port=<insert_some_port_here>

To use this URL with QRadar, we need to replace the port with the $destinationPort$ variable. This variable is QRadar's notation for the destination port that we right-click.

Below is the final URL for our example Threat Intelligence source with the destination port notation:

http://www.speedguide.net/port.php?port=$destinationPort$


Step 2: Modifying the arielRightClick.properties file


In the next step, we will edit the arielRightClick.properties file. We will add the newly gathered Threat Intelligence URL from the above step to this file.

Add the following lines of code to the file:

pluginActions=qidwebUrlAction,sourcePortScriptAction
qidwebUrlAction.arielProperty=destinationPort
qidwebUrlAction.text=Search on Port Guide
qidwebUrlAction.url=http://www.speedguide.net/port.php?port=$destinationPort$

In the above lines, the following fields matter:

  • arielProperty specifies which field displays the option when right-clicked. In our case, we want to enable the Threat Intelligence source as a right-click option on a destination port.
  • text specifies the text which is displayed as an option.
  • url specifies the QRadar-friendly URL that we constructed above.

Once completed, save and close the file.

For the changes to take effect, the QRadar web server needs to be restarted. This can be done by clicking on the Restart Web Server button navigable via Admin > Advanced > Restart Web Server.
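As an added example (not from the post and not an IBM tool), a consistency check for the arielRightClick.properties lines: it confirms that every action named in pluginActions defines its arielProperty, text and url keys, that the url references the matching $<arielProperty>$ variable, and it renders the URL for a given port value. The sample text is the fragment above, embedded inline; run on it, the check also reports sourcePortScriptAction, which pluginActions lists but the fragment does not define.

```python
# Constructed sample: the exact fragment from the post.
SAMPLE_PROPERTIES = """\
pluginActions=qidwebUrlAction,sourcePortScriptAction
qidwebUrlAction.arielProperty=destinationPort
qidwebUrlAction.text=Search on Port Guide
qidwebUrlAction.url=http://www.speedguide.net/port.php?port=$destinationPort$
"""

REQUIRED_KEYS = ("arielProperty", "text", "url")


def parse_properties(text):
    """Minimal Java-style .properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_plugin_actions(text):
    """Return findings for every action named in pluginActions (empty = consistent)."""
    props = parse_properties(text)
    actions = [a.strip() for a in props.get("pluginActions", "").split(",") if a.strip()]
    if not actions:
        return ["pluginActions is missing or empty"]
    findings = []
    for action in actions:
        missing = [k for k in REQUIRED_KEYS if f"{action}.{k}" not in props]
        if missing:
            findings.append(f"{action}: missing {', '.join(missing)}")
            continue
        prop, url = props[f"{action}.arielProperty"], props[f"{action}.url"]
        if f"${prop}$" not in url:
            findings.append(f"{action}: url does not use the ${prop}$ variable")
        if url.lower().startswith("http://"):
            findings.append(f"{action}: url is plain http, so the lookup is not encrypted")
    return findings


def render_url(text, action, value):
    """Build the URL the menu item will open for one field value (e.g. port 135)."""
    props = parse_properties(text)
    prop = props[f"{action}.arielProperty"]
    return props[f"{action}.url"].replace(f"${prop}$", str(value))


if __name__ == "__main__":
    for finding in check_plugin_actions(SAMPLE_PROPERTIES) or ["no problems found"]:
        print("!", finding)
    print(render_url(SAMPLE_PROPERTIES, "qidwebUrlAction", 135))
```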


Step 3: Testing


Upon the completion of the above step, launch the QRadar user interface via a web browser. Navigate to the Offenses, Log Activity or Network Activity tab. Right-click on any destination port. For example, any port listed under the Destination Port column.

The right-click should reveal:

  • Plugin options... > Search on Port Guide

Click on your desired source and a new window should pop up with the content. Here is a screenshot of port 135 on the Speed Guide Ports Database:

Screenshot of Speed Guide Ports Database showing results for the port 135


Conclusion


In this tutorial, we went through two step-by-step processes for customizing the QRadar user interface to enhance the analysis process. We added various Threat Intelligence sources for IP addresses and destination ports. As we have seen, the customizations simply involve gathering the right URLs in QRadar notation and editing certain system files with the correct syntax.

