Introduction
Have you already tried QRadar CE (Community Edition)?
By adding DSMs you can keep extending the set of logs it supports, so you can ingest and analyze many kinds of logs. For common logs such as Windows, simply configuring them according to the documented procedure gives you normalized logs.
Although the range of supported DSMs is wide, there are log formats that are not supported out of the box, such as logs from custom applications.
To be able to process logs in arbitrary formats, QRadar provides a feature called the DSM Editor.
With the DSM Editor you can customize how QRadar parses event data.
There are broadly two situations in which the DSM Editor is used:
- overriding the parsing of, or adding properties to, an event source that is supported out of the box; and
- defining the parsing for a custom log source.
This article covers the second case: parsing a custom log source.
A DSM for a custom log source is sometimes called a Universal DSM or uDSM. Strictly speaking the two are not identical, because some of the DSMs supported out of the box also use the Universal DSM internally; within the scope of this article, though, treating them as roughly the same causes no problems.
A concept that appears alongside DSMs is the "protocol".
"Protocol" is of course a general technical term, but in QRadar a "protocol" is something that is installed and configured as a module.
The DSM parses and normalizes the payload after the protocol has processed it.
There are support restrictions on which DSMs can be combined with which protocols, so they cannot be swapped around freely; many DSMs, however, support several protocols.
In particular, the Universal DSM, the base feature on which custom DSMs are built, supports many protocols.
Overview of the DSM Editor
The DSM Editor is a unified front end for creating and configuring several different internal components, and for testing and simulating them (the preview feature).
The DSM Editor lets you configure the following.
- Log source extension
  - Controls how parsing behaves for QRadar's standardized/normalized fields.
  - Properties included in a log source extension:
    - EventName (event ID) ★
    - EventCategory (event category) ★
    - SourceIp (source IP), SourcePort (source port)
    - DestinationIp (destination IP), DestinationPort (destination port)
    - SourceIpPreNAT (source IP before NAT), SourceIpPostNAT (source IP after NAT), SourcePortPreNAT (source port before NAT), SourcePortPostNAT (source port after NAT)
    - DestinationIpPreNAT (destination IP before NAT), DestinationIpPostNAT (destination IP after NAT), DestinationPortPreNAT (destination port before NAT), DestinationPortPostNAT (destination port after NAT)
    - SourceMAC (source MAC)
    - DestinationMAC (destination MAC)
    - SourceIpv6 (IPv6 source)
    - DestinationIpv6 (IPv6 destination)
    - DeviceTime (log source time)
    - Protocol (protocol)
    - UserName (user name)
    - HostName (identity host name)
    - GroupName (identity group name)
    - NetBIOSName (identity NetBIOS name)
    - ExtraIdentityData (identity extra field)
  - ★ The event ID and event category definitions are mandatory.
- Custom properties
  - Used to define arbitrary additional properties that are not part of the log source extension (URLs, hash values, and so on).
- QID map entries
  - A QID is a record (event name / event description / low-level category) that makes up QRadar's dictionary of event types.
  - For each normalized event, QRadar holds its name and description, its severity, its low-level category, and a globally unique QID value.
  - Each low-level category (LLC) belongs to a high-level category (HLC).
  - Examples of high-level categories (HLC): Authentication, Access, Exploit, Malware, Policy, and so on.
  - Examples of low-level categories (LLC), for the HLC "Authentication": SSH Session Started, RADIUS Authentication Failed, FTP Logout, Admin Session Started, and so on.
  - For the categories defined in QRadar, see "Event categories".
  - Tip: thanks to categories, even with a mix of firewalls, operating systems and so on from several vendors, an event such as "authentication failed" can be handled uniformly as meaning "authentication failed" whichever log it came from.
- Event mapping
  - Associates the event keys (event ID and event category) produced by a DSM or log source extension with QID records.
Starting and using the DSM Editor
The DSM Editor can be reached both from the "Log Activity" tab and from the "Admin" tab, which makes it easy to respond to changes in events.
Start the DSM Editor in either of the following ways.
From the "≡" menu, click "Admin".
In the navigation menu, click "Data Sources" > "DSM Editor".

or
Click the "Log Activity" tab.
Select one or more events.
In the navigation menu, select "Actions" > "DSM Editor".

The second method is convenient when, for example, you want to add a definition for a log format that an already created custom DSM does not yet cover.
Note: the figure below is for reference only; historical correlation is not available in QRadar CE.
About the sample log
The sample log used in this article can be downloaded below.
It is UTF-8 encoded (no BOM) with LF line endings.
SampleLog.log
When defining a DSM for a custom log, it is important to enumerate every pattern of log format that exists.
This sample log contains a mixture of the following four log formats.

```
2020/10/20 23:22,認証プロセス,[548],認証の試行 username=user name パスワードは正しいが不正なパス。 ip=172.30.34.90
2020/10/20 23:23,認証プロセス,[18060],認証の成功 username=user name ip=172.30.34.90 port=53026
2020/10/20 0:30,認証プロセス,[9279],セッション・オープン username=user name
2020/10/20 0:30,認証プロセス,[9279],セッション・クローズ username=user name
```

Tip: a real system is likely to emit many more log patterns than this, so you may not be able to enumerate every pattern up front. Logs for which no normalization mapping exists are recorded under a special category, "Unknown". Because you can narrow searches to that category, or alert on it, you can refine a custom DSM over time by continuing to add definitions for unknown formats in the DSM Editor while operating QRadar.
The flow from the sample log to normalized events is shown in the figure below.

At first glance this looks a little complex, but all of it is configured in the DSM Editor GUI, so there is no need to create or edit XML definitions, dependencies and the like by hand.
Exercise 1: Creating a custom DSM
To create a DSM for a custom log, first create a dedicated log source type.
Next, load the contents of the sample log into the DSM Editor and extract the mandatory and optional properties while checking them on screen.
Finally, map each extracted log format to a normalized event, producing a configuration suited to use in correlation analysis.
1-1: Creating the log source type
First, create a dedicated log source type.
You could use the "Universal DSM" type as it is, but this is not recommended, for reasons of filter flexibility and performance tuning.
Start the DSM Editor with the first of the methods described in "Starting and using the DSM Editor": click "Admin" from the "≡" menu.
"Select Log Source Type" is displayed; click "Create New".
Enter "TrainingSampleLog" (※) as the "Log Source Type Name".
※ Caution: if you want to skip this exercise and import the custom DSM definition below as it is, do not use the name TrainingSampleLog. If QRadar already has a log source type with the same name, the import fails.
To use the definition sample already created in the DSM Editor, download the file below, click "Admin" from the "≡" menu, and import it by choosing "Add" under "System Configuration" > "Extensions Management". TrainingSampleLog-20201107164146.zip
※ Because this is not content officially published by IBM, a signature error is shown at import time.
Tip: for the same reason, it is advisable to avoid, as the log source type name of a custom DSM, any name that IBM or a vendor might plausibly use if they were to officially provide a DSM (even if none exists today). Reduce the chance of a collision, for example by prefixing the name with your organization's name.
In the original screen, pick the newly created TrainingSampleLog from the list and click "Select".

The DSM Editor opens.

Before proceeding to the next step, paste the sampling data for the sample log into the "Workspace".
Click the pencil icon at the top right to enter edit mode, copy and paste the text below, and click the check-mark icon.

```
<182>Nov 07 16:39:38 1.1.1.1 2020/10/20 23:22,認証プロセス,[548],認証の試行 username=user name パスワードは正しいが不正なパス。 ip=172.30.34.90
<182>Nov 07 16:39:39 1.1.1.1 2020/10/20 23:23,認証プロセス,[18060],認証の成功 username=user name ip=172.30.34.90 port=53026
<182>Nov 07 16:39:40 1.1.1.1 2020/10/20 0:30,認証プロセス,[9279],セッション・オープン username=user name
<182>Nov 07 16:39:41 1.1.1.1 2020/10/20 0:30,認証プロセス,[9279],セッション・クローズ username=user name
```

To obtain the same content as a text file, download it from "Sample log sampling data".

The lower pane, "Log Activity Preview", then previews the data as one line = one record.
Tip: when pasting the sampling data into the "Workspace", make sure to put a line break at the end of the last line. Otherwise the decision about whether something is at the end of a line, for example when extracting a property with a regular expression, may be affected.
The log sample shown in "About the sample log" can also be used directly as sampling data in the DSM Editor, but note that when the real log is received via Syslog, the payload carries a Syslog header. What was the start of the line on screen may not be the start of the line in the actual payload, which can affect how you write regular expressions. The Syslog header part can be a dummy; for example, prefixing each line in a text editor with <182>Nov 07 16:39:38 1.1.1.1 (followed by a single ASCII space) handles this.
1-2: Extracting standard and custom properties
In this exercise, the following properties are extracted from the sample log, which contains four log formats.

| Kind | Property name | Sample text | Expression type | Example definition | Notes |
|---|---|---|---|---|---|
| Standard property | Log Source Time | 2020/10/20 23:23 | Regex | Expression: `(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2})`, Format string: `$1`, Date format: `yyyy/MM/dd hh:mm` | |
| | Event ID ★ | 認証の成功 / 認証の試行 / セッション・オープン / セッション・クローズ | Regex | Expression: `,.*,.*,(.*?)\susername=`, Format string: `$1` | For each log format, a unique value that represents that format must be identified. |
| | Event Category ★ | 認証プロセス | Generic list (CSV) | Expression: `$1`, Delimiter: `,` | If the log contains a string corresponding to a category, extract it. If there is nothing suitable, many DSMs have only one category for the whole log source anyway, so it is fine to specify a fixed string to return. |
| | Username | user name | 1: Regex | Expression: `username=([\w\s]+)$`, Format string: `$1` | For the patterns where the user name is at the end of the line. |
| | | | 2: Regex | Expression: `username=([\w\s]+)\s`, Format string: `$1` | For the patterns where the user name is in the middle of the line. |
| | Source IP | 172.30.34.90 | Regex | Expression: `ip=([0-9.:]*)`, Format string: `$1` | |
| | Source Port | 53026 | Regex | Expression: `port=(\d{1,5})`, Format string: `$1` | |
| Custom property | AuthProcessId | 18060 | Regex | Expression: `,.*,\[(.*)],`, Capture group: 1 | |
How to extract with regular expressions
Define the properties to extract, listed in the table above, in order.
Standard properties are already present in the "Properties" tab, so scroll, or type part of the property name into the filter box, to narrow the list.
Once you have found the property you want ("Log Source Time" in the figure below), tick "Override system behavior".
Select "Regex" as the "Expression Type", write the regular expression in "Expression", and in "Format String" specify the variable corresponding to the regex capture group.
Because "Log Source Time" is a date type, you must also specify, as the "Date Format", a pattern matching the date-time format that appears in the original event.
For example, for "Apr 17 2017 11:29:00" the valid date-time pattern is "MMM dd YYYY HH:mm:ss".
For details on specifying date formats, see the SimpleDateFormat information on the Java web page.
Clicking "OK" reflects the values from the sample log pasted into the "Workspace" in the "Log Activity Preview" pane.
Tip: if no value appears in the preview, there is probably a problem with the definition, and if you click "Save" as it is, real logs will not be parsed correctly.

How to define multiple expressions
If one expression cannot cover every log format pattern, you can specify several expressions by clicking the green "+" button.
The first expression that matches is used, so when the same log format matches more than one expression, the definition order can matter.
You can change the order after defining the expressions by dragging the expression tiles up or down.

How to define a generic list (CSV and the like)
The typical example of a generic list is CSV.
Specify an expression giving the column position to extract and the delimiter, and the value is extracted.

How to add a custom property
The "Properties" tab is pre-populated with the standard properties, but you can also add custom properties manually.
First, click the "+" next to the filter in the "Properties" tab.
At the top of the "Select Custom Property Definition" screen that appears, click "Create New".
Enter "AuthProcessId" as the "Name" and click "Save".

Once a custom property has been added, it can be defined in almost the same way as a standard property.
1-3: Creating event mappings
After extracting properties and defining the distinct events, they must be mapped to event names and high/low-level categories.
Because the sample log contains four log formats, there are four distinct events.

| Event ID | Event category | Event name (unique per QID) | High-level category (HLC) | Low-level category (LLC) | Severity |
|---|---|---|---|---|---|
| 認証の試行 | 認証プロセス | General Authentication Failed | Authentication | General Authentication Failed | 3 |
| 認証の成功 | 認証プロセス | General Authentication Successful | Authentication | General Authentication Successful | 1 |
| セッション・オープン | 認証プロセス | Auth Server Session Opened | Authentication | Auth Server Session Opened | 1 |
| セッション・クローズ | 認証プロセス | Auth Server Session Closed | Authentication | Auth Server Session Closed | 1 |
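As an added example (not code from the article or from QRadar), the Python script below applies the regex and CSV property definitions from the 1-2 table to the syslog-framed sample lines and then looks up the 1-3 event mapping table, the way the DSM Editor preview does: expressions are tried in definition order and the first match wins, and an event key with no mapping falls back to Unknown. The fifth input line is a constructed extra record; re.ASCII is used because Java's \w, unlike Python's, is ASCII-only.

```python
import re
from datetime import datetime

# Constructed input: the four syslog-framed records pasted into the workspace,
# plus one extra (constructed) line whose event ID has no event mapping yet.
SAMPLE_LINES = [
    "<182>Nov 07 16:39:38 1.1.1.1 2020/10/20 23:22,認証プロセス,[548],認証の試行 username=user name パスワードは正しいが不正なパス。 ip=172.30.34.90",
    "<182>Nov 07 16:39:39 1.1.1.1 2020/10/20 23:23,認証プロセス,[18060],認証の成功 username=user name ip=172.30.34.90 port=53026",
    "<182>Nov 07 16:39:40 1.1.1.1 2020/10/20 0:30,認証プロセス,[9279],セッション・オープン username=user name",
    "<182>Nov 07 16:39:41 1.1.1.1 2020/10/20 0:30,認証プロセス,[9279],セッション・クローズ username=user name",
    "<182>Nov 07 16:39:42 1.1.1.1 2020/10/20 0:31,認証プロセス,[9279],パスワード変更 username=user name",
]

# Java's \w (the DSM Editor's regex engine) is ASCII-only; re.ASCII makes Python's
# \w and \s behave the same way, which matters because the payloads contain Japanese.
FLAGS = re.ASCII

# Regex properties from the 1-2 table, each a list of expressions in definition
# order: the first expression that matches wins, so the end-of-line UserName
# pattern is tried before the mid-line one.
REGEX_PROPERTIES = {
    "DeviceTime":    [r"(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2})"],
    "EventName":     [r",.*,.*,(.*?)\susername="],
    "UserName":      [r"username=([\w\s]+)$", r"username=([\w\s]+)\s"],
    "SourceIp":      [r"ip=([0-9.:]*)"],
    "SourcePort":    [r"port=(\d{1,5})"],
    "AuthProcessId": [r",.*,\[(.*)],"],
}

# EventCategory is a generic list (CSV) with delimiter ",": on these lines the
# page's $1 is the field right after the timestamp field, i.e. index 1.
CATEGORY_FIELD = 1

# The 1-3 event mapping table: (event ID, event category) -> QID record.
QID_MAP = {
    ("認証の試行", "認証プロセス"): ("General Authentication Failed", "Authentication", "General Authentication Failed", 3),
    ("認証の成功", "認証プロセス"): ("General Authentication Successful", "Authentication", "General Authentication Successful", 1),
    ("セッション・オープン", "認証プロセス"): ("Auth Server Session Opened", "Authentication", "Auth Server Session Opened", 1),
    ("セッション・クローズ", "認証プロセス"): ("Auth Server Session Closed", "Authentication", "Auth Server Session Closed", 1),
}

def first_match(patterns, payload):
    """Capture group 1 of the first pattern that matches, or None if none does."""
    for pattern in patterns:
        m = re.search(pattern, payload, FLAGS)
        if m:
            return m.group(1)
    return None

def extract_properties(payload):
    """Apply the regex and CSV property definitions to one syslog payload."""
    props = {name: first_match(pats, payload) for name, pats in REGEX_PROPERTIES.items()}
    fields = payload.split(",")
    props["EventCategory"] = fields[CATEGORY_FIELD] if len(fields) > CATEGORY_FIELD else None
    # SimpleDateFormat's 'hh' is the 12-hour field; a 24-hour value such as 23:22
    # needs 'HH', which is what strptime's %H corresponds to.
    if props["DeviceTime"]:
        props["DeviceTime"] = datetime.strptime(props["DeviceTime"], "%Y/%m/%d %H:%M")
    return props

def normalize(payload):
    """Extract properties and attach the QID record; unmapped events become Unknown."""
    props = extract_properties(payload)
    key = (props["EventName"], props["EventCategory"])
    qid_name, hlc, llc, severity = QID_MAP.get(key, ("Unknown", "Unknown", "Unknown", None))
    props.update(QidName=qid_name, HighLevelCategory=hlc, LowLevelCategory=llc, Severity=severity)
    return props

def normalize_all(lines=SAMPLE_LINES):
    """Normalize every line, as the Log Activity Preview would (one line = one record)."""
    return [normalize(line) for line in lines]

if __name__ == "__main__":
    for ev in normalize_all():
        print(ev["DeviceTime"], ev["QidName"], ev["UserName"], ev["SourceIp"], ev["AuthProcessId"])
```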
How to define event mappings
In the DSM Editor's "Event Mappings" tab, enter the combinations of "Event ID" and "Event Category" that should be mapped to QIDs.
This provides metadata for the events the system has seen, which can then be used when building rules and the like.
Click the "+" icon to show the "Create a new Event Mapping" screen, enter the "Event ID" and "Event Category", and click "Choose QID".

A QID can be newly created or chosen from existing events.
At the top of the "QID Records" screen, "High Level Category", "Low Level Category" and "Log Source Type" are drop-down lists that can be narrowed by typing a keyword.
In "QID/Name" you can type a keyword directly to narrow the results shown when you click "Search".
Once you have identified a suitable event, select it and click "OK".
Here we create a new event, so click "Create New QID Record".

Create the new event in the "QID Records" screen.
First, enter the "Name" and "Description".
The predefined events associated with existing DSMs such as the "Universal DSM" are a useful reference.
Next, confirm that the TrainingSampleLog being edited is selected as the "Log Source Type".
Assign the "High Level Category" and "Low Level Category".
Here too, the predefined events associated with existing DSMs such as the "Universal DSM" are a useful reference.
Tip: for the events and categories defined in the Universal DSM, see Universal_DSM.csv.
Finally, assign the "Severity" (on a scale of 10) and click "Save".

The newly created QID record is displayed and selected in the "QID Records" screen; click "OK".

The "Create a new Event Mapping" screen then appears; click "Create".

Repeat this for each unique log format (four times in total) to complete the event mappings.
The "Log Activity Preview" is refreshed, and you can see the configured values in the "Event Name" and associated "Low Level Category" columns for each log format.

Finally, click "Save" to exit the DSM Editor.
Exercise 2: Testing the custom DSM [searching]
Let's confirm that the newly created custom DSM works.
Download SampleLog.log and send it to QRadar CE in Syslog format.

2-1: Defining the log source
QRadar can auto-detect and create log sources, but the custom DSM created here has no auto-detection configured.
Therefore, first create a log source definition.
From the "≡" menu, click "Admin".
In the navigation menu, click "Data Sources" > "Log Sources".
Click "Add" and enter the following.

| Field | Value |
|---|---|
| Log Source Name | TrainingSample (any name) |
| Log Source Description | any description |
| Log Source Type | TrainingSampleLog (the name of the log source type created in the DSM Editor) |
| Protocol Configuration | Syslog (it may be shown as undocumented; this is not a problem) |
| Log Source Identifier | 1.1.1.1 (any IP address; match it to what the log sending tool, such as logrun.pl, specifies) |
| Enabled | ✔ |
| Coalescing Events | untick (to make checking easier during the test) |
| Incoming Payload Encoding | UTF-8 |
| Store Event Payload | ✔ |
| Log Source Extension | TrainingSampleLogCustom_ext (the one corresponding to the log source type created in the DSM Editor) |

The "Admin" screen now shows the warning "There are undeployed changes. Click 'Deploy Changes' to deploy them." Click "Deploy Changes" so that the added log source takes effect in the system.
2-2: Replaying the sample log
When the sample log is replayed, the normalized events are shown in the "Log Activity" tab.
However, many of QRadar's own management events are also flowing, so you may miss the events you want to see.
It is therefore advisable to set up a filter in advance.

Filter setup
First, open the "Log Activity" tab.
Click "Add Filter" and enter the following.
- Parameter: Log Source [Indexed]
- Operator: Equals
- Value (Log Source): TrainingSample (the name you chose in the log source definition)

From now on, the "Log Activity" tab shows only logs from the custom DSM added here.

How to replay the sample log
There are several ways to replay the sample log.
The first is the log upload and replay feature of the Experience Center app introduced in "Let's run use cases with the QRadar Experience Center app, ideal for learning SIEM".
Selecting the "Upload logs to QRadar" menu in the Experience Center app lets you upload any log file by clicking the "Select File" button; upload SampleLog.log.
After uploading, click "Next" to move to the next screen, where there is a "▶" button that replays the uploaded log.
You can specify the Log Source Identifier here; set the same IP address as in the log source definition before replaying.

Because this is a learning app, the log replay rate is set fairly low; if you want to move through the tests quickly, logrun.pl, described next, may be the better option.
The second method is logrun.pl, a script bundled with QRadar CE.
The syntax of logrun.pl is as follows.

```
/opt/qradar/bin/logrun.pl [-d <host>] [-p <port>] [-f filename] [-u <IP>] [-l] [-t] [-b] [-n NAME] [-v] <messages per second>
-d : destination syslog host (default 127.0.0.1)
-p : destination port (default 514)
-f : file to read (default readme.syslog)
-b : burst the same message at 20% of the delay interval
-t : use TCP instead of UDP to send the syslogs
-v : show details of the lines read from the file
-n : use NAME as the object name in the syslog header
-l : loop forever
-u : use IP as the spoofed originator (by default no IP header is sent)
```

First, transfer SampleLog.log to the QRadar CE host with any SSH-capable file transfer tool such as WinSCP.
Any directory can be used, for example /root.
Next, log in to the QRadar CE console with any SSH terminal software such as PuTTY or Tera Term and issue the /opt/qradar/bin/logrun.pl command.

```
[root@qce1 ~]# ls -l *log
-rw-r--r-- 1 root root 13831 Nov 7 06:54 SampleLog.log
[root@qce1 ~]# /opt/qradar/bin/logrun.pl -u 1.1.1.1 -l -f SampleLog.log 1
generating 1 messages per second to 127.0.0.1:514
Ctrl-c to stop
```

In the example above, Syslog messages carrying the log source identifier 1.1.1.1 (the -u option) are sent to QRadar itself in an infinite loop (the -l option) at one message per second.
As a result, the "Log Activity" tab shows the custom DSM's normalized messages, like the following.
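An added example, not part of the article and not the QRadar tool itself: a minimal Python stand-in for logrun.pl -u 1.1.1.1 -l -f SampleLog.log 1 that shows what the tool puts on the wire. Each file line is framed as an RFC 3164-style syslog message using the PRI 182 and originator 1.1.1.1 from the workspace sample and sent over UDP to port 514 at a fixed rate; the destination host and file path are assumptions.

```python
import socket
import time
from datetime import datetime

# Constructed timestamp matching the first workspace sample line.
SAMPLE_WHEN = datetime(2020, 11, 7, 16, 39, 38)

def split_pri(pri):
    """Decode a syslog PRI value into (facility, severity): PRI = facility * 8 + severity.
    182 -> (22, 6), i.e. local6 / informational."""
    return divmod(pri, 8)

def build_frame(payload, originator="1.1.1.1", when=None, pri=182):
    """Build one RFC 3164-style line: <PRI>Mmm dd HH:MM:SS <originator> <payload>.
    The originator field is what logrun.pl's -u option fills in; it must equal the
    Log Source Identifier configured in QRadar (1.1.1.1 in the exercise)."""
    when = when or datetime.now()
    return f"<{pri}>{when.strftime('%b %d %H:%M:%S')} {originator} {payload}"

def frames_from_text(text, originator="1.1.1.1", when=None):
    """Frame every non-empty line of a log file's text; blank lines are skipped."""
    return [build_frame(line, originator, when) for line in text.splitlines() if line.strip()]

def replay(path, host="127.0.0.1", port=514, originator="1.1.1.1", rate=1.0, loop=False):
    """Send the framed lines of `path` to host:port over UDP at `rate` messages per
    second; loop=True repeats the file forever, like logrun.pl -l (stop with Ctrl-C)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        with open(path, encoding="utf-8") as fh:   # SampleLog.log is UTF-8 with LF endings
            for frame in frames_from_text(fh.read(), originator):
                sock.sendto(frame.encode("utf-8"), (host, port))
                time.sleep(1.0 / rate)
        if not loop:
            break

if __name__ == "__main__":
    # Equivalent of: logrun.pl -u 1.1.1.1 -l -f SampleLog.log 1  (assumed file path)
    replay("SampleLog.log", loop=True)
```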

Because these logs are used for the searches that follow, let them flow for a while (a few minutes) so that QRadar accumulates events.
Then stop logrun.pl with Ctrl-C.
2-3: Searching and charting the logs
QRadar's search features are extensive, so it is impossible to cover them all here.
Only the most basic filtering is covered.
For details, refer to the manual links and other material listed in the references.
After the steps so far, the "Log Activity" tab currently shows only logs from the newly created custom DSM.
In this state, entering a keyword in the "Quick Filter" at the top performs a narrowing search within the scope of the filters already applied.
First, select something like "Last 15 Minutes" in "View" to stop the real-time streaming display.
Next, type 試行 (the word for "attempt" that appears in the event ID 認証の試行) into the "Quick Filter" and click "Search".

Now, in addition to the log source filter already applied, only logs whose payload contains the string 試行 are listed.
Next, set "Display" to "Username".
If the chart is hidden, click "Show Charts".
Tip: if nothing is displayed, time may have passed so that there are no longer any logs within the last 15 minutes. In that case change "View" to include a longer period in the past.

The logs containing 試行 are now grouped by "Username" and charted in descending order of count.
Because the user name is extracted as a property, a visualization from this angle is easy to produce.
Next, choose "Edit Search" from the "Search" menu to change the search conditions and add properties to be shown in the results.
A quick filter depends on strings contained in the log and is therefore not general, so remove it and instead add the condition that "Category" equals "General Authentication Failed".
Then, to include the "AuthProcessId" property added by this custom DSM in the results, click "+" to "Add Column" and click "↑" several times to move it to the top.

Clicking "Search" shows results based on the changed conditions.

So that this search can be run at any time in future, click "Save Criteria".
① Set the "Search Name", specify the various options, and finally click "OK".
② If you tick "Include in my Quick Searches", the search is added to the "Quick Searches" menu and can be run immediately without going through the "Search" menu.
2-4: Using advanced search with AQL
The Ariel Query Language (AQL) is a structured query language used to communicate with the Ariel database, in which QRadar stores the logs and flows it collects.
AQL is used to query event data and flow data in the Ariel database. It is similar to SQL, but it is query-only: updates and deletes are not possible.
Besides searches and rule conditions in the console, events and flows can also be searched with AQL through the REST API.
AQL has a very wide range of features, so not all of it can be covered here.
The references at the end include links to AQL material, so please take a look at them.
The basic structure of AQL is as follows.

An example AQL query is shown below.

```sql
SELECT DATEFORMAT(starttime,'yyyy/MM/dd HH:mm:ss z') as 'Start Time',
       sourceip, destinationip,
       CATEGORYNAME(category) as 'Category',
       QIDDESCRIPTION(qid) as 'Event Name',
       username
FROM events
WHERE LOGSOURCENAME(logsourceid) ilike '%Training%'
LAST 1 HOURS
```

The main syntax is as follows (this is not exhaustive; refer to the references and the product manual).
| Construct | Description |
|---|---|
| SELECT ... FROM | AQL starts with SELECT; write FROM events for events or FROM flows for flows. |
| WHERE ... | Narrows the search conditions. Comparison operators: =, !=, <, >, <=, >=. Several conditions can be combined with the logical operators AND / OR / NOT. NULL checks on properties: IS NULL / IS NOT NULL. Value ranges: BETWEEN A AND B, meaning A or greater and B or less, with both A and B included. |
| Time specification | Without a time specification, the events/flows of the last 5 minutes are searched. The time specification applies to QRadar's event reception time (starttime), not the log source time (devicetime). It goes at the very end of the AQL statement. With START/STOP: START 'YYYY-MM-dd HH:mm' STOP 'YYYY-MM-dd HH:mm'. With LAST: LAST [number] MINUTES/HOURS/DAYS; the plural form is used even for 1, e.g. LAST 1 HOURS. |
| Date-time properties | Date-time properties are stored as UNIX timestamps, so they are normally formatted before use. Formatting with DATEFORMAT: DATEFORMAT(property, 'format pattern'). Example patterns: HH:mm:ss dd-MM-YYYY → 04:19:22 10-12-2014; YYYY/MM/dd HH:mm:ss → 2014/11/08 04:19:11; YYYY/MM/dd a hh:mm → 2014/11/08 AM 04:19. |
| LIKE / ILIKE 'condition' | Fuzzy matching; % is the wildcard. ILIKE is case-insensitive. |
| MATCHES / IMATCHES 'condition' | Regular-expression matching, which allows more flexible conditions than LIKE. IMATCHES is case-insensitive. |
| TEXT SEARCH 'string' | Full-text search, like the "Quick Filter". It must be written as the first condition in the WHERE clause, and it can only be combined with other WHERE conditions using AND. |
| Aggregation | GROUP BY aggregates by the specified property. COUNT / UNIQUECOUNT count records: COUNT(*) returns the total number of records, COUNT(property) the number of records in which the property exists, and UNIQUECOUNT(property) the number of distinct values of the property. |
| ORDER BY ... | Specifies the display order. Descending (default): ORDER BY [property or alias] ASC. Ascending: ORDER BY [property or alias] DESC. |
| LIMIT | LIMIT [number] restricts the number of results returned. |
| String functions | STR converts the argument to a string. STRLEN returns the length of a string. STRPOS returns the byte position at which the given string occurs in the source string, or -1 if it is absent. SUBSTRING(string, m, n) extracts positions m through n of the string. UPPER / LOWER return the upper-case / lower-case form of the argument. CONCAT concatenates all its arguments into one string. BASE64 base64-encodes a string. UTF8 converts the argument to a UTF-8 string. REPLACEALL(regex, property, replacement) replaces every match of the regex. REPLACEFIRST(regex, property, replacement) replaces only the first match of the regex. |
Properties and functions commonly used in AQL are listed below.

| Property | Description |
|---|---|
| sourceip | Source IP |
| sourceport | Source port |
| destinationip | Destination IP |
| destinationport | Destination port |
| username | User name |
| qidname(qid), qiddescription(qid) | Event name / event description (qid is an ID number that is hard to read as it is, so these functions convert it to the name or description) |
| logsourcename(logsourceid), logsourcegroupname(logsourceid), logsourcetypename(logsourceid) | Log source name / log source group / log source type (logsourceid is an ID number, so these functions convert it to the name, or look up the group or type it belongs to and show that name) |
| categoryname(category), categoryname(highlevelcategory) | LLC (low-level category) name / HLC (high-level category) name (category and highlevelcategory are ID numbers, so the function converts them to names) |
| DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss'), DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') | Log reception time / device log time in YYYY-MM-dd HH:mm:ss format. starttime is the timestamp QRadar assigns automatically when it receives the log; devicetime is the timestamp extracted from the log payload. |
| eventcount | Number of events; normally 1. When event coalescing is on, the number of coalesced events. |

① To use AQL from the QRadar console, select "Advanced Search" in the "Log Activity" tab.
② Then enter the AQL in the input box; the GUI offers assistance such as auto-completion and error display.
③ Finally, click "Search", and ④ the results are displayed.
2-5: Advanced search with AQL and reference sets
QRadar has a feature called reference sets, which can also be accessed from AQL.
Reference sets let you store data in a simple list form.
Tip: besides reference sets, QRadar also has reference maps, reference tables and other features that handle more complex data. For details, see "Types of reference data collections" in the product manual.
External threat data such as indicators of compromise (IOC) can be loaded into reference sets, and reference sets can also be used to store business data (IP addresses, user names and so on) collected from the events and flows occurring on the network.
Here, as a simple example, we create a reference set named "TrainingSampleUsers".
① From the "≡" menu, click "Admin". In the navigation menu, click "System Configuration" > "Reference Set Management".
② Click "Add"; the "New Reference Collection" screen opens.
③ Enter "TrainingSampleUsers" as the "Name", choose "Alphanumeric (Ignore Case)" as the "Type", enter "1" in the "Days" part of "Time to Live of elements", and click "Create".
④ Once the reference set has been created, click "Add" at the bottom of that reference set's screen.
⑤ The "Add Reference Set Data" screen opens; enter "root,super,admin" in "Values" and "," (comma) as the "Separator", and click "Add".
⑥ After these steps, three rows have been added to "Values", as shown at the top right of the figure below.

With the reference set ready, go back to the "Log Activity" tab and enter the following AQL.

```sql
SELECT DATEFORMAT(starttime,'yyyy/MM/dd HH:mm:ss z') as 'Start Time',
       sourceip, destinationip,
       CATEGORYNAME(category) as 'Category',
       QIDDESCRIPTION(qid) as 'Event Name',
       username
FROM events
WHERE LOGSOURCENAME(logsourceid) ilike '%Training%'
  AND REFERENCESETCONTAINS('TrainingSampleUsers', REPLACEFIRST('(\w+)\s\w*', username, '$1'))
LAST 1 HOURS
```
Compared with the AQL used in the previous exercise, a new condition, REFERENCESETCONTAINS, has been added to the WHERE clause.
This function checks whether the value given as the second argument is contained in the reference set named by the first argument, and returns true or false.
In this example, rather than passing username as it is, REPLACEFIRST is used to apply a regular expression that keeps only the part of the string before the first space.
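An added example (not from the article) that emulates the WHERE clause above in Python: REPLACEFIRST keeps the first word of username (so "user name" becomes "user", while "root" has no space and is left unchanged), and REFERENCESETCONTAINS is evaluated case-insensitively, as the set type "Alphanumeric (Ignore Case)" implies. The events are constructed; the set contents are the three values entered in the exercise.

```python
import re

# Constructed copy of the reference set built in the exercise. Its type is
# "Alphanumeric (Ignore Case)", so membership is decided case-insensitively.
TRAINING_SAMPLE_USERS = {"root", "super", "admin"}

# Constructed events, as the AQL would see them after LOGSOURCENAME() resolution.
SAMPLE_EVENTS = [
    {"logsourcename": "TrainingSample", "username": "user name"},
    {"logsourcename": "TrainingSample", "username": "root"},
    {"logsourcename": "TrainingSample", "username": "Admin Jones"},
    {"logsourcename": "WindowsDC01",    "username": "super user"},  # other log source
    {"logsourcename": "TrainingSample", "username": None},          # no username parsed
]

def replace_first(regex, value, replacement):
    """Emulate REPLACEFIRST(regex, property, replacement): substitute only the first
    match. AQL writes capture groups as $1, Python's re.sub as \\1. A value with no
    match is returned unchanged and a NULL property stays NULL. re.ASCII keeps \\w
    ASCII-only, matching the Java regex engine behind AQL."""
    if value is None:
        return None
    return re.sub(regex, replacement.replace("$1", r"\1"), value, count=1, flags=re.ASCII)

def first_word(username):
    """The page's REPLACEFIRST('(\\w+)\\s\\w*', username, '$1'): keep the text before
    the first space ("user name" -> "user", "root" -> "root")."""
    return replace_first(r"(\w+)\s\w*", username, "$1")

def reference_set_contains(ref_set, value):
    """Emulate REFERENCESETCONTAINS for an ignore-case alphanumeric set; NULL is never a member."""
    return value is not None and value.lower() in {v.lower() for v in ref_set}

def ilike(value, pattern):
    """Emulate ILIKE for the simple '%text%' form used on the page."""
    return pattern.strip("%").lower() in value.lower()

def matching_events(events=SAMPLE_EVENTS, ref_set=TRAINING_SAMPLE_USERS):
    """The WHERE clause of the AQL above, applied to the constructed events."""
    return [e for e in events
            if ilike(e["logsourcename"], "%Training%")
            and reference_set_contains(ref_set, first_word(e["username"]))]

if __name__ == "__main__":
    for e in matching_events():
        print(e["logsourcename"], e["username"])
```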

In this exercise the reference set data was entered from the web UI for simplicity, but in a practical implementation the properties of events matching a particular rule would be collected automatically during log collection, or external threat intelligence would be fed in through the REST API.
Reference sets can be used not only in ad hoc AQL searches but also within correlation rules.
A relatively easy-to-follow implementation example is described in "Let's run use cases with the QRadar Experience Center app, ideal for learning SIEM"; if you are interested, please see that article as well. Only the diagram is quoted below.
Exercise 3: Testing the custom DSM [correlation analysis]
So far we have created a custom DSM, ingested normalized test logs, and seen how to search and chart those logs.
However, the processing up to this point probably felt more like a "log management tool" than a "SIEM".
Normalization aside, if all you do is collect, search and chart, a spreadsheet could seemingly manage it as long as the data volume does not become huge.
So, to finish, let's look at the SIEM side of QRadar, which we have been using without being aware of it.

3-1: Checking the generated offenses
Because this custom DSM was built within the scope of QRadar's normalized authentication events, it is processed by the correlation rules that ship as standard.
Being able to use the existing rules for a home-grown log, just as for log sources provided by IBM or vendors, is the strength of normalization.
Click the "Offenses" tab to display the list of offenses.
Most likely, the sample log tests with logrun.pl and the other tools have already raised several offenses.

Opening one of them shows that the large number of events sent with logrun.pl have been grouped under a single relationship, the offense, and aggregated so that a user can investigate them easily. If the offense mechanism did not group related events together, many more duplicate alerts would have been raised.

3-2: Contents of the standard rules
The rules that contributed to an offense can be checked from each offense's screen via "Display" > "Rules".

The rule shown as an example is triggered when a log event matches the "building block" (a child element of rules) for "authentication failure" and the same user name, taken from the "Username" property of those events, is observed 10 or more times within 5 minutes.
The hyperlinked parts of the rule definition are the parts that can be changed for tuning, and they can be adjusted to suit your environment.
QRadar can of course run all kinds of searches over the accumulated logs, but in addition many rules like the one above are enabled and keep a constant watch over the logs arriving in real time. Many rules are published on the App Exchange, so you can import the ones you need to strengthen coverage, and you can also write custom rules if necessary.

References