Managing Network Hierarchy: The Art, The Legend, and... A Python Script? - Introducing NHSuite for QRadar (contrib)
In the fast-paced arena of cybersecurity and monitoring, keeping up isn't just essential; it's a survival trait.
Now, for those vintage lovers who've been cozying up with IBM's QRadar for quite some time, you'll fondly remember the free QRadar Network Hierarchy app. Ah, those were the days, weren't they?
But, like all good things, our treasured free app decided to play hide-and-seek and disappeared from the free section of the App Exchange!
@Ralph Belfiore dropped some wisdom on us with his excellent article, "Network Hierarchy Management", published on November 10, 2022. His suggestion? Use the API manually. Accurate? Yes. Handy? Depends on how you feel.
To bridge this tech gap and inject some of that old charm back, I crafted a Python script, NHSuite, for myself first and decided to share it with our QRadar community on GitHub (it is also useful for our other global CI/CD project with QRadar, but that's another story).
The importance of Network Hierarchy in QRadar
The primary goal is to provide context for cybersecurity analysts!
IBM® Security QRadar® leverages its network hierarchy to gain insights into your network traffic, offering a holistic view of all activities across your setup.
Interestingly, your network hierarchy in QRadar doesn't necessarily have to mirror the physical structure of your actual network. Instead, QRadar accommodates any structure defined by IP address ranges. This flexibility allows you to categorize your network based on various factors, be it geographical location, business segments, roles, or even specific traffic trends. By doing so, you can distinctly recognize network activities and apply robust security protocols. It's crucial to note that QRadar identifies every network within this hierarchy as local. To avoid any misinterpretations or false alarms, always ensure your network hierarchy is current.
The current setup of the Network Hierarchy is designed to support most standard networks. If you require more accurate or specific coordinate information for a public IP address, consider updating the IP addresses in the Network Hierarchy to better reflect your organization's requirements. Additionally, if your organization uses geographic data for private IP address ranges, think about incorporating country, latitude, and longitude details into the Network Hierarchy for those non-routable IP addresses. By embedding this geographic information for private IPs in the QRadar Network Hierarchy, you can enable advanced search functions for these IP ranges (like GEO::LOOKUP or GEO::DISTANCE), get the flag shown in Log Activity, and give administrators additional rule options.
Before delving into the functionalities of NHSuite, let's underscore the importance of network hierarchy:
- Asset Classification: By defining your network topology in QRadar, assets can be automatically classified, aiding in better asset identification.
- Rule Logic: Rules can be configured to understand the context based on the network hierarchy. This can help in reducing false positives by understanding whether an activity is internal-to-internal, internal-to-external, etc.
- Flow Processing: Helps in better understanding and visualizing network traffic patterns and flow directions (e.g., inbound, outbound).
- Contextual Analysis: Offers a more granular insight into incidents by providing context on where in the network topology an activity or offense took place.
In essence, the network hierarchy in QRadar helps users gain a better contextual understanding of their environment, optimizing security monitoring and incident response. It is essential on any QRadar deployment and has to be part of your evolution and change management.
You can also take a tour of the documentation: Guidelines for defining your network hierarchy
NHSuite for QRadar: A brief Overview
Usage
- Usage: NHSuite.py --help
- Export: using the -e or --export-file parameter
- Import: using the -i or --import-file parameter
- Domain information: using the --check-domain parameter
- System information: using the --check-version parameter
Core functionalities
- Streamlined Export and Import: The tool permits seamless export of the network hierarchy into a universally accessible CSV format. Additionally, it supports the import of pre-defined network hierarchies, ensuring easy migration, restoration or update.
- Fetch and display domain information: In larger organizations with multiple domains, fetching domain-specific information becomes crucial. NHSuite integrates this functionality, directly interfacing with QRadar for real-time data retrieval. This greatly assists in mapping the domain name to its corresponding ID in your file (if you use domains).
  - Use the --check-domain parameter to display Domain ID, Domain Name and Description for mapping your CSV file if you use domains.
- Fetch and display QRadar System Information
  - Use the --check-version parameter to display QRadar host version information.
- Error Management: No tool is truly complete without comprehensive error handling. The tool is equipped to detect and log a wide range of errors, ensuring administrators of the platform are always informed of any inconsistencies or issues.
  - Use the error.log file generated.
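A pre-import check a practitioner would want before pushing a CSV back into QRadar, added here as an example that is not part of NHSuite's own code: it validates every CIDR, resolves the domain name to the numeric ID that --check-domain lists, and rejects duplicate entries. The domain list and the CSV are constructed samples, and the CSV column names are my assumption, not NHSuite's actual format.

```python
import csv
import io
import ipaddress

# Constructed sample of what --check-domain displays: Domain ID, Domain Name, Description.
DOMAINS = [
    {"id": 0, "name": "Default", "description": "Default domain"},
    {"id": 2, "name": "Subsidiary-A", "description": "Tenant A"},
]

# Constructed import CSV (column names assumed). The domain column holds the
# human-readable name, which must be translated to the numeric domain_id.
IMPORT_CSV = """group,name,cidr,description,domain
Net.Servers,Net.Servers.DMZ,203.0.113.0/24,Public DMZ,Default
Net.Servers,Net.Servers.DB,10.20.0.0/16,Databases,Subsidiary-A
Net.Users,Net.Users.Paris,10.30.0.0/16,Paris office,Unknown-Tenant
Net.Users,Net.Users.Bad,10.30.0.0/33,Typo in mask,Default
Net.Servers,Net.Servers.DB,10.20.0.0/16,Duplicate row,Subsidiary-A
"""

def lint_import_csv(csv_text, domains):
    """Validate a hierarchy CSV before it is imported.
    Returns (rows_ready_for_import, errors); each ready row carries the
    numeric domain_id resolved from the domain name in the file."""
    name_to_id = {d["name"]: d["id"] for d in domains}
    ready, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            net = ipaddress.ip_network(row["cidr"], strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: invalid CIDR {row['cidr']!r}: {exc}")
            continue
        domain_id = name_to_id.get(row["domain"])
        if domain_id is None:
            errors.append(f"line {lineno}: unknown domain {row['domain']!r}; check --check-domain output")
            continue
        key = (domain_id, str(net))
        if key in seen:
            errors.append(f"line {lineno}: duplicate CIDR {net} in domain {domain_id}")
            continue
        seen.add(key)
        ready.append({"group": row["group"], "name": row["name"], "cidr": str(net),
                      "description": row["description"], "domain_id": domain_id})
    return ready, errors
```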
Access the NHSuite script on GitHub to delve into its code and documentation.
GitHub Link
Here is the link to the full project (contributions are welcome):
GitHub: https://github.com/zoldax/NHSuite
Environment and prerequisites
The script can work directly on QRadar (tested on 7.5.x) or on a remote Linux machine (Debian) meeting the requirements (preferred method).
Working directly on QRadar
QRadar > 7.5.0 (Python 3.6, required for f-strings)
The script has been designed with flexibility in mind. For those who have direct access and the required privileges, the script can operate directly on a QRadar system. We have verified its compatibility with QRadar versions 7.5.x. This direct method allows for streamlined integration and quick access to QRadar's features without the need for additional configurations.
However, there are some considerations when working directly on QRadar.
Working on a Remote Linux Machine (Preferred Method)
For a more isolated and controlled environment, we recommend executing the script on a remote Linux machine. Our tests have been particularly positive on Debian-based systems.
This method has several advantages:
- Isolation: Running the script remotely ensures that QRadar's primary functions remain undisturbed. There's no risk of unintentionally consuming excessive resources on the QRadar system.
- Flexibility: A separate Linux machine provides more freedom for customization, debugging, and script optimization. This can be especially beneficial when integrating the script with other tools or systems.
- Security: Operating the script remotely can add a layer of security. By limiting direct access to the QRadar system, you can further safeguard against potential threats or mishaps.
Requirements for the Remote Linux Machine:
- Python Version: Ensure that Python is installed, preferably a version that supports f-strings (Python 3.6 and above).
- Network Access: The remote machine should have network access to QRadar for API calls. Ensure that any firewalls or security groups allow the necessary communication between the two systems.
- Required Libraries: The script might rely on specific Python libraries. These should be installed and kept updated on the remote machine.
- Authentication: API authentication details, like tokens or credentials, should be securely managed. Consider using environment variables or secure configuration files.
Tested on my side on:
- Debian Bullseye (11.7)
- Python 3.9.2
- Requests==2.31.0
- urllib3==1.26.5
In conclusion, while both methods have their merits, using a remote Linux machine offers a balance of security, flexibility, and efficiency.
Depending on your organization's infrastructure, security guidelines, and resource availability, you can choose the method that fits best.
How do I start?
Complete the config.txt according to your QRadar target, for example:
{
"ip_QRadar": "qradardemo.zoldax.local",
"auth": "a111b05c-cb81-4d2f-b286-2532f0c4baee",
"Version": "17.0",
"Accept": "application/json",
"verify_ssl": "False",
"ssl_cert_path": "None",
"safety": "on"
}
- ip_QRadar: Specifies the IP address or domain name of the QRadar instance.
- auth: Authentication token for requests to the QRadar API (Admin > Authorized Services).
- Version: Denotes the targeted version of the QRadar API (17 for QRadar 7.5.x).
- Accept: Sets the desired response format from the QRadar API, typically application/json (don't modify this one).
- verify_ssl: Decides whether SSL certificate validation should occur when connecting to QRadar; setting it to False is not recommended in production.
- ssl_cert_path: Path to a custom SSL certificate chain. If there is no custom certificate, or if verify_ssl is False, it can be set to None (the cert file is the CA PEM file from your PKI).
- safety:
  - on: Backs up the current hierarchy before any changes (in the safety folder).
  - off: No backup is made; caution advised, especially in production.
Each parameter should be adjusted to align with the specifics of the user's QRadar environment and preferences.
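As an added example that is not NHSuite's own code, the following shows how a script can consume a config.txt of the shape above: it maps the string-valued verify_ssl and ssl_cert_path keys onto the value the requests library expects (a raw string "False" passed through would be treated as a CA bundle path, not as a switch), builds the SEC/Version/Accept headers the QRadar REST API reads, and implements the safety backup before any change is made. The config values are constructed, and the network hierarchy field names and endpoint path mentioned in the comments are my assumptions about the QRadar REST API.

```python
import csv
import json
import os
from datetime import datetime, timezone

# Constructed config.txt content using the key names described above.
CONFIG_TEXT = """{
  "ip_QRadar": "qradar.example.internal",
  "auth": "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN",
  "Version": "17.0",
  "Accept": "application/json",
  "verify_ssl": "True",
  "ssl_cert_path": "/etc/ssl/certs/corp-ca.pem",
  "safety": "on"
}"""
CONFIG = json.loads(CONFIG_TEXT)

def tls_verify_setting(cfg):
    """Map the string-valued verify_ssl / ssl_cert_path keys onto what requests
    expects in `verify`: False, True (system CA store) or a CA bundle path.
    The raw string "False" or "None" must not reach requests: it would be
    taken as a CA-bundle file name, not as a switch."""
    if cfg["verify_ssl"].strip().lower() == "false":
        return False  # TLS verification off: not for production
    cert = cfg.get("ssl_cert_path", "None").strip()
    if cert.lower() in ("", "none"):
        return True
    return cert  # custom CA chain (PEM) from your PKI

def api_request_parts(cfg):
    """Base URL and headers for the QRadar REST API: token in the SEC header,
    API version in Version, response type in Accept."""
    headers = {"SEC": cfg["auth"], "Version": cfg["Version"], "Accept": cfg["Accept"]}
    return f"https://{cfg['ip_QRadar']}/api", headers

def backup_hierarchy(networks, cfg, folder="safety"):
    """'safety: on' behaviour: write the current hierarchy (network objects as
    returned by GET /config/network_hierarchy/networks; field names assumed)
    to a timestamped CSV before any change. Returns the path, or None if off."""
    if cfg["safety"].strip().lower() != "on":
        return None
    os.makedirs(folder, exist_ok=True)
    fields = ["id", "group", "name", "cidr", "description", "domain_id", "country_code"]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = os.path.join(folder, f"network_hierarchy_{stamp}.csv")
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields, extrasaction="ignore")
        writer.writeheader()
        writer.writerows(networks)
    return path
```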
Wrapping Up
In the realm of cybersecurity, the subtleties of managing network hierarchies are foundational. Sometimes, we have to find new solutions when familiar ones fade away. This tool is one of those practical solutions, aiming to fill the void left by the Network Hierarchy app that is no longer available on the App Exchange.
At its heart, the tool aims to help: to offer a more straightforward approach to network hierarchy management, whether you're directly interfacing with QRadar or operating from a remote Linux machine. Its functionalities, from error handling to data export, serve the user's needs without pretense.
Furthermore, the tool isn't just about functionality; it's about adaptability. In the modern software development world, Continuous Integration and Continuous Deployment (CI/CD) have become foundational principles, and we see that every day in the operational field. This ensures that network hierarchy updates, backups and changes are consistently integrated, tested, and deployed to a test environment before production, and it is part of a more global project on my side.
It's also worth noting that, by hosting the script on GitHub, there's an open invitation for everyone to contribute and improve upon it. It's a collaborative effort, and the real value of the tool will be determined by the community's engagement and feedback (ideas for example: phpIPAM translation, etc.).
In summary, NHSuite is a humble attempt to make life a bit easier.
Hope you enjoy.
Happy Network Managing!
Cheers,
zoldax