
osquery's integration with QRadar

By Sophia Sampath posted Mon September 30, 2019 02:33 PM


QRadar's osquery integration overview


Available now on IBM Fix Central is QRadar's osquery integration. QRadar's DSM (Device Support Module) for osquery supports the following queries:
docker_container_mounts
docker_container_processes
docker_containers
file_events
listening_ports
process_open_sockets
sudoers
users

Each query represents a monitored view of your Linux operating system and records changes in that view's state over time.

Supported Queries



By default in QRadar, the supported queries run at 10-second intervals, and osquery only generates data for changes in state between successive query runs. If a series of modifications leaves an object in the same state it was in at the previous run (a net-zero change), osquery does not record them, because nothing differs between the two snapshots. A shorter query interval reduces this blind spot; however, it may affect osquery's performance on the host system.

For example:
The 'users' table containing records (A, B, C) is queried. During the 10-second query interval, record (D) is added and quickly removed. The next query does not capture this activity, because the recorded state has not changed between the two queries.
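The scenario above, worked through as an added example (not code from the post, from osquery, or from QRadar): a small Python model of osquery's differential logging for the users table. The table history, the 10-second window and the event shape are constructed here to match the example; only the interval and the added-then-removed record D come from the text.

```python
import json

# Constructed history of the 'users' table over one 10-second window:
# (time in seconds, rows present at that instant). Record D is added at
# t=3 and removed again at t=5, as in the example above.
USERS_TIMELINE = [
    (0, ["A", "B", "C"]),
    (3, ["A", "B", "C", "D"]),
    (5, ["A", "B", "C"]),
]

def state_at(timeline, t):
    """Rows of the table at time t: the last recorded state at or before t."""
    rows = []
    for when, snapshot in timeline:
        if when <= t:
            rows = snapshot
    return rows

def diff_rows(previous, current):
    """Differential result as osquery computes it: rows added and rows removed
    since the previous run of the same scheduled query."""
    prev, curr = set(previous), set(current)
    return sorted(curr - prev), sorted(prev - curr)

def scheduled_query_events(timeline, interval, horizon=10):
    """Run the query every `interval` seconds from t=0 up to `horizon` and
    return the events that would be logged (one per added/removed row).
    The first run has no prior state, so every row is reported as added."""
    events, previous, t = [], [], 0
    while t <= horizon:
        current = state_at(timeline, t)
        added, removed = diff_rows(previous, current)
        for name in added:
            events.append({"time": t, "action": "added", "username": name})
        for name in removed:
            events.append({"time": t, "action": "removed", "username": name})
        previous, t = current, t + interval
    return events

def events_after_first_run(timeline, interval, horizon=10):
    """Events after the initial snapshot, i.e. the real state changes seen."""
    return [e for e in scheduled_query_events(timeline, interval, horizon)
            if e["time"] > 0]

if __name__ == "__main__":
    # 10-second interval: D is never seen.  2-second interval: added at t=4, removed at t=6.
    print("10 s interval:", json.dumps(events_after_first_run(USERS_TIMELINE, 10)))
    print(" 2 s interval:", json.dumps(events_after_first_run(USERS_TIMELINE, 2)))
```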


Examples of a few more queries that are supported in this release:



Configure rsyslog on your Linux System


The rsyslog service must be installed on the Linux system you intend to use as a logging server. To forward events to your QRadar Event Collector, edit the /etc/rsyslog.conf file and add the following entry at the end of the file:
local3.info @@<QRadar_IP_address>:12468

In rsyslog syntax, local3.info selects messages logged to the local3 facility at info severity or higher, and the double @@ forwards them over TCP (a single @ would use UDP), which is what the QRadar TCP multiline syslog listener on port 12468 expects.

Configure osquery on your Linux System


osquery is used to monitor and log changes to your Linux system over time, and QRadar's integration includes a qradar.pack.conf file to be added to your osquery host. This pack file contains the list of supported queries, which give you snapshots of the processes and other monitored objects on your Linux system at each point in time.

We have added qradar.pack.conf to the list of packs in the osquery.conf file:


Configure osquery log source in QRadar


In QRadar, an osquery log source must be created to retrieve events using the TCP multiline syslog protocol. The TCP multiline syslog protocol is an inbound/passive protocol that uses regular expressions to identify the start and end pattern of multiline events.

The TCP multiline syslog log source supports gateway functionality; when this option is selected, events that flow through the log source can be routed to other log sources based on the source name tagged on the events. To learn more about the Gateway Log Source methodologies, check out the blog.

To conclude, in QRadar's Log Activity tab you can now monitor the events generated by the queries that osquery runs, and use them in a number of threat detection use cases. A couple of use cases to look forward to with this integration are:

  • Detecting system compromise and indicators of attempted credential theft
  • Detecting activity indicative of privilege escalation
  • Detecting suspicious processes that may indicate the presence of an attacker on a compromised system
  • Detecting indicators of command-and-control (C2) activity or active data exfiltration
