Co-Authors: Colin Carle, Colin Hay, and Keith Degrace.
IBM Security QRadar is pleased to announce the release of the Universal Cloud Connector, which is designed to enable security teams to more easily ingest data from a wide range of REST API cloud-based applications and services for enhanced visibility. To address this new dynamic, the Universal Cloud Connector includes a new Universal Cloud REST API Protocol that enables you to create log sources for the acquisition of data from REST API compatible data sources that aren’t currently supported. With the Universal Cloud REST API Protocol, you can:
- Quickly and easily connect to REST API based cloud applications and services. As organizations and vendors continue their digital transformation to improve and modify their existing services, the ability to quickly adapt to these changes is critical. The Universal Cloud REST API Protocol allows for the integration of cloud based (or traditional on-premise) endpoints that are not currently supported by QRadar. Configuration of these data sources is clear and accessible using the Log Source Management App.
- Leverage pre-configured workflows for select data sources or create your own. A Universal Cloud REST API Protocol workflow defines the connection logic – a series of actions that are executed sequentially – for retrieving events. Using pre-configured workflows substantially reduces the time to create new log sources. Creating a new workflow or modifying an existing workflow allows you the flexibility to customize event data for your specific security use cases.
- Tailor the data for your specific use cases. Events received from log sources created using the Universal Cloud REST API Protocol may initially appear as unknown or stored. The DSM Editor can be used to define normalized properties, classify event data and extract custom event properties, ensuring that your data will provide valuable insight for activity in your network.
- Augment threat detection abilities. Connecting your data sources with the Universal Cloud REST API Protocol makes it straightforward to apply security use cases and analytics to new environments. The analyst sees threat intelligence, asset information, rule details and risk indicators, and by leveraging QRadar’s Analyst Workflow they’ll have access to key investigation information in their workspace, minimizing the need to navigate elsewhere for additional context.
Before you begin
QRadar currently integrates with approximately 450 third-party devices. However, as organizations adopt new technology, there is an immediate need to monitor traffic from new data sources. As an example, I’ll walk you through how to easily ingest data from a third-party service, Duo Security. Note the following terminology as you configure the Universal Cloud REST API:
- The Workflow is an XML document that describes the event retrieval process. The Workflow defines one or more parameters, which can be explicitly assigned values in the Workflow XML or can derive values from the Workflow Parameter Values XML document. The Workflow consists of multiple actions that run sequentially. When you run the Workflow, the parameter values are added to the State, and the State can then be accessed and changed by actions as the Workflow runs.
- Workflow Parameter Values are the input parameters for a workflow instance, and are stored in an XML file. The Workflow Parameter Values are represented by a set of key/value pairs, and the key must match one of the parameters defined in the associated Workflow.
- The State is a JSON object that represents the data of a running Workflow. Since the State is not strictly defined, data is dynamically stored in the State.
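To make the three terms concrete, here is an added example (not code from the original post or from the QRadar protocol itself) of a tiny interpreter that plays the protocol's role: it reads a constructed Workflow Parameter Values document, copies the declared parameters into a State dictionary, then runs a cut-down Workflow's actions in order, each reading from and writing to that State. The Workflow and Parameter Values documents, the action names (Initialize, Set, CallEndpoint, PostEvents), the `${/path}` placeholder syntax and the mock log endpoint are all assumptions made for this illustration; they follow the general shape of the real workflow format but are not a specification of it, so check element and attribute names against the IBM documentation before reusing them.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed Workflow Parameter Values document: key/value pairs whose keys
# must match parameters declared in the Workflow. Values are placeholders.
PARAMETER_VALUES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<WorkflowParameterValues>
  <Value name="host" value="api-example.duosecurity.com"/>
  <Value name="integration_key" value="DI_EXAMPLE_NOT_REAL"/>
  <Value name="secret_key" value="example-secret-not-a-real-key"/>
</WorkflowParameterValues>
"""

# Constructed, cut-down Workflow (assumed shape, not the shipped Duo workflow).
# Actions run top to bottom; ${/path} reads the State at that path.
WORKFLOW_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Workflow name="Duo Security (example)" version="1.0">
  <Parameters>
    <Parameter name="host" required="true"/>
    <Parameter name="integration_key" required="true"/>
    <Parameter name="secret_key" required="true" secret="true"/>
    <Parameter name="log_path" default="/admin/v1/logs/authentication"/>
  </Parameters>
  <Actions>
    <Initialize path="/bookmark" value="0"/>
    <CallEndpoint url="https://${/host}${/log_path}" savePath="/response">
      <QueryParameter name="mintime" value="${/bookmark}"/>
    </CallEndpoint>
    <PostEvents path="/response/body/response"/>
    <Set path="/bookmark" value="${/response/body/metadata/next_offset}"/>
  </Actions>
</Workflow>
"""

PLACEHOLDER = re.compile(r"\$\{(/[^}]*)\}")


def get_path(state, path):
    """Resolve a JSON-pointer style path such as /response/body/0 in the State."""
    node = state
    for seg in path.strip("/").split("/"):
        if seg:
            node = node[int(seg)] if isinstance(node, list) else node[seg]
    return node


def set_path(state, path, value):
    segs = path.strip("/").split("/")
    node = state
    for seg in segs[:-1]:
        node = node.setdefault(seg, {})
    node[segs[-1]] = value


def expand(text, state):
    """Replace every ${/path} placeholder with the current State value."""
    return PLACEHOLDER.sub(lambda m: str(get_path(state, m.group(1))), text)


def load_parameter_values(xml_text):
    root = ET.fromstring(xml_text)
    return {v.get("name"): v.get("value") for v in root.findall("Value")}


def run_workflow(workflow_xml, parameter_values, http_get, state=None):
    """Run the Workflow's actions sequentially against a State dict.

    Pass the same `state` dict on the next run so the bookmark persists;
    `http_get(url, params)` is injected so this runs without a network."""
    root = ET.fromstring(workflow_xml)
    state = {} if state is None else state
    # Declared parameters move from the Parameter Values (or a default) into
    # the State; a missing required parameter aborts the run.
    for p in root.find("Parameters"):
        name = p.get("name")
        if name in parameter_values:
            state[name] = parameter_values[name]
        elif p.get("default") is not None:
            state[name] = p.get("default")
        elif p.get("required") == "true":
            raise ValueError(f"missing required parameter {name}")
    posted = []
    for action in root.find("Actions"):
        if action.tag == "Initialize":          # set only if not already in State
            try:
                get_path(state, action.get("path"))
            except (KeyError, IndexError):
                set_path(state, action.get("path"), action.get("value"))
        elif action.tag == "Set":
            set_path(state, action.get("path"), expand(action.get("value"), state))
        elif action.tag == "CallEndpoint":      # store status and body in State
            params = {q.get("name"): expand(q.get("value"), state)
                      for q in action.findall("QueryParameter")}
            status, body = http_get(expand(action.get("url"), state), params)
            set_path(state, action.get("savePath"), {"status_code": status, "body": body})
        elif action.tag == "PostEvents":        # one JSON event per line to QRadar
            posted.extend(json.dumps(e) for e in get_path(state, action.get("path")))
        else:
            raise ValueError(f"unsupported action {action.tag}")
    return state, posted


# Constructed mock of a paged log endpoint; the event and metadata fields are
# made up for this example and are not a claim about Duo's real schema.
MOCK_EVENTS = [
    {"timestamp": 1700000000, "username": "alice", "result": "SUCCESS"},
    {"timestamp": 1700000060, "username": "admin", "result": "FAILURE"},
    {"timestamp": 1700000120, "username": "admin", "result": "FAILURE"},
]


def mock_duo_get(url, params):
    if not url.startswith("https://api-example.duosecurity.com/"):
        return 404, {"stat": "FAIL"}
    mintime = int(params["mintime"])
    page = [e for e in MOCK_EVENTS if e["timestamp"] > mintime]
    next_offset = page[-1]["timestamp"] if page else mintime
    return 200, {"stat": "OK", "response": page, "metadata": {"next_offset": next_offset}}


if __name__ == "__main__":
    values = load_parameter_values(PARAMETER_VALUES_XML)
    state, events = run_workflow(WORKFLOW_XML, values, mock_duo_get)
    print(len(events), "events posted; bookmark now", state["bookmark"])
    state, events = run_workflow(WORKFLOW_XML, values, mock_duo_get, state)
    print(len(events), "events posted on the second run")
```

Running it twice with the same State dict shows why Initialize and a bookmark matter: the first run posts all three mock events and records the last timestamp, the second run asks the endpoint only for newer events and posts nothing, which is the behaviour you want from a polling log source.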
Use Case for Duo Security - Authentication Logs
An organization may use Duo Security for Multi-Factor Authentication to adhere to security best practices. A security analyst can use Duo Security logs (Authentication logs, Administrator logs) to build authentication-based use cases.
Supported QRadar protocols are designed to connect to a specific service (such as AWS via their S3 REST API or Microsoft Azure via Azure Event Hubs), and typically only require some authentication or connection parameters. However, in this scenario, given that we will use the Universal Cloud REST API protocol, it’s necessary to get some additional information to configure the Workflow that will allow us to ingest the data we want to monitor.
First, we need to identify the endpoint from which we can source the admin logs. The Duo documentation indicates that the Admin API (https://duo.com/docs/adminapi) exposes a number of authentication and administration logs for the service. We are using the Log Source Management App to configure the log source for Duo Security (i.e. Log Source Type – Duo Security, created using the DSM Editor, and Protocol Type – Universal Cloud REST API) as shown in the figures below.
Testing the Workflow
The Workflow for Duo Security includes a test parameter that will help validate the log source setup. This will help identify any issues relating to user credentials or connection to the API endpoint itself. Once a connection to the API endpoint is established, the test will provide a preview of the sample events.
Event Mapping using QRadar's DSM Editor
Upon successful setup of your log source, the retrieved events may initially show as unknown (not classified) or stored (not parsed). The DSM Editor (as shown below) allows you to easily parse events and map them to the relevant QRadar low-level category.
We can now see events with meaningful security value in the QRadar Log Activity Tab.
Investigating Malicious Activity using QRadar's Analyst Workflow
Once a log source has been successfully configured and we are receiving events, we can implement security use cases or leverage rules that are included with QRadar to detect unusual activity in your network. In the example shown below, the rule “Multiple Login Failures for the Same User containing Administrator Login Failure” was triggered when multiple failed login attempts for the admin user were logged. With the Analyst Workflow, the incident can be investigated to identify the origin of this malicious activity on an Administrator’s account.
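As an added example (not the rule engine or any code from the original post), the detection logic behind a rule like the one above can be stated in a few lines: count FAILURE results per user inside a sliding time window and raise an alert, tagged as privileged when the user is an administrator, once a threshold is reached. The events below are constructed and only loosely shaped like Duo authentication log records after DSM mapping; the field names, threshold, window and the `admin` username are assumptions for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (not real Duo data). Timestamps are epoch seconds;
# 1700000000 is 2023-11-14 22:13:20 UTC.
SAMPLE_EVENTS = [
    {"timestamp": 1700000000, "username": "alice", "result": "SUCCESS", "reason": "User approved", "ip": "192.0.2.10"},
    {"timestamp": 1700000030, "username": "admin", "result": "FAILURE", "reason": "Invalid passcode", "ip": "203.0.113.7"},
    {"timestamp": 1700000090, "username": "admin", "result": "FAILURE", "reason": "Invalid passcode", "ip": "203.0.113.7"},
    {"timestamp": 1700000150, "username": "bob",   "result": "FAILURE", "reason": "No response", "ip": "192.0.2.11"},
    {"timestamp": 1700000200, "username": "admin", "result": "FAILURE", "reason": "Invalid passcode", "ip": "198.51.100.20"},
    {"timestamp": 1700000260, "username": "admin", "result": "FAILURE", "reason": "User mistake", "ip": "198.51.100.20"},
    {"timestamp": 1700003800, "username": "bob",   "result": "FAILURE", "reason": "No response", "ip": "192.0.2.11"},
    {"timestamp": 1700007500, "username": "bob",   "result": "FAILURE", "reason": "No response", "ip": "192.0.2.11"},
    {"timestamp": 1700007600, "username": "admin", "result": "SUCCESS", "reason": "User approved", "ip": "198.51.100.20"},
]


def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def detect_repeated_failures(events, threshold=3, window_seconds=600, privileged=("admin",)):
    """Alert when one user accumulates `threshold` FAILURE events within
    `window_seconds`. Events are sorted first so out-of-order delivery is fine.

    One alert is raised per window; the window is then cleared so a burst of
    ten failures does not produce eight near-identical alerts."""
    recent = defaultdict(deque)          # username -> deque of (timestamp, ip)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("result") != "FAILURE":
            continue
        user, ts = ev["username"], ev["timestamp"]
        window = recent[user]
        window.append((ts, ev.get("ip", "unknown")))
        while window and ts - window[0][0] > window_seconds:   # drop stale entries
            window.popleft()
        if len(window) >= threshold:
            alerts.append({
                "username": user,
                "privileged": user in privileged,
                "count": len(window),
                "first_ts": window[0][0],
                "last_ts": ts,
                "first_seen": iso(window[0][0]),
                "last_seen": iso(ts),
                # Distinct source addresses help an analyst judge whether this
                # is one mistyped passcode or a distributed attempt.
                "source_ips": sorted({ip for _, ip in window}),
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_failures(SAMPLE_EVENTS):
        print(alert)
```

Bob also fails three times in the sample, but spread over two hours, so only the admin burst (three failures in under three minutes from two addresses) is reported, which is the distinction between a forgetful user and activity worth a ticket. The `source_ips` list is the first thing an analyst would want when pivoting in the Analyst Workflow.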
In conclusion, we’ve built the Universal Cloud Connector to allow you to quickly connect to REST API endpoints (such as Duo Security, OneLogin, Ping Identity and Zoom), easily adapt to changes in those APIs, and quickly validate log source connections for rapid integration of data sources. With this streamlined workflow, you can monitor data from any system that makes event data available in an API response. The Universal Cloud Connector can be used for unsupported commercial or open source APIs, and for custom-built APIs in Business Partner applications or customers’ own applications. Please visit the Universal Cloud REST API GitHub repository, where we encourage you to share your custom workflows with the QRadar community.
IBM Security QRadar Universal Cloud REST API Documentation
IBM Security QRadar Universal Cloud REST API GitHub Repository
IBM Security QRadar Analyst Workflow
IBM Security QRadar Log Source Management App
IBM Security QRadar DSM Editor
Jose Bravo Tutorials:
Universal Cloud REST API Protocol Part One
Universal Cloud REST API Protocol Part Two