IBM Security Global Forum


Unified Security Using IBM QRadar and ReaQta

By Vikram Khopade posted Wed May 18, 2022 04:51 AM

  

Endpoint Detection and Response (EDR) is becoming increasingly important given the many threat vectors that target user devices. Most enterprises issue their employees several endpoints, and any one of them, if left unmonitored and unprotected, can become the entry point for malware or ransomware. Pairing an EDR solution with a SIEM addresses both halves of the problem: the SIEM correlates activity across the whole network, and the EDR acts on the individual host. In this blog, we cover one of the many integration possibilities for the ReaQta EDR and IBM QRadar SIEM products.

What is IBM QRadar SIEM?

In cybersecurity, Security Information and Event Management (SIEM) refers to technologies that collect and log security events and network flow data, analyse them, and support the mitigation of the threats they reveal. A SIEM gives a consolidated view of the technical infrastructure, with detail on individual security events and flows and on the handling of any threat vectors found in the environment. It is designed to surface advanced threats that general-purpose monitoring tools cannot detect.

IBM QRadar SIEM is one of the most popular SIEM solutions in the market today. It has been a Leader in Gartner's Magic Quadrant for SIEM for more than a decade. It helps you quickly uncover existing and potential threats using its advanced analytics capabilities, and it provides many useful features such as centralized visibility, flexible deployment, automated intelligence, machine learning, and proactive threat hunting.

What is ReaQta?

ReaQta is an Endpoint Threat Detection and Response solution that uses AI-driven behavioural analysis to detect and respond to advanced threats and to protect the organisation from a security breach. ReaQta uses its proprietary NanoOS technology to remain invisible to attackers and to provide visibility into the system at the hypervisor level. Traditional endpoint protection is mostly signature based and cannot detect zero-day attacks. ReaQta instead takes a behavioural approach: it monitors the events generated by every process and raises an alert on suspicious behaviour. When an alert is triggered, the agent switches to a deep monitoring mode and collects additional data to enrich the alert; outside that mode it logs only the information that matters, which keeps storage and bandwidth consumption low. Beyond detection, ReaQta provides quick and automated response: it can isolate and de-isolate endpoints and interact with them in real time through its Live Response feature.

 

  

Integration Scenario 1: Exfiltration Rule

In this scenario, various log sources and flow sources are connected to IBM QRadar SIEM, which detects advanced threats using its ready-to-use and customizable correlation rules. QRadar ships correlation rules in categories such as anomaly detection, exfiltration and exploitation. When QRadar detects suspicious activity in the network, it can use the endpoint management capabilities of ReaQta to isolate the affected endpoint devices, whether laptops, virtual machines, or mobile devices. Once the threat is mitigated, the same endpoints can be de-isolated using ReaQta.

Let us now consider a use case where we use QRadar's exfiltration rule to detect a large volume of data being transferred out over the wire. The following image is from the Rules section of QRadar:

The Large Outbound transfer high rate of transfer rule fires when a flow carries more than 0.5 GB of data and at least 10 such flows share the same source IP, destination IP and destination port.
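To make the rule's conditions concrete, here is an added example (not QRadar's rule engine and not code from this page) that applies the same test to constructed flow records: it keeps only flows carrying more than 0.5 GB outbound and fires for a (source IP, destination IP, destination port) triple once at least 10 such flows fall within one correlation window. The GB unit (1024^3 bytes), the use of the flow's source-byte count as the transferred volume, and the window length are assumptions, since the page does not state them.

```python
"""Offline model of the page's exfiltration rule (added example, not QRadar code).

Assumptions not stated on the page: 'GB' means 1024**3 bytes, the volume
tested is the flow's outbound (source) byte count, and the correlation
window is a parameter rather than QRadar's stored rule setting.
"""
from collections import defaultdict
from dataclasses import dataclass

GB = 1024 ** 3
MIN_BYTES = GB // 2          # "more than 0.5 GB"
MIN_FLOWS = 10               # "at least 10 such flows"


@dataclass(frozen=True)
class Flow:
    start: int          # flow start, epoch seconds (constructed sample data)
    src_ip: str
    dst_ip: str
    dst_port: int
    src_bytes: int      # bytes sent by src_ip, i.e. the outbound volume


def matching_groups(flows, window_seconds=3600):
    """Return {(src_ip, dst_ip, dst_port): count} for every triple that has
    at least MIN_FLOWS flows over MIN_BYTES inside one window_seconds span."""
    by_key = defaultdict(list)
    for f in flows:
        if f.src_bytes > MIN_BYTES:            # first rule test: flow size
            by_key[(f.src_ip, f.dst_ip, f.dst_port)].append(f.start)
    hits = {}
    for key, starts in by_key.items():         # second rule test: same triple
        starts.sort()
        lo, best = 0, 0
        for hi, t in enumerate(starts):        # sliding window over start times
            while t - starts[lo] > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= MIN_FLOWS:
            hits[key] = best
    return hits


def isolation_targets(flows, window_seconds=3600):
    """Source IPs the rule response would hand to the isolation script."""
    return sorted({src for (src, _, _) in matching_groups(flows, window_seconds)})


# Constructed sample: one host streaming >0.5 GB twelve times to the same
# destination, one doing it only three times, and one doing many small transfers.
SAMPLE_FLOWS = (
    [Flow(1000 + i * 60, "10.1.1.20", "203.0.113.9", 443, 700 * 1024 ** 2) for i in range(12)]
    + [Flow(1000 + i * 60, "10.1.1.21", "203.0.113.9", 443, 700 * 1024 ** 2) for i in range(3)]
    + [Flow(1000 + i * 60, "10.1.1.22", "203.0.113.9", 443, 50 * 1024 ** 2) for i in range(40)]
)

if __name__ == "__main__":
    for key, n in matching_groups(SAMPLE_FLOWS).items():
        print(f"rule fires for {key}: {n} large flows")
    print("would isolate:", isolation_targets(SAMPLE_FLOWS))
```

Run as-is it reports only 10.1.1.20; the host with 40 small flows never qualifies, however much it sends in total, which is why this rule needs a companion volume-based rule if slow, chunked exfiltration is a concern.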

If the test conditions of a QRadar rule are met, one of the available rule responses is to run a custom action script. This is a powerful feature: it lets QRadar carry out automated, custom actions to contain a security incident. Learn more about custom actions here.

In this case, we define a custom action called reaqta_isolation which in turn calls a script called isolate_script.sh. The script uses the ReaQta API to isolate the endpoint that is exfiltrating the data. Notice that it takes an IP address as its only parameter; QRadar passes the IP of the host to be isolated when it runs the custom action:

#!/bin/bash
# Custom action script: isolates, through the ReaQta API, the endpoint whose IP is passed as $1.
# WARNING: the API application credentials are stored in clear text in this script;
# restrict the script's permissions, or read them from a protected file instead.
r_secret=QwiKkdynzczikZcoJ0Ukg
r_id=8e335c-b05a-4429-98a8-932ae70bd847

#Obfuscated IP
hive_ip=xx.xx.xx.xx
e_ip=$1

if [ -z "$e_ip" ]; then
  echo "usage: $0 <endpoint-ip>" >&2
  exit 1
fi

#Get authentication token
# -k disables TLS certificate verification; install the hive's CA certificate and drop -k
# in production, otherwise the API secret can be captured by a spoofed hive.
json=$(curl -X POST -k --silent -H 'Content-Type: application/json' "https://$hive_ip/rqt-api/1/authenticate" --data '{ "id": "'"$r_id"'", "secret": "'"$r_secret"'"}')

#Extract token value
token1=$(echo "$json" | jq -r '.token')
if [ -z "$token1" ] || [ "$token1" = "null" ]; then
  echo "Authentication failed: $json" >&2
  exit 1
fi
echo "Received authentication Token:"
echo "$token1"   # shown here for the demonstration only; do not log bearer tokens in production
echo " "

echo "Getting endpoint id for ip:$e_ip"

# Plain GET request (a bare "curl GET ..." would treat GET as a second URL to fetch)
endpoint_id=$(curl -k --silent -H 'Content-Type: application/json' -H "Authorization: Bearer $token1" "https://$hive_ip/rqt-api/1/endpoints/?ip=$e_ip")
e_id=$(echo "$endpoint_id" | jq -r '.result[0].id')
if [ -z "$e_id" ] || [ "$e_id" = "null" ]; then
  echo "No ReaQta endpoint found for ip:$e_ip" >&2
  exit 1
fi

echo "Isolating endpoint with ID:$e_id"

isolate=$(curl -X POST -k --silent -H 'Content-Type: application/json' -H "Authorization: Bearer $token1" "https://$hive_ip/rqt-api/1/endpoint/$e_id/isolate/")
echo "$isolate"


The r_secret variable stores the "secret" value required by the authentication API, and r_id is the matching application ID (to obtain these values in the ReaQta GUI, navigate to the Administration tab --> API Application).


When run from the command line, isolate_script.sh behaves as below (IP addresses have been deliberately obfuscated):

[root@machine1 test_scripts]# ./isolate_script.sh xx.xx.xx.xx

Received authentication Token:
eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIn0HuK-zpwwBgg1xy-PZ_7P7A.bHyT-cuFAZypJ3NTCWwRQXW_G57642T9mWQCnNiql-WJ3zTs5w3ay8CJ2Hy0Gt3Jsp7WlWd2RIe0WKGVZZGon6P7ROk_CCXFZaMBPzX5bh5dcwYlV7H6oHRmDRcRdfd6Q.G3kt56SxY8EkDb2U7yD76iMwdM-dWHfJhbSTKwc-s0s

Getting endpoint id for ip:xx.xx.xx.xx
Isolating endpoint with ID:85458573843445312

{"message":"Endpoint offline","details":{"endpointId":"85458573843445312","lastSeenAt":"2022-05-11T19:43:09.525Z"}}

 

NOTE: The IDs and the tokens mentioned above have been deliberately mangled for security reasons. Note also the isolate call's response in this run, "Endpoint offline" with a lastSeenAt timestamp: it indicates that the agent was not connected to the Hive when the request was made, so a custom action should treat this answer differently from a confirmed isolation.
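The script above is the minimum needed to demonstrate the integration. As an added example (not from the page, and not ReaQta's or QRadar's own code), the following Python version adds the checks a production custom action needs: it validates the IP that QRadar passes before it reaches a URL, reads the API application ID and secret from a mode-0600 file instead of embedding them in the script, verifies the Hive's TLS certificate instead of using -k, refuses to act when no endpoint or more than one endpoint reports the IP, never prints the bearer token, and distinguishes the "Endpoint offline" answer seen in the run above from an accepted isolation. The credential file path and its JSON layout, the cafile key, the assumption that QRadar invokes the script with its Python interpreter, and the treatment of any 2xx response without that message as success are assumptions; the API paths are the ones the page's script uses.

```python
"""Hardened variant of isolate_script.sh (added example, not from the page).

Assumptions: QRadar runs this as a custom action with the Python interpreter
and passes the offending source IP as argv[1]; credentials live in the
hypothetical file /etc/reaqta/custom_action.json as
{"hive": "host", "id": "...", "secret": "...", "cafile": "/path/to/hive-ca.pem"};
API paths are those used by the page's isolate_script.sh.
"""
import ipaddress
import json
import os
import ssl
import stat
import sys
import urllib.error
import urllib.request

CREDENTIAL_FILE = "/etc/reaqta/custom_action.json"   # hypothetical path


def is_valid_ipv4(value):
    """Accept only a plain IPv4 address so a crafted event field QRadar
    hands to the action can never become URL or shell syntax."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def load_credentials(path):
    """Read the API application id/secret from a file that only the owner
    can read, instead of embedding them in a script QRadar stores and logs."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/other (mode {oct(mode)})")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    for key in ("hive", "id", "secret"):
        if not creds.get(key):
            raise ValueError(f"credential file lacks {key!r}")
    return creds


def pick_endpoint_id(lookup):
    """The endpoint lookup answers {"result": [...]} (the shape the page's
    script indexes); None when no agent, or more than one, reports the IP."""
    result = lookup.get("result") or []
    if len(result) != 1:
        # Several agents on one IP (NAT, reused DHCP lease) is ambiguous:
        # refuse rather than isolate the wrong host (constructed policy).
        return None
    return str(result[0]["id"])


def classify_isolation(status, body):
    """Outcome of the isolate call. The page shows an offline agent answers
    {"message": "Endpoint offline", ...}; any other 2xx is taken as accepted
    (assumption), everything else as an error."""
    if not 200 <= status < 300:
        return "error"
    if body.get("message") == "Endpoint offline":
        return "offline"
    return "isolated"


def api_request(ctx, hive, path, token=None, payload=None):
    """urllib wrapper: POST when a payload is given, else GET; returns (status, json)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"https://{hive}/rqt-api/1/{path}", data=data,
                                 method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        return exc.code, json.loads(exc.read() or b"{}")


def isolate_by_ip(ip, creds):
    """Full flow: validate input, authenticate, resolve endpoint, isolate."""
    if not is_valid_ipv4(ip):
        return "bad-argument"
    ctx = ssl.create_default_context(cafile=creds.get("cafile"))   # verified TLS, no -k
    _, auth = api_request(ctx, creds["hive"], "authenticate",
                          payload={"id": creds["id"], "secret": creds["secret"]})
    token = auth.get("token")
    if not token:
        return "auth-failed"
    _, lookup = api_request(ctx, creds["hive"], f"endpoints/?ip={ip}", token=token)
    endpoint_id = pick_endpoint_id(lookup)
    if endpoint_id is None:
        return "no-endpoint"
    # empty JSON body so urllib sends a POST, as the page's "curl -X POST" does
    status, body = api_request(ctx, creds["hive"], f"endpoint/{endpoint_id}/isolate/",
                               token=token, payload={})
    return classify_isolation(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: reaqta_isolate.py <source-ip>")
    outcome = isolate_by_ip(sys.argv[1], load_credentials(CREDENTIAL_FILE))
    print(f"{sys.argv[1]}: {outcome}")          # outcome only; the token is never printed
    sys.exit(0 if outcome == "isolated" else 1)
```

The non-zero exit for every outcome other than "isolated" matters: QRadar records the custom action's exit status, so an "offline" or "no-endpoint" result stays visible to the analyst working the offense instead of looking like a completed containment.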

In the QRadar GUI, the Custom Action looks like this:


 

Once the Custom Action is ready, we modify the Large Outbound transfer high rate of transfer rule to execute that custom action whenever the rule is triggered.

The rule response page with this configuration from QRadar is as shown below:

  

As the Rule Summary (see image below) shows, we have:

  • A rule that detects a host sending more data to an external network than it receives.
  • As the rule response, a severity 1 event dispatched by QRadar's custom rule engine, which also becomes part of an offense.
  • A custom action script that is executed.

  

Integration Scenario 2: Exploit Rule

This QRadar exploit rule, Multiple Exploit Types Against Single Destination, detects whether a single destination is being exploited by one or more backdoors or trojans.

 

As in Scenario 1, in the rule response section we chose to execute the custom action reaqta_isolation, which isolates the given endpoint through the ReaQta API.

 


 

When triggered, the rule creates an offense in QRadar and also executes the script to isolate the endpoint.

 
ReaQta Endpoint Dashboard:

Whenever either of the above rules is triggered, QRadar generates an offense and executes the custom script, which isolates the endpoint and so contains the potential threat. ReaQta's dashboard shows the current status of the endpoints:

 

After logging in to ReaQta, click Endpoints. The Summary section shows the total number of endpoints currently managed by the Hive server, together with the number of isolated and non-isolated endpoints.

Below it, a list of all endpoints is shown. A red icon in the "Status" column marks the isolated endpoints.

Note that an isolated endpoint still shows a green dot. This indicates the agent connection, which stays live even during isolation and is one of ReaQta's powerful features.

 

Endpoint Details View:

From the list, click the endpoint and then the "View Endpoint" button to open the detailed endpoint dashboard.

It shows details of the machine such as architecture, agent version, CPU information and MAC address.

Another powerful feature on this page is "Live Response". Even though the endpoint is isolated, it can still be partly managed through the ReaQta agent, because the agent's communication channel is kept intact during isolation. Using Live Response we can still run commands to list the services and processes running on the endpoint. The other available commands can be seen by clicking the "+" symbol.

 

De-isolate using ReaQta GUI:

Once the risk is mitigated and you want to bring the endpoint back onto the enterprise network, you can de-isolate it. The endpoint details page has a "De-isolate" button that restores the endpoint's connections.

Once the de-isolation request is confirmed, after a few minutes, or sometimes only after a page refresh, you will see that the endpoint is back on the network.

 

 

In this blog we showed two use cases of integrating IBM QRadar SIEM with ReaQta. More can be built from the sample script given here and the other features of the ReaQta API.

If you have any questions regarding any of the points mentioned above or want to discuss this further, feel free to get in touch with us.

Boudhayan Chakrabarty (Bob): bochakra@in.ibm.com 
Vikram Khopade: vikhopad@in.ibm.com
Prabhupada Satapathy:  prabhupada.satapathy@ibm.com


Special thanks to Darshan Donni (dardonn1@in.ibm.com) for reviewing and approving this article.
