IBM Security QRadar

  • 1.  Analyst work flow app

    Posted Wed February 10, 2021 10:13 AM

    We installed the analyst work flow app that provides an alternate interface to QRadar that focuses on the security analyst role.

    It looks nice and seems to have some good functionality but we have questions.


    My analyst tells me that CRE rule events do not show up there. Those are important for our event analysis and we would like to be able to see them. Is there a way to do that?


    Also this only runs on the SIEM console. That is problematic, especially as we have dedicated 12 cores to our Apphost so that we wouldn't have to bog the console down with apps like this.

    What's up with that, and is there a way to run this on the Apphost despite the install shell's dire warning about (read the following with a deep, ringing, authoritative James Earl Jones type voice) ONLY RUN THIS ON THE CONSOLE.


    Thanks for any help you folks can give. I find myself impressed with the expertise that is often shown in this list.


    Regards,

    Daniel Sichel


    Daniel Sichel, Security Engineer, CISSP #422810

    Community Medical Centers

    Compliance Office – Information Systems Security

    1540 E. Shaw, Suite 101, Fresno CA. 93710

    Phone: (559) 724-4265 ext. 24265 | Fax: 559-724-4271

    Cell: (559) 230-9444

    dsichel@communitymedical.org



    ------------------------------- WARNING/CONFIDENTIAL: -------------------------------

    This email, including attachments, may contain information that is privileged, confidential,
    and/or exempt from disclosure under applicable law (including, but not limited to, protected
    health information). It is not intended for transmission to, or receipt by, any unauthorized
    persons. If the reader of this message is not the intended recipient you are hereby notified
    that any dissemination, distribution or copying of this communication is strictly prohibited.
    If you believe this email was sent to you in error, do not read it. Reply to the sender informing
    them of the error and then destroy all copies and attachments of the message from your system.
    Thank you.


  • 2.  RE: Analyst work flow app

    IBM Champion
    Posted Tue February 16, 2021 10:51 AM
    Daniel,
    my guess is you are talking about the new QRadar UI (1.4.0.) available from the "Try the new UI" button in the QRadar menu.
    We are running 7.4.2 FP2 in our lab running the new UI. As you already outlined, this is a special part of QRadar, as it is not a standard container app listed in extensions management but designed to become an integral part of QRadar in later releases. Please make sure you are running at least the release and fixpack I mentioned.
    For your question regarding the app host, this at least answers your 2nd question in part. The other answers need to be given by someone from IBM development.

    Regarding CRE rule events, your analysts may be wrong. At least you can use search from the new UI menu and paste an AQL string you are using for listing your rule events from CRE, see picture.
    [image: UI]
    In my case 5 CRE events were found.
    Many thanks for your warm words about the community expert level. We live QRadar and love to help!
    BR Karl


    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 3.  RE: Analyst work flow app

    Posted Tue February 16, 2021 05:25 PM
    Thank you for providing that search. We are seeing some custom rule events natively without the search in the new UI. Others do not appear as indicated. Finding them separately with another search then correlating them to our offense manually is a step back in functionality from what we have now. Honestly, and I don't want to sound harsh here, if I wanted my analysts to use complex queries to find things this way, I would use Splunk. Our analysts don't have advanced SQL query skills and I don't want them to have to use them to find things in QRadar. Part of what makes QRadar best of breed is that we can find things in our events and flows with an easy, intuitive UI with zero knowledge of SQL. The power of this thing is that you look for security issues in the way a security analyst finds intuitive and easy to learn. It is AWESOME for this purpose.

    We really need the event name CRE Engine rule to appear in the GUI automatically for this to be usable. 

    But again, I really appreciate your quick and knowledgeable response. There is no way I could have come up with that myself.  Hopefully, this will be resolved somehow before this goes live. 

    Dan Sichel.

    ------------------------------
    Daniel Sichel
    ------------------------------



  • 4.  RE: Analyst work flow app

    IBM Champion
    Posted Wed February 17, 2021 05:47 AM
    Daniel,
    you're welcome. This is a kind of misunderstanding. QRadar isn't rocket science. However, in order to fully make use of it, at least one of your guys needs to climb the learning curve. This is not really different from other tools like the "S" word you mentioned :-)

    The AQL query I used in the search window shown above is just an example. If you want that to appear "automatically", you just add a new widget based on the AQL search to your offense summary dashboard by selecting it from the list of widgets available. This is truly intuitive. You just need to define a new widget for this. The AQL search itself is a copy and paste from a slightly modified standard log activity search we use for CRE monitoring. There are many other searches available out of the box, e.g. in Use Case Manager, available from the new UI as well. Learning AQL isn't needed at all to achieve this. You can use quick searches as well and use the Show AQL function to do the same thing. The screenshot is showing the new widget in my summary context.
    The new UI will develop fast. The list of "standard" widgets available is quite long already and there is a good chance that what you are looking for is already there. If not, it will get provided soon. Just check for new dashboards made available or being recommended by the assistant app.
    BR Karl
    [image: cre]


    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------
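    As an added illustration of the approach Karl describes in his two replies above (searching for CRE events with AQL, then saving that search as an offense summary widget), here is an AQL query of that kind. It is not the query from his screenshot, which is not reproduced in the thread, and it is not IBM's or pro4bizz's code. It assumes a default QRadar deployment where the CRE log source type is named 'Custom Rule Engine'; the offense id 12345 is a placeholder to be replaced with the offense under investigation, and the comment lines are for the reader and can be stripped before pasting if your AQL version rejects them.

```sql
-- Added example (not from the thread): list Custom Rule Engine (CRE) events in QRadar AQL.
-- Assumptions: the CRE log source type is named 'Custom Rule Engine' (QRadar default)
-- and 12345 is a placeholder offense id.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    QIDNAME(qid)                                 AS event_name,
    LOGSOURCENAME(logsourceid)                   AS log_source,
    RULENAME(creEventList)                       AS matched_rules,
    sourceip,
    destinationip,
    eventcount
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Custom Rule Engine'
  AND INOFFENSE(12345)   -- remove this line to list CRE events across all offenses
ORDER BY starttime DESC
LAST 24 HOURS
```

    Restricting on the log source type rather than on an event name is the more robust filter: every rule response that creates a new event is dispatched through the CRE log source, whatever the rule is called. The INOFFENSE() clause ties the result to one offense so an analyst sees only the rule events that contributed to it, which is the view the original post asks for; saving this search and adding it as a widget, as Karl suggests, puts it on the summary without the analyst having to type AQL.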



  • 5.  RE: Analyst work flow app

    Posted Wed February 17, 2021 08:39 AM
    Hello Daniel,

    To my knowledge the Analyst Workflow UI doesn't actively suppress the CRE events (or any other events) in any way, so they should be returned like anything else if they match a given search. But I'll check with the development team to see if this sounds like a known issue. They certainly aren't excluded by intent, but perhaps there's a defect in play here.

    The new UI is intended to be converted to a standard extension in the first half of 2021 so it should be runnable on the App Host at that time.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 6.  RE: Analyst work flow app

    Posted Wed February 17, 2021 10:30 AM

    That sounds good to me, thanks.  I can provide an example my analyst asked about if it helps. From what I am hearing, it is very possible we are not seeing the CRE events for some other reason, although they do show up in the standard GUI for the offense that was brought to my attention. However, the analyst work flow is new to us, and it could always be the dreaded user error.






  • 7.  RE: Analyst work flow app

    Posted Wed February 17, 2021 12:02 PM
    Hi Daniel,

    The dev team isn't aware of any known issues around missing/suppressed CRE events (or missing events from any log source type), so if you could get an example that would help. Perhaps I'm misunderstanding the scenario.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 8.  RE: Analyst work flow app

    Posted Thu February 18, 2021 11:41 AM

    Colin

    Thank you for looking at this issue. Here is an example of a CRE rule in the standard GUI that is not showing in analyst work flow. This came from my analyst. I gotta warn you, he is a bulldog and won't give up on this. :-)


    Daniel Sichel
