IBM Security QRadar


Qradar QVM

  • 1.  Qradar QVM

    Posted Tue June 30, 2020 10:02 AM
    Hi All, 

    I would like to know how I can do vulnerability scanning on AWS instances from our existing on-prem QRadar (All-in-One VM appliance) infra.

    If that is not possible, what could be a better alternative solution?

    Thanks and Regards

    Jojo

    ------------------------------
    Jojo Abraham
    ------------------------------


  • 2.  RE: Qradar QVM

    Posted Wed July 01, 2020 10:05 AM
    QRadar QVM allows for internal scans (you do that with the QVM tool) and external scans (that you schedule). I am not sure whether you need AWS to OK an internal scan or not (it might be detected as a potential threat). My recommendation would be to do an external or discovery scan. Is your deployment of QRadar an All-in-One instance or Distributed?

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 3.  RE: Qradar QVM

    Posted Wed July 01, 2020 12:53 PM
    Hi Richard

    Yes, my deployment is an All-in-One console and it is on premise. Our requirement is to have a periodic "Internal" vulnerability scan on different VPC instances.

    What is the feasible solution?


    Thanks and Regards

    Jojo Abraham




  • 4.  RE: Qradar QVM

    Posted Wed July 01, 2020 01:10 PM
    Have you considered bringing in the VPC Flow Logs and correlating them as Flows vs Syslog? This provides great visibility vs syslog. Otherwise I believe you might need to deploy as distributed; let me check.

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 5.  RE: Qradar QVM

    Posted Wed July 01, 2020 03:38 PM
    Spin up a QVM image in the subnet. You probably have to open some backend ports for reporting back.

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 6.  RE: Qradar QVM

    Posted Thu July 02, 2020 02:05 AM
    OK, that means perhaps we require managed hosts as scanners on each subnet, right?




  • 7.  RE: Qradar QVM

    Posted Thu July 02, 2020 09:22 AM
    That would be a fair assumption.

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 8.  RE: Qradar QVM

    Posted Thu July 02, 2020 10:04 AM
    Hi,
    I would like to suggest AWS GuardDuty to you; it is good to have.

    GuardDuty is an intelligent threat detection service. It analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).

    We are using it on a daily basis and we are getting notifications in real time. Hope this can help you.

    Regards

    ------------------------------
    Joaquin Martinez Hernandez
    ------------------------------



  • 9.  RE: Qradar QVM

    Posted Fri July 03, 2020 06:47 AM
    Can you please help me understand which ports need to be open for scanner and Console communication?

    Please be informed that we are using the QRadar infra only for vulnerability scanning purposes.

    Thanks in advance

    Jojo Abraham




  • 10.  RE: Qradar QVM

    Posted Mon July 06, 2020 07:23 AM

    If I understood correctly, you were looking for the requirements for communication between All-in-One/Console and QVM scanner instances? If so, this QRadar Port Usage article on Knowledge Center might help.
    If you were referring to what you need to open for the scan to be "usable", then it would depend on the type of scan you had in mind, compliance requirements, etc. In general (from the compliance perspective) I would usually expect the scanner's IP address to be whitelisted during internal scans (so that no obstacles create a false result, and the scan does not trigger or overload the protection and monitoring systems implemented in between).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 11.  RE: Qradar QVM

    Posted Wed July 01, 2020 03:40 PM
    Find out what the scan requirements are. What are the guest OSes? Have you spoken with Tech Support?

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------