IBM Security QRadar

  • 1.  Reference set auto update

    Posted Mon February 15, 2021 06:29 PM
    Hi Everyone,

    I want to auto-update a reference set which contains an IP list I want to monitor. Does anyone have any documentation on how to do this?

    Thank you for your help

    Regards

    ------------------------------
    Linsong Guo
    ------------------------------


  • 2.  RE: Reference set auto update

    IBM Champion
    Posted Tue February 16, 2021 09:55 AM
    Linsong,
    you are probably aware of how to update your custom reference data using the rule wizard.

    My guess is what you are really looking for is an external data feed, e.g. STIX or TAXII.
    Please refer to https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=c7636b7d-b44a-4594-ad7a-07f746dffc67&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer#bmc7636b7d-b44a-4594-ad7a-07f746dffc67
    BR
    Ka

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Reference set auto update

    Posted Fri February 19, 2021 12:18 AM
    Hi Ka

    I am looking for monitoring TOR exit node IPs, which means the reference set will contain a list of TOR exit node IPs.

    I am thinking about curling the list from the TOR website and getting it imported into the reference set, but I am not sure how to get the data into QRadar.

    Cheers

    L





  • 4.  RE: Reference set auto update

    IBM Champion
    Posted Fri February 19, 2021 06:55 AM
    Linsong,
    Understood. Good idea to integrate TOR IPs.
    Basically QRadar supports two methods.
    One is the ReferenceDataUtil.sh CLI tool you can use to update your refdata. The Learning Academy has 3 courses available covering refsets.

    The other method is the REST API, where you have many commands available to enhance your ref data.
    If you want to create your TOR list, you call
    curl -s -X POST -u admin -H 'Version: 12.0' -H 'Accept: application/json' 'https://192.168.1.80/api/reference_data/sets?element_type=ALN&name=TOR%20black%20list'
    Afterwards you can bulk load or individually load IPs into it.
    BR Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Reference set auto update

    Posted Wed February 24, 2021 07:11 AM
    We're using referencedatautil.sh to load a reference set with a list of URLs from a phish feed. I wonder what the best way is to fire an event whenever a new entry has been added to the reference set?

    I looked in SIM-Audit2 but I can't find any system events related to the load. What is the best way to do it? Is there a way to invoke a rule from the CLI?

    ------------------------------
    Paulo Pires
    Security Analyst
    CGD
    ------------------------------



  • 6.  RE: Reference set auto update

    Posted Wed February 24, 2021 01:44 PM
    Paulo,
    If you make use of the API command given above, you can ask for new entries in your ref data from the CLI and check the number of entries using wc -l versus your stored value. The script can be executed via scheduling using crontab.
    You can trigger rules based on a QID you write to SIM Audit using the logger command if you like, or run logrun.pl in order to kick off the event that triggers your rule. My solution would just use the ref set and compare it to existing IPs in your environment. Knowing about the new entries is kind of weak information, from my understanding. However, I am sure you know why 😊
    BR Karl

    ------------------------------
    Karl-Heinz Jaeger
    senior consultant
    pro4bizz GmbH
    Karlsruhe
    +4972190981722
    ------------------------------
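The create-then-bulk-load approach from reply 4 and the "wc -l versus your stored value" check from reply 6, combined into one cron-able script. This is an added example, not code from the thread or from IBM; it assumes the feed serves one IPv4 per line, that QRADAR_HOST and QRADAR_TOKEN (an authorized-service token) are set by the operator, and that the set name contains no spaces.

```shell
#!/bin/sh
# Added example: load a Tor exit-node list into a QRadar reference set via the REST API
# and report how far the entry count moved since the last run.
set -eu

TOR_FEED="${TOR_FEED:-https://check.torproject.org/torbulkexitlist}"  # assumed: one IPv4 per line
REFSET="${REFSET:-TOR_exit_nodes}"                                    # hypothetical set name
STATE_FILE="${STATE_FILE:-/var/tmp/${REFSET}.count}"

# Keep only well-formed, unique IPv4 addresses so a malformed feed line cannot poison the set.
clean_ip_list() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' |
    sort -u
}

# One IP per line in, the JSON array body that POST /api/reference_data/sets/bulk_load/{name} expects out.
to_json_array() {
  awk 'BEGIN { printf "[" } { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 } END { printf "]\n" }'
}

# Count delta against the previous run (the thread's wc -l check); additions and removals can cancel out.
new_entry_delta() {
  current="$1"; state="$2"; previous=0
  if [ -f "$state" ]; then previous=$(cat "$state"); fi
  echo "$current" > "$state"
  echo $((current - previous))
}

qradar_api() {   # usage: qradar_api METHOD PATH [extra curl args]
  method="$1"; path="$2"; shift 2
  curl -s -f -X "$method" -H 'Version: 12.0' -H 'Accept: application/json' \
    -H "SEC: $QRADAR_TOKEN" "$@" "https://$QRADAR_HOST/api/$path"
}

sync_tor_refset() {
  ips=$(curl -s -f "$TOR_FEED" | clean_ip_list)
  [ -n "$ips" ] || { echo "feed returned no usable addresses, not touching the set" >&2; exit 1; }
  total=$(printf '%s\n' "$ips" | wc -l | tr -d ' ')
  # Create the set once (element_type=IP so QRadar treats values as addresses); ignore "already exists".
  qradar_api POST "reference_data/sets?element_type=IP&name=$REFSET" > /dev/null || true
  printf '%s\n' "$ips" | to_json_array |
    qradar_api POST "reference_data/sets/bulk_load/$REFSET" -H 'Content-Type: application/json' -d @- > /dev/null
  echo "loaded $total entries, delta $(new_entry_delta "$total" "$STATE_FILE") since last run"
}

# Run with --sync from crontab; without the flag only the functions are defined.
if [ "${1:-}" = "--sync" ]; then sync_tor_refset; fi
```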