IBM Security QRadar SOAR

  • 1.  Security Concern about Microsoft Exchange for IBM Resilient

    Posted Mon January 11, 2021 10:26 AM
    Hi Everyone,

    There is a "Microsoft Exchange for IBM Resilient" App in IBM App Exchange. May I ask if this app's functionality will reveal/return mail body or attachment to anyone who can use the exchange_find_emails function? We will worry about the exposure of mail's confidential data, for example financial report or payroll, to the improper user.

    Is there any suggestion to this kind of issue? Thank you.

    ------------------------------
    Andrew Sheng
    ------------------------------


  • 2.  RE: Security Concern about Microsoft Exchange for IBM Resilient

    Posted Tue January 12, 2021 08:59 AM
    Some of the app functions do read messages and return that data as a Function return value. A workflow could then use that data as it sees fit. Are you worried about the Resilient administrator? That person would have the username/password of the mailbox anyway, so we wouldn't be increasing information leaks there. Are you concerned about the Workflow Designer or the analyst?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Security Concern about Microsoft Exchange for IBM Resilient

    Posted Tue January 12, 2021 09:25 AM
    Hi Andrew,

    There are 2 IBM Microsoft integrations: Exchange (On-Prem) and Exchange Online (in the Cloud). The primary use case is determining if emails in an organization are phishing and deleting or quarantining emails that are flagged as "dangerous".

    I am most familiar with the Exchange Online integration as I wrote that one. The On-Prem exchange_find_emails function will return a list of emails matching the search criteria. I believe the example workflow included creates artifacts of the emails found by the function including the sender email address, the subject and the email body. You can create your own workflow that does not expose the email body.

    It is assumed that the Resilient user is a SOC analyst who already has elevated privileges in an organization.

    Let me know if you need more information!

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------
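The suggestion above, building a workflow that does not expose the email body, as an added example that is not part of the original post or of the IBM app. The shape of the search result (a list of dicts with sender, recipient, subject, body and attachments) is assumed for illustration; the real function's field names may differ. The body is reduced to a SHA-256 fingerprint and a length, which still lets an analyst match duplicate phishing messages across incidents without any message content reaching the incident.

```python
import hashlib

# Constructed sample standing in for what exchange_find_emails returns.
# The field names are an assumption for this example, not the app's schema.
SAMPLE_RESULTS = [
    {"sender": "payroll@example.com", "recipient": "ceo@example.com",
     "subject": "Q4 payroll summary",
     "body": "Salary table: ... (confidential)",
     "attachments": [{"name": "payroll_q4.xlsx", "size": 48213}]},
    {"sender": "it-alerts@example.com", "recipient": "ceo@example.com",
     "subject": "Password expiry notice",
     "body": "Click here to reset: http://phish.example/reset",
     "attachments": []},
]

# Allow-list of metadata fields that may flow into the incident.
SAFE_FIELDS = ("sender", "recipient", "subject")


def sanitize_email(email):
    """Return a copy of one search hit carrying only metadata.

    The body itself never leaves this function: only its length and a
    SHA-256 digest are kept, so duplicate messages can still be matched.
    Attachment contents are dropped; only their names are retained.
    """
    safe = {k: email[k] for k in SAFE_FIELDS if k in email}
    body = email.get("body", "")
    safe["body_sha256"] = hashlib.sha256(body.encode("utf-8")).hexdigest()
    safe["body_length"] = len(body)
    safe["attachment_names"] = [a.get("name", "") for a in email.get("attachments", [])]
    return safe


def sanitize_results(results):
    """Sanitize every hit returned by the search function."""
    return [sanitize_email(e) for e in results]


def build_artifacts(sanitized):
    """Turn sanitized hits into (artifact type, value) pairs.

    Artifact type names here are illustrative labels, not the product's
    own artifact type identifiers.
    """
    artifacts = []
    for hit in sanitized:
        artifacts.append(("Email Sender", hit["sender"]))
        artifacts.append(("Email Subject", hit["subject"]))
        for name in hit["attachment_names"]:
            artifacts.append(("Email Attachment Name", name))
    return artifacts


def leaks_body(sanitized, originals):
    """Self-check: True if any original body text appears verbatim in the output."""
    rendered = repr(sanitized)
    return any(e.get("body") and e["body"] in rendered for e in originals)


if __name__ == "__main__":
    clean = sanitize_results(SAMPLE_RESULTS)
    for artifact in build_artifacts(clean):
        print(artifact)
    print("body leaked:", leaks_body(clean, SAMPLE_RESULTS))
```

In a real workflow the sanitizing step would sit in the post-process script between the function return and artifact creation, so that the raw result is never written to a note or data table.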



  • 4.  RE: Security Concern about Microsoft Exchange for IBM Resilient

    Posted Thu January 14, 2021 11:34 AM
    Edited by Andrew Sheng Thu January 14, 2021 11:37 AM
    Hi Ben and AnnMarie,

    I appreciate your prompt response to my question, and I'm sorry for responding late.
    I installed the Exchange (On-Prem) integration app. From your answer, I know that the app should be able to return the whole object of an email fitting the query criteria. And then the workflow designer can design what he/she wants to retrieve through the workflow.
    So here is my concern: what if the designer makes a workflow to get the confidential data from an email and then modify or remove the workflow?
    So far, I think it would become an issue of how to arrange the roles and permissions, and set up the regulations for those roles of higher rights in Resilient.
    Any idea?

    ------------------------------
    Andrew Sheng
    ------------------------------



  • 5.  RE: Security Concern about Microsoft Exchange for IBM Resilient

    Posted Thu January 14, 2021 04:27 PM
    what if the designer makes a workflow to get the confidential data from an email and then modify or remove the workflow?
    A Master Admin in Resilient has the privilege to do it.
    If he does it, it will be logged (Workflow creation, adjustment, Rules...).
    If he runs it, he will need an incident. The incident will show who does what, and what changes were made, and all the history of all field changes, even if he removes notes and field content.
    If he has the privilege to delete the incident - which is not recommended for production - he could delete the incident. The track will still exist in the audit part.
    In the end, my suggestion is also to treat Resilient as any security-privileged tool: forward logs to a SIEM, and create alert rules. If a user, or an admin of a system, looks for VIP private info, it should raise an alert! You could forward logs from the Integration server where those requests to Exchange are made, and where the trace exists.
    Note: if the admin can use a tool (Resilient) with the correct API key to access this information, he could also just write Python code to do the same outside of the Tool (Resilient) GUI. Log analysis on the target and who accesses those VIPs' personal info should also be logged on the target (Exchange) and raise alerts if it occurs.


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
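The alerting suggested above, forwarding Resilient and integration-server logs and raising alerts on searches against VIP mailboxes or on a workflow that is created, run and then removed, as an added example that is not part of the original post or of the IBM product. The log line format, the field names and the sample events are all constructed for this example; real QRadar SOAR audit logs and integration-server logs use their own formats, so the regexes would need adapting to those.

```python
import re
from collections import defaultdict

# Constructed sample audit lines. The format is invented for this example.
SAMPLE_LOG = """\
2021-01-14T11:30:01Z resilient.audit user=alice action=workflow.create name=phish_triage
2021-01-14T11:31:10Z resilient.audit user=alice action=function.run name=exchange_find_emails incident=1042 mailbox=cfo@example.com query="subject:payroll"
2021-01-14T11:31:40Z resilient.audit user=alice action=workflow.delete name=phish_triage
2021-01-14T11:32:05Z resilient.audit user=bob action=function.run name=exchange_find_emails incident=1043 mailbox=helpdesk@example.com query="subject:password"
2021-01-14T11:33:00Z resilient.audit user=alice action=incident.delete incident=1042
"""

# Mailboxes and search terms the organisation treats as sensitive (constructed).
VIP_MAILBOXES = {"cfo@example.com", "ceo@example.com"}
SENSITIVE_TERMS = ("payroll", "salary", "financial")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) resilient\.audit user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$"
)
# key=value pairs; a value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "user": m["user"], "action": m["action"]}
    for key, value in KV_RE.findall(m["rest"]):
        event[key] = value.strip('"')
    return event


def parse_log(text):
    """Parse every well-formed line of a log text."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def detect(events):
    """Run the alert rules over parsed events and return (ts, user, reason) tuples."""
    alerts = []
    created = defaultdict(set)  # user -> names of workflows that user created
    for ev in events:
        action = ev["action"]
        if action == "function.run" and ev.get("name") == "exchange_find_emails":
            mailbox = ev.get("mailbox", "")
            query = ev.get("query", "")
            if mailbox in VIP_MAILBOXES:
                alerts.append((ev["ts"], ev["user"], f"VIP mailbox search: {mailbox}"))
            if any(term in query.lower() for term in SENSITIVE_TERMS):
                alerts.append((ev["ts"], ev["user"], f"sensitive search term in query: {query}"))
        elif action == "workflow.create":
            created[ev["user"]].add(ev.get("name"))
        elif action == "workflow.delete" and ev.get("name") in created[ev["user"]]:
            # Create-then-delete by the same user is the pattern asked about in the thread.
            alerts.append((ev["ts"], ev["user"], f"workflow created and deleted by same user: {ev['name']}"))
        elif action == "incident.delete":
            alerts.append((ev["ts"], ev["user"], f"incident deleted: {ev.get('incident')}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} ALERT user={user}: {reason}")
```

The same rules translate directly into SIEM correlation rules once the logs are forwarded; the point of keeping the mailbox allow-list and term list outside the workflow is that a Master Admin who edits workflows does not also control the detection.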



  • 6.  RE: Security Concern about Microsoft Exchange for IBM Resilient

    Posted Wed January 20, 2021 10:19 PM
    Hi BENOIT,

    Sorry to reply to you late. I'm grateful for your suggestions! They are useful and I think we'll have a lot of work to do. :)

    ------------------------------
    Andrew Sheng
    ------------------------------