QRadar assigns severity based on the QID: each event name is mapped to a specific QID, and that QID carries a fixed severity. This model works well in many scenarios, but in others the severity has to be parsed out of the event itself and used to override the QID-assigned value. For example, you may get a generic QID like “Threat Detected” for everything a log source reports. All of those events then come in at a high severity, which throws off several out-of-the-box rules and makes your magnitude score less useful.
Changing this takes several steps. First, create a Custom Extracted Property to pull the new severity out of the event payload. Be sure to check the box for “Optimize for rules and reports”. I’ll use Snort and Palo Alto as examples. I created a new property called “Event Severity” and used this regex:
Here’s one for Palo Alto:
Snort uses a number from 1 to 5, and Palo Alto uses 5 different text strings (low, medium, high, etc.). The next step is to create five rules for each log source type, one per severity level. Here’s an example of the Snort rule.
Apply Snort Severity Adjustment – 1 on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches Priority is 1
Or Palo Alto:
Apply PASeries Severity Adjustment – Low on events which are detected by the Local system
and when the event(s) were detected by one or more of Palo Alto PA Series
and when the event matches PA Severity is low
The rule response for each of these rules is to set the Severity to the appropriate number and annotate the event. Both of these examples have 5 levels of severity, so I used 2, 4, 6, 8, and 10 in QRadar. Create all five rules for each log source and you are set!
Now you should get better magnitude scores and fewer false positives from rules like “Exploit: Exploits Events with High Magnitude Become Offenses”.
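As an added illustration, not from the article and not QRadar’s own code, here is a Python sketch of what the custom property plus the five rules per log source do end to end: extract the severity from the payload, map it onto the 2/4/6/8/10 scale, and override the QID default while annotating the event. Everything specific here is an assumption for the example: the regexes (the article’s own regexes are not reproduced), the constructed Snort and Palo Alto sample lines, the direction of the mapping (Snort priority 1 taken as most severe; the five Palo Alto strings taken as informational through critical, mapped to 2 through 10) and the event dictionary layout. In QRadar itself this logic lives in the rule engine, not in code you write.

```python
import re

# Assumed regexes for this example (the article's own regexes are not
# reproduced here): one for the Snort "fast" alert format, one for a
# simplified Palo Alto THREAT syslog line in which severity is a CSV field.
SNORT_PRIORITY_RE = re.compile(r"\[Priority:\s*(\d)\]")
PA_SEVERITY_RE = re.compile(r",(informational|low|medium|high|critical),", re.IGNORECASE)

# The article's five-step scale (2, 4, 6, 8, 10). The direction of the
# mapping is an assumption: Snort priority 1 is its most severe level, and
# the five Palo Alto strings are assumed to be informational..critical.
SNORT_PRIORITY_TO_SEVERITY = {1: 10, 2: 8, 3: 6, 4: 4, 5: 2}
PA_SEVERITY_TO_SEVERITY = {
    "informational": 2, "low": 4, "medium": 6, "high": 8, "critical": 10,
}


def extract_severity(log_source_type, payload):
    """Stand-in for the "Event Severity" custom property plus the per-level
    rule tests. Returns the override severity (2..10), or None when the
    payload carries no parsable severity, in which case the QID default stands."""
    if log_source_type == "Snort Open Source IDS":
        m = SNORT_PRIORITY_RE.search(payload)
        if m:
            return SNORT_PRIORITY_TO_SEVERITY.get(int(m.group(1)))
    elif log_source_type == "Palo Alto PA Series":
        m = PA_SEVERITY_RE.search(payload)
        if m:
            return PA_SEVERITY_TO_SEVERITY.get(m.group(1).lower())
    return None


def apply_severity_adjustment(event):
    """Stand-in for the rule response: set Severity and annotate the event.
    Events without a parsable severity are returned unchanged."""
    new_severity = extract_severity(event["log_source_type"], event["payload"])
    if new_severity is None:
        return event
    adjusted = dict(event)
    adjusted["severity"] = new_severity
    adjusted["annotations"] = event.get("annotations", []) + [
        f"Severity adjusted from {event['severity']} to {new_severity}"
    ]
    return adjusted


def adjust_all(events):
    """Run the adjustment over a batch of events and return the results."""
    return [apply_severity_adjustment(e) for e in events]


# Constructed sample events. "severity" is the QID-assigned default; a
# generic QID such as "Threat Detected" hands every event the same high value.
SAMPLE_EVENTS = [
    {
        "log_source_type": "Snort Open Source IDS",
        "severity": 8,
        "payload": "[**] [1:1000001:1] CONSTRUCTED test signature [**] "
                   "[Classification: Potentially Bad Traffic] [Priority: 3] "
                   "{TCP} 192.0.2.10:51234 -> 192.0.2.20:80",
    },
    {
        "log_source_type": "Palo Alto PA Series",
        "severity": 8,
        "payload": "1,2024/01/01 10:00:00,0000000000001,THREAT,vulnerability,"
                   "192.0.2.10,192.0.2.20,trust,untrust,rule1,low,alert",
    },
    {
        "log_source_type": "Palo Alto PA Series",
        "severity": 8,
        "payload": "1,2024/01/01 10:00:05,0000000000001,THREAT,spyware,"
                   "192.0.2.30,192.0.2.20,trust,untrust,rule1,critical,drop",
    },
    {   # no severity in the payload: the QID default must survive
        "log_source_type": "Snort Open Source IDS",
        "severity": 8,
        "payload": "[**] [1:1000002:1] CONSTRUCTED signature without priority [**]",
    },
]


if __name__ == "__main__":
    for e in adjust_all(SAMPLE_EVENTS):
        print(e["log_source_type"], e["severity"], e.get("annotations", []))
```

The fourth sample event is the check worth keeping in mind when you build the real rules: an event whose payload has no severity must not match any of the five rules, so the QID-assigned severity is left in place rather than being zeroed out by a rule that matched nothing.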
I posted an article a few months ago, One day in Taipei. I pride myself on being able to hit a major city and quickly get all the “must-do’s” out of the way. I usually do lots of walking, trying to get a sense of the city beyond its touristy areas. Like my day in Taipei, there is usually some improvising, but normally it goes well. This time in Tokyo was different.
See, I am working again in Taipei, but managed to get a 24-hour layover in Japan on my way to Taiwan. I was very excited, since I have never visited Japan. I arrived late Saturday night, where I made my first and biggest mistake. If you get anything from this article, please remember to get cash at the airport when travelling internationally. Especially if you plan on visiting Tokyo on the weekend. Read the full story below to understand why.
I did some planning before my trip, but got everything lined up at the hotel Saturday night. Here was my rough itinerary:
Sushi Dai for breakfast in the Tsukiji Fish Market. I looked up the websites and found out that while the fish market would not be selling anything, Sushi Dai opened at 5 am.
Ryogoku Kokugikan for watching a real Sumo Tournament. Luckily, there was one going on this weekend.
I had noted down a few more maybes, if there was time, like Shinjuku Gyoen National Garden and Tokyo City View. I started the day at 5 am, hoping to beat some crowds at Sushi Dai. Unfortunately, the recent 13-hour time change did not treat me so well, and I slept horribly. When I first woke up, I felt like I was 6, and it was the night before going to Disney. I sat up in bed thinking “Let’s do this!” — only to look at the clock and realize I had only slept 2 hours. I napped on and off, took an emergency call from my wife (it was only lost keys – no one went to the hospital), and finally rolled out of bed at 5.
There were not any easy subway trains from my hotel to the fish market, so I decided to do the 25-minute walk. As I left the hotel, I asked if they had an ATM. They did not, but pointed me toward a bank. It was the wrong direction, so I decided to hit one on my way down. I found plenty of ATMs at convenience stores, but they only took Japanese cards. I finally found a bank, but the ATM vestibule didn’t open until 8 am! Why?! Thinking this was a minor fail, I kept walking to the Fish Market.
A side note here. September in Tokyo is HOT. Humidity just like Atlanta in August and highs in the 90s. It wasn’t too bad at 5:30 am, but by 7, I was sweating like a hog.
Okay, I got there, and it seemed very quiet. I asked for directions to Sushi Dai and headed on in to the restaurant section of the Fish Market. Everything was closed, including Sushi Dai! I couldn’t believe it. After wandering around to make sure there was nothing open, I sighed and headed to the closest subway station to reach the next waypoint, the Sumo Tournament. That’s when I found out that the subway ticket machines didn’t take any of my American credit cards. The ticket counter wasn’t open yet (it wouldn’t open until 10).
Hot and hungry, I looked at the map and found a cluster of restaurants on another side of the Fish Market in the Tsukiji neighbourhood. I walked over there, trying every ATM and bank I could find (with no luck). Once there, none of the small, locally-owned sushi places took credit cards. I finally found a convenience store that took my Visa. I got a big water, some gum, and the best thing ever to cure my hot and hungry: ice cream in a squeezable pouch. Just like the applesauce pouches in the States. It was glorious.
I started walking back into downtown desperately seeking a functional ATM, but decided to bite the bullet and just take a cab to the Sumo Tournament. It was so nice to be seated in an air-conditioned car. I get to the Ryogoku Kokugikan arena about 7:30 AM, and there is already a decent line. I get lined up and asked if the arena took credit cards. They said, only for reserved seating. General admission, at ¥2,100 ($27), was cash only, but there was reserved seating for ¥3,600 ($46), ¥5,900 ($75), and ¥8,500 ($108). I thought about it and decided that it’s inside, it’s something uniquely Japanese, and I really want to sit down for a while. They opened the gates at 8 AM and started drumming from the tower pictured to the left. I finally get up to the front to buy my ticket, and I am told the $46 tickets were sold out. I was not about to pay $75 for a tournament that I wasn’t even going to stick around for. I just wanted to see a couple of matches, take some pictures, and move on. After all, I only had one day!
Extremely discouraged, I head toward Akihabara Electric City. It’s only two metro stops away. Still having no cash, I walked to it. It seemed a lot closer on Google Maps, but it was a long 1.5 miles away. I finally get there around 9 am, and everything is closed. Some stores open at 9:30, while most opened at 10. I went on a hunt for an ATM. I found one attached to a bank. It had the Visa and AmEx logos on the door, and it was open! I breathed a sigh of relief as I head into the vestibule. Then I discovered the ATM didn’t have an “English” button! I continued to walk around, but all the ATMs attached to banks were the same type. Why the hell did the ATMs in the convenience stores — the ones that don’t take anything but Japanese cards — have an English button, but these didn’t!?!? I sat in a coffee shop (that didn’t take credit either), nursed my water, and let my legs rest while I waited for the Electric City to come alive.
I finally had travel success. The stores were insane, as were the arcades. The card games over here are very popular, and they have RFID so you can play them in the arcade. They have fantasy games, sports games, and of course Pokémon. There was a huge row of 3-6 year olds lined up with their Pokémon cards and mothers in tow. I was surprised to not see any Yu-Gi-Oh, but I did see Dragon Ball-Z. Gundam is still very popular (it was my gateway animé as a kid). They have arcade games where you place your Gundam figurine and (probably with RFID, too) it detects it, allowing you to play your own Gundam in the game. There were WOW-like multi-player arcade games with controllers plus touch screen. Very cool to watch the experts play. They had a lot of dancing games with Kinect-like technology, but the rage right now is Project DIVA, an arcade and Playstation game. This game had a queue in every arcade only 30 minutes after the arcades opened up. I also strolled through some weird gadget shops, Manga stores, and a few computer stores.
Energized after finally having some enjoyable travel experiences, I head to the Akihabara train station to try yet again to find a cash machine, then I saw it: a Travelex! I hustle over, brimming with the thoughts of having some Yen in my pocket, only to have my hopes crushed yet again. The Travelex stores in Tokyo are only open Monday-Friday. Apparently, people don’t need to exchange money on the weekend in Japan. All was not lost, however. It was well into the day, and the train ticket office was open. ¥160 charged to the credit card got me to Meiji Shrine.
What a change of scenery! I was not expecting such a thick forest in the heart of Tokyo. It was full of birds and insects, singing and buzzing. Only a few minutes down the path to the shrine, and I couldn’t hear the city noise any more. The shrine itself was relaxing and beautiful, which is why it is favoured for weddings. While I sat, relaxed, and let my feet rest, I watched three wedding parties parade by. I enjoyed the peacefulness before moving on to Yoyogi Park, right next door.
This was a different kind of relaxation: watching families have fun. There is nothing that soothes the soul better than the sounds of children laughing and playing. I longed to be with my family. There was a multitude of street performers from drummers to artists to, um, this guy pictured to the left. I felt like I was back home watching crazy Japanese game shows on YouTube, but in real life. It was time for a bit more ice cream (yay, convenience stores that take credit) before heading to the busiest pedestrian crossing in the world. I happened upon a Vietnamese Festival with wonderful smelling food vendors. Still having no cash, I kept an eye out for sushi and told my stomach to hush.
As I got closer to the Shibuya Crossing, the stores started getting trendier and more familiar. This was a pretty nice area of town. According to the Internets, the best view of the crossing was on the second floor of a Starbucks. I passed three (!) Starbucks before finding the right one. Got there just in time for it to start raining. I literally laughed out loud at my travel misfortune and watched everyone take cover and NOT cross the damn street. I decided to wait it out, much to the chagrin of the paying customers with their Apple products. I played on my nearly-dead Android and finally took this video. After I hit stop, the phone shut itself down. Luckily I had already looked up my belated lunch stop on Trip Advisor – Umegaoka Sushi No Midori. It was very good.
With a dead phone, sore and tired feet, and still plenty of time to get my plane, I decided enough was enough and went to Tokyo station to ride the Narita Express to the airport. The guy at the ticket booth was very nice and gave me directions to platform 4. Bags in hand, I go upstairs to the platform, wondering why there were just stairs and no escalator. I drag my luggage up the stairs, and after a few minutes of looking around, I realized that I do not see the words “Narita Express” or any airplane logos around. The train arrives and it is a normal subway train. I head back down stairs, find a security guard, find another one that can speak English, and find out that I need to be at the underground platform number 4. I look at my ticket and realize that this train left in one minute! I grab all my bags and start down three separate escalators to reach the platform. Quick, car number 10 – hurry, the conductor is yelling something! I dive in just as the door closed!! I made it!
Only I didn’t. This wasn’t the Narita Express. This was a normal JR train. And look, it’s an “express”, just not the one I needed. Again, I laughed out loud and sat down. I watched five stations fly by until I could get off and head back to Tokyo Station. Fifteen minutes go by and I was on my way back to Tokyo Station. When I got back, I would have to go up three sets of escalators, exit the station, and go back to the ticket booth. All seats on the real Narita Express are reserved. I would have to buy another seat on the next train.
When I got back to Tokyo Station, I had realized my mistake with platform 4. The real Narita Express had already left. I jumped on the train on Platform 3 – the wrong side. As I was figuring this out, I noticed that the next Narita Express was right there. And it was leaving in two minutes. I climbed on board, and no one was in my assigned seat. I sat down and breathed a sigh of relief as the train left the station.
Sweaty and tired, I reflected on the string of calamities this trip had been. It was tough, but I couldn’t classify it as a travel disaster. I’ve read some real horror stories online. This was a day just full of FAIL. No broken bones, no arrest warrants, just a bucket full of fail. Just know this. It will be a long time before I forget to get cash at the airport when travelling internationally.