Harvard-ITSecurity / qradar-seculert-push

What is it?

A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, on which you can then build Rules. The beauty of this is that it shows, more generally, how to push any custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks; if it’s CSV, importing it should be an absolute breeze.

How does it work?

You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” API key, which you can get from your Seculert account (fantastic service, http://seculert.com), but again, the input can easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands, tagged with the “Network” ID (in this case ‘SECULERT’) and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, prune out the old SECULERT entries, and merge in the new list you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real QRadar magic).

Read more and get the script on GitHub.
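The convert/prune/merge steps described above, as an added example in Python rather than the Perl of the actual script (this is not the project's code). The CSV column names, the feed contents and the existing remotenet.conf contents are constructed here, and the line layout “network id, sub-id, CIDR, whitespace separated” is an assumption about remotenet.conf; check the file on your own console before relying on it. Uploading the result and triggering the deploy are left to the script. Entries that do not parse as an IP or CIDR are dropped, so a malformed or hostile feed line cannot end up as arbitrary text in the config.

```python
import csv
import io
import ipaddress

NETWORK_ID = "SECULERT"

# Constructed stand-ins for the two Seculert CSV feeds (the real column
# layout is not shown on the page; the "ip" column name is an assumption).
CRIME_SERVERS_CSV = """ip,first_seen,malware
203.0.113.10,2013-01-02,ZeuS
198.51.100.0/24,2013-01-03,SpyEye
not-an-ip,2013-01-04,Junk
"""

TIR_CSV = """ip,first_seen,malware
192.0.2.77,2013-01-05,Citadel
203.0.113.10,2013-01-06,ZeuS
"""

# Constructed stand-in for the remotenet.conf pulled from the console.
# Assumed layout per line: "<network id>\t<sub id>\t<cidr>".
EXISTING_CONF = """BOT\tBotnet\t192.0.2.0/24
SECULERT\tCS\t203.0.113.99/32
SECULERT\tTIR\t192.0.2.5/32
"""


def feed_to_networks(csv_text, sub_id):
    """Convert one CSV feed into remotenet.conf lines tagged NETWORK_ID/sub_id.

    Anything that is not a valid IP or CIDR is skipped rather than written,
    so the feed cannot inject arbitrary content into the config file.
    """
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["ip"].strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)  # host IPs become /32
        except ValueError:
            continue
        lines.append(f"{NETWORK_ID}\t{sub_id}\t{net.with_prefixlen}")
    return lines


def prune_old(existing_text):
    """Keep every existing line except those previously tagged with NETWORK_ID."""
    kept = []
    for line in existing_text.splitlines():
        fields = line.split()
        if fields and fields[0] == NETWORK_ID:
            continue
        kept.append(line)
    return kept


def merge(existing_text, feeds):
    """feeds: list of (sub_id, csv_text). Returns the new remotenet.conf text."""
    out = prune_old(existing_text)
    seen = set(out)
    for sub_id, csv_text in feeds:
        for line in feed_to_networks(csv_text, sub_id):
            if line not in seen:  # no duplicate lines within one sub-id
                seen.add(line)
                out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(merge(EXISTING_CONF, [("CS", CRIME_SERVERS_CSV), ("TIR", TIR_CSV)]), end="")
```

The same IP showing up under both ‘CS’ and ‘TIR’ is kept twice on purpose: the Sub-ID is part of what a rule matches on, so each feed keeps its own tag.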


New features in QRadar 7.1

Stolen from the QRadar 7.1 Release notes:

  • Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
    • For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
    • For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.

      If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.

  • New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
  • New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
  • New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
  • New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance.

    Using Store and Forward, accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
  • Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.

QRadar and QRM 7.1 are Generally Available!

The QRadar Product Management team is very glad to announce the General Availability (GA) of QRadar SIEM and Risk Manager Version 7.1.  Another major milestone of the QRadar product, QRadar 7.1 delivers several new key features to meet the needs of our current and future customers, a new appliance and new tools to provide more flexibility in deploying the QRadar solution, and great usability features to increase the visibility to more security intelligence data, as well as the ability to better optimize and tune QRadar.

The new features of QRadar SIEM 7.1 consist of:

  • Index Management:  More refined control over the creation of indexes used for searches and exposure of field and index usage statistics, enabling more efficient storage utilization and performance optimization.
  • Store and Forward: Capability of collecting and storing events by a new appliance, Event Collector (EC), in a remote location and forwarding events to an upstream Event Processor for analysis based on a pre-determined policy,  allowing effective log collection at remote network locations with unreliable network connections or bandwidth constraints.
  • Import/Export of Security Contents: Ability to export security and configuration content on a QRadar system to an external, portable format which then can be imported into another QRadar system, with a command line interface, enabling quick deployment of a new QRadar system or sharing of security contents across systems.
  • Vulnerability Details Screen – Enhanced GUI screens to display detailed vulnerability data imported from third party vulnerability scanner products, allowing customers to fully explore the nature and relevance of vulnerabilities on the hosts involved in QRadar detected incidents and offenses.
  • WinCollect: Complete centralized control of local and remote Windows event collection, with bulk adding of servers, per server troubleshooting, automated deployment and update of policy and agent itself.  Also includes tuning for different environments and support for latest capabilities like XPath queries.

The new features of QRM 7.1 consist of:

  • P2P Networks: Support for point-to-point networks, such as VPNs and serial links. This allows customers to add these links to their QRM network topology.
  • Firewall Rule Reporting: Perform comprehensive reporting on firewall rules, including shadowed, most used and least used rule reports. Reports can be generated across multiple firewalls and are fully integrated into the QRadar reporting engine.
  • Enhanced Policy Monitoring:  Monitor policy question passes and failures, typically required for compliance reporting. Customers can now generate reports that show that network policies have been in compliance over a given period of time, in addition to those which were not compliant.

QRadar HowTo: Adjust Severity from Payload

The way that QRadar assigns severity is based on the QID: each event with a specific event name is mapped to a specific QID, which carries a specific severity. This is a very good model for many scenarios. However, there are other situations that require parsing the severity out of the event payload and overriding the severity set by the QID. For example, you may get a generic QID like “Threat Detected”. Every such event comes in at a high severity, which throws off several out-of-the-box rules and makes your magnitude score less useful.

Changing this takes several steps. First you must create a Custom Extracted Property to pull out the new severity. Be sure to check the box for “Optimize for rules and reports”. I’ll use Snort and Palo Alto as examples. I created a new property called “Event Severity” and used this regex for Snort:

\[Priority:\s+(\d+)

Here’s one for Palo Alto:

\(\d+\),.*?,(\w+)

Snort uses a number from 1 to 5 and Palo Alto has 5 different text strings (low, medium, high, etc.). The next step is to create five rules for each log source type. Here’s an example of the Snort rule:

Apply Snort Severity Adjustment – 1 on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches Priority is 1

Or Palo Alto:

Apply PASeries Severity Adjustment – Low on events which are detected by the Local system
and when the event(s) were detected by one or more of Palo Alto PA Series
and when the event matches PA Severity is low

The rule response for these rules is to set the Severity to the appropriate number and annotate the event. Both of these examples have 5 levels of severity, so I used 2, 4, 6, 8, and 10 in QRadar. Create all five rules and you are set!

Now you should get better magnitude scores and fewer false positives from rules like “Exploit: Exploits Events with High Magnitude Become Offenses”.
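To check the two regexes before building the ten rules, here is an added Python example (not from the post) that runs them over constructed Snort and Palo Alto payloads and applies the same “override the QID severity” logic the rules implement. The log lines are constructed, and the mapping of the five Snort priorities and the five Palo Alto severity names onto 2/4/6/8/10 is an assumption (Snort priority 1 is its most severe, so it maps to 10; the Palo Alto names are ordered from informational up to critical).

```python
import re

# The two regexes from the post, unchanged.
SNORT_SEVERITY_RE = re.compile(r"\[Priority:\s+(\d+)")
PA_SEVERITY_RE = re.compile(r"\(\d+\),.*?,(\w+)")

# Assumed mapping onto the 2/4/6/8/10 scale used in the post's rule responses.
SNORT_TO_QRADAR = {"1": 10, "2": 8, "3": 6, "4": 4, "5": 2}
PA_TO_QRADAR = {"informational": 2, "low": 4, "medium": 6, "high": 8, "critical": 10}

EXTRACTORS = {
    "snort": (SNORT_SEVERITY_RE, SNORT_TO_QRADAR),
    "paloalto": (PA_SEVERITY_RE, PA_TO_QRADAR),
}

# Constructed sample payloads (not captured from a real sensor).
SNORT_LINE = (
    "snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "198.51.100.7:80 -> 192.0.2.15:51234"
)
PA_LINE = (
    "1,2013/01/10 12:00:00,001606000000,THREAT,vulnerability,1,"
    "2013/01/10 12:00:00,192.0.2.15,198.51.100.7,0.0.0.0,0.0.0.0,"
    "trust-to-untrust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,"
    "ethernet1/1,forward-all,2013/01/10 12:00:00,12345,1,51234,80,0,0,0x0,"
    "tcp,alert,,Generic Web Exploit(31678),any,high,client-to-server"
)


def extract_property(log_source_type, payload):
    """Return the value the 'Event Severity' custom property would capture,
    or None when the regex does not match (just as the property would be empty)."""
    entry = EXTRACTORS.get(log_source_type)
    if entry is None:
        return None
    regex, _ = entry
    match = regex.search(payload)
    return match.group(1).lower() if match else None


def adjust_severity(log_source_type, payload, qid_severity):
    """Mimic the five-rule set: when the captured value is a known level,
    return the adjusted severity; otherwise keep the QID-assigned severity.

    Keeping the QID severity on a miss matters: an event whose payload does
    not carry a priority must not silently drop to the lowest level."""
    value = extract_property(log_source_type, payload)
    if value is None:
        return qid_severity
    _, table = EXTRACTORS[log_source_type]
    return table.get(value, qid_severity)


if __name__ == "__main__":
    for source, line in (("snort", SNORT_LINE), ("paloalto", PA_LINE)):
        print(source, extract_property(source, line), adjust_severity(source, line, 9))
```

Note that the Palo Alto regex relies on the threat ID in parentheses being the first “(digits),” in the payload; if your log format carries other parenthesised numbers earlier in the line, test the property against real events from the Log Activity tab before enabling the rules.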

TSIEM to QRadar Transition Guide, finally published!

This publication took longer to get through the gears of IBM, but it’s now publicly available. Don’t forget, this guide covers transitioning from IBM Tivoli Compliance Insight Manager (TCIM) as well.

Click here to download the IBM Tivoli Security Information and Event Manager to IBM QRadar Transition Guide.

Abstract:

IBM Tivoli Security Information and Event Manager (TSIEM) was developed as a compliance management monitoring and reporting product for various operating systems, applications and devices. IBM acquired Q1 Labs in 2011 with its industry-leading security intelligence platform QRadar, providing a security solution that can be used across the entire network.

Anyone who is planning a transition of TSIEM to QRadar should read this document first to determine what steps should be considered to create a transition plan. This document provides a high level description of the steps rather than the detailed technical description of how to perform the actual transition. Tooling is not part of this document although the description may help in designing such tooling. IBM Services or any other IBM Business Partner can help produce the appropriate toolbox to automate the transition. The customer should be prepared to keep their TSIEM installation to support historical reporting or log archive management to meet their compliance or audit requirements. This transition document therefore should only address the replacement of TSIEM by QRadar within the context of regulatory compliance.

This document will provide a basic overview of TSIEM to QRadar data migration capabilities and options, as well as data storage principles.

Transitioning from TSIEM to QRadar – Terminology

The transition guide from IBM Tivoli Security Information and Event Manager (TSIEM) to IBM QRadar is essentially complete. I still have to get it formatted to the standard template, though. We are also figuring out internally where to post it officially, but once I fix the formatting, it will be available here.

Until then, you can whet your appetite with this terminology chart.

TSIEM | QRadar
----- | ------
Agent | Adaptive Log Exporter, Event Processor
Agent group | Log Source Group
Alerts | Rule Response
Archiving | Data Backup & Restore
Audited machine | Asset and/or Log Source
Backup & Restore | Backup & Restore
Chunk | No equivalent – data is stored together in Ariel
Compliance Dashboard | Dashboard
Compliance Management Module | No equivalent – all reports are included in QRadar
Consolidation component | Magistrate
Credential Store | Credentials are stored in Postgres
Depot | Ariel
Distribution | Email distribution is configured within the report definition
Enterprise Server | 31xx console in a distributed deployment
Event Source | Log Source
Forensics component | Payload search (with optional indexing)
Group Definitions | Building Block
GSL Parser | Universal Device Support Module (uDSM) XML file
GML Mapper | Map Event – available in the GUI
Launchpad (Tivoli Integrated Portal) | Console GUI
Log Continuity Report | No equivalent due to use of syslog for most log sources
Log History Report | QRadar report called “Errors and Failures”
Log Manager Dashboard | Log Sources in the Admin tab
Log Management Activity Report | QRadar report: (Daily, Weekly, or Monthly) Log/Event Distribution by Category
Log Management component | QRadar Log Manager
Log Management Depot Investigation Tool | Payload search (with optional indexing)
Log Management Retrieval Tool | “Raw Log” view in Log Activity
Normalization component | Built-in to QRadar, required part of the event processor
Policy | Building Block
Policy Explorer/Editor | Rules/Building Blocks Editor
Policy Generator | QRadar Tuning Guide
Regulations | Contained within QRadar reports
Reporting Database | No equivalent – QRadar is real-time, with all data going into the same Ariel datastore
Security Information Management (SIM) component | Security Information and Event Management (SIEM) component
Security Group | All QRadar deployments use one User store, the console appliance, unless external authentication is configured
Scoping | User Role (scope by network hierarchy) and User Account (scope by Log Sources)
Significance | Magnitude
Special Attention Rule | Building Block or Rule
Standard Server | All-in-one Console
Trending | Time Series
User Information Source | Reference Set
User Roles | User Roles
W7 | No equivalent term, but QRadar has a standard normalization scheme as well

TSOM, TSIEM, and QRadar at IBM Pulse

IBM Pulse has begun in Las Vegas! Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10–11am in Expo Theater 1. I will have copies of the pre-release version of the “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper. I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.