QRadar 3.2.1
22 Jan 2023

tags: python | SIEM | Security Analytics | Automate Intelligence | Automate Containment


Description

Integration with IBM QRadar supports CDC users by providing the extraction of logs and observables from the QRadar platform. This enables CDC users to make informed decisions regarding incident response.

IBM QRadar Security Information and Event Management (SIEM) helps Security teams accurately detect and prioritize threats across the enterprise. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, QRadar correlates this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

IBM QRadar has provided CyberProof with a REST API, which is integrated with the CDC. The CDC receives new offenses as alerts from the QRadar offense service.

All the read information is passed on to the CDC in the form of an alert, with information stored as raw information and observables.

CyberProof has provided CLIs to add or update the configuration to map the CDC alert closing reason to a closed offense in QRadar. Any CDC closing reason can be mapped as a string, since the closing reason in QRadar can be kept dynamic.

Integration Type: SIEM
Information read: Logs from IBM QRadar, based on defined criteria.
API Supported: 7.4
Input: N/A
Output: Detailed logs that lead to the creation of observables in the CDC.

Customer Configuration

  1. Navigate to the 'Admin' pane -> 'Authorized Services'.
  2. Click 'Add Authorized Service'.
  3. Enter a meaningful service name, e.g., CDC_API, and set:
    User Role: Admin
    Security Profile: Admin
  4. Expiry date – Check the 'No Expiry' tab.
    Note: If an expiry date is set for this API token, document the date and create a new API token before the old one expires. Send it to a CyberProof representative prior to the old key's expiration date; otherwise the token expires and breaks the QRadar - CDC integration.
  5. Click 'Create Service'.
  6. Highlight the new Authorized Service you just created and copy the token from the top row.
  7. Share the QRadar instance URL/IP, port and API token securely with the CDC Deployment team for further configuration of the pack.

| Parameter | Required |
| --- | --- |
| Base URL / IP | True |
| Port | True |
| API Token | True |
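Before handing the token to the CDC Deployment team it is worth confirming that QRadar accepts it. The following is an added example, not code from the CyberProof pack or from IBM; it builds a request the way the QRadar REST API expects (token in the `SEC` header, API version in the `Version` header, paging via `Range`) and asks `/api/siem/offenses` for a single offense id. The host, port and token values, and the fake HTTP openers used by `run_offline_demo()`, are constructed placeholders so the check can be exercised without a QRadar instance.

```python
"""Added example (not CyberProof pack code): send the authorized-service token
to the QRadar REST API and confirm it is accepted before handing it over."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

QRADAR_API_VERSION = "7.4"  # the 'API Supported' version stated above


def build_qradar_request(base_url, port, token, path, params=None, page="items=0-49"):
    """GET request for {base_url}:{port}/api/{path}.

    The token goes in the SEC header, the API version in the Version header,
    and Range selects the page of results (QRadar's own conventions).
    """
    if not base_url.startswith(("http://", "https://")):
        base_url = "https://" + base_url  # a bare IP, as allowed by the form above
    url = f"{base_url.rstrip('/')}:{port}/api/{path.lstrip('/')}"
    if params:
        url += "?" + urlencode(params)
    req = urllib.request.Request(url, method="GET")
    req.add_header("SEC", token)
    req.add_header("Version", QRADAR_API_VERSION)
    req.add_header("Accept", "application/json")
    req.add_header("Range", page)
    return req


def check_token(base_url, port, token, opener=urllib.request.urlopen):
    """Cheap acceptance check: ask for one offense id only.

    Returns (ok, detail). HTTP 401 means QRadar rejected the SEC token;
    an expired token fails the same way, which is what breaks the integration.
    """
    req = build_qradar_request(base_url, port, token, "siem/offenses",
                               params={"fields": "id"}, page="items=0-0")
    try:
        with opener(req) as resp:
            json.loads(resp.read())  # must parse as a JSON list, possibly empty
            return True, f"HTTP {resp.status}: token accepted"
    except urllib.error.HTTPError as err:
        reason = "token rejected" if err.code == 401 else err.reason
        return False, f"HTTP {err.code}: {reason}"


# --- offline demo with constructed responses (no QRadar needed) -------------
class _FakeResponse:
    """Constructed stand-in for a successful urlopen() response."""
    status = 200

    def read(self):
        return b'[{"id": 1}]'

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _deny(req):
    """Constructed opener that behaves like QRadar rejecting the token."""
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


def run_offline_demo():
    """Exercise both outcomes against the fake openers; returns both results."""
    accepted = check_token("10.0.0.5", 443, "GOOD-TOKEN-PLACEHOLDER",
                           opener=lambda req: _FakeResponse())
    rejected = check_token("https://qradar.example.internal", 443,
                           "BAD-TOKEN-PLACEHOLDER", opener=_deny)
    return accepted, rejected


if __name__ == "__main__":
    print(run_offline_demo())
```

Swap the `opener` argument for the default `urllib.request.urlopen` (and a real host, port and token) to run the check against an actual instance; a 401 at that point means the token was copied wrongly or has already expired, which is exactly the failure the note in step 4 warns about.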

CDC Command Lines

* **add_and_replace_custom_events_fields_cli**
Replaces/adds custom events fields in Azure Blob. Custom fields take precedence over dynamic fields. Only unique custom fields are stored. A dynamic field is removed if it is added as a custom field.

CLI Example:

```
add_and_replace_custom_events_fields_cli --fields="API Path, CATEGORYNAME(category) AS 'Category name', URL"
```

Aggregate field examples (AQL functions that can be passed in `--fields`):

```
QIDDESCRIPTION(qid) as 'Event Description'
QIDNAME(qid) as 'Event Name'
ASSETPROPERTY('Location',sourceip) AS source_asset_location
ASSETPROPERTY('Location',destinationip) AS destination_asset_location
LOGSOURCENAME(logsourceid) as 'Log Source'
DOMAINNAME(domainid) AS 'Domain name'
```

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| fields | string | Custom events fields. | True |

* **clear_custom_events_fields_cli**
Clears custom events fields from Azure Blob.

Options: none (this CLI takes no arguments).

* **extend_custom_events_fields_cli**
Extends custom events fields in Azure Blob. Only unique custom fields will be stored.

CLI Example:

```
extend_custom_events_fields_cli --fields="qid,location"
```

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| fields | string | Custom events fields. | True |

* **get_custom_events_fields_cli**
Gets events fields from Azure Blob.

Options: none (this CLI takes no arguments).
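The field rules stated for `add_and_replace_custom_events_fields_cli` and `extend_custom_events_fields_cli` (custom fields win, duplicates are dropped, a dynamic field disappears once it is also custom) are easy to get wrong when the `--fields` value contains commas inside function calls such as `CATEGORYNAME(category) AS 'Category name'`. The following is an added example, not the pack's own CLI code: it parses a `--fields` string, applies those rules against a constructed list of dynamic fields, and builds the AQL `SELECT` that `execute_query` would run for an offense. It assumes that "added as a custom field" means the custom entry and the dynamic field have the same name (case-insensitive); the `DYNAMIC_FIELDS` list is constructed sample data.

```python
"""Added example (not pack code): custom vs dynamic event field semantics
for the custom events field CLIs, and the resulting AQL SELECT."""
import re

# Constructed sample: fields the update_dynamic_events_fields workflow found
# non-empty in the QRadar events table for recent offenses.
DYNAMIC_FIELDS = ["sourceip", "destinationip", "qid", "category", "username"]


def parse_fields_arg(fields_arg):
    """Split a --fields value on commas that sit outside quotes and
    parentheses, so "CATEGORYNAME(category) AS 'Category name'" stays whole."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in fields_arg:
        if quote:                       # inside '...' or "..."
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:  # a real separator
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def add_and_replace(custom_fields_arg, dynamic_fields=DYNAMIC_FIELDS):
    """add_and_replace_custom_events_fields_cli semantics: the new custom list
    replaces the stored one, only unique entries are kept (first occurrence
    wins, order preserved), and any dynamic field that is now also a custom
    field is removed from the dynamic list (assumed name-based match)."""
    custom = list(dict.fromkeys(parse_fields_arg(custom_fields_arg)))
    custom_names = {c.lower() for c in custom}
    dynamic = [d for d in dynamic_fields if d.lower() not in custom_names]
    return custom, dynamic


def extend(stored_custom, custom_fields_arg):
    """extend_custom_events_fields_cli semantics: append to the stored list,
    keeping only entries that are not already present."""
    return list(dict.fromkeys(list(stored_custom) + parse_fields_arg(custom_fields_arg)))


def build_events_aql(custom, dynamic, offense_id, last_minutes=60):
    """AQL for the events of one offense, custom fields first so they take
    precedence in the column order sent to the CDC. INOFFENSE() and the
    LAST n MINUTES time clause are standard AQL."""
    offense_id = int(offense_id)  # never interpolate an unchecked string into AQL
    columns = ", ".join(custom + dynamic)
    return (f"SELECT {columns} FROM events WHERE INOFFENSE({offense_id}) "
            f"LAST {int(last_minutes)} MINUTES")


if __name__ == "__main__":
    custom, dynamic = add_and_replace(
        "API Path, CATEGORYNAME(category) AS 'Category name', URL, qid, qid")
    print(custom)
    print(dynamic)
    print(build_events_aql(custom, dynamic, 42))
```

The `int()` coercion of the offense id is the one place this differs from a plain string join: the offense id arrives from the alert, and an AQL query must never be assembled from a value that has not been checked to be a number.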

Workflows

* **add_update_replace_custom_events_fields**
Replaces/adds events fields in Azure Blob.

* **clear_custom_events_fields**
Clears custom events fields from Azure Blob.

* **close_alert**
Close the alert in QRadar.

* **execute_query**
Execute the AQL query in QRadar.

* **get_custom_events_fields**
Gets events fields from Azure Blob.

* **inject_qradar_alert_to_cdc**
Enrich QRadar alerts and push them to the CDC.

* **push_qradar_alerts_to_redis**
Enrich QRadar alerts and push them to the CDC.

* **update_dynamic_events_fields**
Fetch and update the non-empty fields of events tables.


Rules

* **new_offense**
Triggered when a new offense is created.

* **close_alert**
Close alerts (i.e., offenses) in QRadar.

* **update_dynamic_events_fields_trigger**
Triggered at poll intervals to fetch and update the non-empty fields from the QRadar events table to Azure Storage/Redis.


Sensors

* **OffensesSensor**
Sensor to pull all offenses details from QRadar and auto update non-empty fields from the QRadar events table to Azure Storage/Redis.

Poll interval - 30s
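A sensor that polls every 30 seconds has to avoid handing the CDC the same offense twice while not missing one created in the same millisecond as the last poll boundary. The following is an added example, not the pack's OffensesSensor: it keeps a `start_time` high-water mark, uses an inclusive (`>=`) offenses filter so boundary offenses are re-fetched, and de-duplicates on offense id. The HTTP call is injected as `fetch(filter_expr)` so the loop runs offline; `SAMPLE_POLLS` is constructed data in which the second poll deliberately repeats offense 102 to exercise the de-duplication.

```python
"""Added example (not the pack's sensor): offense polling with a start_time
high-water mark and id-based de-duplication between 30 s polls."""
import time


def offenses_filter(last_start_time_ms):
    """Filter expression for GET /api/siem/offenses. start_time is epoch
    milliseconds; '>=' rather than '>' so an offense created in the same
    millisecond as the mark is not lost (the id set drops repeats)."""
    return f'start_time >= {int(last_start_time_ms)} and status = "OPEN"'


def poll_once(fetch, state):
    """One poll. fetch(filter_expr) -> list of offense dicts as returned by
    QRadar (the HTTP call is injected). state holds the mark and seen ids.
    Returns the offenses that are new to the CDC, oldest first."""
    offenses = fetch(offenses_filter(state["last_start_time"]))
    new = []
    for off in sorted(offenses, key=lambda o: o["start_time"]):
        if off["id"] in state["seen"]:
            continue  # already delivered in an earlier poll
        state["seen"].add(off["id"])
        state["last_start_time"] = max(state["last_start_time"], off["start_time"])
        new.append({
            "id": off["id"],
            "description": off["description"],
            "magnitude": off.get("magnitude"),
            "start_time": off["start_time"],
        })
    return new


# Constructed sample responses for two consecutive polls. Offense 102 appears
# in both, as it would when it sits exactly on the start_time mark.
SAMPLE_POLLS = [
    [{"id": 101, "description": "Excessive Firewall Denies", "magnitude": 4,
      "start_time": 1_674_345_600_000},
     {"id": 102, "description": "Multiple Login Failures", "magnitude": 6,
      "start_time": 1_674_345_630_000}],
    [{"id": 102, "description": "Multiple Login Failures", "magnitude": 6,
      "start_time": 1_674_345_630_000},
     {"id": 103, "description": "Possible Malware Activity", "magnitude": 8,
      "start_time": 1_674_345_660_000}],
]


def run_offline_demo(poll_interval_s=0):
    """Replay SAMPLE_POLLS through poll_once; returns (delivered ids, mark).
    The fake fetch ignores the filter so the duplicate path is exercised."""
    state = {"last_start_time": 0, "seen": set()}
    delivered = []
    for response in SAMPLE_POLLS:
        delivered.extend(poll_once(lambda _expr, r=response: r, state))
        time.sleep(poll_interval_s)  # 30 s in the real sensor
    return [o["id"] for o in delivered], state["last_start_time"]


if __name__ == "__main__":
    print(run_offline_demo())
```

In a real sensor `state` must be persisted (the page mentions Azure Storage/Redis for the field cache; the mark and seen ids need the same treatment), otherwise a restart replays every open offense into the CDC as a fresh alert.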


Triggers

* **update_dynamic_events_fields_trigger**
Auto updates non-empty fields from the QRadar events table to Azure Storage/Redis.


Closing Reason Config Management

  • The closing reason config management utility maps the closing reason selected in the CDC to a closing reason in QRadar, through the closing reason config.
  • The closing reason config map can be updated through the CDC Resource Utils CLIs, which add, update and remove the configuration.
    Please refer to the CDC Resource Utils Integration documentation for more information on closing reason config management.
  • Closing reasons are dynamically created and linked to a closed offense in QRadar.
    Any CDC closing reason can be mapped to any string, since closing reasons in QRadar are dynamic.
  • The QRadar closing reason config map maps the CDC closing reason name to QRadar's dynamic closing reasons.
  • A new closing reason is created in QRadar if the mapped reason is not present in QRadar.
  • The closing reason defaults to 'unknown' when the closing reason config map is not configured, or the CDC closing reason mapping is not present in the config map.

Closing Reason Config Map

```yaml
qradar:
  Benign Positive: Yellow Alert
  False Positive - Incorrect alert logic: Green Alert
  False Positive - Incorrect data: Gray Alert
  True Positive: Red Alert
```
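The following is an added example, not the pack's closing reason utility, of the resolution the bullets above describe: a CDC closing reason is looked up in the `qradar` map, the resulting text is matched against the closing reasons QRadar already has, a missing one is created, and an unmapped CDC reason falls back to `'unknown'`. The QRadar endpoints referenced in the comments (`/api/siem/offense_closing_reasons` with a `reason` query parameter to create, and closing an offense with `status=CLOSED&closing_reason_id=`) are the standard REST API ones; `EXISTING_REASONS`, the offense id and the `create` callback are constructed so the flow runs without a QRadar instance. Whether the pack also creates the `'unknown'` reason in QRadar when it is missing is an assumption made here.

```python
"""Added example (not pack code): CDC closing reason -> QRadar closing reason
resolution, including creation of missing reasons and the 'unknown' default."""
from urllib.parse import quote

# The config map from the page, as PyYAML's yaml.safe_load() would return it.
CLOSING_REASON_CONFIG = {
    "qradar": {
        "Benign Positive": "Yellow Alert",
        "False Positive - Incorrect alert logic": "Green Alert",
        "False Positive - Incorrect data": "Gray Alert",
        "True Positive": "Red Alert",
    }
}
DEFAULT_REASON = "unknown"

# Constructed sample of what GET /api/siem/offense_closing_reasons returns.
EXISTING_REASONS = [
    {"id": 1, "text": "False-Positive, Tuned"},
    {"id": 2, "text": "Non-Issue"},
    {"id": 3, "text": "Red Alert"},
]


def map_closing_reason(cdc_reason, config=CLOSING_REASON_CONFIG):
    """Map a CDC closing reason name through the 'qradar' section of the
    config map; missing config or missing key both yield the default."""
    qradar_map = (config or {}).get("qradar") or {}
    return qradar_map.get(cdc_reason, DEFAULT_REASON)


def create_reason_path(text):
    """POST target that creates a closing reason in QRadar (reason is a
    query parameter, so it must be URL-encoded)."""
    return f"/api/siem/offense_closing_reasons?reason={quote(text)}"


def resolve_closing_reason_id(text, existing, create):
    """Return the id of the QRadar closing reason with this text, creating
    it via create(text) -> id when QRadar does not have it yet."""
    for reason in existing:
        if reason["text"] == text:
            return reason["id"]
    return create(text)


def close_offense_path(offense_id, closing_reason_id):
    """POST target that closes the offense with the resolved reason."""
    return (f"/api/siem/offenses/{int(offense_id)}"
            f"?status=CLOSED&closing_reason_id={int(closing_reason_id)}")


def run_offline_demo():
    """Resolve three CDC reasons (one mapped and present, one mapped but
    absent, one unmapped) against a copy of EXISTING_REASONS."""
    existing = [dict(r) for r in EXISTING_REASONS]
    created = []

    def create(text):  # stands in for POST create_reason_path(text)
        new_id = max(r["id"] for r in existing) + 1
        existing.append({"id": new_id, "text": text})
        created.append(text)
        return new_id

    results = {}
    for cdc_reason in ["True Positive", "Benign Positive", "Duplicate"]:
        text = map_closing_reason(cdc_reason)
        reason_id = resolve_closing_reason_id(text, existing, create)
        results[cdc_reason] = (text, reason_id, close_offense_path(77, reason_id))
    return results, created


if __name__ == "__main__":
    for name, outcome in run_offline_demo()[0].items():
        print(name, "->", outcome)
```

Matching on the exact reason text matters: QRadar's reason list is free text, so a stray trailing space in the config map would silently create a second, near-identical closing reason on every close.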


Known Issues

No known issues

