
© Copyright IBM Corp. 2017

IBM CLOUD APP ANALYTICS FOR QRADAR

Getting Started

Updated: March 6, 2017


Introduction

This document provides instructions for installing, configuring, and using IBM® Cloud App Analytics for QRadar®.

This QRadar extension helps detect web application usage patterns within an organization and tracks the following information:

• The applications that are used on your networks

• X-Force Threat Intelligence risk score

• Application access statistics for each user

Prerequisites

IBM Cloud App Analytics for QRadar requires a functional and licensed installation of QRadar SIEM version 7.2.6 with Patch 1.

The app also requires one or more of the following devices:

• Cisco IronPort

• McAfee Web Gateway

• IBM Security Network Protection

• Websense V Series

• Check Point FireWall

• Palo Alto PA Series

• Bluecoat SG Appliance

Configure a log source so that the app has statistics to display. Here is an example of log source configuration settings:


If you are using QRadar version 7.2.6, click on each of the following custom event properties and then click Save:

• UrlHost

• SentBytes

• ReceivedBytes

This is due to a known issue with version 7.2.6 specifically.


Installing the application

Use the following instructions to install the application:

1. Download the IBM Cloud App Analytics for QRadar application from the IBM Security App Exchange Portal at https://exchange.xforce.ibmcloud.com/hub.

2. Log in to the IBM QRadar console as an administrator.

3. Go to the Admin tab and click Extensions Management in the System Configuration section.

4. Click Add and select the application file that you downloaded.

5. Click Add.

6. Log out and log in again so that you can see the App Analytics tab information.

Configuring the application

Use the following instructions to configure the app for your environment:


1. Click the Admin tab and go to User Management → Authorized Services.

2. In the Manage Authorized Services tab, click Add Authorized Service.

3. Click Add Authorized Service.

4. Add the relevant information in the following fields and click Create Service:

a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.

b. From the User Role list, select the Admin user role.

c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.

d. In the Expiry Date list, type or select a date that you want this service to expire. If an expiry date is not necessary, select No Expiry.

5. Click the row that contains the service that you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.

6. In the App Analytics app window, paste the authorized service token string into the Authorization Token field.

7. Click Start.

Using the application

You can view different aspects of your application data using the dashboard.

Narrow down the list of users or apps by using the search field.

Adjust the time interval to be daily, weekly, or monthly by using the drop-down menu.

Dashboard


The App Analytics view displays when you open the interface and provides the following application and user data:

• Applications discovered

• Applications not approved

• Applications that are high-risk

• Users

• Users that are high-risk

• Rogue activity

• Incoming traffic

Click the number under Applications Discovered to display the Applications list. Click the number under Users to display the details for the users.

Applications view

After you click the number under Applications Discovered on the dashboard, the Applications view displays.


Approve an application from this view by selecting the check box in the Approved column.

Click a row to get the details of the application.

Filter the list by using the search field.

Application details

The application details view shows the statistics and the list of users.


Click the Yes or No link under Approved to toggle the approval of the application.

Click the X-Force link to get more X-Force details of the application. You can click each row in the table to show the details for a user.

Users view

After you click the number under Users on the dashboard, the Users view displays.


This section shows the list of all users in the system. You can click each row in the table to show the details for a user.

User details

The user details view shows statistics for the user and a list of applications they have interacted with. You can search the list and you can click each entry to get more details on the application.


Troubleshooting and known issues

Problem: The dashboard displays “Loading:” or “Loading: 100% complete” but no data displays.

Solution: Ensure that you configure a log source as described in the Prerequisites section above.

If you are using QRadar version 7.2.6, you might encounter this problem. If so, perform the following steps to resolve the issue:

1. Go to Admin > Custom Event Property.

2. Search for "SentBytes", "ReceivedBytes", and “UrlHost”.

3. For each of these custom properties, open the property definition and click on the Save button.
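A quick way to confirm that the log source is actually delivering the UrlHost, SentBytes and ReceivedBytes values the dashboard depends on, both after the configuration steps above and when the "Loading: 100% complete" problem in this section appears, is to ask QRadar directly rather than wait for the app to render. The following script is an added example and is not part of this guide or of the app: it submits an AQL search through the QRadar REST API, authenticating with the authorized service token from the configuration steps in the SEC header, and reports which of the three custom properties come back empty in every row. The endpoint paths and token header follow the documented QRadar API conventions; the API version header value, the environment variable names and the constructed sample rows used for the offline run are assumptions.

```python
"""Verify that the custom event properties used by App Analytics are populated.

Added example, not IBM's code.  Assumes the QRadar REST API conventions:
authorized service token in the SEC header, Ariel searches under
/api/ariel/searches, custom properties referenced in AQL by quoted name.
"""
import json
import os
import ssl
import time
import urllib.parse
import urllib.request

# Assumed API version header; adjust to the version your console exposes.
API_VERSION = "6.0"

# Custom property -> column name in the search results built by build_aql().
COLUMNS = {
    "UrlHost": "UrlHost",
    "SentBytes": "sent_bytes",
    "ReceivedBytes": "received_bytes",
}


def build_aql(hours: int = 24, limit: int = 20) -> str:
    """AQL that aggregates web-gateway events by the UrlHost custom property."""
    return (
        'SELECT "UrlHost", SUM("SentBytes") AS sent_bytes, '
        'SUM("ReceivedBytes") AS received_bytes, COUNT(*) AS events '
        'FROM events GROUP BY "UrlHost" ORDER BY events DESC '
        f"LIMIT {limit} LAST {hours} HOURS"
    )


def missing_properties(rows):
    """Return the custom properties that are null in every returned row.

    An empty list means all three properties are being parsed.  A non-empty
    list points at the known 7.2.6 issue (re-save the property definition)
    or at a log source that is not sending that field at all.
    """
    if not rows:
        return list(COLUMNS)
    return [
        prop for prop, col in COLUMNS.items()
        if all(row.get(col) is None for row in rows)
    ]


def _request(console, token, method, path, ca_bundle=None):
    """One authenticated JSON call; TLS verification stays on, optionally
    against the bundle that signed the console certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(f"https://{console}/api{path}", method=method)
    req.add_header("SEC", token)            # authorized service token
    req.add_header("Accept", "application/json")
    req.add_header("Version", API_VERSION)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def run_search(console, token, aql, ca_bundle=None, poll_seconds=2):
    """Submit an Ariel search, poll until it completes, return its rows."""
    query = urllib.parse.urlencode({"query_expression": aql})
    search = _request(console, token, "POST", f"/ariel/searches?{query}", ca_bundle)
    sid = search["search_id"]
    while search["status"] not in ("COMPLETED", "CANCELED", "ERROR"):
        time.sleep(poll_seconds)
        search = _request(console, token, "GET", f"/ariel/searches/{sid}", ca_bundle)
    if search["status"] != "COMPLETED":
        raise RuntimeError(f"search {sid} ended with status {search['status']}")
    return _request(console, token, "GET",
                    f"/ariel/searches/{sid}/results", ca_bundle)["events"]


if __name__ == "__main__":
    # Assumed environment variable names; the token is a credential with the
    # Admin role, so it is read from the environment rather than written here.
    console = os.environ.get("QRADAR_CONSOLE")
    token = os.environ.get("QRADAR_SEC_TOKEN")
    if console and token:
        rows = run_search(console, token, build_aql(), os.environ.get("QRADAR_CA_BUNDLE"))
    else:
        # Constructed sample rows for an offline run: ReceivedBytes never parsed.
        rows = [
            {"UrlHost": "updates.example.net", "sent_bytes": 18240, "received_bytes": None, "events": 42},
            {"UrlHost": None, "sent_bytes": 910, "received_bytes": None, "events": 3},
        ]
    for row in rows:
        print(row)
    gaps = missing_properties(rows)
    print("properties never populated:", gaps or "none")
```

Run it with QRADAR_CONSOLE and QRADAR_SEC_TOKEN set to query a live console; without them it evaluates the embedded sample rows. If a property is listed as never populated, re-save that custom event property as described above and re-run; if the search itself returns no rows, the log source is not yet sending events to QRadar.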
