ThreatScape® App for QRadar: Overview, Installation and Configuration

December 16, 2015


© 2015 All rights reserved. iSIGHT Partners®, Inc.

Contents

App Description
System Requirements
ThreatScape App for QRadar Installation and Configuration
  Configuration
    Define iSIGHT Authorized Service
    ThreatScape App Admin Settings
    Configuration File
ThreatScape App for QRadar Functionality
  iSIGHT Indicator Data in Reference Sets
  Recommended Rules
    IP Specific Rules
    URL Specific Rules
    Domain Specific Rules
Logging and Troubleshooting
  ThreatScape App Specific Log
  ThreatScape App Specific Logs
  Troubleshooting Q&A

App Description

IBM QRadar is a market leader as per Gartner's 2015 Magic Quadrant for SIEM. QRadar consolidates log source event data from thousands of device endpoints and applications distributed throughout a network. The ThreatScape App for QRadar facilitates the delivery of iSIGHT Partners ThreatScape Indicators to our customers' QRadar instances. Once consumed by a QRadar instance, the ThreatScape Indicators are treated as QRadar reference sets and can be used in search, correlation, reporting, and visualization workflows in the same manner as other data.

System Requirements

The ThreatScape App for QRadar requires QRadar version 7.2.6 or higher, and 35.6KB of disk space.

ThreatScape App for QRadar Installation and Configuration

The ThreatScape App for QRadar is available from IBM's Security App Exchange:

http://www-03.ibm.com/software/products/en/qradar-siem

Configuration

Once the ThreatScape App is installed, the iSIGHT ThreatScape application should be visible in the Admin tab of the QRadar application, under Plug-Ins.


Define iSIGHT Authorized Service

The ThreatScape App relies on background jobs to retrieve iSIGHT indicator data. For those jobs to retrieve data automatically, a QRadar Authorized Service security token must be created. Use the following procedure to generate the QRadar security token:

1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Authorized Services.
4. Click Add Authorized Service.
5. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
6. From the User Role list, select Admin.
7. In the Expiry Date list, select the No Expiry check box.
8. Click Create Service.

The confirmation message contains an authentication token field. Copy this value into the QRadar Security Token section of the iSIGHT ThreatScape App configuration so that the app can authenticate with the QRadar application.

ThreatScape App Admin Settings

Users enter their API key information through API2 Server Configuration.

Configuration of the indicators ingested is accomplished by selecting the "Indicators of Compromise" or "Indicators of Warning" sets of iSIGHT indicators, and selecting the IP, Domain, MD5, SHA1, SHA256, URL and Filename indicators from Indicator Selection.

From Data Lifespan Settings, the Time To Live (TTL) for indicators can be configured. TTLs fall into two groups, Short TTL and Long TTL, which apply to IP and Domain indicators. Other indicators never expire. Users should be able to modify the recommended TTL based on their own use case or internal weighting. Imported indicators should have a configurable TTL, with preset values that match the following:

• 60 days for an IP address or Domain from last seen (drone)
• 90 days for an IP address or Domain from last seen (controller)
• For MD5, SHA1, SHA256, URL and Filename indicators the timeout is forever (they never expire)
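The TTL policy above, worked as code. This is an added example written for this page, not the ThreatScape App's own code: it assigns indicators to the reference sets that the recommended rules name later in the document and computes each element's expiry from its last-seen time. It assumes that drone-sourced IP/Domain indicators take the Short TTL and controller-sourced ones the Long TTL, and it assumes set names for hashes and filenames, which the page does not give.

```python
DAY = 86400

# Preset TTLs from Data Lifespan Settings, in seconds; both are app settings.
SHORT_TTL = 60 * DAY   # IP / Domain, counted from last seen (drone)
LONG_TTL = 90 * DAY    # IP / Domain, counted from last seen (controller)
NEVER = None           # MD5, SHA1, SHA256, URL, Filename never expire

# Reference set names as used by the recommended rules later in the document;
# the hash/filename set names are not given there and are assumed.
REFSET = {
    ("ip", "drone"): "iSIGHT Partners IP Short TTL - IP",
    ("ip", "controller"): "iSIGHT Partners IP Long TTL - IP",
    ("domain", "drone"): "iSIGHT Partners DOMAIN Short TTL - AlphaNumeric (Ignore Case)",
    ("domain", "controller"): "iSIGHT Partners DOMAIN Long TTL - AlphaNumeric (Ignore Case)",
    ("url", None): "iSIGHT Partners URL - AlphaNumeric (Ignore Case)",
}
TTL_TYPES = {"ip", "domain"}
FOREVER_TYPES = {"md5", "sha1", "sha256", "url", "filename"}

def ttl_for(kind, role, short_ttl=SHORT_TTL, long_ttl=LONG_TTL):
    """TTL in seconds, or None when the indicator never expires.
    Assumed for this example: 'drone' -> Short TTL, 'controller' -> Long TTL."""
    if kind in TTL_TYPES:
        return short_ttl if role == "drone" else long_ttl
    if kind in FOREVER_TYPES:
        return NEVER
    raise ValueError("unknown indicator type: %r" % kind)

def refset_for(kind, role):
    key = (kind, role) if kind in TTL_TYPES else (kind, None)
    return REFSET.get(key, "iSIGHT Partners %s" % kind.upper())  # assumed for hashes/filenames

def ingest(indicators, now, short_ttl=SHORT_TTL, long_ttl=LONG_TTL):
    """Return {refset_name: {value: expiry_epoch_or_None}}; indicators whose TTL
    elapsed before ingest are skipped rather than created and expired at once."""
    sets = {}
    for ind in indicators:
        ttl = ttl_for(ind["type"], ind.get("role"), short_ttl, long_ttl)
        expiry = None if ttl is None else ind["last_seen"] + ttl
        if expiry is not None and expiry <= now:
            continue
        sets.setdefault(refset_for(ind["type"], ind.get("role")), {})[ind["value"]] = expiry
    return sets

def purge_expired(sets, now):
    """Drop elements whose TTL has elapsed; return how many were removed."""
    removed = 0
    for elems in sets.values():
        stale = [v for v, exp in elems.items() if exp is not None and exp <= now]
        for v in stale:
            del elems[v]
        removed += len(stale)
    return removed

# Constructed sample feed; "now" reuses the epoch value quoted in the troubleshooting Q&A.
NOW = 1449217125
SAMPLE_INDICATORS = [
    {"type": "ip", "value": "192.0.2.10", "role": "drone", "last_seen": NOW - 30 * DAY},
    {"type": "ip", "value": "192.0.2.11", "role": "drone", "last_seen": NOW - 61 * DAY},
    {"type": "domain", "value": "c2.example.net", "role": "controller", "last_seen": NOW - 61 * DAY},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "last_seen": NOW - 400 * DAY},
]
```

Running `purge_expired(ingest(SAMPLE_INDICATORS, NOW), NOW + 31 * DAY)` drops the drone IP and the controller domain but keeps the MD5, which never expires.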


The internal organization's web proxy server can be configured from Network Proxy Settings by providing the respective proxy details. To activate the web proxy settings, select the check box.

Polling Rate is the interval in seconds at which the QRadar application polls the ThreatScape API for new indicators. An incremental load can be triggered manually by clicking the 'Refresh Data Now' button. From Initial Data Load, a historical indicator load can be triggered manually by entering a number of days in 'Days to Load' and clicking 'Start Load'.

Note: In version 1 of the ThreatScape App, the initial load is limited to 90 days. iSIGHT Partners will evaluate expanding that limitation in future iterations.

Field Definitions for Admin Settings

Property                  Description
APIv2 Server URL          iSIGHT ThreatScape endpoint URL. By default it will be https://api.isightpartners.com
APIv2 Server Public Key   ThreatScape API v2 public key
APIv2 Server Private Key  ThreatScape API v2 private key
APIv2 Endpoint            Two endpoints are supported: view/iocs and views/indicators
Polling Rate              Polling interval for incremental data load. Suggested 3600 sec
Short TTL                 Time to live for indicators tagged as short TTL (IP, Domain)
Long TTL                  Time to live for indicators tagged as long TTL
Indicator Selection       Indicators to be polled
Days to Load              Interval for the full load; loads historical indicator data
Start Load                Runs the full load
Refresh Data Now          Loads incremental data since the last successful run
Save Setting              Saves the configuration
Proxy Host                Web proxy IP/hostname
Proxy Port                Web proxy port
Proxy User                Web proxy username
Proxy Password            Web proxy password
QRadar Security Token     QRadar security token, available from QRadar Authorized Services

Configuration File

All of the configured values are saved into the application's app_config.ini file. This file can be used to cross-validate the configuration made from the user interface. Key and password values are stored encrypted.

ThreatScape App for QRadar Functionality

The functionality of the ThreatScape App for QRadar is underpinned by ThreatScape API 2; the ThreatScape API is the repository from which the ThreatScape App for QRadar retrieves its data, after which QRadar users rely on the QRadar engine to leverage the ThreatScape API data.

The ThreatScape App for QRadar automates ingestion of indicators and leverages QRadar's new GUI Application framework to facilitate provisioning, correlation of iSIGHT indicators and easy access to intelligence context directly from the QRadar interface.

iSIGHT Indicator Data in Reference Sets

Reference sets are the data store that contains a set of elements within the QRadar environment. iSIGHT indicators are stored in reference sets. Following are the reference sets created by the ThreatScape App for QRadar.


You can create rules to detect log activity or network activity that is associated with the above reference sets. For example, you can create a rule to detect when an unauthorized IP attempts to access your network resources.

Recommended Rules

Rules perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response. If your event and flow fields do not get parsed properly, you may need to extract the IP, Domain, URL and/or hash values from your logs with a regular expression as a custom property.

More info:

http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/t_qradar_regex_cus_prop.html?lang=en

It is recommended that users create a group for iSIGHT Partners rules. This can be accomplished using the standard procedure for creating rule groups in QRadar.


IP Specific Rules

Rule detail:

Apply iSIGHT Partners: Intel-informed ip value detected on events or flows which are detected by the Global system and when any of Destination IP, Source IP are contained in any of iSIGHT Partners IP Short TTL - IP, iSIGHT Partners IP Long TTL - IP

URL Specific Rules

Rule detail:

Apply iSIGHT Partners: Intel-informed url value detected on events which are detected by the Local system and when any of URL (custom) are contained in any of iSIGHT Partners URL - AlphaNumeric (Ignore Case)

Domain Specific Rules

Rule detail:

Apply iSIGHT Partners: Intel-informed domain value detected on events which are detected by the Global system and when any of Domain are contained in any of iSIGHT Partners DOMAIN Long TTL - AlphaNumeric (Ignore Case), iSIGHT Partners DOMAIN Short TTL - AlphaNumeric (Ignore Case)

Logging and Troubleshooting

ThreatScape App Specific Log

All ThreatScape App logs can be found at:

/store/docker/vfs/dir/{dockerid}/log/app.log

Application log files can also be accessed through the QRadar API endpoint:

https://<console_ip>/console/plugins/{application_id}/app_proxy/debug

There are three levels of supported logging, configurable via the QRadar configuration:

Log Level        Filename    Description
INFO (Default)   info.log    The standard info log, used to track regular operation of the system.
ERROR            error.log   The error log tracks any exceptions that occur during software execution, including but not limited to unexpected API calls and internal errors. Stack traces are present where possible, as well as pertinent state information.
DEBUG            debug.log   Debug logging of the system; not enabled by default.

ThreatScape App Specific Logs

QRadar writes to a startup.log file to log high-level actions initiated for the application, such as REST calls and messages for application-specific installation:

/store/docker/vfs/dir/{dockerid}/log/startup.log

Example:

Dec 04 08:16:53 2015: pip install /src_deps/pip/ijson-2.2-py2.py3-none-any.whl
172.x.x.1 - - [04/Dec/2015 08:17:45] "GET /admin HTTP/1.1" 200
172.x.x.1 - - [04/Dec/2015 08:18:28] "POST /admin/save HTTP/1.1" 200 -
172.x.x.1 - - [04/Dec/2015 08:18:45] "POST /admin/fullLoad HTTP/1.1" 200 -
172.x.x.1 - - [04/Dec/2015 08:18:45] "POST /admin/checkLoadStatus HTTP/1.1" 200 -

The app.log file contains most of the error statements related to the ThreatScape App for QRadar:

/store/docker/vfs/dir/{dockerid}/log/app.log

This file is rolled over from app.log.1 through app.log.5.

Troubleshooting Q&A

Q) How does indicator data get fetched from the API Server?
A) Indicator data is fetched in three different ways:

• After setting all required configuration values, the user can click Start Load; at this point the app fetches data for the number of days configured in the "Days to Load" section.
• After Start Load completes, the application starts to fetch indicator data from the API Server at the configured polling interval.
• If the user wants to fetch data before the polling interval elapses, they can click the Refresh Now button. The app fetches data from the last data fetch time to the current time.

The ThreatScape App always saves the last successful data fetch timestamp in the application's configuration file, app_config.ini.

Q) Reference Sets are not getting created?
A) Check the application configuration for the QRadar security token, iSIGHT API keys, API URL, polling interval and web proxy settings (if a web proxy is enabled). The respective error statement, along with the status code, is logged in the app.log file.

Q) Refresh Now functionality is not working?
A) Check whether another data pull operation is in progress. Look for the latest "Server: get_load_status busy : [True]" message in app.log. The value "True" reports that a data pull is in progress.

Q) How to identify the last successful indicator polling?
A) The application logs the last successful indicator data fetch value into app_config.ini. This file holds the last successful polling timestamp, e.g. "last_run = 1449217125". The value is in epoch time format.

Q) How to check which indicators are subscribed?
A) The indicator subscription information is available in the application configuration UI itself. The same information is also available in app_config.ini under the [indicator_config] block, e.g.:

[indicator_config]
domain = checked
sha1 = checked
url = checked
ip = checked
filename = checked
sha256 = checked
md5 = False

Q) How to identify the last indicator data poll duration?
A) The application fetches indicator data from the API Server for a specific period of time. These details are available in app.log. Locate the "isightAPIClient.pullFeed(): fetchFrom: [epoch_time] query_execution_time: [epoch_time]" message. The difference between the fetchFrom value and the query_execution_time value is the data poll duration.

Q) Elements in the reference sets do not get updated on indicator data fetch.
A) Data will not be updated in reference sets in the following cases:

• Duplicate data was received, or the data is already in the reference set.
• There is no new indicator data available from the API Server.
• Verify the validity of the configured QRadar token.
• Verify the API keys are valid.

Q) There are no offence notes in the notes section of the Offence.
A) The following cases apply to this issue:

• The Offence notes get updated at 15 minute intervals.
• There is no information available at the API server for the offence.
• Verify the validity of the configured QRadar token.
• Verify the API keys are valid.
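A small checker for the troubleshooting steps above, as an added example rather than part of the app: it reads the subscribed indicators and last_run from app_config.ini and the pullFeed and get_load_status messages from app.log, so the checks the Q&A describes by hand can be run in one go. The [main] section, the polling_rate key and the stall threshold are assumptions; only [indicator_config], last_run and the two log messages come from the page.

```python
import configparser
import re
from datetime import datetime, timezone

# Constructed app_config.ini, modelled on the fragments quoted in the Q&A above.
# The [main] section and polling_rate key are assumptions; [indicator_config]
# and "last_run = 1449217125" are the values the document shows.
APP_CONFIG_INI = """\
[main]
polling_rate = 3600
last_run = 1449217125

[indicator_config]
domain = checked
sha1 = checked
url = checked
ip = checked
filename = checked
sha256 = checked
md5 = False
"""

# Constructed app.log excerpt containing the two messages the Q&A says to look for.
APP_LOG = """\
isightAPIClient.pullFeed(): fetchFrom: [1449213525] query_execution_time: [1449217125]
Server: get_load_status busy : [True]
Server: get_load_status busy : [False]
"""

PULL_RE = re.compile(r"isightAPIClient\.pullFeed\(\): fetchFrom: \[(\d+)\] query_execution_time: \[(\d+)\]")
BUSY_RE = re.compile(r"Server: get_load_status busy : \[(True|False)\]")

def subscribed_indicators(ini_text):
    """Indicator types marked 'checked' under [indicator_config] (md5 = False is unsubscribed)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return sorted(k for k, v in cp["indicator_config"].items() if v.strip().lower() == "checked")

def last_run_status(ini_text, now_epoch):
    """Compare last_run (epoch seconds) with the polling rate to decide if polling has stalled."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    last_run = cp.getint("main", "last_run")
    polling = cp.getint("main", "polling_rate")
    age = now_epoch - last_run
    return {
        "last_run_utc": datetime.fromtimestamp(last_run, timezone.utc).isoformat(),
        "age_seconds": age,
        "stalled": age > 2 * polling,   # assumed threshold: two missed polls
    }

def last_poll_duration(log_text):
    """Seconds between fetchFrom and query_execution_time on the latest pullFeed line."""
    matches = PULL_RE.findall(log_text)
    if not matches:
        return None
    fetch_from, executed = map(int, matches[-1])
    return executed - fetch_from

def pull_in_progress(log_text):
    """True when the most recent get_load_status line reports busy, i.e. Refresh Now will not run."""
    states = BUSY_RE.findall(log_text)
    return bool(states) and states[-1] == "True"
```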