Understanding the UBA Risk Score
The Use Behaviour Analytics (UBA) app is one of the most interesting QRadar apps. It allows you to detect internal threats, such as rouge employees and compromised accounts. The UBA works by observing the behaviour of each user and attributing a risk score for each person. For each UBA rule triggered, the risk score for the user is incremented. In this way you can track which users are performing risky (or abnormal) actions. Once a user surpass the company risk threshold, an offence is generated for the user. If a user stays a long period of time without having any risky action, then the risk is gradually decreased, which is called risk decay.
To exemplify the risk score concept, take a look on the figure above. Let’s imagine that John access a suspicious website. This triggers an UBA rule that increase his user risk by 10 points. Then, John logs into a server and escalate his privileges to root for the first time. Again, an UBA rule is triggered and his risk is increased. After that, he does not present any risky behaviour for 8 hours, so his score slowly starts to decay. Eight hours later, John dumps an entire SQL database, increasing his risk again. After that, he SSH into a server in Russia, which also increases his score. At this point, his risk is higher than the company threshold risk, so an offence is generated for John. After that, even if John’s risk decay, his offence will still be open.
This example shows the real value of the UBA app, since each small action is not enough for a traditional rule-based offence. However the combined actions are indeed suspicious and the UBA app was able to detect it.
If you want to learn more about the UBA and other QRadar apps, check this online course in which the main QRadar apps are presented.
Using RSyslog to monitor and forward log files to QRadar
Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriated for every company. Those collection methods, called pull-collection, requires an extra account in the system (so QRadar can login to collect the log). Moreover, the pull-collection methods collect the logs in an interval (usually, 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.
One alternative for collecting logs stored in files is using the rsyslog service, which is already pre-installed in the majority of the RedHat and CentOS versions. Those services are able to monitor a log file and forward each new log line to QRadar.
The first step is to check which version of rsyslog you have:
$ rsyslogd -version
If you have the newer rsyslog versions (7.x or above), then edit the /etc/rsyslog.conf file and add the following lines:
#### Load the file reader module #### module(load="imfile" PollingInterval="10") #### Configure to read a file #### input(type="imfile" File="/var/log/logfile1.log" Tag="LogFileName:" StateFile="/var/spool/rsyslog/state-LogFileName" Severity="info" Facility="local3") #### Forward the logs to QRadar local3.info @@qradar_ip_address:514
If you have the legacy versions (5.x or below), then edit the /etc/rsyslog.conf file and add the following lines:
##### Load file reader module ####### $ModLoad imfile ##### Configure to read a file ######## $InputFileName /var/log/logfile1.log $InputFileTag LogFileName: $InputFileStateFile state-LogFileName $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor ##### Set the file monitoring for every 10 seconds ###### $InputFilePollInterval 10 ##### Forward logs in local3.info to Qradar ####### local3.info @@qradar_ip_address:514
After the changes being done on the rsyslog.conf file, all you have to to is restart the service:
$ systemctl stop rsyslog $ systemctl start rsyslog
To check if the service was started without errors, check the status by:
$ systemctl status rsyslog
If everything worked well, your service should be started without any errors.
One very common issue is when the rsyslog is not able to access the log file. This usually happens due to the SELinux service, which blocks access to sensitive files on the machine. To check if that is the case, temporarily disable the SELinux by using the following command:
$ setenforce 0
After that, restart rsyslog and check if the error persist. If it the issue is solved, then all you have to do is adding an exception to your SELinux to allow rsyslog to access the specific log file.
Using Syslog-ng to monitor and forward log files to QRadar
Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriated for every company. Those collection methods, called pull-collection, requires an extra account in the system (so QRadar can login to collect the log). Moreover, the pull-collection methods collect the logs in an interval (usually, 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.
One alternative for collecting logs stored in files is using the syslog-ng service, which is already pre-installed in the majority of the newer Linux releases. This service can be used to monitor a specific file (in smaller intervals, such as 10 seconds) and in case of any changes, send the logs to QRadar. The configuration is fairly simple, here are the steps:
- Check if the syslog-ng is installed:
$ service syslog-ng status
if not installed, install using:
$ apt-get install syslog-ng
- Edit the syslog-ng configuration file (usually at: /etc/syslog-ng/syslog-ng.conf), inserting the following lines:
source s_logfile1 { file("[[[PATH_TO_FILE]]]" follow_freq(10) flags(no-parse)); }; destination d_qradar { tcp("[[[QRADAR_COLLECTOR_IP]]]" port(514) template("<$PRI>$DATE $HOST $MESSAGE\n")); }; log { source(s_logfile1); destination(d_qradar); };The first line adds a “file monitoring” rule to the specific file. You can update the file monitoring frequency (in seconds) by changing the follow_freq parameter.
The second line adds a syslog destination, if you already had syslog-ng configured for another log monitoring, this line may not be necessary.
The third line adds a logging action from the source file to the destination syslog recipient. - Restart the syslog-ng service
$ service syslog-ng restart
- Done! You can now check on QRadar if logs are coming.
- If you need to troubleshoot, you can check the syslog-ng logs by using the following commands:
$ syslog-ng $ service syslog-ng status
QRadar 7.3.1, should you upgrade?
The IBM QRadar 7.3.1 was released in the beginning of 2018. However, several companies still using past versions of the tool. One of the most asked question every time a new release is out is “Why should I upgrade?”. To answer this question, I compiled a list of interesting improvements in the past four major releases. This list was based on the official IBM release notes and several QRadar open mics.
- Indexing offence by any field, including custom fields
- Customize columns on log activity tab, create custom layouts
- See average EPS for each log source, on admin tab and reports
- Support of if/then/else and case statements on AQL queries
- Release of a software version of QRadar
- All logs and flows are compressed when stored
- Paging on searches (improving search performance)
- Change network interface configuration through the web console (IP address, interfaces, bonding, etc)
- Change firewall rules through the web console
- New APIs for QVM and incident retrieval
- Resource restrictions for specific users (searches)
- X-Force is already included in the QRadar subscription
- Reference sets are now domain specific, each client has their own domain set
- Data retention buckets now can be per tenant
- Offence assignment is improved and offence screen support tenants
- Web interface for DSM editor
- AQL support nested queries
- IBM Security Master Console now included with qradar. Provides a holistic view of the environment
- EPS/FPM is now a shared pool that can be distributed across devices
- QRadar now runs on RedHat 7.3, which allows LVM for partition management. It also uses the SystemD for service management, meaning that you have to use “systemclt” to manage things in the system, like service start/stop
- Activation keys are not necessary anymore. You select the type on a list
- No more limit on log source numbers. The limit is by EPS
- Tenant management is improved, the tenants can create their own reference sets and custom properties.
- AQL now supports advanced statements, such as session queries, bitwise operators and functions.
- Apps now can be outsourced to an external AppNode
- New interfaces for remote networks and remote services
- Java deployment editor doesn’t exist anymore, all device management happens through the admin interface
- New login screen, new logos and design.
- New app called Pulse, very interesting dashboards, provide “SOC Views” and fancy graphs
- Custom properties can now be based in AQL queries
- Now it is possible to identify if QRadar inverted the flow in the network activity tab
- Minor patch updates does not cause downtime anymore
- Event collection now runs as a separated service, meaning you can restart just the event collection in a device
- New left side menu, allows creating shortcuts and favourites
- Browser-based notifications
- New “QRadar Deployment Intelligence App” provides a lot of system health information
- Possibility to enforce password policy
- New “QRadar Assistant App” comes already with QRadar. It gives tips on how to use the tool, suggest apps, and provide a live feed of the IBM Security Support twitter.
- Log source auto-detection can now be controlled, allowing only certain types of log sources to be auto-detected
- Auto-discovery of event properties.
- New offering of a Data Storage solution for QRadar, this allows to some of the logs to be collected only and not parsed by the pipeline (saving EPS). This can be interesting if one of the devices is on debug mode.
- Support to JSON formats in log source extension parsing
- AQL can now be targeted by event processor, improving search time
- Geolocation is improved. Now you can manually enter the geolocation of IPs on the network hierarchy, so maps are correct.
- New App Developer Center, so people can develop their own apps with the IBM SDK
- Rules can now be triggered by distance on geolocation. “If a traffic comes from more than 100km from here”..
- The vulnerability manager and risk manager are completely redesigned.
- The incident forensics module supports packet capture and more advanced features
Investigating Ransomware Infections with QRadar
Ransomware is the nightmare of most of system administrators and security officers. It’s an emerging threat and the trend unfortunately is upward: more and more companies are being hit by ransomware, from small shops to large corporations.
In a previous post we discussed on how to use your QRadar to detect ongoing ransomware infections. In this post we will be discussing how to investigate ransomware attacks using your SIEM.
You may be wondering, “why bothering if it’s too late?”. It is extremely important to understand the vectors exploited and the timeline of the attack so we can avoid future infections and even stop current ransomware attacks.
Here’s a list of items to check using your QRadar:
- Anti Virus logs: That seems the most obvious thing to check. We can try to identify if the antivirus detected the threat and which was the first computer affected (the “entry point”). We can also check if the users infected had turned their antivirus off or if the ransomware was not even detected by the antivirus (a potential zero-day).
- Network Traffic: The majority of the ransomware strains communicate to a Command & Control server for two main reasons: synchronize the malware data, and in some cases, exfiltrate sensitive data. You can use your QRadar to find if your machines are connecting to a new external IP. For example, if you had all your HR laptops infected, and in the same period you observe all the laptops connecting to a new specific IP, that’s most likely the command and control server. You can blacklist this IP in your firewalls and create custom rules on QRadar to alert in case new machines trying to connect to this IP.
- Windows Logs: The windows logs can provide a lot of useful information
- Network Connection Logs: You can try to identify the command and control server by the windows network logs. Those logs can also indicate an anomalous number of connections in a port. For example, the latest ransomware threats were exploiting a vulnerability in the SMB protocol, so if you see an unusual number of connections on port 139 or 445, that may indicate a ransomware proliferating into your network. If that’s the case, you can disable the vulnerable service or block the connections on the windows firewall.
- File Modification Logs: As discussed in this previous post an ongoing ransomware infection generates a lot of “file update” logs. If you detect an anomalous number of file update logs, that may indicate a ransomware threat.
- USB Logs: Most of the ransomware attacks spread through emails and webpages, but they can also be delivered through infected USB sticks. If you know the approximate time of the infection, you can check for USB logs, looking for inserted devices. If the source is a USB stick, contact the user and make sure other people do not do the same.
- Email Logs: Most of the ransomware strains use an email phishing campaign as entry point in a company. Check your email logs (example: Microsoft Exchange logs) for suspicious attachments sent to internal users. If you find the first person infected, you can find the sender and prevent other people of receiving similar emails and getting infected.
- HTTP Logs: Ransomware can also be distributed through malicious websites. If you have your HTTP proxy logs, check for unusual downloads or unusual websites. If you find the source of the ransomware it is easy to block the access and avoid that other users get infected.
Having a proper incident investigation will help you to reduce the impact of an ongoing ransomware attack and may help you to prevent future attacks.
How do you investigate your ransomware attacks? Share with us in the comments.
QRadar Insights 