Administration

Proactively identifying performance issues with the HCF plugin

Posted on Updated on

In the last post, we talked about the Health Check Framework (HCF) and its benefits. Since I’ve been using the plugin for over a month I was able to collect useful performance information and identify some potential performance issues even before they occur. In this post, you will learn how to proactively monitor your system performance and prevent potential performance issues from happening.

First, you will need to install the Health Check Framework plugin. The installation process is quite straightforward: all you need is to go to your IBM app store on your QRadar environment, search for “Health Check Framework” and install it following the steps on the screen. With the plugin installed, you can start by browsing the plugin interface and extracting a report about your system performance. In this report, you will see a lot of details about your system, such as CPU Usage, Disk Usage, EPS, FPM, heavy reports, current users, etc.

Report generated by the Health Check Framework (HFC) – A holistic view of your environment, note the number of tabs on the report

 

In my case, we are planning to expand the scope of servers monitored by QRadar, so I wanted to understand if we would need any hardware upgrades. For testing purposes, I disabled the log collection of 30 Windows servers that were currently being monitored and I noticed that the RAM memory usage reduced by around 5% (see images below). Obviously, this number will vary according to the server usage, but this test gave me a rough estimation that for each 30 servers my RAM memory usage will increase around 5%. So with the help of the HCF plugin, I was able to identify hardware upgrades to accommodate the monitoring of new servers, avoiding system outages due to lack of resources during the scope expansion.

Before disabling Windows test servers – Memory used ~40GB

 

After disabling the Windows servers – Memory used: ~38GB

 

Even if you’re not planning to expand your scope, you can use historical performance data to proactively identify issues. For example, let’s say, your QRadar monitors a new e-commerce website. The number of logs you get depends on the traffic your website has. With the historical data, you will be able to identify a performance trend: as the e-commerce website becomes more popular, the EPS increases and the CPU/Memory usage also increases. With this data, you will be able to estimate at which point in time you will need a hardware upgrade, avoiding any unexpected system outages due to lack of resources.

Another very interesting data that I found in this report was the “Event Average Payload Size”, which as the name says, tells you the average size of logs received. This can be very useful to identify hard drive requirements when expanding your EPS.

Using the same plugin I was also able to identify heavy reports and rules that were severely impacting the performance of my QRadar environment. After reviewing and fixing the queries of the reports and rules, it was noticed a considerable reduction in the CPU usage.

Chart extracted from the HCF report – Identifying heavy rules

 

Monitoring the performance of your system puts you in a proactive posture in relation to your environment. Being proactive means that you will not be firefighting issues as before, but instead, monitoring and planning upgrades ahead to avoid issues even before they happen.

QRadar New Features (7.2.5 – 7.2.7)

Posted on Updated on

Since my last post several new features were introduced on QRadar. In the last couple of years, IBM is really trying to stay ahead of its competitors (and also trying to catch up and in some forgotten features). In this post I want to discuss about the new capabilities that I believe are significant improvements in the new versions of QRadar (7.2.5 – 7.2.7).

  • Multitenancy: Probably the feature that all the SOC service providers were waiting for. Now it’s possible to have multiple clients in one single QRadar installation, meaning that if you monitor QRadar for more than one company now you can see all your clients in one single dashboard. This feature also allow you to assign a specific amount of EPS for each tenant, making it easy to control the SIEM usage for each client. There’s a lot of improvements with this feature, so if you want more information just check the official IBM video about this feature.
  • Historical Correlation: Several times in the past I struggled with the fact it was not possible to apply a new offense rule to past events. I had to use several bash tricks to be able to replay logs. However, in the latest versions of QRadar it is possible to “replay” historical logs to figure out if your new offense rule happened in the past. IBM also has a good video about this topic.
  • Deployment Editor: Finally IBM got rid of the java applet that managed the QRadar deployment. The new QRadar 7.2.7 allows you to manage your appliances through the web interface!
  • Custom Action Scripts: This is a feature that can be powerful if well written or dangerous if misconfigured. It can be powerful because allow an offense to trigger any action on an external system, for example, allow you to write an script that creates a new firewall rule if an “brute-force offense” is observed. At same time this is a great feature, the pentester side of me can see a lot of potential vulnerabilities with this feature: basically you’re allowing an script to execute a command in a server based on an input of a log received from a non-trusted device, meaning that if someone properly craft a syslog, they may be able to inject a command into your script. It’s not easy, but it may be possible. So make sure you properly sanitize the inputs in your action script. Also, make sure you properly configure the access to the script file (since it probably will contain access keys to other systems)
  • Data Obfuscation: This feature basically obfuscate sensitive data coming in the logs. For example: let’s say that your application use as user-id the credit card number of the customer (which is NOT recommended), then your application sends the user-id to QRadar as part of the logs of some action. With this feature, you can obfuscate the user-id to ensure your SOC team will NOT see the credit card number of your customers. Check this IBM video for more information, they discuss where you can apply data obfuscation and where you shouldn’t apply it.

 

There are several other new features in the new QRadar versions but the above are the ones that in my opinion really aggregated value to the tool! Check out the IBM channel on Youtube, you can find several videos about the new QRadar features! What is your favorite new QRadar feature?

Third party check engine under the right-click menu

Posted on

Today we’d like to share how you can easily add an extra plugin to your QRadar. This can be useful when you want to do deep investigations in a easy way, just using the right-click function. As an example, let’s add IPVOID (http://www.ipvoid.com/) to check source/destination IPs which can be found in a QRadar event.

 

In order to achieve it, follow below steps:

1. Open a SSH session to your QRadar main console.

2. Make a copy of the ip_context_menu.xml template to the QRadar config folder:
[root@my_radar]# cp /opt/qradar/conf/templates/ip_context_menu.xml /opt/qradar/conf/

3. Add your “new third party search engine” by editing the ip_context_menu.xml file:
[root@my_radar]# vim /opt/qradar/conf/ip_context_menu.xml

3. Add the following line in the ip_context_menu.xml file. You can change the parameters according with your plugin:
<contextMenu>
<menuEntry name=”IPVOID Check” url=”http://www.ipvoid.com/scan/%IP%/&#8221; />
</contextMenu>

4. Restart the tomcat service
[root@my_radar]#service tomcat restart

5. Done! Now you can use your plugin. It will appear under the right click, More Options->Plugins->IPVOID Check.

 

Installing a Device Adapter on the QRadar Risk Manager

Posted on Updated on

Today I was trying to install device adapters into the new QRadar Risk Manager 7.2. After sometime struggling (due the “incomplete” IBM documentation) I decided to create this post to help you guys to configure a new adapter in the Risk Manager. First things first, for those who don’t know, the QRadar Risk Manager need an adapter for each kind of device that you want to monitor the configuration. It means for example, if you have few Checkpoint Firewalls and few Cisco routers that you want to monitor the configuration, you will need to install the Checkpoint adapter and the Cisco adapter.

So, here’s the step by step to configure the adapters:

[All the files mentioned in this post can be found in this link, or at www.ibm.com/support/fixcentral ]

 

– Install the dependencies: (Only necessary in the first time configuration)

  • Download the rpm files: “ziptie-server” and “adapters-common” in your machine;
  • Connect to the Risk Manager server using SSH.
  • Create a new folder: /tmp/adapters
  • Copy the downloaded files from your computer into the new folder
  • Execute:  rpm -Uvh ziptie_filename.rpm   (use the ziptie file that you just transferred)
  • Execute:  rpm -Uvh adapterscommon_filename.rpm    (use the adapterscommon file that you just transferred)
  • Execute: service ziptie-server restart

 

– Install the adapter: (Repeat it for all the necessary adapters)

  • Download the rpm files for your adapter, example: cisco_adapter.rpm into your machine;
  • Connect to the Risk Manager server using SSH;
  • Copy the downloaded files from your machine to the folder /tmp/adapters ;
  • Execute:  rpm -Uvh cisco_adapter.rpm   (Change the filename for the adapter downloaded)
  • Execute: service ziptie-server restart

 

After those steps your adapter will be ready for use.

If you want, you can check the official IBM documentation in this link, but I found some missing steps on it.

Checking if GUI is working on the IMM

Posted on

Hi guys, sometimes you’re not able to log in to the IMM web interface and check many information regarding event processor/ collector. If the GUI is down you can go through the following easy steps:

  •  ssh to the IMM,
  • check if the server is running:     system>     ssl
    • if it’s running try to reset the IMM.
    • if the server is not running just turn it on:          system>   ssl se on

IMM Troubleshooting

QRadar and Big Data

Posted on

Today I was reading about the new QRadar integration with the IBM BigData solution. Instead of writing down here, I decided to share with you guys a very nice video that summarize the benefits of this integration.

 

(Part 1) QRadar Basics and Big Data

 

(Part 2) QRadar BigData Extension:

 

I hope you guys enjoy the videos. You can also check more from the author in his youtube channel.

Centralized vs. Distributed collecting

Posted on

One of the main questions when designing the architecture of a QRadar environment is using a centralized (with or without clustering) or a distributed deployment. It means, should we create a cluster of QRadar in a specific network or should we distribute our collectors across the networks? As usual, the answer is: Depends.

The following pictures summarize the benefits and cons of the both cases.

Centralized
Centralized Deployment

In the Centralized scenario, all the servers and collectors are in the same network. It makes the deployment and management way easier since we have just one point of maintenance and one point to “care about”, and it is very important especially when we have a geographically spread environment. But having all the SIEM solution in one network means that all the environment will need to connect to the cluster. In other words, the firewalls will allow traffic between the QRadar cluster and any server. Considering that some collection methods involves windows authentications, it means that if someone get access to the QRadar cluster network, the person will have access to any device on the network.  Another bad point of this kind of deployment is the network failure tolerance. Lets say that the router in the border of the QRadar network goes down, all the log collection will be lost.

 

Distributed
Distributed Deployment

 

The distributed collection usually takes more time (and money) to implement and requires more time/resources to maintain, since the appliances will be distributed physically and logically. But the advantages are clear. With a distributed deployment the main QRadar console will have access only to its’ collectors, and nothing more. It means that if someone get access to the main SIEM network, the person will be able only to send packets to very specific IPs (collectors), and since the QRadar collectors are completely hardened, the security risk involved on this deployment is very low. Another benefit of the distributed deployment is the network failure tolerance. Considering the same case of a broken router in the QRadar console network, in this case the collectors will not have connection with the main console and will buffer the logs. After the network connectivity being restored, the logs will be synchronized with the main console.

As you guys noticed, the Distributed deployment can bring some good advantages compared with the Centralized one. But each company is a different case. Is up to you as an architect decide which deployment will fit your client need.

Do you have any suggestion or comment? Drop us a line in the comments!