Tunning

Third party check engine under the right-click menu

Posted on

Today we’d like to share how you can easily add an extra plugin to your QRadar. This can be useful when you want to do deep investigations in a easy way, just using the right-click function. As an example, let’s add IPVOID (http://www.ipvoid.com/) to check source/destination IPs which can be found in a QRadar event.

 

In order to achieve it, follow below steps:

1. Open a SSH session to your QRadar main console.

2. Make a copy of the ip_context_menu.xml template to the QRadar config folder:
[root@my_radar]# cp /opt/qradar/conf/templates/ip_context_menu.xml /opt/qradar/conf/

3. Add your “new third party search engine” by editing the ip_context_menu.xml file:
[root@my_radar]# vim /opt/qradar/conf/ip_context_menu.xml

3. Add the following line in the ip_context_menu.xml file. You can change the parameters according with your plugin:
<contextMenu>
<menuEntry name=”IPVOID Check” url=”http://www.ipvoid.com/scan/%IP%/&#8221; />
</contextMenu>

4. Restart the tomcat service
[root@my_radar]#service tomcat restart

5. Done! Now you can use your plugin. It will appear under the right click, More Options->Plugins->IPVOID Check.

 

Changing firewall rules

Posted on Updated on

By the original QRadar configuration, all the appliances comes with a pre-configured firewall rules in the OS. For testing purposes we can simple deactivate the firewall using the command “service iptables stop” (to stop the firewall) and “service iptables start” (to turn it back). But sometimes we need to update the firewall configuration aiming permanent changes.

In order to change firewall rules on your appliance you need to follow the below steps:

  • Connect through SSH to the appliance that you want to make modifications;
  • Login using ‘root’ account;
  • Edit one of the following files:
    • /opt/qradar/conf/iptables.pre
    • /opt/qradar/conf/iptables.post
    • /opt/qradar/conf/iptables-nat.post
  • Add your firewall rules in the file, for example:
    • -A INPUT -i eth0 -s x.x.x.x -j ACCEPT
  • Save the file with the ‘ :wq ‘;
  • Run /opt/qradar/bin/iptables_update.pl so your changes take effect;

With those steps your firewall configuration is now changed and will persist even in rebooting cases.

Changing the SSL Certificate

Posted on Updated on

In this post we are going to explain in a simply way how to change the SSL certificate of QRadar. For the folks that already worked with IBM products know how tricky it were, but with QRadar it is way easier. In less than 10 steps you can import your self-signed or trusted certificated into QRadar.

  • Get your self-signed or trusted certificate (remember: you need the public and private key);
  • Log into your QRadar console using SSH;
  • Transfer the certificate to some folder inside the QRadar, example:
    /certificates/qradar_priv_certificate.pfx    and   /certificates/qradar_public_certificate.cer
  • Execute the following command: /opt/qradar/bin/install_ssl_cert.sh -i
  • The script will ask you the path to the private certificate file. Just type the path you used on step 3.
  • The script can ask you the public certificate, just type the path you used on step 3;
  • To confirm the change, type ‘y’ and press enter;
  • After the completion, restart the hostcontext service using the command:
    service hostcontext restart
  • After the restarting the service, open the QRadar using HTTPs using your browser and verify the certificate;

Basically, the QRadar will make all the tricky part and will update the SSL certificate for you.

You can find the official documentation about the SSL certificate change in this link (that basically explain this 10 steps in 10 pages).