Third party check engine under the right-click menu

Posted on

Today we’d like to share how you can easily add an extra plugin to your QRadar. This can be useful when you want to do deep investigations in a easy way, just using the right-click function. As an example, let’s add IPVOID (http://www.ipvoid.com/) to check source/destination IPs which can be found in a QRadar event.

 

In order to achieve it, follow below steps:

1. Open a SSH session to your QRadar main console.

2. Make a copy of the ip_context_menu.xml template to the QRadar config folder:
[root@my_radar]# cp /opt/qradar/conf/templates/ip_context_menu.xml /opt/qradar/conf/

3. Add your “new third party search engine” by editing the ip_context_menu.xml file:
[root@my_radar]# vim /opt/qradar/conf/ip_context_menu.xml

3. Add the following line in the ip_context_menu.xml file. You can change the parameters according with your plugin:
<contextMenu>
<menuEntry name=”IPVOID Check” url=”http://www.ipvoid.com/scan/%IP%/&#8221; />
</contextMenu>

4. Restart the tomcat service
[root@my_radar]#service tomcat restart

5. Done! Now you can use your plugin. It will appear under the right click, More Options->Plugins->IPVOID Check.

 

Advertisements

Installing a Device Adapter on the QRadar Risk Manager

Posted on Updated on

Today I was trying to install device adapters into the new QRadar Risk Manager 7.2. After sometime struggling (due the “incomplete” IBM documentation) I decided to create this post to help you guys to configure a new adapter in the Risk Manager. First things first, for those who don’t know, the QRadar Risk Manager need an adapter for each kind of device that you want to monitor the configuration. It means for example, if you have few Checkpoint Firewalls and few Cisco routers that you want to monitor the configuration, you will need to install the Checkpoint adapter and the Cisco adapter.

So, here’s the step by step to configure the adapters:

[All the files mentioned in this post can be found in this link, or at www.ibm.com/support/fixcentral ]

 

– Install the dependencies: (Only necessary in the first time configuration)

  • Download the rpm files: “ziptie-server” and “adapters-common” in your machine;
  • Connect to the Risk Manager server using SSH.
  • Create a new folder: /tmp/adapters
  • Copy the downloaded files from your computer into the new folder
  • Execute:  rpm -Uvh ziptie_filename.rpm   (use the ziptie file that you just transferred)
  • Execute:  rpm -Uvh adapterscommon_filename.rpm    (use the adapterscommon file that you just transferred)
  • Execute: service ziptie-server restart

 

– Install the adapter: (Repeat it for all the necessary adapters)

  • Download the rpm files for your adapter, example: cisco_adapter.rpm into your machine;
  • Connect to the Risk Manager server using SSH;
  • Copy the downloaded files from your machine to the folder /tmp/adapters ;
  • Execute:  rpm -Uvh cisco_adapter.rpm   (Change the filename for the adapter downloaded)
  • Execute: service ziptie-server restart

 

After those steps your adapter will be ready for use.

If you want, you can check the official IBM documentation in this link, but I found some missing steps on it.

Checking if GUI is working on the IMM

Posted on

Hi guys, sometimes you’re not able to log in to the IMM web interface and check many information regarding event processor/ collector. If the GUI is down you can go through the following easy steps:

  •  ssh to the IMM,
  • check if the server is running:     system>     ssl
    • if it’s running try to reset the IMM.
    • if the server is not running just turn it on:          system>   ssl se on

IMM Troubleshooting

QRadar and Big Data

Posted on

Today I was reading about the new QRadar integration with the IBM BigData solution. Instead of writing down here, I decided to share with you guys a very nice video that summarize the benefits of this integration.

 

(Part 1) QRadar Basics and Big Data

 

(Part 2) QRadar BigData Extension:

 

I hope you guys enjoy the videos. You can also check more from the author in his youtube channel.

Centralized vs. Distributed collecting

Posted on

One of the main questions when designing the architecture of a QRadar environment is using a centralized (with or without clustering) or a distributed deployment. It means, should we create a cluster of QRadar in a specific network or should we distribute our collectors across the networks? As usual, the answer is: Depends.

The following pictures summarize the benefits and cons of the both cases.

Centralized
Centralized Deployment

In the Centralized scenario, all the servers and collectors are in the same network. It makes the deployment and management way easier since we have just one point of maintenance and one point to “care about”, and it is very important especially when we have a geographically spread environment. But having all the SIEM solution in one network means that all the environment will need to connect to the cluster. In other words, the firewalls will allow traffic between the QRadar cluster and any server. Considering that some collection methods involves windows authentications, it means that if someone get access to the QRadar cluster network, the person will have access to any device on the network.  Another bad point of this kind of deployment is the network failure tolerance. Lets say that the router in the border of the QRadar network goes down, all the log collection will be lost.

 

Distributed
Distributed Deployment

 

The distributed collection usually takes more time (and money) to implement and requires more time/resources to maintain, since the appliances will be distributed physically and logically. But the advantages are clear. With a distributed deployment the main QRadar console will have access only to its’ collectors, and nothing more. It means that if someone get access to the main SIEM network, the person will be able only to send packets to very specific IPs (collectors), and since the QRadar collectors are completely hardened, the security risk involved on this deployment is very low. Another benefit of the distributed deployment is the network failure tolerance. Considering the same case of a broken router in the QRadar console network, in this case the collectors will not have connection with the main console and will buffer the logs. After the network connectivity being restored, the logs will be synchronized with the main console.

As you guys noticed, the Distributed deployment can bring some good advantages compared with the Centralized one. But each company is a different case. Is up to you as an architect decide which deployment will fit your client need.

Do you have any suggestion or comment? Drop us a line in the comments!

Easy way to copy a file to all managed hosts

Posted on

Hi guys, today I’d like to present you another very useful command which you can use on a daily basics. Sometimes there is a need of coping a file to your all managed hosts. There is a very easy way to do this by using:

/opt/qradar/support/all_servers.sh -p file

… this will copy the “file” to the /tmp directory of all appliances.

After the file transfer, you can use the tips on this post to run commands all across your environment regarding with the new files.

One example of using this command, is transferring your  security policies to all the environment and after deploying the configuration using the all_servers script.

Do you have any use cases for this feature? Drop us a line in the comments!

QRadar Certification – Certified Deployment Professional (C2150-196)

Posted on Updated on

IBM recently released the new “IBM Security QRadar Certified Deployment Professional” or also called ” IBM Security QRadar SIEM V7.1 Implementation”. For the most of the people certifications are just accomplishments to attach on their CV, but the real value of the certification is not the paper itself, but is the study to get the certification. Even people that work years with the product, when studying to the certification discover new features or new ways to work with the solution, and being certified (after the proper study) gives you the necessary confidence that at least you already saw all the features of the product and you are able to use the tool in its best way.

The new certification (code C2150-196) consists in a 90-minutes test containing 64 questions involving all the phases of the project. From installing the hardware to tuning the rules. As mentioned in the first paragraph, studying and getting certified will give you a broader vision about the product, not only the tasks that you are used. The test passing score is 70%, a high score compared to another certifications from IBM, and as it involves all phases of the project, you should dedicate part of you time to study the tool.

The best way to prepare yourself to the certification is exploring the tool. Don’t try to go to the certification having never even logged on QRadar. Another good source of information, is the study guide from IBM that you can find on this link. It basically provides you with all the topics of the certification.

A personal tip to you is focus in the following categories: Difference between the versions (SIEM, LogManager, etc); theory behind the offences (how it is generates, how to configure the rules, etc); Interface usage (where can you find the features, how to do things in the interface, etc); and Solution Architecture (Components).

Another suggestion for people who have budget for it, go for the IBM classes. I went to two QRadar courses (2 years ago) and both were very helpful and practical. The courses were filled with useful exercises and hands-on activities. The bad point is the prices, but usually the companies pays for the training. To learn more about the IBM QRadar course, check this link out.

After studying the study guide (or attending the official training), exploring the tool and practicing the theory, you will be good to go for the certification. To get more information about how to schedule your certification visit the official IBM learning center.