A Qradar Log Source Extension Walkthrough - SANS Institute


SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.


Copyright SANS Institute Author Retains Full Rights

A Qradar Log Source Extension Walkthrough and Case Study

GIAC (GCIH) Gold Certification

Author: Michael Stanton, [email protected]
Advisor: Richard Carbone

Accepted:

Abstract

One of the first steps that any organization must take in order to reduce risk and improve overall security is to understand the activity that is taking place on their networks and computer systems. These activities are recorded in the log files these systems produce. As these systems have grown in speed and complexity, understanding this activity has become increasingly difficult. For this primary reason, the class of information technology solutions referred to as security information and event management or “SIEM” has increased in popularity in step with this trend. SIEM solutions continue to evolve as they are deployed within commercial enterprises, the public sector and academia. A leader in this field, IBM Qradar, is consistently given high marks for ease of configuration (Gartner 2014). Unfortunately, the availability of documentation for one of the most critical support aspects of this solution, building custom log source extensions, is quite limited. The vendor, IBM, provides a technical reference but illustrated or guided primers with examples are almost nonexistent. This paper will introduce SIEM, walk through the log source extension creation process and discuss how it complements the overall configuration process for the solution.

[VERSION June 2012]

Qradar LSX Walkthrough 2

1. Introduction

The acronym SIEM refers to “Security Information and Event Management”.

Due to the many and varied functions provided, a concise definition is elusive. Some consistently offered functions across all SIEM platforms include log and threat correlation, incident management and reporting (Swift 2006). Additional functions provided may also include active response, IT regulatory compliance, endpoint security, vulnerability assessment and advanced log search (Miller, Harris, Harper, VanDyke, Blask 2011). Miller’s definition leads to the conclusion that this class of multi-function system has evolved from a group of discrete software tools that each contribute to a unified security response platform (Miller 2011). Miller goes on to suggest that this is a logical evolution from such things as log aggregation platforms. As the solution matured, developers added correlation rules to assist with sifting through large amounts of disparate

order="1" pattern-id="SourceIp" capture-group="7" />

This expression would match if we separated each octet in the pattern ID using parentheses. The seventh match group is represented in bold below:

Device Type: Example SampleTron 5000 (FakeOS)
Device Version: Fakeware 2.7.1
Protocol: Syslog

Custom Property regular expressions for Event Viewer:
SampledID: \sPolicy\sID\:\s(.*?)\;
SampledGroup: \sGroup\sName\:\s(.*?)\;

Common Regular Expressions:
IP Address: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
Port Number: \d{1,5}
MAC Address: (?:[0-9a-fA-F]{2}\:){5}[0-9a-fA-F]{2}
Protocol: (tcp|udp|icmp|gre)
Device Time: \w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}
White Space: \s
Tab: \t
Match Anything: .*?
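To make the matcher fragment (pattern-id plus capture-group) and the appendix regular expressions concrete, here is an added Python example that is not code from the paper or from IBM: it resolves LSX-style matchers against a constructed FakeOS syslog line, and shows why a capture-group of 7 only resolves when each octet has its own parentheses. The event line, the pattern-ids and the field names are assumptions made for the demo.

```python
import re

# Constructed SampleTron 5000 / FakeOS-style syslog line for the demo (not from the paper)
EVENT = ("Sep 15 12:34:56 sampletron FakeOS: Policy ID: 42; Group Name: Admins; "
         "src=10.1.2.3 sport=51515 dst=192.168.7.9 dport=443 proto=tcp")

# pattern-id -> regex, playing the role of the LSX pattern definitions.
# "Octets" wraps every octet in parentheses, the case a capture-group="7"
# matcher needs; "SourceIp" has a single group around the whole address.
PATTERNS = {
    "DeviceTime": r"^(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})",
    "PolicyId":   r"\sPolicy\sID\:\s(.*?)\;",     # appendix regex for SampledID
    "GroupName":  r"\sGroup\sName\:\s(.*?)\;",    # appendix regex for SampledGroup
    "SourceIp":   r"src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    "Octets":     (r"src=(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})"
                   r"\s.*?dst=(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})"),
    "Protocol":   r"proto=(tcp|udp|icmp|gre)",
}

# (field, pattern-id, capture-group), mirroring the matcher attributes shown in the paper
MATCHERS = [
    ("DeviceTime",   "DeviceTime", 1),
    ("SampledID",    "PolicyId",   1),
    ("SampledGroup", "GroupName",  1),
    ("SourceIp",     "SourceIp",   1),
    ("DstOctet3",    "Octets",     7),  # seventh group = third octet of dst
    ("Protocol",     "Protocol",   1),
]


def apply_matchers(event, patterns=PATTERNS, matchers=MATCHERS):
    """Resolve each matcher against the event the way an LSX would: look up the
    pattern by pattern-id, search the event, and take the numbered group.
    A capture-group higher than the pattern's group count is reported as None
    instead of raising, so a mis-numbered matcher is visible while testing."""
    fields = {}
    for field, pattern_id, group in matchers:
        match = re.search(patterns[pattern_id], event)
        if match is None or group > match.re.groups:
            fields[field] = None       # no match, or group index out of range
        else:
            fields[field] = match.group(group)
    return fields


if __name__ == "__main__":
    for name, value in apply_matchers(EVENT).items():
        print(f"{name:13} {value}")
    # capture-group="7" against the single-group SourceIp pattern cannot resolve
    print(apply_matchers(EVENT, matchers=[("SourceIp", "SourceIp", 7)]))
```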


Michael Stanton, [email protected]


Last Updated: September 15th, 2017
