IBM QRadar

Description

IBM QRadar is a comprehensive threat detection and response solution designed to help security teams efficiently manage and respond to security incidents. It operates as a Security Information and Event Management (SIEM) platform that collects, processes, aggregates, and stores network data in real-time to provide visibility into network security, generate alerts, and manage offenses for threat detection and prioritization.

The data that it collects includes event data (user logins, email activity, firewall denials) and flow data (network session information between hosts) from the network through devices called connectors. The raw data is normalized into a structured format usable for analysis. The collected data is then analyzed by a Custom Rules Engine that detects security offenses and alerts, then stores the data. The processed data is accessible via the QRadar Console for searches, analysis, reporting, and alerting. The web console provides a user interface for managing security tasks and investigations. For those who want to practice using this SIEM, the QRadar Community Edition (CE) is available for free.

QRadar CE server setup

This will cover how to install QRadar CE on a standalone virtual machine.

  1. Create a new virtual machine that follows the required specifications:

    • Memory: min. 16-24 GB
    • Disk space: min. 200 GB
    • CPU: 4/6 cores
    • Network adapter: Bridge
    • Disc image: QRadar ISO
  2. Start the VM and wait until you are prompted to enter halt, reboot, flatten, or wipe. Choose flatten to install.

  3. After the initial installation, you will be given the same prompt again. Choose halt to shutdown.

  4. Remove the installation media from the VM, then start it up again. Initial setup will continue automatically.

  5. When it's done, you will be prompted to log in. The username is root and there is no initial password.

  6. Accept the EULA.

  7. In the new setup dialogue box, select Software Install, then Normal Setup, then configure your timezone settings.

  8. After that, choose IPv4 for IP setup, then select your network interface.

  9. Then, configure QRadar's functionality and network settings. For functionality, select "All-In-One" Console.

    Example network configuration
    • Hostname: qradar.local
    • IP Address: 192.168.1.77
    • Network Mask: 255.255.255.0
    • Gateway: 192.168.1.1 (IP address of your router)
    • Primary DNS: 8.8.8.8

  10. Finish the installation. Access the QRadar CE Console on your browser by connecting to the server's IP address.

Log sources

This will cover adding log sources from clients on your network. Log sources include syslog-enabled devices, network logs, and web server logs, just to name a few.

To view your Log Sources, log in to the QRadar console, then navigate to Admin -> Data Sources -> Log Sources.

Syslog source configuration

Syslog is a standardized protocol used for sending, receiving, and storing log or event messages generated by devices, applications, and operating systems within a network. It allows these systems to transmit their event data to a centralized server, like your QRadar SIEM, which collects and manages these logs for monitoring and troubleshooting purposes.

Windows

  1. Download WinCollect 10 from IBM Support.

  2. Run the .msi installer from a PowerShell admin terminal:

    msiexec.exe /i wincollect-<version>.msi
    
  3. When prompted, provide your QRadar server's IP address.

  4. Complete the setup process.
    This WinCollect instance will then appear as a log source in your QRadar console.

Linux

  1. Install the rsyslog package:

    For Debian-based
    sudo apt install rsyslog
    
  2. Edit the rsyslog configuration file:

    sudo nano /etc/rsyslog.conf
    

    Write the following line to the file:

    rsyslog.conf
    *.* @192.168.1.77:514
    

    This routes all syslog traffic from this Linux host to your QRadar server's IP address via UDP port 514.

  3. Restart the rsyslog service:

    sudo systemctl restart rsyslog.service
    

    This Linux rsyslog instance will then appear as a log source in your QRadar console.

HTTP/HTTPS log source configuration

A log collector and web proxy can be used in tandem to collect and forward HTTP/HTTPS connection logs from a client to the QRadar server.

Windows

QRadar configuration

  1. Download and install the NxLog log collector and Squid web proxy.

  2. In the QRadar console, click on the Log Sources tab and add a log source for Squid:

    Squid log source summary
    • Name: Squid Windows
    • Log Source Type: Squid Web Proxy
    • Protocol Type: Syslog
    • Log Source Identifier: (SOURCE_IP)

Squid configuration

  1. Configure squid.conf to format the logs in QRadar format by adding these lines:

    logformat qradarformat %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
    access_log C:\Squid\var\log\squid\access.log qradarformat
    
  2. Save and close the file.

NxLog configuration

  1. In order for NxLog to send syslogs to QRadar, create an outbound rule for UDP port 514 on the Windows Firewall.

  2. Add these lines to your nxlog.conf and save the file:

    <Input squid_input>
            Module  im_file
            File    "C:\\Squid\\var\\log\\squid\\access.log"
            SavePos TRUE
            ReadFromLast    TRUE
    </Input>
    
    <Output syslog_output>
            Module  om_udp
            Host    <QRADAR_IP>
            Port    514
            Exec    $Message = $raw_event;
    </Output>
    
    <Route squid_to_syslog>
            Path    squid_input => syslog_output
    </Route>
    

    Configuration explained

    This takes the log lines written and formatted by the Squid web proxy as input and forwards them as syslog output to the QRadar server's IP address on UDP port 514.

  3. Restart the nxlog service in Windows Services.

Windows proxy configuration

  1. On your source Windows machine, open Settings -> Network & internet -> Proxy.

  2. Next to Use a proxy server, click on Set up.

  3. Enter 127.0.0.1 for the Proxy IP address and 3128 for the port. Click Save.

Test the log source

  1. With the web proxy now running, open a browser window on your Windows source host and do a simple Google search.

  2. Open an admin PowerShell terminal and run the following command:

    Get-Content "C:\Squid\var\log\squid\access.log" -Tail 10
    
    The output should contain TCP connection events like the following example:

    1753416199.965  4475 127.0.0.1 TCP_TUNNEL/200 3466 CONNECT www.google.com:443 - HIER_DIRECT/www.google.com -
    
  3. On the QRadar console's Log Sources page, check that the Squid log source has an OK status.

  4. Click on the Log Activity tab. Then, click Add Filter. Set the Parameter to Log Source [Indexed], Equals, Log Source: Squid Windows.

  5. On the source host, go to any site, for example http://httpforever.com.

  6. The log activity will show incoming TCP logs. They should have names like TCP_TUNNEL (HTTPS traffic) and TCP_MISS (HTTP traffic).

  7. The event payloads should look something like this:

    1753417316.787  9146 127.0.0.1 TCP_TUNNEL/200 86513 CONNECT www.bing.com:443 - HIER_DIRECT/www.bing.com -
    
    1753417314.515  187 127.0.0.1 TCP_MISS/200 5172 GET http://httpforever.com/favicon.ico - HIER_DIRECT/httpforever.com image/x-icon
    
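Parsing the qradarformat lines: an added example (not code from the page, Squid or QRadar) that splits access.log lines into the fields defined by the logformat directive in squid.conf above and summarizes them; the first two sample lines are the ones shown in this walkthrough, the third (a denied request) is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Field order of the "qradarformat" logformat in squid.conf:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
FIELDS = ("timestamp", "elapsed_ms", "client_ip", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime_type")

# Constructed sample: the two lines from the walkthrough plus one denied request.
SAMPLE_LOG = """\
1753417316.787   9146 127.0.0.1 TCP_TUNNEL/200 86513 CONNECT www.bing.com:443 - HIER_DIRECT/www.bing.com -
1753417314.515    187 127.0.0.1 TCP_MISS/200 5172 GET http://httpforever.com/favicon.ico - HIER_DIRECT/httpforever.com image/x-icon
1753416199.965      0 127.0.0.1 TCP_DENIED/403 3466 GET http://blocked.example/ - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one access.log line into a dict keyed by the logformat fields."""
    parts = line.split()  # %6tr is space-padded, so split on whitespace, not fixed columns
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    rec["squid_status"], http = rec["result"].split("/", 1)   # e.g. TCP_TUNNEL / 200
    rec["http_status"] = int(http)
    rec["peer_status"], rec["peer_host"] = rec["hierarchy"].split("/", 1)
    if rec["method"] == "CONNECT":
        # HTTPS through the proxy is logged as CONNECT host:port; the path is never visible
        host, port = rec["url"].rsplit(":", 1)
        rec["dest_host"], rec["dest_port"], rec["scheme"] = host, int(port), "https"
    else:
        u = urlsplit(rec["url"])
        rec["dest_host"], rec["dest_port"], rec["scheme"] = u.hostname, u.port or 80, u.scheme
    return rec

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def summarize(records):
    """Events per Squid status (TCP_TUNNEL = HTTPS, TCP_MISS = HTTP, TCP_DENIED = blocked)
    and bytes transferred per destination host."""
    by_status, bytes_by_host = {}, {}
    for r in records:
        by_status[r["squid_status"]] = by_status.get(r["squid_status"], 0) + 1
        bytes_by_host[r["dest_host"]] = bytes_by_host.get(r["dest_host"], 0) + r["bytes"]
    return by_status, bytes_by_host

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["time"].isoformat(), r["squid_status"], r["http_status"], r["method"], r["dest_host"], r["dest_port"])
    print(summarize(parse_log(SAMPLE_LOG)))
```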

Log activity

Generate log events

This will cover Log Activity inspection through the QRadar console interface.

  1. Click on the Log Activity tab on your QRadar console. This tab displays the logs from your QRadar server and other log sources you have set up.

  2. On your Windows/Linux host's terminal, create a new user account:

    Linux
    sudo useradd <username>
    
    Windows
    net user <username> <password> /add
    
  3. Check the Log Activity tab for new events. Filter the results by the Source IP of your client.

  4. Find the correct event which matches the action that was done on the client. Double click on the event to see the payload.

  5. The event payload should look similar to the following:

    <86>Nov 8 13:22:08 debian useradd[2428]: new user,name=qradar,UID=1001,GID=1001,home=/home/qradar,shell=/bin/sh,from=/dev/pts/1
    

Rules and offenses

QRadar rules are logic conditions applied to events, flows, or offenses to detect suspicious activity in your network. These rules consist of a set of tests that, when met, trigger responses such as generating offenses or alerts.

Create rules

Rule A: Generate an offense on user account creation

  1. Click on the Log Activity tab and find the event log that was collected from the previous exercise. Double click on it.

  2. Scroll down in the event details until you find its QID. Copy this QID to your clipboard. It is unique to this type of event on this client machine.

  3. Click on the Offenses tab, then click on Actions -> New Event Rule.

  4. The Rule Wizard will appear. Choose Events as the source for this rule. Click Next.

  5. In the blank field next to Apply, and in the Notes field at the bottom, type User account added.

  6. In the Rule Test Stack Editor, set the Test Group to All. Add the test which states:

    when the event QID is one of the following QIDs

  7. The test will appear in the Rule box below. Click on the underlined QIDs to edit the test.

  8. In the test configuration window, paste the QID you got from step 2 into the QID/Name field, and add it to the list. Close the window and click Next.

  9. Enter the details of the event to dispatch, and click Next.

  10. Review the rule summary before it gets deployed and click Finish. If needed, you can access this rule from the Offenses tab.

    Rule A test criteria (screenshot)

    Rule A summary (screenshot)

    Rule A test explained

    When a specific event QID is found, then an offense will be generated.

Rule B: Authentication failure after five attempts

  1. Create another rule with the following test criteria:

    Rule B test criteria (screenshot)

    Rule B summary (screenshot)

    Rule B test explained

    When an event matches any kind of authentication failure AND it happens five times by the same user in the space of one minute, then an offense will be generated.
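To make the two rules' tests concrete, here is an added example (not QRadar's Custom Rules Engine and not code from this page) that applies Rule A's QID match and Rule B's five-failures-by-one-user-in-one-minute window to constructed events; the QID values are hypothetical placeholders for the ones you copy from the event details.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # Rule B: "in the space of one minute"
THRESHOLD = 5         # Rule B: "five times by the same user"
# Hypothetical QID values standing in for the real ones copied from the event details.
USER_ADDED_QIDS = {5000001}      # Rule A: "when the event QID is one of the following QIDs"
AUTH_FAILURE_QIDS = {5000002}    # Rule B: any authentication-failure event

class RuleEngine:
    def __init__(self):
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self.offenses = []                   # (rule name, username, timestamp)

    def rule_a(self, ev):
        # Rule A fires on every matching QID, with no counting.
        if ev["qid"] in USER_ADDED_QIDS:
            self.offenses.append(("User account added", ev["username"], ev["ts"]))

    def rule_b(self, ev):
        # Rule B keeps a sliding window of failures per user and fires at the threshold.
        if ev["qid"] not in AUTH_FAILURE_QIDS:
            return
        window = self._failures[ev["username"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW_SECONDS:
            window.popleft()   # discard failures older than one minute
        if len(window) >= THRESHOLD:
            self.offenses.append(("Authentication failure x5", ev["username"], ev["ts"]))
            window.clear()     # one burst yields one offense, not one per extra failure

    def process(self, events):
        for ev in sorted(events, key=lambda e: e["ts"]):  # handle events in time order
            self.rule_a(ev)
            self.rule_b(ev)
        return self.offenses

def demo():
    """Constructed events: one useradd, five slow failures for alice that never
    fit inside one window, then five failures for bob within 20 seconds."""
    events = [{"qid": 5000001, "username": "qradar", "ts": 100}]
    events += [{"qid": 5000002, "username": "alice", "ts": t} for t in (200, 220, 240, 260, 290)]
    events += [{"qid": 5000002, "username": "bob", "ts": t} for t in (400, 405, 410, 415, 420)]
    return RuleEngine().process(events)

if __name__ == "__main__":
    for rule, user, ts in demo():
        print(f"offense: {rule} ({user}) at t={ts}")
```

Only bob triggers Rule B: alice's failures are spread so that at most four ever fall within one 60-second window.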

Test the rules

Rule A

  1. Create another user account on the same client machine:

    Linux
    sudo useradd <username>
    
    Windows
    net user <username> <password> /add
    
  2. Refresh the All Offenses page until a new offense is triggered. Double click on the new offense to view it in more detail and manage it.

Rule B

  1. Trigger the offense by failing to authenticate to the client via SSH at least five times in one minute.

    ssh <client-username>@<client-ip>
    
  2. Refresh the All Offenses page until a new offense is triggered. Double click on the new offense to view it in more detail and manage it.

Manage offenses

Assign offenses to users

  1. Assign an offense to an analyst by clicking on Actions -> Assign.

  2. Click on the dropdown bar and click on the user you want to assign the ticket to. Click Save.

    An icon will appear in the offense status to indicate that the ticket has been assigned to a user.

Add notes to an offense

  1. Add notes to an offense by clicking on Actions -> Add Note.

  2. Write any description you would like, then click Add Note.

    An icon will appear in the offense status to indicate that a note was added to the ticket.

Close an offense

  1. Close an offense by clicking on Actions -> Close.

  2. Select the appropriate closing reason and add a brief note. Click OK.

    The offense is now closed and has disappeared from My Offenses. Clear the Exclude Closed Offenses filter to see closed offenses.

Extend the QRadar CE license

  1. Go to the QRadar CE download page and click Download.

  2. Scroll down and click on the download link next to the .key file.

  3. Log in to the QRadar console. Navigate to Admin -> System and License Management.

  4. Select the .key file you just downloaded and click Upload. Close the window.

  5. Click the Display dropdown and click Licenses.

  6. Click on the QRadar server, then click Allocate System to License. Confirm your changes and close the window.

  7. Click Deploy License Changes.

    Verify license extension

    Check that the key listed on the Licenses page has been overwritten and extended to a later date.

  8. Navigate to Admin -> System and License Management -> License Pool Management.

  9. Change the EPS Allocation and FPM Allocation fields to 0.