IBM QRadar [SIEM]

Some notes from online videos and IBM documentation

First, let's set up the Community Edition.

Procedure

  1. Download the QRadar Community Edition OVA file from IBM Developer: https://developer.ibm.com/qradar/ce/

  2. Create a virtual machine with the OVA file that meets the following requirements:

     • Minimum: 8 GB RAM. Note: You need 10 GB or more if you are using X-Force tests or Ariel queries. You need more RAM for some apps. Apps get 10% of available RAM, and this is divided between all apps.

     • Minimum 250 GB disk space.

     • Minimum 2 CPU cores. Note: For optimal performance, you need a minimum of 6 CPU cores if you are using X-Force tests. You need a minimum of 8 CPU cores if you are using Ariel queries with X-Force data.

     • You need at least one network adapter with access to the internet. Your system must have internet access, or QRadar Community Edition installation fails. Note: If you are using a locally hosted virtual machine with a local IP address, you must forward port 8444 to port 443 to access QRadar in a web browser. Forward port 2222 to port 22 to use ssh to connect to QRadar.

     • You need static public and private IP addresses for QRadar Community Edition.

     • The hostname must be a fully qualified domain name and cannot exceed 63 characters in length.

  3. Log in as the root user and enter a password.

  4. Start the setup process by typing the following command: ./setup

  5. Press Enter to accept the CentOS end user license agreement (EULA).

  6. Accept the QRadar Community Edition EULA.

     a) Press Space to advance through the EULA screen.

     b) Press q to be prompted to accept the EULA.

     c) Press Enter to accept the EULA.

  7. Press Y to continue setup.

  8. Enter a password for the admin account. Set a strong password that meets the following criteria:

Notes

Threat intelligence: meaning I collect data about the attackers targeting, for example, companies in Egypt, and check whether fixes were found for the vulnerabilities.

POC: proof of concept (a comparison between all the factors suitable for my environment)

FIM: file integrity monitoring (detects changes in files, DBs, network configuration files, ...) --> Tripwire

passive scan: observes all the traffic, nothing can hide (not detailed, may cause FP) [IPS/IDS]

active scan: a host can hide from the network (by powering off). QRadar has a VM that works as a vulnerability scanner (paid feature); OpenVAS: open source

PAM/IAM (Privileged/Identity Access Management): Privileged --> admins; Identity --> normal users. Authenticates the login and monitors its process [name, password]. Cisco ISE: for network authentication only.

AlienVault OSSIM: open source [all features]

syslog server: collects logs from different hosts

Simple Network Management Protocol (SNMP) [UDP port 161] is an internet standard protocol used to monitor and manage network devices connected over an IP network. SNMP is used for communication between routers, switches, firewalls, load balancers, servers, CCTV cameras, and wireless devices.

Windows --> WinCollect; DB --> ODBC/JDBC to communicate with or connect to another host

Normalization --> converts all the different ways data is written in the various logs into one [standard] form

Event: every device sends me any event it has [Event Activity]. Flow: any packet that passes through you, you send it on [Network Activity].

DSM (Device Support Modules): tells me which system this log came from, so that I can do [Normalization]

Dashboard: saved search

UBA [User Behaviour Analysis]: tracks user actions and alerts if it notices a difference [typing speed, etc.]

maximum of 15 dashboards; [7, 9] default dashboards

IRC: used in C2 connections so the trojan can chat with the adversary's server

Notes: checked by another analyst. Annotations: like Notes but created by the system.

Offense parameters:-

  • Relevance: how important is the destination [50%]

  • Severity: how high is the potential damage to destination [30%]

  • Credibility: how valid is info from that source [20%]

Watson app: The QRadar Advisor with Watson app uses IBM Cognitive Artificial Intelligence to assist users with incident and risk analysis, triage and response, and enables security operations teams to do more, with greater accuracy. As a result, it helps reduce the time spent investigating incidents from days and weeks down to minutes or hours.

High-level category: the event. Low-level category: more details about the event.

Flow Directions:-

  • L2L: local to local

  • L2R: local to remote

  • R2L: remote to local

  • R2R: remote to remote

SuperFlows:-

  • Type A --> Network Sweep [one src_ip --> many des_ip]

  • Type B --> DDoS attack [many src_ip --> one dest_ip]

  • Type C --> PortScan [one src_ip --> many ports in one dest_ip]
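As an added example (not QRadar's code and not from the course material), the script below labels constructed flow records with the four directions listed above and then looks for the three SuperFlow shapes in the same records. LOCAL_NETS and the threshold of 10 distinct peers/ports are assumptions; QRadar decides what is local from its Network Hierarchy and uses its own thresholds.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed local address space (stands in for QRadar's Network Hierarchy).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows as (src_ip, dst_ip, dst_port); not real capture data.
FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 21)]        # one src -> many dst
    + [(f"203.0.113.{i}", "10.0.0.80", 443) for i in range(1, 31)]  # many src -> one dst
    + [("10.0.0.9", "10.0.0.50", p) for p in range(20, 60)]         # one src -> many ports
    + [("10.0.0.7", "198.51.100.1", 80)]                            # ordinary L2R flow
)


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(src, dst):
    """Return the QRadar-style direction label: L2L, L2R, R2L or R2R."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def superflows(flows, threshold=10):
    """Group flows into the three SuperFlow shapes (A, B, C).
    threshold is an assumed minimum number of distinct peers/ports."""
    dsts_per_src = defaultdict(set)    # Type A: one src -> many dst
    srcs_per_dst = defaultdict(set)    # Type B: many src -> one dst
    ports_per_pair = defaultdict(set)  # Type C: one src -> many ports on one dst
    for src, dst, port in flows:
        dsts_per_src[src].add(dst)
        srcs_per_dst[dst].add(src)
        ports_per_pair[(src, dst)].add(port)
    found = []
    for src, dsts in dsts_per_src.items():
        if len(dsts) >= threshold:
            found.append(("A", src, len(dsts)))
    for dst, srcs in srcs_per_dst.items():
        if len(srcs) >= threshold:
            found.append(("B", dst, len(srcs)))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= threshold:
            found.append(("C", f"{src}->{dst}", len(ports)))
    return sorted(found)


if __name__ == "__main__":
    for kind, who, count in superflows(FLOWS):
        print(f"Type {kind}: {who} ({count} distinct peers/ports)")
```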

Building Block: complex test criteria without an action, used in rules later, like "void" [as if I am defining a function that I will come back and reuse]

Rule: test criteria with an action [if condition]

Rule responses --> (1) create offense (2) add annotation (3) send email (4) send notification on dashboard
