New features in IBM QRadar SIEM 7.2.3


1 New features in IBM QRadar SIEM
Mangesh Patil - Kunal Ahuja, 10/16/
IBM Corporation

2 Agenda:
- Advanced Searching
- Log Source Reporting
- Overlapping IP Support
- Cloud Installs
- Asset Tuning from the UI
- Date Type Parsing
- CMT (Content Management Tool)
- API in QRadar
- DataNodes in QRadar
- Important Links
- Demo
- Q & A
04/03/2014

3 Advanced Searching - Scheduled Searches
Saved searches can now be scheduled to run at specific intervals. For example, to run a saved search every day at 12:00 AM, schedule it using the Report Wizard.

4 Advanced Searching - Scheduled Searches
- Offenses are created for Scheduled Searches; this is how historical correlation is achieved.
- Users enter a name and select whether they want a new Offense for each search result or to have each search result appended to a single Offense.
- New Offense type: Scheduled Search.
- The user must generate an offense in order to save the search results.
[Screenshot: Offense List]

5 Advanced Searching - Scheduled Searches: Offense Details [screenshot]

6 Advanced Searching - AQL in UI
- Users can now search using AQL (Ariel Query Language) in the UI.
- Quick Filter has been moved to the search header. The user can choose between Quick Filter (existing) and Advanced Search (new); Advanced Search accepts AQL syntax.
- When editing a search, choose between Basic and Advanced Searches.
- When entering AQL without a time range, the default of Last 5 minutes is implied. Users can enter a time range using START/STOP syntax or LAST X MINUTES.
- After results have been returned, the user can use Select An Option to choose a time range from the UI widget. User-selected UI values OVERRIDE AQL time syntax.

7 Advanced Searching - AQL in UI: Benefits
- 'SQL like' support: mathematical and string operations, complex OR/AND/NOT conditions, result column naming, 'Having' and 'Group By' support, full text search support, time and date formatting.
- Powerful functions and analytics: event category, name, etc.; log source name and group; asset data; Reference Set/Map/Table; time series and anomaly detection.

8 Advanced Searching - AQL in UI: Functions [screenshot]

9 Log Source Reporting

10 Log Source Reporting
Ability for users to generate reports on Log Sources, Log Source statuses, age and Activity Trends.

12 Use - Log Source Reporting
One-click configuration for the top Log Source report use cases:
- Only include log sources that have not reported for X amount of time.
- Only include log sources created since X amount of time.
- Order the report results by priority of Device type, Network, Protocol, etc.

13 Log Source Reporting Results [screenshot]

14 Overlapping IP Support in Log Manager

15 Overlapping IP Support
- Ability to differentiate Flows and Events with the same IP Address coming from different sources.
- QRadar Addressing Domains provide a simple yet powerful data tagging framework to support complex customer environments which include dedicated and shared infrastructure.
- Domain tagging can be performed based on one or more of the following criteria: Custom Property Value (RegEx); Log Source/Log Source Group; Event Collector.
- A centralized UI provides a single point of configuration for all Domain information.
- Quick visualization of all configured Domains.

16 Contd...
- Support to define domains in terms of Events, Log Sources/Log Source Groups, and Custom Event Properties.
- Support multiple domains in search filters.
- Support multiple domains in Custom Event Rules.
- Support exporting multiple domains from QRadar.

17 Domains defined based on custom property values (regex)
- Enables segmentation of shared infrastructure such as IDS/IDP systems.
- Based on QRadar Reference Data Collections and can be easily manipulated through QRadar RESTful APIs.
- Ensure the custom property has the Force Parse property selected.
[Diagram: Client A and Client B each send through an Event Collector to a shared IDS log source (LS), Event Collector/Processor and Console; sample events shown:]
14/01/ :39 user=chris action=edit sourceip= destip=
/01/ :41 user=john action=delete sourceip= destip=
/01/ :41 user=chris action=edit sourceip= destip=

18 Domains defined at the log source or log source group level
- Enables the use of shared QRadar infrastructure for multi-domain collection.
[Diagram: Client A and Client B, each with its own Event Collector and log sources (LS), feeding a shared Event Collector/Processor and Console]

19 Domains contain dedicated Event Collectors
- Future proof: easily grow collection needs without complex reconfiguration.
- Dedicated workload.
- Ideal MSS service offering format.
[Diagram: Client A and Client B, each with a dedicated Event Collector, feeding the Event Processor and Console]
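The three domain criteria above (custom property regex, log source, event collector) applied to constructed events from two tenants that reuse the same private IP range, as an added example that is not part of the deck; the field names, domain names, collector names and the precedence order (custom property before log source before collector) are assumptions for illustration and should be checked against the Domain Management documentation for your release.

```python
import re

# Constructed events: two tenants behind one shared IDS log source reuse the same
# private address space, so the IP alone cannot tell them apart.
# Field names mirror the slide's payloads; "client" is a custom property assumed to be
# extracted by a Force Parse regex such as r"client=(\w+)".
EVENTS = [
    {"collector": "ec-shared", "logsource": "IDS", "payload": "client=A user=chris action=edit sourceip=10.0.0.5 destip=10.0.0.9"},
    {"collector": "ec-shared", "logsource": "IDS", "payload": "client=B user=john action=delete sourceip=10.0.0.5 destip=10.0.0.9"},
    {"collector": "ec-clientB", "logsource": "FW-B", "payload": "user=chris action=edit sourceip=10.0.0.5 destip=10.0.0.9"},
    {"collector": "ec-shared", "logsource": "unknown", "payload": "user=anon action=login sourceip=10.0.0.5"},
]

# One domain definition per criterion the slide lists. The precedence used below
# (custom property, then log source, then event collector) is an assumption.
DOMAINS = {
    "custom_property": {"pattern": re.compile(r"client=(\w+)"), "map": {"A": "ClientA", "B": "ClientB"}},
    "logsource": {"FW-B": "ClientB"},
    "collector": {"ec-clientB": "ClientB"},
}
DEFAULT_DOMAIN = "Default"

def assign_domain(event: dict) -> str:
    """Return the domain an event is tagged with, most specific criterion first."""
    prop = DOMAINS["custom_property"]
    m = prop["pattern"].search(event["payload"])
    if m and m.group(1) in prop["map"]:
        return prop["map"][m.group(1)]
    if event["logsource"] in DOMAINS["logsource"]:
        return DOMAINS["logsource"][event["logsource"]]
    if event["collector"] in DOMAINS["collector"]:
        return DOMAINS["collector"][event["collector"]]
    return DEFAULT_DOMAIN

def events_for(domain: str, sourceip: str) -> list:
    """Domain-scoped search: events from sourceip that belong to one domain only."""
    out = []
    for ev in EVENTS:
        ip = re.search(r"sourceip=(\S+)", ev["payload"]).group(1)
        if ip == sourceip and assign_domain(ev) == domain:
            out.append(ev["payload"])
    return out

if __name__ == "__main__":
    for ev in EVENTS:
        print(assign_domain(ev), "<-", ev["payload"])
```

Without the domain tag, a search on sourceip=10.0.0.5 would merge all four events; with it, Client A and Client B activity stays separate even though the shared IDS log source emitted both.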

20 Domain search filter [screenshot]

21 Domain rule test [screenshot]

22 Asset Tuning from the UI

23 Asset Tuning in the UI
Ability for users to tune the asset profiler that manages the asset model.

24 Cloud Installs

25 Cloud Support for Amazon and Softlayer Cloud Environments

26 Cloud Installs: QRadar Must be Locked Down in Cloud Installs
It is absolutely crucial that all QRadar installations in cloud space be locked down securely. It is unacceptable to install QRadar in uncontrolled environments with default passwords. The following guidelines will help you fully secure your instance.
- Root password: use a strong password that is unique for every instance you install.
- Install password: remember that the password you supply when installing QRadar is set as the root login password for the system. Use your strong password at this stage.
- Firewall: QRadar manages the host firewall, and by default it grants wide-open access to certain public ports, notably 443 (https), 22 (ssh) and (webmin).
- Before installing QRadar: if you plan on locking down the installation, you must modify iptables and inject rules before beginning the installation.
- After installing QRadar: ensure iptables are updated by running /opt/qradar/bin/iptables_update.pl

27 Amazon Web Services
- Copy QRadar ISO from S3
- Create EC2 Instance
- Install QRadar on EC2 Instance
Softlayer
- Provision the server for install
- Login and Change Password
- Copy QRadar ISO and Mount image
- Install Missing Dependency
- Prepare Disks for QRadar Installation
- Install and Setup QRadar

28 Custom Properties - Date Type Formatting

29 Custom Properties - Date Type Formatting
- Ability to support date/time values formatted using different locales in Custom Event Properties. Various users have payloads with dates formatted for a specific locale.
- Supports extraction of date values in any format, which can then be used in rules, searching, reporting, etc.
- Choose DateTime Custom Properties.
- Choose Locale: the locale is the locale in which the Date is sent to QRadar. This is different from the locale that the Date will be displayed in. The user's locale (see Globalization) determines the locale that the Date is displayed in. A Date can be sent and then parsed in one locale (chosen on this screen) and then displayed in a different locale (chosen through the user preferences).
- Choose Extracted Date/Time Format: this is the format in which the value is sent to QRadar. The regex extracts a String; the Extracted Date/Time Format is the format of the date within the string that the regex extracts.
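The parse-locale versus display-locale distinction above, worked through offline as an added example (not code from the deck or from QRadar): a regex extracts the date string from a constructed payload, a Java-style pattern such as dd/MMM/yyyy:HH:mm:ss (assumed to be the form the Extracted Date/Time Format field accepts) parses it in the sending locale, and the result is rendered in a different viewing locale. The month-name tables and locale codes are constructed stand-ins for the JVM locale data.

```python
import re
from datetime import datetime

# Constructed month abbreviations for two sending locales. QRadar relies on the JVM's
# locale data for this; these tables are an assumption that keeps the example offline.
MONTHS = {
    "en_US": ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"],
    "de_DE": ["Jan", "Feb", "Mär", "Apr", "Mai", "Jun", "Jul", "Aug", "Sep", "Okt", "Nov", "Dez"],
}
# Java-style pattern tokens (assumed to match the Extracted Date/Time Format field)
# mapped to strptime directives; MMM is resolved by name lookup before this step.
TOKENS = [("yyyy", "%Y"), ("MMM", "%m"), ("dd", "%d"), ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

def parse_custom_date(payload: str, regex: str, fmt: str, locale: str) -> datetime:
    """Extract the date string with the property regex and parse it in the sending locale."""
    m = re.search(regex, payload)
    if not m:
        raise ValueError("regex did not match payload")
    text = m.group(1)
    if "MMM" in fmt:
        # Replace the localized month name with its number so strptime stays locale-free.
        for idx, name in enumerate(MONTHS[locale], start=1):
            if name in text:
                text = text.replace(name, f"{idx:02d}")
                break
        else:
            raise ValueError(f"no {locale} month name in {text!r}")
    py_fmt = fmt
    for java, py in TOKENS:
        py_fmt = py_fmt.replace(java, py)
    return datetime.strptime(text, py_fmt)

def display(dt: datetime, locale: str) -> str:
    """Render in the viewing user's locale (the Globalization preference), not the sending one."""
    return f"{dt.day:02d} {MONTHS[locale][dt.month - 1]} {dt.year} {dt:%H:%M:%S}"

if __name__ == "__main__":
    dt = parse_custom_date("14/Mär/2014:10:39:05 user=chris action=edit", r"^(\S+) user=",
                           "dd/MMM/yyyy:HH:mm:ss", "de_DE")
    print(display(dt, "en_US"))
```

Choosing the wrong sending locale is a silent failure mode: the regex still matches, but the month name is not recognised and the property stays unparsed, so rules and reports built on it see nothing.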

31 CMT (Content Management Tool)

32 Content Management Tool is now available. With CMT you can:
- Export any security and configuration content in a portable format.
- Easily import Content Bundles into any QRadar deployment.
- We are version forward compatible: if you export from you can import into and beyond. You can not go backwards: if you export from you can NOT import into .
- All dependencies are also exported.
- All activities are audited.
Content Types Supported: Dashboards, Saved Searches, Groups, Group types, Custom properties, Custom rules, Reports, Retention, Log sources, Log source extension, Reference Data (reference data keys, data elements).
Tool: /opt/qradar/bin/contentmanagement.pl

33 API in QRadar

34 IBM Security QRadar V7.2.3 introduces V2.0 of API endpoints. You must have administrative privileges in QRadar to access and use RESTful APIs.
API endpoint stability: the API endpoints are annotated as either experimental or stable.
- Experimental: indicates that the API endpoint might not be fully tested and might change or be removed in the future without any notice.
- Stable: indicates that the API endpoint is fully tested and supported.
- SIEM API: QRadar V7.2.3 introduces the SIEM API, which you can use to return a list of offenses.
- Asset model API: QRadar V7.2.3 introduces the Asset model API, which you can use to return a list of assets and update assets.
- Reference data API: this release resolves an issue where the Reference data API endpoints processed Unicode parameters improperly.
- Help API: the GET /help/capabilities response object structure is updated. The datatype parameter is now an attribute of the supportedcontenttypes parameter.

35 Use - API
Ariel API: in QRadar V7.2.3, Ariel API V0.1, which uses AQL V1 and V2, was deprecated and replaced by Ariel API V2.0, which uses AQL V3. QRadar V7.2.3 introduces Ariel Query Language (AQL) V3, which includes the following features:
- Complex queries to retrieve data from the Ariel database.
- AQL queries can link to asset data to refine the returned results by using the AssetProperty, AssetUser, and AssetHostname functions.
- An InOffense operator in the WHERE clause to filter events and flows that are not in a particular offense.
- New functions for accessing reference data. For more information about these functions, see the Ariel Query Language (AQL) guide.
RESTful API: use the Representational State Transfer (REST) application programming interface (API) to make HTTPS queries and integrate IBM Security QRadar with other solutions. Enter the following URL in your web browser to access the technical documentation interface:
You must have administrative user role permissions in QRadar to access and use RESTful APIs.
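An AQL V3 query using the asset and InOffense functions named on this slide and on the AQL in UI slides, submitted through the Ariel REST API and polled to completion, as an added example that is neither the deck's nor IBM's code. The endpoint paths, the search_id/status/events response fields and the status values are assumed from the API 2.0 Ariel endpoints and should be confirmed against the console's API documentation page; the offense id 1234, the 'Location' asset property, the console hostname and the fake_transport responses are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

# AQL V3 query using the asset and offense functions the slide names. The offense id
# and the asset property name are constructed; check field names in the AQL guide.
QUERY = (
    "SELECT sourceip, ASSETHOSTNAME(sourceip, NOW()) AS host, "
    "ASSETUSER(sourceip, NOW()) AS owner, ASSETPROPERTY('Location', sourceip, NOW()) AS location, "
    "COUNT(*) AS hits FROM events WHERE INOFFENSE(1234) "
    "GROUP BY sourceip ORDER BY hits DESC LAST 60 MINUTES"
)

def http_json(url: str, token: str, method: str = "GET") -> dict:
    """Real transport: one HTTPS call with the SEC token and an explicit API version header."""
    req = urllib.request.Request(url, method=method, headers={
        "SEC": token, "Version": "2.0", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run_aql(console: str, token: str, query: str, transport=http_json, poll_s: float = 1.0) -> list:
    """Submit an Ariel search, wait until it finishes, return the result rows.
    Paths and status values are assumed from the API 2.0 Ariel endpoints."""
    base = f"https://{console}/api/ariel/searches"
    q = urllib.parse.quote(query, safe="")
    search = transport(f"{base}?query_expression={q}", token, "POST")
    sid = search["search_id"]
    status = search.get("status", "WAIT")
    while status not in ("COMPLETED", "CANCELED", "ERROR"):
        time.sleep(poll_s)
        status = transport(f"{base}/{sid}", token)["status"]
    if status != "COMPLETED":
        raise RuntimeError(f"search {sid} ended with status {status}")
    return transport(f"{base}/{sid}/results", token)["events"]

# Constructed stand-in for the console so the flow can be exercised offline.
FAKE_RESPONSES = {
    "POST": {"search_id": "abc123", "status": "WAIT"},
    "/abc123": {"status": "COMPLETED", "progress": 100},
    "/abc123/results": {"events": [{"sourceip": "10.0.0.5", "host": "db01", "hits": 42}]},
}

def fake_transport(url: str, token: str, method: str = "GET") -> dict:
    if method == "POST":
        return FAKE_RESPONSES["POST"]
    return FAKE_RESPONSES[url.split("/searches", 1)[1]]
```

Against a live console, call run_aql with http_json (the default) and an authorized service token; the SEC header carries that token, so keep it out of logs and source control.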

36 Data Node Appliance Phase II
Data Nodes are now a truly plug-and-play expansion platform for all QRadar deployments.
- Automatic re-balancing; re-balance progress is displayed in the UI.
- API support added.
- Support to allow for no support on the main Event Processor: all data is scattered on all other data nodes in the cluster.
- QRadar enabled support for 200+ managed hosts.

37 DEMO

38 Important Links
- Support Portal: productcontext=
- Documentation:
- Downloads: %2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform= All&function=all
- Forums: communityuuid=48a cc-434f-9c78-3e9117bfd

39 Question and Answer!