Integration of the Barac collector and the Qradar platform

Qradar installation process (QIR)

Download link: https://developer.ibm.com/qradar/ce/

Step 1: Install the image on the VM

  • If the VM is in the cloud
    • No need to download the CentOS iso
    • Make sure to create a VM with Redhat v7.5 minimal OS
  • If the VM is locally based
    • Follow the steps to install CentOS/Redhat 7.5 minimal properly

Step 2: Prepare the environment

*Before installing Qradar, be sure to check the following; otherwise the installation will fail*

  • Disable SELinux
  • Save, reboot the system and check the result:
  • Default partition layout when you create a VM with Microsoft Azure:

*Qradar will be installed on the OS partition*

  • Below is an example of a disk size error during the setup process (resulting from a problem with the partitions):
  • The solution to this is to extend the OS partition (See below):
  • Using the command: xfs_growfs -d /dev/sda2

Step 3: Installation procedures

  1. Upload the Qradar.iso file to the Redhat VM in the cloud, either:
    • Using Filezilla
    • Using the command: scp QRadarCE7_3_1.GA.iso integration@<IP>:/tmp/
  2. Create a directory and mount the Qradar CE iso file using the commands:
    • sudo mkdir /media/cdrom
    • sudo mount -o loop /tmp/QRadarCE7_3_1.GA.iso /media/cdrom
  3. Run the Qradar setup
    • Use the command: sudo /media/cdrom/setup
    • Accept the license agreement
    • When prompted, restart your system to install a kernel update, then repeat the mounting step
  4. Set the admin password
    • Use the command: sudo /opt/qradar/support/changePasswd.sh -a
  5. Restart Tomcat
    • Use the command: sudo systemctl restart tomcat
  6. Log in to the QradarCE user interface and accept the EULA

*Type the URL of the machine into any browser: https://<ip-address of the machine>*

Step 4: Creating data sources

  • To make Qradar receive Syslog messages from a source, you must create and configure a dedicated log source using the Qradar user interface
  • Create a new Log Source Type
  • Give the Log Source Type a name and click "Save"
  • The newly created log source type then needs to be added to the Qradar log sources:
    • Admin > Log sources > Add

Security events normalization

Step 1: Building log source extensions

  • Events coming from the Barac ETV contain the information shown in the screenshot below:
  • The text file test.txt holds the events that will be pushed to Qradar
  • Qradar can now receive the events, but it cannot parse them or recognize the fields of the pushed event
  • To remedy this, use the DSM Editor so that Qradar can parse the event fields
  • Log Activity > Select the event > Action > DSM Editor
  • To make Qradar parse the information in the payload, use a regular expression for each field:
  • Parse the username:
  • Parse the event ID:
  • Parse the Event Category:
  • Parse the destination port:
  • Parse the destination IP:
  • Continue in the same way for all the fields you wish to parse
  • After parsing, push the event to Qradar again and see the changes
  • The event fields are now recognized (parsed); however, the event hasn't yet been mapped to the right event category and event name
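
The following Python script is an added illustration, not part of the original guide nor Barac's or IBM's code: it applies DSM Editor-style property regexes to a payload constructed in the field layout the ETV sends (the same layout as the curl example in the HTTP section). The patterns and the sample values are assumptions (the destination port is deliberately made different from the source port); what it shows is that each expression has to anchor on its full key name, because a shortcut such as port=(\d+) returns whichever port field comes first.

```python
import re

# Constructed sample in the Barac ETV layout: "key=value" fields separated by
# " , " (values may contain spaces; the two ports differ here on purpose).
SAMPLE_EVENT = (
    "eventName=An account has been modified , eventID=55 , "
    "eventCategory=user modification , username=Hamdi , "
    "sourceip=192.168.1.22 , sourceport=6756 , destinationip=192.168.1.23 , "
    "destinationport=443 , TimeLine=GMT , Description=blabla"
)

# One pattern per QRadar property, written as a DSM Editor property
# expression would be: capture group 1 is the value. Every pattern starts
# with its full key name so that it cannot pick up a neighbouring field.
# (These patterns are assumptions; the guide's own are in its screenshots.)
PROPERTY_REGEX = {
    "Event ID":         r"\beventID=(\d+)",
    "Event Category":   r"\beventCategory=(.+?)\s*(?:,|$)",
    "Username":         r"\busername=(\S+)",
    "Source IP":        r"\bsourceip=(\d{1,3}(?:\.\d{1,3}){3})",
    "Source Port":      r"\bsourceport=(\d{1,5})\b",
    "Destination IP":   r"\bdestinationip=(\d{1,3}(?:\.\d{1,3}){3})",
    "Destination Port": r"\bdestinationport=(\d{1,5})\b",
}

# A tempting shortcut for the port: it is ambiguous, because it matches
# whichever "...port=" occurs first in the payload (the source port here).
NAIVE_PORT_REGEX = r"port=(\d+)"


def extract(pattern, payload):
    """Return capture group 1 of the first match, or None when the
    expression does not match (QRadar shows such properties as empty)."""
    m = re.search(pattern, payload)
    return m.group(1) if m else None


def parse_event(payload):
    """Apply every property regex to one payload and collect the values."""
    return {prop: extract(rx, payload) for prop, rx in PROPERTY_REGEX.items()}


if __name__ == "__main__":
    for prop, value in parse_event(SAMPLE_EVENT).items():
        print("%-16s %s" % (prop, value))
    print("naive port regex gives:", extract(NAIVE_PORT_REGEX, SAMPLE_EVENT))
```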

Step 2: Building LSX (Mapping)

  • To make Qradar map an event:
    • Log Activity > Select the event > Action > DSM Editor
    • Follow the highlighted buttons/sections of the following screenshots
  • After mapping we push the event to the Qradar to see the changes:
  • The event is parsed and mapped, now Qradar is able to make decisions based on the category of the event

Interacting with Qradar from the ETV platform

Step 1: Introduction to the ETV platform

Step 2: Pushing events using the Syslog method:

  • When adding a Log source:
    • Set the Protocol Configuration : Syslog
  • The copie1.txt file is the file containing sample log events from the log source we would like to test
  • We will be using the "logrun.pl" script in Qradar:
    • /opt/qradar/bin/logrun.pl -u myInternalSystem -f /home/integration/events/copie1.txt -v 1
      • "-f" tells the script to use the file "copie1.txt" as the source of the logs
      • "-u" tells the script which log source identifier the events will carry: "myInternalSystem" (the Log Source Identifier configured for "baracioSystem")
      • "-v 1" tells the script to send 1 event
  • By using the "logrun.pl" script, Qradar sees the logs from the file ("copie1.txt")
  • The ETV platform is a set of Java scripts. Once a threat is detected, the ETV will generate log events with the following attributes:
    • eventName
    • eventID
    • eventCategory
    • username
    • sourceip
    • sourceport
    • destinationip
    • destinationport
    • TimeLine
    • Description
  • Every time an attack is detected, the ETV platform will:
    • Write the attributes of the attack to "copie0.txt"
    • Transfer the file from the ETV platform to the Qradar server using SFTP
  • The following shell script makes Qradar pick up the new logs every time new events arrive:
  • *A flow chart of the path of ETV logs into Qradar, see below*
  • The script is executed automatically every 5 seconds by a crontab entry

Now every time an event alert is generated by the ETV platform, the event will also be seen in Qradar

Step 3: Pushing events using the HTTP method:

  • First, we need to configure a log source:
    • Log source type: Universal DSM
    • Protocol configuration: HTTP Receiver
    • Log Source Identifier: Use the IP Address or Host name to identify the device
    • Communication Type: HTTP or HTTPs
      • Note: if you select HTTPs with Client Authentication as the communication type, you must set the absolute path to the client certificate. You must copy the client certificate to the QRadar®
    • Listen port: 12470 (IMPORTANT: do not use port 514, which is used by the standard Syslog listener)
    • Message pattern: .* (denotes the start of each event)
    • EPS Throttle: The maximum number of events per second (EPS) that you do not want this protocol to exceed. The default is 5000
  • To have the events parsed by our log source extension, choose Log Source Extension: BaracioSystemCustom_ext
  • BaracioSystemCustom_ext is the extension for our system BaracioSystem; it was generated from the configuration we made in the DSM Editor
  • Qradar is now ready to receive events from the ETV platform via HTTP
  • The ETV platform uses Java code to prepare a CURL query and executes it every time an attack is detected, sending the event over HTTP
  • CURL query example:
    • curl -k -X POST 'http://192.168.X.X:12470/' -H 'content-type: application/json' -d 'eventName=An account has been modified , eventID=55 , eventCategory=user modification , username=Hamdi , sourceip=192.168.1.22 , sourceport=6756 , destinationip=192.168.1.23 , destinationport=6756 , TimeLine=GMT , Description=blabla'
  • Tests and results:

Creating rules

Step 1: Creating searches

  • We need to be able to create searches that will be able to see the events that match our needs
  • The searches can be based on many attributes:
    • Log Source Type
    • IP addresses
    • Usernames
    • Event Category
    • Event names
    • Domain
    • Ports, etc.
  • Follow these steps to create a custom filter based on Event Category:
  • Now that the search has been applied, we can push the event with "User event Account Changed" as its "Low level category". As you can see below, the result is the specific event we were looking for

Step 2: Creating rules and offences using categories

  • In the following steps we will start to create rules for Qradar to generate offences
  • The rule is intended to fire offences every time an event sent to Qradar matches with the conditions we defined previously
    • Go to “Rules”
  • Go to “New Event Rule”
  • In the rule response we configure the actions that occur when the rule is triggered:
    • Dispatch new event: sends a new event with the defined attributes to Qradar; it can be seen in the Log Activity section
    • We can also e-mail or otherwise notify the Qradar user from the notification section
    • We can execute custom action scripts, for example to reconfigure a firewall through its API, or to add or delete users in Active Directory
  • Review the rules summary:
  • Once we push an event that matches with the rule an offence is automatically sent as a notification on the Qradar console as you can see below:
  • Go to the “Offences” tab to review the information related to the offence (see below)

Applications

Step 1: Download and install the SDK

  • The SDK gives you the ability to:
    • Create your workspace
    • Test your application
    • Deploy the application to Qradar
  • The Qradar SDK must be downloaded from the IBM Security X-Force App Exchange and requires an IBM ID
    • Installation requirements:
      • Python 2, version 2.7.9 or later (Python 3 is not supported)
  • Download and install Python 2.7.9
  • Check that you have the correct version of Python and update the PATH variable
  1. Download the SDK file
  2. Extract the Zip file:
    • For Linux systems: extract the contents of the SDK archive, then run the install.sh script as root: ./install.sh
      • NB: you must run this script from within its own folder
    • For Windows systems: extract the contents of the SDK archive, then run the install.bat script as Administrator
  3. The SDK should now be successfully installed:

Step 2: Creating the application

  • Once installed, the SDK is accessed using the qradar_app_creator command, which should be available on your path.
  • First, create a folder to contain your app: myapp
  • Generate a template app within the folder by using the command:
    • qradar_app_creator create -w C:\Users\hamdi\Desktop\myapp
      • “-w” for workspace
  • This should successfully generate the app
  • The entries in this folder will include:
    • app – contains source files for the app
    • manifest.json – JSON manifest that describes the app
    • qradar_appfw_venv – Python virtual environment for running your app locally
    • run.py – default Python script for running your app locally
  • To customise your app, edit the manifest and add/update files in the app folder.

Step 3: Run the application

  • Run an app locally
    • To test your app locally before deploying it into a Qradar system, run this command:
      • qradar_app_creator run -w C:\Users\hamdi\Desktop\myapp
  • Package an app locally
    • When your app is ready for deployment to a Qradar instance, use this command to package it into a zip file:
      • qradar_app_creator package -w C:\Users\hamdi\Desktop\myapp -p  C:\Users\hamdi\Desktop\com.barac.myapp.zip
  • Deploy an app
    • To deploy your app to the Qradar console, run this command:
      • qradar_app_creator deploy -q 40.x.x.x  -u admin -p C:\Users\hamdi\Desktop\com.mycompany.myapp.zip
    • Deployment will assign a new unique numeric identifier to your app
  • As you can see below, the application is successfully installed and running
  • Below you can see the app being displayed on Qradar

Step 4: Pulse app

  • Qradar's Pulse app is available on the Qradar market space. We can download it and deploy it to Qradar
  • Qradar's Pulse app provides:
    • Next generation visualizations in Qradar
    • Visualization of your offences data in near real time
    • Easy tracking of your security threats around the globe
    • A quick visual overview of what's happening, helping you investigate your top offences
  • We will use the graphical method to install Pulse into Qradar. To do so, follow these steps:
    • Go to "Extensions management"
    • Click "Add"
    • Add the Pulse app as an extension
  • Now the Pulse app has been added you should be able to run it. It should look like the screenshots below:

Conclusion 

After following the previous steps, the Barac ETV platform will be able to send attack events and alerts to the Qradar SOC through the Barac-Qradar integration. Please note that these steps are current as of 10/10/19 and are subject to change in accordance with any updates to Barac and Qradar.