OK so you have deployed SIEM in your organization and you started receiving millions of logs or events NOW what?
What is Use Case?
UseCase OR Alert condition is the organization's policy defined for the infrastructure's devices and people. These events or alerts are monitored by the SOC team/Analysts.
Use of the use case:
Is either to give an info to the analyst on a particular event happening at this time e.g xyz user took remote RDP session to critical server OR an alert to the analyst to take action on the spot and raise an alarm of an incident e.g admin of the firewall has made 5 rule changes within 5 mins, other example is a new user was giving an admin rights on the firewall without getting the approval for that user as per the defined process of the organization
Terminology:
Rule: is the complete logic to form one alert and it may contain BB, IP address, Protocol or other components to form a complete policy.
BB (Building block): BB is bunch of events are categorized and bundled together to be called in a rule to make it more manageable.
QID: is the way Qradar identify the events from other devices to map them properly and get parsed result.
Severity: it shows the amount of the threat
Credibility: reliability of the witness. Credibility increases if multiple sources reports the same type of event or attack
Relevance: less important areas of the network have lower relevance. you can change the weight of the network while configuring the network hierarchy
Transforming the policy into QRadar's logic:
QRadar comes out of the box with around 500 rules/usecases configured some of them might be good to go and keep them enabled but other rules/usecases you need to review and check whether they are alright for your environment or not. other than the rules it comes with predefined BB (Building Blocks) BB is bunch of events are categorized and bundled together to be called in a rule e.g. (BB:CategoryDefinition: Authentication Failures) behind this BB you will find all the events which are related to the failure authentication including telnet,ssh,user log-in failure of window..etc
Note: having the right events/Flows sent to QRadar makes the use case successful
Use case 1
Potential virus outbreak
such event should be collected from the anti-virus system you are having in the network e.g. McAfee, Kasper or whatever is the system you are using. The above is taken from Kaspersky where QRadar maps its event of detecting a virus into the QID 74000042, Now after making the first condition which says if the event is of this QID we go to the second logic or condition which says if that event is seen atleast 1 time with the same virus name but it is reported by different IP addresses with a span of 5 mints then generate an alert
Use case 2
Alert on running team viewer before even establishing connection
whenever you start Team-viewer it will try to establish connection with destination port 5938 and the connection of the user/machine will go to hit the firewalls and then go out. In the depicted rule I have set 3 conditions:
1- The event should have the Dst port 5938
2- log sources which will tell about the event containing the port number e.g. firewalls
3- the protocol which team viewer get established on e.g. TCPtcp_ip
Below use cases are mix of different sectors based on their policies and event of interest:
1- Detecting new VPN connectivity from everywhere but not from china. (mostly done from the events received by the firewalls)
2- NMAP Scan (this is from flows. by default QRadar identify around 400 applications but NMAP is not one of them)
This is how it is configured:
apply NMAP Scan on the flows which are detected by the (Local/Remote (depends if you have remote flow processor or you are only using the AIO appliance)) system
AND when flow matches any of the following flows scan, Recon: Aggressive local L2L scanner detected, Recon: local L2L scanner detected
AND when the flow context is local 2 local, local 2 remote
3- Ping Sweep
4- XSS Attacks
5- SQL injection
6- If a new port has opened on the firewall for in/out traffic
7- If FTP site has been accessed from unknown address
8- If tunneled data is detected on the network
9- If RAR files are being continuously uploaded in some fixed partition size format
10-If online messengers are used to chat and transfer files
11-If malicious traffic is seen hitting critical servers of the infra
12-detecting bit torrent or P2P traffic
13-if the firewall has critical policy change (now this differ from one brand to another as you might not find the same naming of the event in all brands the same)
14-If x number of changes have been made on a firewall over x period of time by x user
15-If a new user/admin has been created on critical server or network device or firewall
16-If machine's time has changed
17-If a remote session was taken to a critical server for more than an hour
18-Network resources have been accessed in non working hours
19-If on leave/ex-employee user credentials have been used in anyway
20-If credentials are sent in clear text
21-Any config change
22-Agent has been tampered
23-If an infected machine receives an SSH log in attempt
24-What recent servers were attacked with an exploit against a recent scan of the same server
25-OS fingerprint event has occurred by an attacker
26-Auditing has been removed, changed or altered
27-Access to any device from other than the admin or authorized users
28-Similar account login from different geographical places
29-Multiple login failures from the same username ip address to the same destination and followed by success
30-taking sessions ssh, telnet etc on non standard port
31-success login to disabled accounts
32-Restart/Shutdown critical servers
33-Hostile email attachments
34-Attacks on internet gateways
35-Track on each new virus detected on the environment
What is Use Case?
UseCase OR Alert condition is the organization's policy defined for the infrastructure's devices and people. These events or alerts are monitored by the SOC team/Analysts.
Use of the use case:
Is either to give an info to the analyst on a particular event happening at this time e.g xyz user took remote RDP session to critical server OR an alert to the analyst to take action on the spot and raise an alarm of an incident e.g admin of the firewall has made 5 rule changes within 5 mins, other example is a new user was giving an admin rights on the firewall without getting the approval for that user as per the defined process of the organization
Terminology:
Rule: is the complete logic to form one alert and it may contain BB, IP address, Protocol or other components to form a complete policy.
BB (Building block): BB is bunch of events are categorized and bundled together to be called in a rule to make it more manageable.
QID: is the way Qradar identify the events from other devices to map them properly and get parsed result.
Severity: it shows the amount of the threat
Credibility: reliability of the witness. Credibility increases if multiple sources reports the same type of event or attack
Relevance: less important areas of the network have lower relevance. you can change the weight of the network while configuring the network hierarchy
Transforming the policy into QRadar's logic:
QRadar comes out of the box with around 500 rules/usecases configured some of them might be good to go and keep them enabled but other rules/usecases you need to review and check whether they are alright for your environment or not. other than the rules it comes with predefined BB (Building Blocks) BB is bunch of events are categorized and bundled together to be called in a rule e.g. (BB:CategoryDefinition: Authentication Failures) behind this BB you will find all the events which are related to the failure authentication including telnet,ssh,user log-in failure of window..etc
Note: having the right events/Flows sent to QRadar makes the use case successful
Use case 1
Potential virus outbreak
Use case 2
Alert on running team viewer before even establishing connection
whenever you start Team-viewer it will try to establish connection with destination port 5938 and the connection of the user/machine will go to hit the firewalls and then go out. In the depicted rule I have set 3 conditions:
1- The event should have the Dst port 5938
2- log sources which will tell about the event containing the port number e.g. firewalls
3- the protocol which team viewer get established on e.g. TCPtcp_ip
Below use cases are mix of different sectors based on their policies and event of interest:
1- Detecting new VPN connectivity from everywhere but not from china. (mostly done from the events received by the firewalls)
2- NMAP Scan (this is from flows. by default QRadar identify around 400 applications but NMAP is not one of them)
This is how it is configured:
apply NMAP Scan on the flows which are detected by the (Local/Remote (depends if you have remote flow processor or you are only using the AIO appliance)) system
AND when flow matches any of the following flows scan, Recon: Aggressive local L2L scanner detected, Recon: local L2L scanner detected
AND when the flow context is local 2 local, local 2 remote
3- Ping Sweep
4- XSS Attacks
5- SQL injection
6- If a new port has opened on the firewall for in/out traffic
7- If FTP site has been accessed from unknown address
8- If tunneled data is detected on the network
9- If RAR files are being continuously uploaded in some fixed partition size format
10-If online messengers are used to chat and transfer files
11-If malicious traffic is seen hitting critical servers of the infra
12-detecting bit torrent or P2P traffic
13-if the firewall has critical policy change (now this differ from one brand to another as you might not find the same naming of the event in all brands the same)
14-If x number of changes have been made on a firewall over x period of time by x user
15-If a new user/admin has been created on critical server or network device or firewall
16-If machine's time has changed
17-If a remote session was taken to a critical server for more than an hour
18-Network resources have been accessed in non working hours
19-If on leave/ex-employee user credentials have been used in anyway
20-If credentials are sent in clear text
21-Any config change
22-Agent has been tampered
23-If an infected machine receives an SSH log in attempt
24-What recent servers were attacked with an exploit against a recent scan of the same server
25-OS fingerprint event has occurred by an attacker
26-Auditing has been removed, changed or altered
27-Access to any device from other than the admin or authorized users
28-Similar account login from different geographical places
29-Multiple login failures from the same username ip address to the same destination and followed by success
30-taking sessions ssh, telnet etc on non standard port
31-success login to disabled accounts
32-Restart/Shutdown critical servers
33-Hostile email attachments
34-Attacks on internet gateways
35-Track on each new virus detected on the environment
How to re-open closed offenses in QRadar?
ReplyDeleteYou can't reopen the closed offenses.
DeleteRegarding USe Case 20: How can we proceed in configuring the use case in QRadar.
ReplyDeleteShort Answer: Use the Use Case Mgr > Filter > Get Name > ..
DeleteLong Answer: Ask Jose Bravo,
DIY: Use the Web Browser day & night
Hi,
ReplyDeleteI am learning to write rules in QRadar, i need big time help. is there any personal email ID that i can send email directly with questions.
Thanks and Regards,
Srujan Kumar.
what problems are you having with the rules??
ReplyDeleteHi,
ReplyDeletewhat actions are needed to rule get triggered
hi every one i want create an XSS attack rule, kindly tell what conditions i apply
ReplyDeleteI want to detect any base64 value in payload
ReplyDeleteI want some usecases in Qradar with AWS cloud
ReplyDelete