LAB – Creating Rules

In this lab, you create and test a rule that launches an offense.

Exercise 1 - Considering the Evidence

You want to detect when the same QRadar user deletes asset profiles that QRadar has created
recently. The Asset Profiler of QRadar dispatches events when it creates and deletes asset profiles
and their characteristics. These events carry the information necessary for your purpose.

Task 1 Creating and deleting asset profile

To create and delete an asset profile manually, perform the following steps:

1. Log in to the QRadar web interface.


2. Navigate to the Assets tab.
3. To create an asset profile, click the Add Asset button in the toolbar.
4. For IP Address, enter 192.168.99.99 or any other address not used by an already existing asset
profile.
5. To create the new IP Address, click Add.
6. Select the Default Domain.
7. To create the new asset profile, click Save.

8. To refresh the listed asset profiles, click the double arrow icon in the upper-right corner of the
QRadar Console.
9. To locate the asset profile that you just created:
a. From the Assets tab, click Add Filter.
b. In Search Parameter(s), select IPv4 Address equals 192.168.99.99.
c. Click OK.

10. To delete the asset profile, select it and, from the Actions drop-down list, select Delete
Asset.

Task 2 Locating events from Asset Profiler

QRadar dispatched events to record your creation and deletion of an asset profile. To locate these
events, perform the following steps:
1. Navigate to the Log Activity tab.
2. To reset to the default view, double-click the Log Activity tab.
3. To display events from the last 15 minutes, in the View drop-down list, select Last 15 minutes.
4. To display only events in the Asset Profiler high level category, perform the following steps to create
a filter:

a. Click Add Filter in the toolbar.


b. In the Parameter drop-down list, select the Category [Indexed] search parameter.
c. In the Operator drop-down list, select Equals.
d. In the High-Level Category drop-down list, select Asset Profiler.

e. To filter the events, click the Add Filter button.

f. As a result, the table on the Log Activity tab displays only asset-related events:

These events record your creation and deletion of an asset profile. Any attempt to hide an
unauthorized service by deleting asset profiles that QRadar created automatically leads to the
same trail of evidence. Therefore, you have found the events that your custom rules and building
blocks need to use.

Task 3 Exploring events and outlining solution

If you double-click the Asset Profiler events to navigate to the details, the fields and payload lead
you to the following considerations:

Asset Deleted Event

You need to detect the attempt to hide a temporary service when a QRadar user deletes an
asset profile. Therefore, your rules need to watch Asset Deleted events.
Temporary Asset Profiles

Evidence for the attempt to hide an unauthorized service is that its asset information exists only
temporarily in QRadar.

The Asset Deleted event does not carry any lifetime information.

To get the lifetime of an asset profile, you need to match a deletion event to the related creation
event and use the time of both events.

Events from the Asset Profiler that concern the same asset profile carry the same asset ID in
their payload, which is what lets you match a deletion event to its creation event.

To extract the asset ID from the payload, you will create custom event properties later in this
exercise.

IP Address Created event

For several reasons, you need to use the Asset IP Address Created event instead of the Asset
Created event:

- It is unlikely, but asset profiles can exist without an IP address.
- For this purpose, only asset profiles with IP addresses are relevant because an
unauthorized service requires an IP address.
- Asset profiles can have more than one IP address.
- The perpetrator could install the unauthorized service with a new IP address on an old
host shortly before it is decommissioned.
- In this case, the asset profile was created a long time ago, but the IP address exists only
temporarily.
- For simplification, this exercise omits the case of a temporary port.

Asset IP Address Deleted event

When a QRadar user manually removes an IP address from an asset profile but does not delete
the asset profile itself, QRadar SIEM dispatches an Asset IP Address Deleted event.

For simplification, this exercise omits Asset IP Address Deleted events.

When an entire asset profile is deleted, QRadar SIEM dispatches only an Asset Deleted
event, not an Asset IP Address Deleted event.

Same QRadar User


Occasionally QRadar users might delete asset profiles shortly after their creation for legitimate
reasons.

To avoid false positives, you only need to be alerted by an offense if the same QRadar user
deletes recently created asset profiles more than once.
For this purpose, you need to extract the user name from the payload of Asset Deleted events
using a custom event property later in this exercise.

End of Exercise 1
Exercise 2 - Creating custom event properties
To make the required information in the event payloads usable by custom rules and building blocks,
create three custom event properties.

Task 1 Capturing Asset ID from IP Address Created events


To capture the asset ID from IP Address Created events in a custom event property, perform the
following steps:
1. If you have navigated to the details of an event, click Return to Event List on the left in the
toolbar to display the list of events from the Asset Profiler in the Log Activity tab.
2. To navigate to the details of an IP Address Created event, double-click it.
3. To open the Custom Event Property Definition window, click Extract Property in the
toolbar.
4. In the Custom Event Property Definition window, scroll down to the Property Definition
section and perform the following steps:
a. Enable New Property.
b. For New Property, enter the following name:
Asset ID
c. Enable Parse in advance for rules, reports, and searches.

5. Scroll down to the Property Expression Definition section and perform the following steps:
a. Select Category.
b. For RegEx, enter the following regular expression:
assetId=(.*?)\t
6. Click the Save button.
The Custom Event Property Definition window closes.

7. The Log Activity tab still displays the details of the IP Address Created event.

8. To display the list of events from the Asset Profiler again, click Return to Event List on
the left in the toolbar.

Task 2 Capturing Asset ID from Asset Deleted events


To capture the asset ID from Asset Deleted events in a custom event property, perform the
following steps:
1. Still on the Log Activity tab with the filter on the high-level category Asset Profiler,
double-click an Asset Deleted event to navigate to its details.
2. To open the Custom Event Property Definition window, click Extract Property in the
toolbar.
3. In the Custom Event Property Definition window, scroll down to the Property Definition
section and perform the following steps:
a. Enable Existing Property.
b. For Existing Property, select Asset ID.
c. Enable Parse in advance for rules, reports, and searches.
4. Scroll down to the Property Expression Definition section and perform the following steps:
a. Enable Category.
b. For RegEx, enter the following regular expression:
assetId=(.*?)\t
5. Click the Save button.
6. The Custom Event Property Definition window closes.
7. The Log Activity tab still displays the details of the Asset Deleted event.
Do not navigate away.
Task 3 Capturing QRadar Username from Asset Deleted events

To capture the user name of the QRadar user who deletes an asset profile from each Asset Deleted
event, perform the following steps to create a custom event property:

1. To open the Custom Event Property Definition window, click Extract Property in the
toolbar.

2. In the Custom Event Property Definition window, scroll down to the Property Definition
section and perform the following steps:

a. Enable New Property.

b. For New Property, enter the following name:

QRadar Username

c. Enable Parse in advance for rules, reports, and searches.

3. Scroll down to the Property Expression Definition section and perform the following steps:
a. Enable Category.
b. For RegEx, enter the following regular expression:

causedBy=USER:(.*?)\t

4. Click the Save button.

The Custom Event Property Definition window closes.

Task 4 Capturing QRadar Username from IP Address Created events

To capture the user name of the QRadar user who creates an asset profile from any IP Address
Created event, perform the following steps to create a custom event property:

1. In the Log Activity tab, locate and open the IP Address Created event.
2. To open the Custom Event Property Definition window, click Extract Property in
the toolbar.
3. In the Custom Event Property Definition window, scroll down to the Property
Definition section and perform the following steps:

a. Enable Existing Property.

b. For Existing Property, select:

QRadar Username

c. Enable Parse in advance for rules, reports, and searches.

4. Scroll down to the Property Expression Definition section and perform the following steps:

a. Enable Category.
b. For RegEx, enter the following regular expression:

causedBy=USER:(.*?)\t

5. Click the Save button.

The Custom Event Property Definition window closes.

End of Exercise 2
Exercise 3 - Creating the first solution using building blocks and a custom rule
You need to detect when a QRadar user deletes an asset profile shortly after it has been
created with an IP address.

Your test needs to look for an Asset Deleted event that occurs shortly after an IP Address
Created event with the same asset ID.

To test for such a sequence of events, QRadar provides function tests.

These function tests take custom rules or building blocks as parameters.

Task 1 Exploring and choosing a sequence function test

To select a sequence function test, perform the following steps:


1. Navigate to the Offenses tab.

2. Click Rules in the left pane.

3. From the Actions drop-down list, select New Event Rule. The Rule Wizard opens.

4. If the Rule Wizard starts with its welcome page, read the introductory text and enable Skip
this page when running this rules wizard.

5. To navigate to the Rule Test Stack Editor, click Next twice.

6. For Test Group, select Functions - Sequence.

7. You need the CRE to create an offense if an Asset Deleted event occurs a certain time after
an IP Address Created event occurs with the same asset ID. To choose a sequence
function test for this purpose, browse the sequence function tests listed.
Hint: To locate the required sequence function test, enter the following text in the Type
to Filter field:

when these rules match at least this many times in this many minutes after
any of these rules match with the same event properties
Notice the these rules placeholders.

This sequence function test expects custom rules or building blocks as arguments.

Therefore, you need to create building blocks before you can create the custom rule that
generates the intended offense.

Task 2 Creating building block to tag Asset Deleted events

To create a building block to test for the Asset Deleted event category, perform the following
steps:
1. Do not close the Rule Wizard.

2. Use the opened Rule Wizard to create the required building blocks.
If you added the sequence function test in the previous step, click the red minus (-) icon next
to the sequence function test to remove it.

3. For Test Group, select Event Property Tests.

4. To locate the required event property test, enter in the Type to Filter field the following
text: categories

5. Click the green plus (+) icon next to the following test:
when the event category for the event is one of the following categories

6. The underlined green term categories is a parameter. To open a window to select the
categories that you want to test for, click categories.

7. To filter for the required category, select High Level Category “Asset Profiler”.
8. Select Low Level Category “Asset Deleted”.

9. Click Add and then click Submit.

10. Verify that your Rule Test Stack Editor looks like the following screen capture.

11. To open a window to create a building block with the event category test, click Export as
Building Block.

Note: To easily distinguish predefined rules and building blocks from your development, it is a
best practice to establish a naming convention. Many users choose to use the name of their
organization or department as a prefix with a dash (-).

12. For Building Block Name, enter the following name:

Exercise-BB:CategoryDefinition:AssetDeleted

13. To create the building block, click Save.


The window closes.

Do not close the Rule Wizard.

Task 3 Creating a building block to tag Asset IP Address Created events

To create the second building block to test for the IP Address Created event category, perform the
following steps in the still-open Rule Wizard:

1. If not still selected, for Test Group, select Event Property Tests.
2. Click the green plus (+) icon next to the following test:

when the event category for the event is one of the following categories

3. To open a window to select the categories that you want to test for, click categories.

4. To filter for the required category, select High Level Category “Asset Profiler”.

5. Select Low Level Category “Asset IP Address Created”.

6. To add the category to the test, click Add and then Submit. The window closes.
7. Verify that your Rule Test Stack Editor looks like the following screen capture.

8. To open a window to create a building block with the event category test click Export as
Building Block.
9. For Building Block Name, enter the following name:

Exercise-BB:CategoryDefinition:Asset IP Address Created

10. To create the building block, click Save.


The window closes.
11. To close the Rule Wizard, click Cancel.
12. To close the confirmation pop-up window, click OK.

Task 4 Creating group for your custom rules and building blocks

To locate more easily the custom rules and building blocks that you create for your organization,
pool them in a group. Unless the Exercise group already exists, perform the following steps to
create it:

1. While still in the Rules section of the Offenses tab, click Groups in the toolbar to open the
Rule and Building Block Groups window.

2. To create a group, click New Group.

3. The Group Properties window opens.

4. In the Group Properties window, enter Exercise for Name


5. To create the group, click OK.

6. The Group Properties window closes.

7. Close the Rule and Building Block Groups Window.

Task 5 Adding building blocks to your group

You can add new custom rules to a group while you create them in the Rule Wizard.

Unlike custom rules, you can add building blocks to a group only after you have created them and
finished the Rule Wizard.

To add your two new building blocks to the Exercise group, perform the following steps:
1. Still in Rules on the Offenses tab, in the Display drop-down list in the toolbar, select
Building Blocks to list all building blocks.

2. To locate the building blocks that you created, in the Search Rules field, enter exer and
press Enter.

3. To open the Choose Group window, select both of your building blocks and, from the
Actions drop-down list, select Assign Groups.
4. To assign groups in the Choose Group window, enable the Category Definitions and
Exercise groups.

5. Click Assign Groups.

6. The Choose Group window closes.

Note: When you need to locate all custom rules and building blocks that you have developed,
first in the Display drop-down list, select Rules or Building Blocks, and then select Exercise
in the Group drop-down list.

Task 6 Creating a custom rule to detect possible policy violation

To create the custom rule with the sequence function test that you located at the beginning of
this exercise, perform the following steps:
1. Still in Rules on the Offenses tab, from the Actions drop-down list, select New Event
Rule. The Rule Wizard opens.

2. For Test Group, select Functions - Sequence.

3. To locate the required sequence function test, enter in the Type to Filter field the following
text: when these rules match at least this many times in this many minutes after any of these rules match with

4. Click the green plus (+) icon next to the following test:

and when these rules match at least this many times in this many minutes after any of these
rules match with the same event properties
5. To configure the test, click the green underlined parameters and provide the values from
the following table.

Parameter           Setting
these rules         Exercise-BB:CategoryDefinition:AssetDeleted
this many           1
this many minutes   change to 2 days
after these rules   Exercise-BB:CategoryDefinition:Asset IP Address Created
event properties    Asset ID (custom)

6. Verify that your Rule Test Stack Editor looks like the following screen capture

Task 7 Testing for two events with the same QRadar Username

To have the custom rule fire only if the same QRadar user deletes recently created asset
profiles more than once, add a counter function test to the custom rule. Perform the
following steps:
1. Still in the Rule Test Stack Editor, for Test Group, select Functions - Counters.

2. To locate the required counter function test, enter in the Type to Filter field the following
text: with the same event properties in

3. Click the green plus (+) icon next to the following test:
when at least this many events are seen with the same event
properties in this many minutes

4. To configure the test, click the green underlined parameters and provide the values from
the following table.

Parameter           Setting
this many           1
event properties    QRadar Username (custom)
this many minutes   change to 2 days
5. Verify that your Rule Test Stack Editor looks like the following screen capture

6. For the custom rule name in the Apply field, enter the following name:

Exercise-Policy:TemporaryAssetProfiles

Note: QRadar SIEM comes with predefined custom rules to detect policy violations. The
names of these custom rules begin with Policy. This exercise uses the prefix Exercise- to
distinguish the predefined custom rules from your own development to detect policy violations.

7. To assign the custom rule to the Exercise group, scroll down in the list of groups and enable
Exercise.

8. To document the custom rule in the Notes field, enter the following text:

This rule fires when a QRadar user deletes asset profiles shortly after
they have been created

Make sure your rule looks like this:
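The logic that Tasks 6 and 7 build in the Rule Wizard, together with the two custom event properties from Exercise 2, as an added Python example that is not part of the lab or of QRadar: the regular expressions are the ones from Exercise 2, while the payload layout, asset IDs, user names and timestamps are constructed, and the threshold of two deletions per user is an assumption taken from the "more than once" wording in Exercise 1.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regular expressions from the lab's custom event properties. The non-greedy
# group stops at the first tab, so a value only matches when a tab follows it.
ASSET_ID_RE = re.compile(r"assetId=(.*?)\t")
QRADAR_USER_RE = re.compile(r"causedBy=USER:(.*?)\t")

CREATED = "Asset IP Address Created"
DELETED = "Asset Deleted"

# Constructed sample events: (timestamp, low-level category, payload).
# The payload layout is hypothetical; only the key=value pairs and tabs matter.
EVENTS = [
    ("2024-05-01T10:00:00", CREATED, "assetId=1001\tip=192.168.99.99\tcausedBy=USER:alice\t"),
    ("2024-05-01T10:03:00", DELETED, "assetId=1001\tcausedBy=USER:alice\t"),
    ("2024-05-01T11:00:00", CREATED, "assetId=1002\tip=192.168.99.98\tcausedBy=USER:alice\t"),
    ("2024-05-01T11:02:00", DELETED, "assetId=1002\tcausedBy=USER:alice\t"),
    ("2024-05-02T09:00:00", CREATED, "assetId=2001\tip=10.0.0.5\tcausedBy=USER:bob\t"),
    # bob deletes three days later: outside the 2-day window, so no match.
    ("2024-05-05T09:00:00", DELETED, "assetId=2001\tcausedBy=USER:bob\t"),
    # assetId is the last pair and has no trailing tab: the Asset ID regex fails.
    ("2024-05-02T12:00:00", DELETED, "causedBy=USER:carol\tassetId=3001"),
]


def extract_properties(payload):
    """Apply the two custom event property regexes to one payload."""
    asset = ASSET_ID_RE.search(payload)
    user = QRADAR_USER_RE.search(payload)
    return {
        "asset_id": asset.group(1) if asset else None,
        "qradar_user": user.group(1) if user else None,
    }


def detect_short_lived_deletions(events, window=timedelta(days=2)):
    """Sequence test: an Asset Deleted event at most `window` after an
    Asset IP Address Created event with the same Asset ID.
    Returns (asset_id, deleting_user, lifetime) per match."""
    created_at = {}
    hits = []
    for ts, category, payload in sorted(events):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ts)
        props = extract_properties(payload)
        asset_id = props["asset_id"]
        if asset_id is None:
            continue  # property not parsed: the rule cannot match on it
        if category == CREATED:
            created_at[asset_id] = when
        elif category == DELETED and asset_id in created_at:
            lifetime = when - created_at[asset_id]
            if lifetime <= window:
                hits.append((asset_id, props["qradar_user"], lifetime))
    return hits


def repeat_offenders(hits, threshold=2):
    """Counter test: QRadar users with at least `threshold` matching deletions."""
    counts = Counter(user for _, user, _ in hits)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    matches = detect_short_lived_deletions(EVENTS)
    for asset_id, user, lifetime in matches:
        print(f"asset {asset_id} deleted by {user} after {lifetime}")
    print("offense for:", repeat_offenders(matches))
```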


Task 8 Configuring rule responses

To have an offense created for the possible policy violation that the custom rule tests for,
perform the following steps:

1. To navigate to the Rule Response, click Next.

2. Under Rule Action, enable Ensure the detected event is part of an offense.

3. For Index offense based on, select Rule.

4. Verify that your Rule Wizard looks like the following screen capture.

5. Still on the Rule Response page of the Rule Wizard, under Rule Response, enable Dispatch
New Event. Subsequently, the rule responses expand to many options under Dispatch New
Event.

6. To configure the rule response under Dispatch New Event, provide the settings from the following
table:

Option                                             Setting
Event Name                                         Temporary Asset Profiles
Event Description                                  QRadar user deleted asset profiles shortly after they have been created
Severity                                           6
Credibility                                        3
Relevance                                          4
High-Level Category                                Suspicious Activity
Low-Level Category                                 Rogue Device Detected
Ensure the dispatched event is part of an offense  Enable
Index offense based on                             Rule
Offense Naming                                     This information should set or replace the name of the associated offense(s)
7. Verify that your Rule Wizard looks like the following screen capture.

8. To navigate to the Rule Summary, click Next.

9. To create the rule, click Finish.

10. The Rule Wizard closes.

Task 9 Verifying solution

To verify whether your development creates an offense, create two asset profiles and delete them
right away.

1. Repeat Exercise 1 – Task 1 on page 5 through step 11.

2. To locate the new offense, navigate to the Offenses tab > All Offenses.

3. Sort the offenses by Id.

4. It might take up to 5 minutes until QRadar SIEM displays the new offense. To refresh the
listed offenses, click the double arrow icon in the upper-right corner of the QRadar SIEM web
interface.
End of Exercise 3
Exercise 4 - Creating a second solution using a reference set and custom rules

In this exercise, you follow an alternative approach to detect short-lived asset profiles. Instead of
the sequence function test, you use a reference set.

Task 1 Creating reference set for asset IDs

To create a reference set, perform the following steps:

1. Go to the Admin tab.


2. To open the Reference Set Management window, click the Reference Set Management
icon.
3. To create a reference set, click Add.
4. In the New Reference Set window, follow these steps to create the reference set:

a. Type “Exercise Asset Watchlist” in the Name box.
b. Set the type to AlphaNumeric.
c. Clear the “Lives Forever” checkbox.
d. For Time to Live of Elements, enter 2 in the number of days field.
e. Select Since Last Seen.
f. For “When the elements expire”, select Log each element in a separate log entry.

Note: QRadar SIEM can detect an additional IP address for an asset profile whose
asset ID is already stored in the reference set. In this case, the time to live for this
asset ID needs to start from zero again. Therefore, choose Since last seen.

g. To create the reference set, click Create. The New Reference Set window closes.

5. Close the Reference Set Management window.


Task 2 Creating a custom rule to add to the reference set

To create a custom rule that adds the asset IDs of profiles that receive a new asset IP
address to the reference set, perform the following steps:

1. Navigate to the Offenses tab.


2. In the left pane, click Rules.
3. From the Actions drop-down list, select New Event Rule.
4. The Rule Wizard opens. Click Next twice.
5. For Test Group, select Event Property Tests.
6. To locate the required event property test, enter in the Type to Filter field the following
text: categories
7. Click the green plus (+) icon next to the following test:

when the event category for the event is one of the following categories

To open a window to select the categories that you want to test for, click categories.
8. To filter for the category for this custom rule, select High-Level Category: Asset Profiler
and Low-Level Category: Asset IP Address Created.

9. Click Add.

10. Click Submit.

11. The window closes.

Note: In the previous exercise, you created a building block with the same test.
You can test for a match of this building block instead of for the category.
A test on the category consumes about the same amount of resources as a test on a building
block.
Therefore, reusing the building block is not a benefit in this case.

12. For the custom rule name in the Apply field, enter the following name:

Exercise-Policy: Asset IP Address Created

13. To assign the custom rule to the Exercise Group, scroll down in the list of groups and
enable Exercise

14. To document the custom rule in the Notes field, enter the following text:

Asset profiles of hosts used for unauthorized activities might be deleted
manually to hide them. As a preparation to notice manual deletions, this
custom rule records the asset IDs of all new IP addresses in a watchlist.

15. Verify that your Rule Test Stack Editor looks like the following screen capture

Task 3 Configuring rule responses

To add each asset ID that the custom rule fires for to the reference set, perform the following
steps:
1. To navigate to the Rule Response, click Next.
2. In the Rule Response section, enable Add to a Reference Set.
3. After Add the, select Asset ID (custom) as the field.
4. For of the event or flow payload to the Reference Set, select Exercise Asset Watchlist
- AlphaNumeric.
5. Enable Add Value as Shared Data.
6. Verify that your Rule Wizard looks like the following screen capture.

7. To navigate to the Rule Summary, click Next.

8. To create the custom rule, click Finish. The Rule Wizard closes.

Task 4 Creating a custom rule to detect possible policy violation

To create the custom rule that uses a reference set to detect when the same QRadar user deletes
recently created asset profiles more than once, perform the following steps:
1. Still in Rules on the Offenses tab, from the Actions drop-down list, select New Event
Rule.

2. The Rule Wizard opens.

3. For the custom rule name in the Apply field, enter the following name:
Exercise-Policy:HidingUnauthorizedService

4. Add three tests so that the Rule Test Stack Editor looks like the following screen capture.
5. Configure the three tests so that the Rule Test Stack Editor looks like the following
screen capture. To configure the test, click the green underlined parameters and provide
the values listed in the screen capture:

6. Still in the Rule Test Stack Editor, to assign the custom rule to the group Exercise, scroll
down in the list of groups and enable Exercise.

7. To document the custom rule in the Notes field, enter the following text:
This rule fires when a QRadar user appears to try to hide an
unauthorized service from QRadar SIEM.

Task 5 Configuring rule responses

To have an offense created for the possible policy violation that the custom rule tests for,
perform the following steps:

1. To navigate to the Action & Rule Response, click Next.


2. Under Rule Action, select “Ensure the detected event is part of an offense”.
3. Complete the Rule Response page so that it looks like the following screen capture.
4. The response of this custom rule is like the response of the last custom rule in the previous
exercise.

If you entered the same values for both rules, you could not easily distinguish which rule
created the events and offenses. Therefore, enter the following values to make events and
offenses from the two rules distinguishable:

– For Event Name, enter the following name:


Hiding Unauthorized Service
– For Event Description, enter the following description:

QRadar user appears to try to hide an unauthorized service from QRadar SIEM.

– Optionally enable Annotate this offense and enter the following text:

Short-lived asset profiles.

5. To navigate to the Rule Summary, click Next.

6. To create the custom rule, click Finish.


The Rule Wizard closes.

Task 6 Disabling custom rule from the previous solution

Optionally, before you verify whether your development creates an offense, disable the custom
rule that you created during the last exercise.

Building blocks cannot be disabled, but they do not affect your verification anyway because they do
not create offenses.
Note: As a best practice, always have only one custom rule create an offense for the
indicator that you need to monitor.

To disable the custom rule from the previous exercise, perform the following steps:

1. Still in Rules on the Offenses tab, in the Group drop-down list in the toolbar, select
Exercise. The table displays the custom rules in the group.

Note: The table displays the custom rules in the group, but not the building blocks. If you need to
display the group’s building blocks but not the custom rules, in the Display drop-down list, select
Building Blocks.

2. Select the Exercise-Policy:TemporaryAssetProfiles custom rule.

3. From the Actions drop-down list, select Enable/Disable.


Task 7 Verifying solution

To verify whether your development creates an offense, create two asset profiles and wait one
minute before deleting them.

1. Repeat Exercise 1 – Task 1 through step 10.

Attention: After creating the first asset profile, wait at least one minute before deleting it. In the
meantime, you can create the second asset profile. Delete it after at least one minute, too.
Otherwise, the custom rule might not fire because it can take up to one minute until an
added element appears in a reference set.

2. To locate the new offense, navigate to the Offenses tab.

3. It might take up to two minutes for QRadar SIEM to display the new offense. To refresh
the listed offenses, click the double arrow icon in the upper-right corner of the QRadar SIEM web
interface.

You can also navigate to Admin tab > Reference Set Management, and confirm that you see
two elements populated in the Exercise Asset Watchlist reference set.
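The reference set approach of Tasks 1 to 4, as an added Python example that is not part of the lab or of QRadar's own implementation: a watchlist with a 2-day time to live whose Since Last Seen mode restarts the clock when an asset ID is added again (the case from the note in Task 1), next to a first-seen mode for comparison. The event stream is constructed and already reduced to the two custom properties.

```python
from datetime import datetime, timedelta


class ReferenceSet:
    """Model of an alphanumeric reference set with a time to live per element.

    mode="last_seen" restarts the TTL each time an element is added again
    (the lab's choice); mode="first_seen" keeps the expiry of the first add.
    Expired elements are dropped lazily, each one logged separately, mirroring
    the 'Log each element in a separate log entry' option.
    """

    def __init__(self, name, ttl, mode="last_seen"):
        self.name = name
        self.ttl = ttl
        self.mode = mode
        self._expiry = {}      # element -> datetime at which it expires
        self.expiry_log = []   # one line per expired element

    def add(self, element, now):
        if self.mode == "last_seen" or element not in self._expiry:
            self._expiry[element] = now + self.ttl

    def _purge(self, now):
        for element, expires in list(self._expiry.items()):
            if expires <= now:
                del self._expiry[element]
                self.expiry_log.append(f"{self.name}: {element} expired at {now.isoformat()}")

    def contains(self, element, now):
        self._purge(now)
        return element in self._expiry

    def elements(self, now):
        self._purge(now)
        return sorted(self._expiry)


CREATED = "Asset IP Address Created"
DELETED = "Asset Deleted"

# Constructed events: (timestamp, low-level category, Asset ID, QRadar Username).
EVENTS = [
    ("2024-06-01T00:00:00", CREATED, "5001", "alice"),
    ("2024-06-01T00:05:00", CREATED, "5002", "alice"),
    ("2024-06-01T00:10:00", DELETED, "5002", "alice"),   # deleted right away
    ("2024-06-02T12:00:00", CREATED, "5001", "alice"),   # second IP address, same asset
    ("2024-06-03T18:00:00", DELETED, "5001", "alice"),   # 2.75 days after first add
]


def run_watchlist_detection(events, ttl=timedelta(days=2), mode="last_seen"):
    """Exercise-Policy: Asset IP Address Created adds the Asset ID on creation;
    Exercise-Policy:HidingUnauthorizedService matches an Asset Deleted event
    whose Asset ID is still in the watchlist. Returns (watchlist, hits)."""
    watchlist = ReferenceSet("Exercise Asset Watchlist", ttl, mode)
    hits = []
    for ts, category, asset_id, user in events:
        now = datetime.fromisoformat(ts)
        if category == CREATED:
            watchlist.add(asset_id, now)
        elif category == DELETED and watchlist.contains(asset_id, now):
            hits.append((asset_id, user))
    return watchlist, hits


if __name__ == "__main__":
    for mode in ("last_seen", "first_seen"):
        watchlist, hits = run_watchlist_detection(EVENTS, mode=mode)
        print(mode, "hits:", hits, "expired:", watchlist.expiry_log)
```

With Since Last Seen the second IP address keeps asset 5001 on the watchlist, so its later deletion still matches; counted from first seen, the entry has already expired by then.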

End of Exercise 4

End of Lab
