
QLean for IBM Security | www.scnsoft.com | QRadar SIEM: Admin Guide

QDATA LDAP Data Enrichment for IBM Security QRadar SIEM
Admin Guide

© 2022 ScienceSoft™ | Page 1 from 10


QDATA LDAP Data Enrichment for IBM Security QRadar SIEM: Admin Guide

Table of Contents
Overview, p. 3
Supported Versions, p. 4
QDATA LDAP Data Enrichment Installation, p. 5
  Downloading QDATA App, p. 5
  Installing QDATA App, p. 5
  Configuring QDATA App, p. 5
Usage, p. 6
  Adding New Import Task, p. 6
  Naming the Reference Table Fields, p. 8
  Working with Tasks, p. 8
Backup / Restore, p. 9
Troubleshooting, p. 9
Appendix A: Release notes, p. 10
  2.0.0, p. 10
  2.0.1, p. 10
  2.0.2, p. 10
  2.0.3, p. 10
  2.0.4, p. 10
  2.0.5, p. 10
  2.0.6, p. 10


Overview
QDATA LDAP Data Enrichment for IBM Security QRadar SIEM (hereinafter QDATA App) is a QRadar extension
that synchronizes the content of QRadar Reference Sets and Tables with information from Active Directory or
any other LDAP-based directory.
QDATA App supports multiple tasks with either periodic or scheduled sync at a specific time of day,
complex LDAP queries, advanced configuration, per-task statistics and in-app logging.

QDATA App fits well in scenarios where you need a correlation rule to trigger on a user action from a
specific account type or group.

Sample use cases include:

• A Windows administrative account accessing restricted servers
• HR users logging on to the BA file-share server
• An Exchange server admin accessing a mailbox they do not own
• Etc.

Using a simple flat list of usernames (a reference set), it is just a matter of configuring the proper LDAP query in
QDATA App and adding a rule test such as “when any of Username are contained in any of
Corp_Admin_Accounts”.

QDATA App is a free tool available under the Apache 2 license. The full text of the license is available on the
official website: https://www.apache.org/licenses/LICENSE-2.0


Supported Versions
Supported QRadar versions are:
• 7.4.2 and higher

NOTE: QDATA App is developed by ScienceSoft Inc. and is not supported by IBM. You can request your own
custom QRadar app to be developed, request QRadar professional services or get support for this particular
app via the following email address: [email protected].


QDATA LDAP Data Enrichment Installation

QDATA App is distributed as a QRadar extension.
To install QDATA App, follow the steps below.

Downloading QDATA App

• Go to https://exchange.xforce.ibmcloud.com/hub
• Log in using your IBMid
• Filter by Type: Application
• Select the QDATA extension
• Click the Download button at the top right corner
• Save the extension zip file

Installing QDATA App

• Log in to the QRadar UI
• Go to the Admin tab
• Open Extensions Management
• Click the Add button
• Select the Install immediately checkbox, click the Browse button, locate the extension file downloaded
from IBM App Exchange and click the Add button
• Confirm all steps and wait for the installation to finish. This may take a while.
• Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI. A new QDATA
App icon will be added to the QRadar Admin tab.

Configuring QDATA App

• Log in to the QRadar UI
• Go to the Admin tab
• Create a new Authorized Service
• Open the QDATA App interface
• On the initial run you will be presented with a configuration field to enter the Authorization Token
• Enter the Authorization Token generated when you created the Authorized Service (1)
• Press the Save button to save the configuration


Usage
Adding New Import Task
Follow the steps below to add a new import task:

• In the QRadar UI, navigate to the Admin tab
• Open QDATA LDAP Data Enrichment Application
• Press the Add new configuration entry button
• Populate all fields:

1. Entry Name – name of your newly created task
2. LDAP IP/Hostname – IP address or hostname of your Active Directory (AD) server
3. LDAP Port – TCP port of your AD server
4. SSL – select YES or NO to choose whether to use a secured connection (depends on the AD server
configuration)
5. Username – username with rights sufficient to read users and attributes from the AD server
(the username can be a plain user name or a DOMAIN\username pair, depending on the LDAP
server configuration)
6. Password – corresponding password
7. Search Base – search base for the query (for example, if your organization's domain is
yourdomain.com, the search base could be DC=yourdomain,DC=com)
8. Search Filter – search filter for the query (for more information about AD search filters refer to
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
9. Search Attributes – attributes to retrieve (for example sAMAccountName or sn)
10. Ref Data Name – name of the Reference Data Set or Table (keep in mind that it must be
unique across all reference data entities regardless of reference data type)
11. Reference Data Type – choose either Set or Table
12. Reference Data Value Type – (applies only when Reference Data Type is Set) select
either ALNIC or ALN
13. Purge – if set to YES, the QRadar Reference Data entity named in step 10
will be purged before updates are made
14. Skip Incomplete Entries – if set to YES, QRadar Reference Data entry creation is skipped
when any of the requested attributes is missing; otherwise the missing attribute is
assigned an ‘n/a’ value
15. Fields To Combine – available for Reference Sets only; specify a comma-separated list of
AD attributes whose space-joined values will be used as the resulting value to fill the Reference Set
(for example, you can join first and last names)
16. Run Every/At – select the task type (At – scheduled, Every – periodic)
17. Minutes – (applies only when Run value is Every) specifies the interval in minutes at which to run the
task
18. At – you can set your task to run on a scheduled basis


19. Time – (applies only when Run value is At) set the time
20. Days – (applies only when Run value is At) set the number of days between runs
• Press the Save button to save the configuration


Naming the Reference Table Fields


Starting with QDATA v2.0.5 you can give custom names to LDAP attributes. To do this, use the following
pattern when specifying Search Attributes: <LDAP Attribute Name> AS <Custom Reference Table Field Name>.
For example, to create a “UserAccount” reference table field that corresponds to the sAMAccountName LDAP
attribute, type the following: sAMAccountName AS UserAccount.
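As an added illustration (not code from the QDATA App, whose implementation this guide does not show), the following Python models how the task settings described above shape the reference data: Search Attributes with the <LDAP Attribute Name> AS <Custom Field Name> pattern, Skip Incomplete Entries versus the ‘n/a’ placeholder, and Fields To Combine for Reference Sets. The entry shape (attribute name to list of values) is an assumption, and the LDAP entries are constructed sample data.

```python
# Added example, not QDATA App code: models the documented task settings so an admin can
# predict what lands in the Reference Set/Table. Entry shape (attribute -> list of values)
# is an assumption; the entries below are constructed sample data, not a live directory.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jdoe"], "givenName": ["John"], "sn": ["Doe"]},
    {"sAMAccountName": ["asmith"], "givenName": ["Alice"]},  # 'sn' attribute missing
]

def parse_search_attributes(spec):
    """'sAMAccountName AS UserAccount, sn' -> [('sAMAccountName', 'UserAccount'), ('sn', 'sn')].
    An item without 'AS' keeps the LDAP attribute name as the Reference Table field name."""
    pairs = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        tokens = item.split()
        if len(tokens) == 3 and tokens[1].upper() == "AS":
            pairs.append((tokens[0], tokens[2]))
        else:
            pairs.append((item, item))
    return pairs

def first_value(entry, attr):
    # First value of a (possibly multi-valued) LDAP attribute, or None if absent or empty.
    values = entry.get(attr) or []
    return values[0] if values else None

def build_table_rows(entries, attr_spec, skip_incomplete):
    """Reference Table rows keyed by the (aliased) field names; Skip Incomplete Entries = YES
    drops an entry missing any requested attribute, otherwise the field becomes 'n/a'."""
    rows = []
    for entry in entries:
        row = {field: first_value(entry, attr) for attr, field in parse_search_attributes(attr_spec)}
        if None in row.values():
            if skip_incomplete:
                continue
            row = {k: ("n/a" if v is None else v) for k, v in row.items()}
        rows.append(row)
    return rows

def build_set_values(entries, fields_to_combine, skip_incomplete):
    """Reference Set values: space-joined values of the Fields To Combine attributes."""
    attrs = [a.strip() for a in fields_to_combine.split(",") if a.strip()]
    values = []
    for entry in entries:
        parts = [first_value(entry, a) for a in attrs]
        if None in parts:
            if skip_incomplete:
                continue
            parts = ["n/a" if p is None else p for p in parts]
        values.append(" ".join(parts))
    return values
```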

Working with Tasks


1. Timestamp – displays the timestamp for the last action
2. Status – displays the status for the last task run (Status “Done with error” can mean that the task failed
to fetch all the requested attributes for some LDAP entries. See task execution log (6) for more details)
3. Run button – press to run the task immediately
4. Edit button – press to edit/view task details


5. Delete button – press to delete the task entry


6. Task execution log – contains information about the last task run

Backup / Restore
To back up or restore your configuration, press the Gear button and select the desired action.

Notice: For security reasons, the Authorization Token and configuration passwords are not included
in the backup file. You will need to re-enter all passwords after the restore process is over.

Troubleshooting
• If you have any problems with QDATA App execution, you can contact the support team:
[email protected]
• To download the application's log files, press the Gear button at the top of the window


Appendix A: Release notes


2.0.0
SDK v2 migration

2.0.1
NLS support added for filters
Security fixes

2.0.2
Backup/Restore feature added

2.0.3
Error reporting improved

2.0.4
Skip incomplete entries feature added

2.0.5
Reference Table fields naming added

2.0.6
Fixed compatibility issues for QRadar v.7.3.3
