QRadarCafe13 - 2021 12 17


QRadar Café Agenda

Episode 13 - 20211217

Speakers (all Threat Management Technical Sales): Liher Elgezabal, Pablo Roberto, Emilio Andrés, Marta Perez

• Introduction
• What's new
• Blogs
• Log4Shell
• TechNotes
• Curiosities
• CustomApp – MitreInfo4Offenses
• Useful links
• Q&A (open mic)

IBM Security / © 2020 IBM Corporation 1


QRadar Café notifications


Previous QRadar Café sessions
2021-11-19 QRadar Café EP12 (QRadar XDR, Analyst Workflow, Pulse - advanced dashboards)

2021-10-15 QRadar Café EP11 (Analyst Custom Searches)

2021-09-17 QRadar Café EP10 (Master Skills University 2021, WinCollect 10)

2021-07-16 QRadar Café EP9 (Event & Flow Exporter, Network Threat Analytics, Virtual Master Skills University, ...)

2021-06-18 QRadar Café EP8 (QRadar IaaS, version 7.4.3, news on the Certificate Management and QDI apps, ...)

2021-05-21 QRadar Café EP7 (Extended Edition; see contents below)

2021-04-16 QRadar Café EP6 (What's new, Log Source Management, RFEs, Windows event collection)

2021-03-18 QRadar Café EP5 (What's new, HA/DR and backups, Aggregated Data)

2021-02-19 QRadar Café EP4 (Threat Intelligence v2, Windows sizing, Retention Buckets)

2021-01-15 QRadar Café EP3 (MITRE sub-techniques in Use Case Manager, Sysflow Content Extension, FireEye Red Team, Sunburst, best practices and tech notes)

2020-12-18 QRadar Café EP2 (QRadar 7.4.2, UBA 4.0, Network Visibility, Universal Cloud Connector, Sysflow)

2020-11-27 QRadar Café EP1 (Essential apps: UBA, Watson, Use Case Manager, Assistant, ...)


Previous deep-dive (Monográfico) sessions
2021-12-03 Monográfico - QRadar & FlashSystem

2021-11-05 Monográfico - DSM Editor

2021-10-01 Monográfico - Strong authentication in QRadar: SSO and MFA

2021-06-04 Monográfico - QRadar Advisor with Watson

2021-05-07 Monográfico - Pulse

2021-03-05 Monográfico - Disconnected Log Collector

2021-02-05 Monográfico - User Behavior Analytics

2020-12-11 Monográfico - Use Case Manager


Previous Extended Edition sessions
Implementing use cases in multinational deployments (Andoni Valverde - Global CSIRT Lead - Iberdrola)
Windows collection strategies for QRadar (Roberto Ivars - Security Analyst - Financial Sector)
QRadar use cases for detecting threats in the cloud (Álvaro Garnica - Senior Security Systems Consultant - Viewnext)

Administration tasks

Fine tuning and optimising the environment

Advanced tools for performance diagnostics

Cloud Pak for Security

A chat with Jose Bravo


Q&A


Calendar

Friday, 21 January 2022, 9:30

QRadar Café – Episode 14
- URL: https://ibm.biz/qradar-cafe-webex

Ask Me Anything (+30 mins)

At the end of the QRadar Café we will stay on to answer open questions about QRadar XDR.


Recommended production version

7.4.3 FP4


IBM QRadar Café

Log4Shell (CVE-2021-44228)


Log4Shell (CVE-2021-44228): useful links.


IBM's main page for this vulnerability: An update on the Apache Log4j CVE-2021-44228 vulnerability
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

QRadar: Addendum to Apache Log4j CVE-2021-44228 vulnerability information
https://www.ibm.com/support/pages/node/6526712

Security Bulletin: Log4j as used in IBM® Disconnected Log Collector is vulnerable to remote code execution (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6526178

Detection of Log4Shell (CVE-2021-44228) using QRadar
https://community.ibm.com/community/user/security/blogs/adam-frank/2021/12/13/detection-of-log4shell-using-qradar

IBM XGS/Proventia (IPS) signature published:
https://exchange.xforce.ibmcloud.com/xpu/XPU%204112.12214

IBM Security X-Force webinar:
https://event.on24.com/wcc/r/3570143/66C51D1B65F9821B262E9E0A36CC69C1
Title: Log4j Zero-Day Vulnerability: What You Need to Know Now
Date: Wednesday, December 15, 2021
Time: 11:00 AM Eastern Standard Time (17:00 CET)
Duration: 1 hour


QRadar: Addendum to Apache Log4j CVE-2021-44228 vulnerability information


IBM QRadar Café

Blogs
https://community.ibm.com/community/user/security/communities/community-home/recent-community-blogs?communitykey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=recentcommunityblogsdashboard


Blogs

• Real-time Detection of Log4Shell using QRadar
• Additional Detection of Log4Shell using known IOCs
• XForce Collection
• Detect Historical instances of Log4Shell (AQL)
• Using Kestrel Threat Hunting to find instances of Log4Shell in your environment
• Mitigation Recommendations & Additional Resources
IBM QRadar Café

What's new
https://exchange.xforce.ibmcloud.com/hub/QRadar


Apps

App 1 (icon not shown):
-Added QID condition and several QRadar conditions to visual search builder
-Added right-click menu options to quickly filter results in the search table
-Accessibility improvements
-Performance improvements

App 2 (icon not shown):
-Can view more than 3 agents in the WinCollect Agent drop down
-Notification for available updates correct when directed to internal AU server OR when no internet connection available to QRadar

App 3 (icon not shown):
-Increased the chart legends size to display more items.
-Increased accuracy of data displayed on Network charts.
-Increased accuracy of data displayed on Process OOM charts.
-Added units in the hover-over menu for Rules and Offenses charts.


Content Extension


Third Party Apps


IBM QRadar Café

Technical Notes
https://www.ibm.com/community/qradar/home/knowledge/


Tech-notes

The QRadar upgrade to V7.4.2 or later requires you to run a migration script on the Console appliance. This script migrates the High Availability (HA) file system from GlusterFS to Distributed Replicated Block Device (DRBD) on all Event Collectors in your deployment (only collectors).
https://www.ibm.com/support/pages/node/6436719


Tech-notes

When patching an App Host that has been detached from the deployment, the installer can hang at 'Applying presql script' in the QRadar command line interface. Administrators who experience this issue can confirm the process ID for the IMQ service and apply the described workaround to continue the upgrade. It is critical that administrators do NOT attempt to reboot or force the installer to quit, but use the IMQ service instructions provided in this technical note to allow the App Host upgrade to continue.
https://www.ibm.com/support/pages/node/6428037


Tech-notes

A security bulletin has been issued to users on several QRadar versions identifying CVEs related to the CentOS 6 base images used in QRadar applications. Administrators are advised, per the security bulletin, to upgrade the applications to mitigate the security issue.
https://www.ibm.com/support/pages/node/6514023


Tech-notes

The installation output of a manual rpm installation shows that the rpm was installed successfully; however, the DSM or Protocol is not displayed as an option in the Log Source Management App.
https://www.ibm.com/support/pages/node/6509516


Tech-notes

What steps can administrators review before they attempt to update their QRadar deployment?
https://www.ibm.com/support/pages/node/738599


IBM QRadar Café

Best Practices
https://github.com/qradar-cafe/


IBM QRadar Café

MitreInfo4Offenses


Problem: which MITRE tactics and techniques have been used in an offense?
Alternatives:
• Analyst Workflow App
By default it does not show the MITRE information

• QRadar Advisor with Watson


Problem: how do I obtain the information?
With an AQL query (the rule id list is concatenated into the query string in view.py):
SELECT TACTICS::TACTICS(RULENAME(ENUMERATION('+ruleidlist+'))) AS \'Tacticas\' FROM events LIMIT 1


Option: Analyst Custom Search


Solution: we build an app

https://www.ibm.com/docs/en/qsip/7.4?topic=types-fragments-type
https://www.ibm.com/docs/en/qsip/7.4?topic=apps-custom-fragments-example#c_appfw_samples_CustFrags

App components: manifest.json


App components: view.py

• Get the offense information and add the custom HTML
• Build the list of rule_ids
• Build the AQL
• Run a synchronous search in Ariel
• Get the result
• Render the HTML

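The view.py flow just listed, as an added example that is not the MitreInfo4Offenses app's own code: it chains the offense lookup, the rule-id extraction, the AQL from the earlier slide, a synchronous Ariel search and the HTML rendering. The QRadar REST endpoints it calls (/api/siem/offenses/{id}, /api/ariel/searches and that search's status and results resources) are the public API; the comma-separated form of the ENUMERATION argument, the `client.rest` wrapper, the `Tacticas` result column and the FakeQRadar class with its canned responses are assumptions and constructed test data, not taken from the page.

```python
import html
import time

# AQL from the slide; the rule id list is substituted for {ids}.
TACTICS_AQL = (
    "SELECT TACTICS::TACTICS(RULENAME(ENUMERATION({ids}))) "
    "AS 'Tacticas' FROM events LIMIT 1"
)


def rule_ids_from_offense(offense):
    """Steps 1-2: collect the ids of the rules that contributed to the offense.
    Assumes the offense JSON carries a `rules` list of {"id", "type"} objects."""
    return sorted({int(rule["id"]) for rule in offense.get("rules", []) if "id" in rule})


def build_aql(rule_ids):
    """Step 3: build the AQL; ENUMERATION is assumed to take a comma-separated id list."""
    if not rule_ids:
        raise ValueError("offense has no contributing rules")
    return TACTICS_AQL.format(ids=",".join(str(i) for i in rule_ids))


def run_ariel_search_sync(client, aql, timeout_s=60, poll_s=0.0):
    """Steps 4-5: create the Ariel search, poll it to completion, fetch the rows.
    Ariel search status values: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR."""
    search = client.rest("POST", "/api/ariel/searches", params={"query_expression": aql})
    search_id = search["search_id"]
    deadline = time.monotonic() + timeout_s
    while True:
        status = client.rest("GET", f"/api/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"Ariel search {search_id} ended with status {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"Ariel search {search_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)
    return client.rest("GET", f"/api/ariel/searches/{search_id}/results")


def render_fragment(offense_id, rows):
    """Step 6: render the HTML fragment. Tactic names derive from rule names, which an
    admin can edit, so they are escaped here (Jinja with autoescape does the same)."""
    items = "".join(
        f"<li>{html.escape(str(row.get('Tacticas', '')))}</li>" for row in rows
    )
    return (
        f"<div class='mitre-info'><h4>MITRE tactics for offense {int(offense_id)}</h4>"
        f"<ul>{items}</ul></div>"
    )


def mitre_info_for_offense(client, offense_id):
    """The whole view: offense -> rule ids -> AQL -> synchronous Ariel search -> HTML."""
    offense = client.rest("GET", f"/api/siem/offenses/{int(offense_id)}")
    aql = build_aql(rule_ids_from_offense(offense))
    rows = run_ariel_search_sync(client, aql)["events"]
    return render_fragment(offense_id, rows)


class FakeQRadar:
    """Constructed stand-in for the REST transport so the flow runs offline; a real
    app would reach the console through qpylib's REST helper instead.
    Answers the endpoints used above and completes the search on the second poll."""

    def __init__(self):
        self.polls = 0
        self.last_aql = None

    def rest(self, method, path, params=None):
        if (method, path) == ("GET", "/api/siem/offenses/42"):
            return {"id": 42, "rules": [{"id": 100300, "type": "CRE_RULE"},
                                        {"id": 100217, "type": "CRE_RULE"}]}
        if (method, path) == ("POST", "/api/ariel/searches"):
            self.last_aql = params["query_expression"]
            return {"search_id": "abc-123", "status": "WAIT"}
        if (method, path) == ("GET", "/api/ariel/searches/abc-123"):
            self.polls += 1
            return {"status": "EXECUTE" if self.polls < 2 else "COMPLETED"}
        if (method, path) == ("GET", "/api/ariel/searches/abc-123/results"):
            # constructed result row; the <b> shows why the fragment escapes values
            return {"events": [{"Tacticas": "Initial Access, Execution <b>"}]}
        raise KeyError(f"unexpected call: {method} {path}")


if __name__ == "__main__":
    print(mitre_info_for_offense(FakeQRadar(), 42))
```

Running the file prints the rendered fragment for the constructed offense 42; in the real app the same string is what the Flask view hands to the Jinja template, and the timeout and error-status checks are what keep a synchronous search from hanging the offense page.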


App components: mitreinfo.html (Jinja template)


Result: MitreInfo4Offenses

https://github.com/qradar-cafe/QRadarApp-MitreInfo4Offenses

Rate QRadar
Gartner - https://www.gartner.com/reviews/home

TrustRadius - https://www.trustradius.com/

IT Central Station - https://www.itcentralstation.com/

G2 - https://www.g2.com/


IBM QRadar Café

Ask me Anything


Useful links
QRadar Café – http://ibm.biz/qradar-cafe
QRadar Café GitHub - https://github.com/qradar-cafe

QRadar 101 - https://www.ibm.com/community/qradar/

Knowledge Center - https://www.ibm.com/support/pages/accessing-ibm-qradar-product-documentation

Security Learning Academy - https://www.securitylearningacademy.com/

Open Mics - https://www.ibm.com/support/pages/qradar-list-open-mic-events-and-presentations-updated

Jose Bravo channel - https://www.youtube.com/user/jbravovideos

IBM Community - https://community.ibm.com/community/user/security/home

IBM Support - https://www.ibm.com/support

IBM Fixcentral - https://www.ibm.com/support/fixcentral