QRadar Feature Discussion IBM SECURITY SUPPORT OPEN MIC

Transcription

1 QRadar Feature Discussion IBM SECURITY SUPPORT OPEN MIC Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: USA toll: Participant passcode: Slides and additional dial in numbers: June 22, 2016 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 Panelists Jeremy Mathers QRadar User Interface Team Lead Dwight Spencer Principal Solutions Architect & Co-founder of Q1 Labs Adam Frank Principal Solutions Architect Jeff Rusk Development Manager, QRadar L3 Engineering Jason Keirstead QRadar Architecture Team Greg Davis QRadar Architecture Team Joey Maher QRadar Technical Support Team Lead Ellen Pit QRadar Quality Lead Presenter: Jonathan Pechta Support Technical Writer / Support Content Lead Moderator: Jack Cam Support Manager 2 IBM Security

3 Announcements

4 QRadar Future API Changes QRadar introduces V7.0 endpoints API 4.0 will be removed APIs 5.0 and 5.1 will be marked as deprecated QRadar Support Knowledgebase A new master tech note was released that contains links to all support content currently published. As we work on new articles, this page will be refreshed to include new content. Where? 4 IBM Security

5 QRadar Protocol Changes New protocols being released by our IBM Integration team will sort certificates by protocol. New releases also include more security and restrict where administrators can keep certificates. New protocols installed make copies of existing certificates to the proper protocol directory. For example: /opt/qradar/conf/trusted_certificates/<protocol> /opt/qradar/conf/trusted_certificates/lea QRadar YUM vs RPM As of the most recent QRadar automatic update, development has added more support for YUM commands. Administrators and users will notice that our documentation examples will start using YUM commands, which are now preferred over using RPM commands to prevent patch and dependency issues. yum install DSM-BluecoatProxySG noarch.rpm yum y install DSM-BluecoatProxySG noarch.rpm This replaces rpm Uvh commands yum search WinCollect This replaces rpm qa grep WinCollect 5 IBM Security

6 Keeping up with the latest QRadar information Administrators and users who need to keep up with changes to QRadar should ensure they are signed up for the following information: 1. IBM My Notifications ( or RSS feeds for your IBM Products) - Go to: - Click the Subscribe Now button. - In the Product lookup search field, type QRadar. - Click Subscribe next to products you want information about. - Configure your delivery preferences. 2. QRadar Support Newsletter May newsletter: How to sign-up for the list: To subscribe to the QRadar Support Newsletter send an to isssprt@us.ibm.com with the subject line: snl subscribe SecIntel To unsubscribe, send an to isssprt@us.ibm.com with the subject line: snl unsubscribe SecIntel 3. QRadar Forums - Ask us questions directly. 6 IBM Security

7 Agenda

8 QRadar Feature Discussion Agenda Upgrade Instructions New to this version Offense Indexing Lazy Search Enhancement Performance Updates Custom Columns Per Log Source EPS & Reporting AQL Changes System and License Management Changes Reference Data Changes API Changes Extension / Application Framework Updates 8 IBM Security

9 Upgrading

10 Upgrade - Instructions Software Upgrade Questions (any version) QRadar (any patch level or above) is the minimum version to upgrade to QRadar This article outlines the software upgrade progression to get from QRadar version x --> y. If a customer calls with upgrade questions or cannot find the proper software to upgrade, you can direct them to this article. Patch & Upgrade Best Practices Run a configuration backup & download the file before upgrade Ensure all HA pairs have the PRIMARY system active, and the secondary is online place patch files in /store/patches/ stage the patch/upgrade file out to all managed hosts, if required Patch console first, then all managed hosts simultaneously, not using "patch all Upgrades versus ISOs Admins use SFS files to patch/upgrade a system to QRadar New installations use ISO files. HA Considerations Note, patches should not ever be run on the HA secondary, if it's the active host - you should fail back to the primary. IF the primary is offline/failed for some period of time, the upgrade for the entire deployment should be delayed. 10 IBM Security

11 Offense Indexing

12 Incident Detection and Management Offense Indexing Uses QRadar introduces the ability to index or chain offenses together using any custom property. This includes all database properties including custom properties. Custom properties that use this feature must be enabled and optimized. This expands our default 12 normalized custom properties to use any custom properties in QRadar. Values matching the custom property selected are added to the offense without extra work required from the administrator. 12 IBM Security

13 Incident Detection and Management Response Limiter New custom columns are available as a drop-down in the user interface. 13 IBM Security

14 Incident Detection and Management Response Limiter Administrators or users can also use custom properties in a response limiter to limit notifications for a reoccurring custom property. This feature ensures that null values are counted by the response limiter and do not fire notifications. 14 IBM Security

15 Incident Detection and Management Deletion Framework Custom Property Deletion When you attempt to delete custom properties, you are now notified of any dependencies, including offenses indexed by that custom property. 15 IBM Security

16 Lazy Search in QRadar 7.2.7

17 Search Enhancements Lazy Search - Use Lazy Search is a new Quick Filter capability introduced in QRadar that is optimized for more tactical use cases such as the threat hunting or IOC searching. Retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user along with a time series graph showing the distribution of the results over the search timeframe. Reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves. Reduces impact on the network by only return a subset of the results until the analyst make the decision that the entire result is necessary. A Quick Filter search will utilize the Lazy Search functionality when the following conditions are met: The only filter is the Quick Filter The search is on a time range (not real-time or Last Minute) 17 IBM Security

18 Search Enhancements How do I adjust a lazy search time frame? Lazy Search is a new Quick Filter capability introduced in QRadar that is optimized for more tactical use cases such as the threat hunting or IOC searching. Retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user along with a time series graph showing the distribution of the results over the search timeframe. Reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves. Reduces impact on the network by only return a subset of the results until the analyst make the decision that the entire result is necessary. A Quick Filter search will utilize the Lazy Search functionality when the following conditions are met: The only filter is the Quick Filter The search is on a time range (not real-time or Last Minute) 18 IBM Security

19 Performance Changes in QRadar 7.2.7

20 New Disk Compression* All QRadar versions and forward utilize our new, highly efficient compression mechanism for all stored data. No more compress/decompress cycles Data is always compressed on disk and all decompression occurs in memory with no rewrite to disk. Up to 10X faster search Overall reduction in IO due to data always being compressed. This means searching on compressed data in is even faster than uncompressed data in 7.2.6! Better overall system performance Reduced disk reads and writes, lower CPU load leads to more consistent system resource utilization with less spikes. Faster data rebalancing with Data nodes Simplifies retention planning User no longer need to consider compression when setting up retention. In fact, the option is no longer even available. Users simply decide how long to keep data and when it can be deleted 20 IBM Security

21 Disk Compression Retention Interface Updates The event and flow retention interface has been updated to remove compression options from the user interface as new installations of QRadar include continuous / always on data compression. 21 IBM Security

22 Other performance updates to QRadar A number of general performance improvements across various aspects of the platform are also included in QRadar 7.2.7: Hardware Optimization QRadar auto tunes to the hardware platform and doesn t simply match platform to our xx05 or xx28 profile. QRadar can now leverage hardware even larger than our own xx28 platform Accumulator Global Views (GVs) Increased QRadar can now track up to 300 global views, up from the 130 prior to Directly translates to increased anomalous and behavioral threat detection capabilities Pipeline Stability and Performance 10% reduction in CPU load compared to Burst handling will no longer report false positives of event rate over license 22 IBM Security

23 Custom Columns in QRadar 7.2.7

24 Log & Network Activity Enhancements - Custom Columns In 7.2.7, we have continued our efforts to optimize a number of activities performed by our users day in and day out. In this release, we have focused on the manipulation of the columns in the Log Activity & Network Activity tabs. The addition of a quick access screen to add/remove columns means that users no longer have to defer to the Search->Edit Search screens to adjust the columns present in their search. The ability to save a column layout and recall it later with a single click. 24 IBM Security

25 Search Enhancements Custom Columns - Use When editing the column layout of a search, you now have the option to save the layout. The Save Column Layout button only displays when you add, remove, or change the order of the Columns fields in the user interface IBM Security

26 Search Enhancements Delecting Custom Columns After saving the column layout, you can delete it by selecting the layout and clicking the Delete Column Layout button 26 IBM Security

27 EPS Per Log Source UI & Reporting in QRadar 7.2.7

28 Per Log Source EPS Reporting Log Source EPS Reporting lists the average EPS for each log source on both the Log Source screen as well as in our Log Source reports, allowing users/administrators to quickly identify noisy or expensive log sources as well as highlight potential configuration issues with log sources that are failing to report 28 IBM Security

29 AQL Changes in QRadar 7.2.7

30 Search Enhancements AQL - Use Two forms of conditional logic have been added to AQL statements in QRadar 7.2.7: - IF/THEN/ELSE - CASE The first form, IF/THEN/ELSE, allows users to perform simple conditional evaluation based on the condition contained within the IF. 30 IBM Security Example: User wants to query the user associated with all events but realizes that the events may not contain the necessary user information so they decide to leverage the Asset database to fill in the gaps if possible. select sourceip, if username is NULL then ASSETUSER(sourceip) else username as username from events group by username last 2 DAYS The second form, CASE, allows users to perform similar logic to IF/THAN/ELSE except with more conditional comparisons. Example: User may want to expand the response code from a set of Blue Coat Proxy Logs select case BCReponseCode when 200 then OK when 404 then Not Found when 401 then Not Authorized else N/A end from events where LOGSOURCETYPENAME(devicetype) ilike %bluecoat% last 2 days See Conditional logic in AQL queries for more information.

31 System & License Management Changes in QRadar 7.2.7

32 Bonded Network Interface - Use Administrators can now perform simple interface bonding as well as provide more advanced configuration capabilities without utilizing third party tools. Where do I find this feature? Admin tab > System and License Management > Double-click an appliance > Network Interfaces 32 IBM Security

33 Get logs Collect Application Extension Logs Getlogs now has the ability to collect log data for our Applications. Where? System and License Management > Actions > Collect Log Files NOTE: Administrators who want to leverage application extensions on their Console should be using QRadar Patch 4 or later. 33 IBM Security

34 Reference Data Changes in QRadar 7.2.7

35 Remove from Reference Data Collections Administrators can now configure a rule response to remove items from reference data collections. Rules can be configured to delete from: Reference Set Reference Map Reference Map of Sets Reference Map of Maps Reference Table 35 IBM Security

36 API Changes in QRadar 7.2.7

37 API Updates introduces QRadar V6.0 API endpoints The following APIs have been removed: Version 2.0, 3.0, and 3.1 endpoints. The following APIs have been added in 7.2.7: Help API endpoints Offenses API endpoints QRadar Vulnerability Manager API endpoints System API endpoints 37 IBM Security

38 API Updates Help API Endpoints The following APIs have been added in /api/help/versions Retrieves a list of version documentation objects currently in the system. /api/help/versions/{version_id} Retrieves a single version documentation object. /api/help/resources Retrieves a list of resource documentation objects currently in the system. /api/help/resources/{resource_id} Retrieves a single resource documentation object. /api/help/endpoints Retrieves a list of endpoint documentation objects that are currently in the system. /api/help/endpoints/{endpoints_id} Retrieves a single endpoint documentation object. The following endpoint has been removed /help/capabilities Lists all QRadar API capabilities. 38 IBM Security

39 API Updates Offense API Endpoints The following APIs have been added in /api/help/versions Retrieves a list of version documentation objects currently in the system. /api/help/versions/{version_id} Retrieves a single version documentation object. /api/help/resources Retrieves a list of resource documentation objects currently in the system. /api/help/resources/{resource_id} Retrieves a single resource documentation object. /api/help/endpoints Retrieves a list of endpoint documentation objects that are currently in the system. /api/help/endpoints/{endpoints_id} Retrieves a single endpoint documentation object. /help/capabilities Lists all QRadar API capabilities. 39 IBM Security

40 API Updates - Offenses API endpoints The following APIs have been added in /api/siem/offenses_types Retrieves all offense types. /api/system/servers/{server_id}/network_interfaces/ethern et Retrieves an offense type structure that describes the properties of an offense type. The following endpoints are updated: /api/siem/offenses Retrieves a list of offenses currently in the system. /api/siem/offenses/{offense_id} Updates an offense. 40 IBM Security

41 API Updates - QRadar Vulnerability Manager API endpoints The following APIs have been added in QRadar /api/qvm/saved_searches New endpoints for working with vulnerability saved searches /api/qvm/saved_searches/{saved_search_id} Retrieves a saved search. /api/qvm/saved_searches/{saved_search_id}/vuln_instances Creates the Vulnerability Instances search. /api/qvm/saved_searches/vuln_instances/{task_id}/status Retrieves the current status of a Vulnerability Instance present in the asset model. /api/qvm/saved_searches/vuln_instances/{task_id}/status Retrieves the status of a Vulnerability Instance. /api/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances Lists the Vulnerability Instances returned from a saved search. /api/qvm/saved_searches/vuln_instances/{task_id}/results/assets Lists the Vulnerability Instances assets returned from the saved search. /api/qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities Lists the Vulnerability Instances vulnerabilities returned from the saved search. 41 IBM Security

42 API Updates - System API endpoints The following APIs have been added in /api/system/servers/{server_id}/network_interfaces/bonded Creates a new bonded network interface. /api/system/servers/{server_id}/network_interfaces/bonded/{device_name}removes a bonded network interface. The following APIs have been updated in /api/system/servers/{server_id}/network_interfaces/bonded Retrieves a list of the bonded network interfaces based on the supplied server ID. /api/system/servers/{server_id}/network_interfaces/bonded/{device_name} Updates an existing bonded network interface. /api/system/servers/{server_id}/network_interfaces/ethernet Retrieves a list of the Ethernet network interfaces based on the supplied server ID. /api/system/servers/{server_id}/network_interfaces/ethernet/{device_name} Updates an Ethernet network interface based on the supplied server ID and device name. 42 IBM Security

43 API Updates - QRadar Vulnerability Manager API endpoints The following APIs have been removed in /api/qvm/savedsearches /api/qvm/vulninstances 43 IBM Security

44 API Resources QRadar API doc link QRADAR_CONSOLE_IP/api_doc Developer Works Forum to discuss, share and troubleshoot APIs API Samples and Examples on GitHub NOTE: Code samples for QRadar are still in validation with our quality team. These API code samples are expected to be released in two weeks. As always, administrators can use the API forums to keep up-to-date on when these code samples are posted. Code samples are published by QRadar development as a learning tool for administrators and developers to understand how to leverage features in the QRadar API. 44 IBM Security

45 Extension / Application Framework Updates in QRadar 7.2.7

46 Extension / Framework Enhancements Resource Specification Application writers can now specify the amount of RAM necessary for the applications to run. The defaults from will still exist but now apps can specify higher requirements and have higher default memory allocations. This feature is important for applications that will be performing resources intensive operations such as advanced analytics Automatic upgrade of apps when being deployed from the SDK Numerous enablement updates in preparation for the SDK Application (App for writing Apps) 46 IBM Security

47 THANK YOU FOLLOW US ON: QRadar Forums: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.