IBM CLOUD DISCOVERY APP FOR QRADAR

Transcription

1 IBM CLOUD DISCOVERY APP FOR QRADAR Getting Started Updated: January 31 st, 2018

2 Page 1 Introduction This document provides instructions for installing, configuring, and using IBM Cloud Discovery App for QRadar. This QRadar extension helps detect web application usage patterns within an organization and tracks the following information: The applications that are used on your networks XForce Threat Intelligence risk score Application access statistics for each user Prerequisites IBM Cloud Discovery App for QRadar requires a functional and licensed installation of QRadar SIEM version 7.2.8(Patch 8 and above) or 7.3(Patch 4 and above). Before you proceed: QRadar limits the amount of memory that can be used by apps. IBM Cloud Discovery App requires minimum 4 GB memory which means QRadar console should be 64 GB or more. The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed. The app also requires one or more of the following devices: Cisco IronPort McAfee Web Gateway IBM Security Network Protection Websense V Series Check Point FireWall Palo Alto PA Series Bluecoat SG Appliance

3 Page 2 Configure a log source so that the app has statistics to display. Here is an example of log source configuration setting <IP>

4 Page 3 Installing the application Use the following instructions to install the application: 1. Download the IBM Cloud Discovery App for QRadar application from the IBM Security App Exchange Portal at 2. Log in to the IBM QRadar console as an administrator. 3. Go to the Admin tab and click Extensions Management in the System Configuration section. 4. Click Add and select the application file that you downloaded. 5. Click Add. 6. Log out and log in again so that you can see the Cloud Discovery tab information. Important note for QRadar 7.2.8: If you are upgrading from Cloud App Analytics v1.x to IBM Cloud Discovery App v2.0.1 on QRadar 7.2.8, then you should uninstall the existing Cloud App Analytics app v1.x and then perform installation of Cloud Discovery App again..

5 Page 4 Configuring the application Once the app install is complete, go to Admin tab of QRadar, and scroll to the bottom of the screen, to the Plug-ins section. Here, you will find Cloud Discovery icon. Click it to launch the configuration panel.

6 Page 5 The application configuration settings page has two tabs: Screen 1: Application Configuration Settings: Input Feed Input Feed (Screen 1): Provide X-Force credentials (see Obtaining the XForce API key and password section below to know procedure to obtain it), QRadar Token (see Generating QRadar Authorization Token section below to generate the token). Once respective values are provided, click on Save Input Feed to save the settings. Now, click on Analytics Settings on the left hand side menu, to move to second tab. IMPORTANT: X-Force credentials are optional and the app runs without it as well. These credentials are required for daily refresh of Threat intelligence data from X-Force Exchange, and it makes more than 6000 daily API calls to get required data. Please configure X-Force credentials only if you have an active internet connection from your QRadar. Obtaining the XForce API key and password Before you begin You must have an IBM ID for accessing X-Force Exchange API and generating X-Force Exchange API key and password. Register for an IBM ID at IBM X-Force Exchange. Procedure 1. Log in to the IBM X-Force Exchange website with an active IBM ID. 2. View your user profile, and then go to the Settings page to create a new API key/password pair.

7 Page 6 o o o Ensure to save your password for future use. You can view the API key but not the password when revisiting the IBM X-Force Exchange website. Your API key and password is associated with your IBM ID, and is not allowed to be shared with others. Despite API keys and passwords do not expire, you can generate a new set of API key and password by following the steps described here. Your old API key/password pair will be invalid when a new pair is generated. Generating QRadar Authorization Token 1. Click the Admin tab and go to User Management Authorized Services. 2. In the Manage Authorized Services tab, click Add Authorized Service. 3. Click Add Authorized Service. 4. Add the relevant information in the following fields and click Create Service: a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length. b. From the User Role list, select the Admin user role. c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface. d. In the Expiry Date list, type or select a date that you want this service to expire. If an expiry date is not necessary, select No Expiry. 5. Click the row that contains the service that you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.

8 Page 7 Screen 2: Analytics Settings Analytics Settings (Screen 2): Cloud Discovery V 2.0 has a built-in analytics engine that calculates the risks associated with Cloud Application usage. By default, the analytics engine runs once every 12 hours, however, this frequency can be changed using Risk Analysis Frequency field. With time, the risk decays, by a factor which can be defined in Risk Decay Factor. By default the risk decay factor is 0.5. Clicking on Save Analytics Settings will save the changes. Use Run Now button to start the on-demand risk analysis.

9 Page 8 Using the application You can view discovered cloud applications along with risk insights based on its usage and threat data. You can use drop down to select duration to view data for last 1 day, 7day or 30 days Dashboard When the app interface is open via Cloud Discovery tab a dashboard is displayed that provides application, user and violations data: Risky Users Critical Violations Risky Applications Threat intelligence insights based on activity data for each application along with threat score (Bubble chart from Cloud Application Insights) Application status showing number of new discovered applications, approved applications and unapproved applications (donut chart Cloud Application Insights ) Top Risky Users Top Violations Top Risky Applications Click on the number below any of the three text (Risky Users, Critical Violations, and Risky Applications) to drill-down to view respective details on a new page. Use bread-crumbs on top left hand corner to come back to the dashboard.

10 Page 9 Mouse hover on any of the bubble to view application name, number of users accessing the applications and amount of total data transferred. To view more details about this application, click on the bubble and the details are slide-out from the right. This slide-out has three tabs: Overview (shows application properties), Violations (shows the violations associated with accessing this applications) and Activity (amount of data transferred by each user). Clicking on the Discovered Applications will drill down to show details of all the applications discovered on the network. Top Risky Users, Top Violations and Top Risky Applications table shows the top five risky users, top five violations, and top ten risky applications respectively sorted by the associated risk score.

11 Page 10 Details of the risky user or violation or the application can be viewed by clicking the respective row. The detail is presented on a slide-out, as shown in the screen below (for one of the top risky user): An application can be an approved ( ) for the enterprise use, or unapproved ( ) or a not reviewed (new) ( ). This state can be changed by clicking on the icon under Type column, in Top Risky Applications table. Applications view After you click the number under Risky Applications on the dashboard, the Risky Applications view is displayed:

12 Page 11 On this page, you can approve or un-approve an application, either by clicking the icon (under Approved column) or using the check-box (for multi-select). More details of an application are slide-out from right, by clicking on the application name. Click on the number below Unapproved Applications, Applications with High Violations, New Applications, or Total Applications to filter the applications list. Users view After you click the number under Risky Users on the dashboard, the Risky Users view is displayed: This page shows the list of all the risky users in the system. Clicking on row in the table shows the details for a user, in a slide-out from right hand side. Click on the number below Active Users, High Risk Users, or Users Using Unapproved Applications to filter the users list. Known Issue: Sorting this view on Data Sent values will result into Data Loading has Failed error. Please sort using other columns in the same view to display data. Fix will be introduced in next re-fresh. Violations View After you click the number under Critical Violations on the dashboard, the Critical Violations view is displayed:

13 Page 12 This page shows the list of all the critical violations in the system. Clicking on the application or user in a row in the table shows the details of that violation for the application or the user, in a slide-out from right hand side. Click on the number below Critical Violations, High Severity Violations, or Total Violations to filter the violations list. Known Issues: 1) If session is invalidated due to idle time out, then users might observe Data Loading Failed error on the UI. Please log-out and log-in again to QRadar to re-establish the session. 2) If your dashboard shows 0 discovered application, it could be due to failure in getting X-Force Exchange data. Many times, this happens if you do not have stable internet connection to X-Force. In this case, you need to reinstall app and do not provide X-Force credentials during configuration. Cloud Discovery app will run with cached X-Force data in this case.