Encode Rule Explorer App v1.0.2 for IBM QRadar Documentation

Encode Rule Explorer App for IBM QRadar, Copyright 2017 Encode SA, All rights reserved.

Revisions to This Document
Date              Revision Description
30 June 2017      First edition for v1.0.0
30 July 2017      Updated documentation
5 November 2017   v1.0.1
6 March 2018      v1.0.2 - Bug fixes, UI improvements

Contents
Introduction
Audience
Installation Requirements
Installation
  Steps to install your extension for QRadar SIEM (UI)
  Steps to uninstall your extension for QRadar SIEM (UI)
Configuration
  Exporting Content from QRadar
  Importing Content to the QRadar App
Using Rule Explorer
  Navigation
  Rules
  Building Blocks
  Rule and Building Block Details
Known issues

Introduction
Encode Rule Explorer App for IBM QRadar allows operators to navigate through rules and building blocks and to view test conditions, rule actions and responses, as well as the test conditions of the referenced building blocks, all in one single view. It offers quick and easy navigation between rules/building blocks and the rules/building blocks referenced in their test conditions. Other capabilities include identification of dependencies on, and dependents of, other rules or building blocks. This is useful for troubleshooting issues with the Custom Rule Engine and for understanding complicated rules in QRadar.

Audience
This guide is for users of IBM QRadar systems who need to install the Encode Rule Explorer App.

Installation Requirements
The Rule Explorer App for QRadar has been tested on IBM QRadar version 7.2.8 as well as version 7.3.0 (patch 5+) and 7.3.1. The Rule Explorer App is not tested for compatibility with QRadar < 7.2.8. The application is currently not compatible with earlier patches of version 7.3.0 (patches 0-4). To install the QRadar App you will require QRadar Admin privileges.
Installation
Please consult the previous section, Installation Requirements, first.

Steps to install your extension for QRadar SIEM
First download the application, which is a ZIP file, from IBM X-Force Exchange. To install the application, log in to the QRadar web application and select the Admin tab. Under the System Configuration section select Extensions Manager. In the pop-up window click the Add button in the upper right area.

Browse for the downloaded ZIP file and check Install Immediately. Confirm the installation by clicking Install in the pop-up window. Wait for the installation to finish.

In some cases the installation reports that it finished with errors. This error is not fatal and the application should still have been installed properly. Click OK. Extensions Management will now show that the application installed successfully. Try to access the application under the Rule Explorer tab.

Steps to uninstall your extension for QRadar SIEM
To uninstall the application, log in to the QRadar web application and select the Admin tab. Under the System Configuration section select Extensions Manager. Under the ALL ITEMS tab you will find the application Rule Explorer. Clicking anywhere in the application row shows extra information along with the Uninstall button. Confirm the uninstall in the pop-up window and wait until the progress pop-up disappears. If all goes well a final pop-up window will display the uninstall outcome.
Configuration

Exporting Content from QRadar
1. Use SSH to log in to QRadar as the root user.
2. Create a file named package.txt in the /tmp directory on the QRadar console with the following contents. This limits the export to rule groups and custom rules, so that the app functions properly and the system is not overloaded by a full content export:

fgroup,all
customrule,all

3. From within the /tmp directory, use the contentmanagement.pl script to export the custom content by issuing the following commands:

cd /tmp
/opt/qradar/bin/contentmanagement.pl --action export --content-type package --file package.txt

The content is exported to a compressed file, for example all-contentexport-2050220803.zip.

Caution: Systems with large numbers of custom rules may experience slowdowns during the rule export process!

Importing Content to the QRadar App
To import the exported content into the App, use the following steps:
1. Unzip the exported content.
2. Go to the QRadar App and navigate to Resources -> Storage.
3. Select Upload under the Manage Storage section.
4. Select the XML file that was extracted from the ZIP file in step 1 (e.g. package.txt-contentexport-2050220803.xml).

You can upload multiple content exports and select between them under the Content Files menu in the top bar.

Once there are files in the App, visiting the Storage menu option shows the available files.
Using Rule Explorer

Navigation
The main window of the App is split into two columns/display sections. On the left the user can navigate through the groups of rules and building blocks. An indicator on the right of each group shows how many rules or building blocks the group contains. Clicking a group updates the right side of the screen with the rules included in that group or any of its subgroups.

Rules
The following information is immediately available when selecting a rule group.

Rule Information
Field Name          Field Description
Name                The name of the rule.
Offense             Whether the rule generates an offense {True, False}.
Dispatched          Whether the rule dispatches a new event {True, False}.
Reference Set /     Whether the rule inserts data into a reference set or reference data {True, False}.
Reference Data
Status              The status of the rule {True, False}.
Dependencies        If this value is greater than 0 it is hoverable. Hovering the value displays a box with all the rule dependencies.
Dependents          If this value is greater than 0 it is hoverable. Hovering the value displays a box with all the rule dependents.
Custom Properties   If any custom properties are used in this rule the value of this field is greater than 0. In that case hovering the value displays a box with all the custom properties.
Creation Date       The date the rule was created.
Modification Date   The date the rule was modified.
Owner               The owner of the rule.
Notes               If the rule contains notes, a post-it icon is displayed. In that case hovering the icon displays the rule notes.

It is also possible to limit the search results by using the Filter at the top of the right side of the screen.

Building Blocks
The following information is immediately available when selecting a building block group.

Building Block Information
Field Name          Field Description
Name                The name of the building block.
Dependencies        If this value is greater than 0 it is hoverable. Hovering the value displays a box with all the building block dependencies.
Dependents          If this value is greater than 0 it is hoverable. Hovering the value displays a box with all the building block dependents.
Custom Properties   If any custom properties are used in this building block the value of this field is greater than 0. In that case hovering the value displays a box with all the custom properties.
Creation Date       The date the building block was created.
Modification Date   The date the building block was modified.
Owner               The owner of the building block.
Notes               If the building block contains notes, a post-it icon is displayed. In that case hovering the icon displays the building block notes.
It is also possible to limit the search results by using the Filter at the top of the right side of the screen.

Rule and Building Block Details
Clicking a rule or building block name shows further information. In the test definitions, referenced rules or building blocks are highlighted in blue, while the remaining user-configurable values are highlighted in yellow. For rules it is also possible to view Rule Actions, Rule Responses and Limiter, which are expandable fields opened by clicking the plus (+) icon.

Under the Related section you can view the list of rules/building blocks that are used in the test definitions of the rule/building block you are currently viewing. You can expand each one by clicking its name to view its test definitions, notes or related rules/building blocks. You can drill down into the related rules/building blocks without any limit. If, however, you need to display all the information of a related rule/building block, click the arrow icon at the right of its name to navigate to that rule's/building block's page.

At the top of the screen, to the right of the rule/building block name, there are two icons: the tree and the reversed tree. Hovering the tree displays all the rules/building blocks that are directly used in the test definitions of the rule/building block you are currently viewing. Hovering the reversed tree displays all the rules/building blocks that directly use the rule/building block you are currently viewing.

Clicking the tree icon displays an actual tree. This view allows the operator to understand which rules/building blocks affect the behavior of the rule/building block currently being viewed. The tree displays not only the rules/building blocks directly related to the one being viewed, but also the related rules/building blocks of those related rules/building blocks. This is best understood from the following screenshot.

Similarly, clicking the reversed tree icon displays a tree with the rules/building blocks that use the rule/building block currently being viewed, as well as the rules/building blocks that in turn use those. This view allows an operator to easily identify which resources will be affected by a change to one rule/building block.
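The tree and reversed tree views are a forward and a reverse walk over the references found in test definitions. The following Python script, added here as an illustration and not part of the Encode app or of QRadar, builds both trees from a constructed, hypothetical map of rule/building block names to the names they reference, guards against reference cycles, and lists references to undefined names (a common cause of Custom Rule Engine troubleshooting). The rule names and the graph are invented for the example.

```python
"""Dependency (tree) and dependent (reversed tree) analysis over a rule graph.

Constructed example: the names below are hypothetical and the graph is not
exported from any QRadar system.
"""
from collections import deque

# Constructed sample: each rule/building block maps to the rules/building
# blocks referenced in its test definitions (the names highlighted in blue).
SAMPLE_TESTS = {
    "BB:HostDefinition: Servers": [],
    "BB:CategoryDefinition: Authentication Failures": [],
    "BB:Suspicious: Brute Force": ["BB:CategoryDefinition: Authentication Failures"],
    "Rule: Brute Force on Servers": ["BB:Suspicious: Brute Force",
                                     "BB:HostDefinition: Servers"],
    "Rule: Report Brute Force": ["Rule: Brute Force on Servers"],
}


def direct_dependencies(tests, name):
    """Names used directly in the test definitions of `name` (hover on tree)."""
    return list(tests.get(name, []))


def direct_dependents(tests, name):
    """Names whose test definitions reference `name` (hover on reversed tree)."""
    return sorted(r for r, refs in tests.items() if name in refs)


def build_tree(tests, name, reverse=False, _seen=None):
    """Nested dict {child: subtree}; reverse=True builds the reversed tree.

    A name already on the current path is emitted as a leaf instead of
    recursing, so a cyclic reference cannot loop forever.
    """
    seen = (set() if _seen is None else _seen) | {name}
    children = direct_dependents(tests, name) if reverse else direct_dependencies(tests, name)
    return {c: ({} if c in seen else build_tree(tests, c, reverse, seen)) for c in children}


def transitive(tests, name, reverse=False):
    """Flat set of every rule/building block reachable from `name` (BFS)."""
    found, queue = set(), deque([name])
    while queue:
        cur = queue.popleft()
        nxt = direct_dependents(tests, cur) if reverse else direct_dependencies(tests, cur)
        for n in nxt:
            if n != name and n not in found:
                found.add(n)
                queue.append(n)
    return found


def unknown_references(tests):
    """References to names that have no definition in the export."""
    defined = set(tests)
    return sorted({ref for refs in tests.values() for ref in refs if ref not in defined})


def render(tree, indent=0):
    """Indented text lines, one per node, for printing a tree."""
    lines = []
    for node, sub in sorted(tree.items()):
        lines.append("  " * indent + node)
        lines.extend(render(sub, indent + 1))
    return lines


if __name__ == "__main__":
    target = "Rule: Brute Force on Servers"
    print("Tree (what this rule depends on):")
    print("\n".join(render(build_tree(SAMPLE_TESTS, target))))
    print("Reversed tree (what a change to this rule affects):")
    print("\n".join(render(build_tree(SAMPLE_TESTS, target, reverse=True))))
    print("Undefined references:", unknown_references(SAMPLE_TESTS))
```

`transitive(..., reverse=True)` is the impact set of a change: everything that, directly or indirectly, uses the given rule or building block. The `_seen` path guard matters on real exports, where building blocks occasionally end up referencing each other.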
Known issues
The application is not compatible with patches 0-4 of QRadar v7.3.0.