IBM CLOUD DISCOVERY APP FOR QRADAR

Getting Started

Updated: October 26th, 2017

© IBM Corp. 2017



Introduction

This document provides instructions for installing, configuring, and using IBM® Cloud Discovery App for QRadar®. This QRadar extension helps detect web application usage patterns within an organization and tracks the following information:

• The applications that are used on your networks
• X-Force Threat Intelligence risk score
• Application access statistics for each user

Prerequisites

IBM Cloud Discovery App for QRadar requires a functional and licensed installation of QRadar SIEM version 7.2.8 (Patch 8) or 7.3 (Patch 4). Before you proceed:

• QRadar limits the amount of memory that can be used by apps. IBM Cloud Discovery App requires a minimum of 4 GB of memory, which means the QRadar console should have 64 GB or more.
• The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.

The app also requires one or more of the following devices:

• Cisco IronPort
• McAfee Web Gateway
• IBM Security Network Protection
• Websense V Series
• Check Point FireWall
• Palo Alto PA Series
• Bluecoat SG Appliance


Configure a log source so that the app has statistics to display. Here is an example of a log source configuration setting:


Installing the application

Use the following instructions to install the application:

1. Download the IBM Cloud Discovery App for QRadar application from the IBM Security App Exchange Portal at https://exchange.xforce.ibmcloud.com/hub.
2. Log in to the IBM QRadar console as an administrator.
3. Go to the Admin tab and click Extensions Management in the System Configuration section.
4. Click Add and select the application file that you downloaded.
5. Click Add.
6. Log out and log in again so that you can see the Cloud Discovery tab information.

Important note for QRadar 7.2.8: If you are upgrading from Cloud App Analytics v1.x to IBM Cloud Discovery App v2.0 on QRadar 7.2.8, you should uninstall the existing Cloud App Analytics app v1.x first and then install Cloud Discovery App 2.0.


Configuring the application

Once the app install is complete, go to the Admin tab of QRadar and scroll to the bottom of the screen, to the “Plug-ins” section. Here you will find the “Cloud Discovery” icon. Click it to launch the configuration panel.


The application configuration settings page has two tabs:

Screen 1: Application Configuration Settings: Input Feed

• Input Feed (Screen 1): Provide the X-Force credentials and the QRadar Token (see the Generating QRadar Authorization Token section below to generate the token). Once the respective values are provided, click “Save Input Feed” to save the settings. Now click Analytics Settings in the left-hand side menu to move to the second tab.

IMPORTANT: X-Force credentials are optional and the app runs without them as well. These credentials are required for the daily refresh of threat intelligence data from X-Force Exchange, and the app makes more than 6000 daily API calls to get the required data. Please configure X-Force credentials only if your X-Force API quota allows it.

Generating QRadar Authorization Token

1. Click the Admin tab and go to User Management → Authorized Services.
2. In the Manage Authorized Services tab, click Add Authorized Service.
3. Click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:

   a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.

   b. From the User Role list, select the Admin user role.

   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.


   d. In the Expiry Date list, type or select a date on which you want this service to expire. If an expiry date is not necessary, select No Expiry.

5. Click the row that contains the service that you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.
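Before pasting the token into the Input Feed tab it is worth confirming that QRadar actually accepts it. The following Python script is an added example, not part of IBM's guide: it probes the console's read-only /api/system/about endpoint with the token in the SEC header (the QRadar REST API convention) and maps the reply back to the fields of the procedure above (Expiry Date, User Role, Security Profile). It assumes a reachable console hostname and a console certificate the client trusts.

```python
"""Pre-flight check for the QRadar authorized-service token the Cloud Discovery
app asks for. Added example, not part of IBM's guide. Assumes the standard
QRadar REST API on the console and the SEC token header (QRadar convention)."""
import json
import urllib.error
import urllib.request

ABOUT_PATH = "/api/system/about"  # read-only endpoint any valid token may call


def verdict(status: int) -> str:
    """Translate the probe's HTTP status into an actionable message."""
    if status == 200:
        return "ok"
    if status == 401:
        return "rejected: token unknown or past its Expiry Date (regenerate it)"
    if status == 403:
        return "accepted but not permitted: check User Role / Security Profile"
    return f"unexpected HTTP status {status}"


def http_fetch(request):
    """Real HTTP call returning (status, body); default TLS verification applies,
    so a self-signed console certificate must be added to the trust store."""
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_token(console: str, token: str, fetch=http_fetch):
    """GET https://<console>/api/system/about with the SEC header.
    Returns (verdict, parsed JSON or None); `fetch` is injectable for testing."""
    if not token or any(c.isspace() for c in token):
        return "token empty or contains whitespace: copy the whole Selected Token field", None
    # urllib normalises the header name to "Sec"; HTTP header names are case-insensitive
    req = urllib.request.Request(f"https://{console}{ABOUT_PATH}",
                                 headers={"SEC": token, "Accept": "application/json"})
    status, body = fetch(req)
    result, about = verdict(status), None
    if status == 200:
        try:
            about = json.loads(body)
        except ValueError:
            result = "got 200 but body is not JSON: is this the QRadar API endpoint?"
    return result, about
```

Run it as `check_token("qradar-console.example", "<pasted token>")`; anything other than "ok" points at the field to revisit before saving the Input Feed.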

Screen 2: Analytics Settings

• Analytics Settings (Screen 2): Cloud Discovery V2.0 has a built-in analytics engine that calculates the risks associated with Cloud Application usage. By default, the analytics engine runs once every 12 hours; however, this frequency can be changed using the Risk Analysis Frequency field. With time, the risk decays by a factor which can be defined in Risk Decay Factor. By default the risk decay factor is 0.5. Clicking “Save Analytics Settings” will save the changes. Use the “Run Now” button to start an on-demand risk analysis.


Using the application

You can view discovered cloud applications along with risk insights based on their usage and threat data. Use the dropdown to select the duration and view data for the last 1 day, 7 days or 30 days.

Dashboard

When the app interface is opened via the “Cloud Discovery” tab, a dashboard is displayed that provides application, user and violations data:

• Risky Users
• Critical Violations
• Risky Applications
• Threat intelligence insights based on activity data for each application along with the threat score (bubble chart from Cloud Application Insights)
• Application status showing the number of newly discovered applications, approved applications and unapproved applications (donut chart, Cloud Application Insights)
• Top Risky Users
• Top Violations
• Top Risky Applications

Click on the number below any of the three texts (Risky Users, Critical Violations, and Risky Applications) to drill down to the respective details on a new page. Use the breadcrumbs in the top left-hand corner to come back to the dashboard.


Mouse over any of the bubbles to view the application name, the number of users accessing the application and the total amount of data transferred.

To view more details about this application, click on the bubble and the details slide out from the right.

This slide-out has three tabs: Overview (shows application properties), Violations (shows the violations associated with accessing this application) and Activity (amount of data transferred by each user). Clicking on “Discovered Applications” will drill down to show details of all the applications discovered on the network. The Top Risky Users, Top Violations and Top Risky Applications tables show the top five risky users, top five violations, and top ten risky applications respectively, sorted by the associated risk score.


Details of a risky user, a violation or an application can be viewed by clicking the respective row. The detail is presented on a slide-out, as shown in the screen below (for one of the top risky users):

An application can be approved for enterprise use, unapproved, or not reviewed (new); each state is indicated by its icon. This state can be changed by clicking on the icon under the “Type” column in the Top Risky Applications table.

Applications view

After you click the number under Risky Applications on the dashboard, the Risky Applications view is displayed:


On this page, you can approve or un-approve an application, either by clicking the icon (under the Approved column) or by using the check-box (for multi-select). More details of an application slide out from the right when you click on the application name. Click on the number below Unapproved Applications, Applications with High Violations, New Applications, or Total Applications to filter the applications list.

Users view

After you click the number under Risky Users on the dashboard, the Risky Users view is displayed:

This page shows the list of all the risky users in the system. Clicking on a row in the table shows the details for a user in a slide-out from the right-hand side. Click on the number below Active Users, High Risk Users, or Users Using Unapproved Applications to filter the users list.

Known Issue: Sorting this view on “Data Sent” values will result in a “Data Loading has Failed” error. Please sort using other columns in the same view to display data. A fix will be introduced in the next refresh.

Violations View

After you click the number under Critical Violations on the dashboard, the Critical Violations view is displayed:


This page shows the list of all the critical violations in the system. Clicking on the application or user in a row in the table shows the details of that violation for the application or the user in a slide-out from the right-hand side. Click on the number below Critical Violations, High Severity Violations, or Total Violations to filter the violations list.

Known Issues:

1) If the session is invalidated due to an idle timeout, users might observe a “Data Loading Failed” error on the UI. Please log out and log in again to QRadar to re-establish the session.

2) If your dashboard shows 0 discovered applications, it could be due to a failure in getting X-Force Exchange data. Many times, this happens if you have a limited API quota with X-Force Exchange. In this case, you need to reinstall the app and not provide X-Force credentials during configuration.