IBM CLOUD DISCOVERY APP FOR QRADAR
Getting Started
Updated: October 26th, 2017
© IBM Corp. 2017
Introduction
This document provides instructions for installing, configuring, and using IBM® Cloud Discovery App for QRadar®. This QRadar extension helps detect web application usage patterns within an organization and tracks the following information:
• The applications that are used on your networks
• X-Force Threat Intelligence risk score
• Application access statistics for each user
Prerequisites
IBM Cloud Discovery App for QRadar requires a functional and licensed installation of QRadar SIEM version 7.2.8 (Patch 8) or 7.3 (Patch 4). Before you proceed:
• QRadar limits the amount of memory that can be used by apps. IBM Cloud Discovery App requires a minimum of 4 GB of memory, which means the QRadar console should have 64 GB or more.
• The installation might fail due to a lack of available memory. This situation can occur if the amount of memory available for applications is decreased because other applications are installed.
The app also requires one or more of the following devices:
• Cisco IronPort
• McAfee Web Gateway
• IBM Security Network Protection
• Websense V Series
• Check Point FireWall
• Palo Alto PA Series
• Blue Coat SG Appliance
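A pre-install check for the two memory rules above, added here as an example (it is not IBM's tooling and not part of the original guide). It assumes the QRadar console is Linux and exposes /proc/meminfo, and that the 4 GB figure is the app's own requirement; the QRadar per-app memory cap itself is not queried.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: verify the two sizing rules
# stated in the prerequisites before installing the app. Assumes a Linux
# console with /proc/meminfo (MemAvailable needs kernel 3.14+ or a
# distribution backport; MemFree is used as a fallback).

MIN_TOTAL_KB=$((64 * 1024 * 1024))   # console must have 64 GB or more
MIN_AVAIL_KB=$((4 * 1024 * 1024))    # the app needs at least 4 GB free

# meminfo_kb FILE FIELD -> prints the kB value of FIELD (e.g. MemTotal)
meminfo_kb() {
    awk -v f="$2:" '$1 == f { print $2; exit }' "$1"
}

# check_app_memory [FILE] -> returns 0 when both rules hold, 1 otherwise.
# FILE defaults to /proc/meminfo; a path is accepted so it can be tested.
check_app_memory() {
    file="${1:-/proc/meminfo}"
    total=$(meminfo_kb "$file" MemTotal)
    avail=$(meminfo_kb "$file" MemAvailable)
    avail="${avail:-$(meminfo_kb "$file" MemFree)}"
    if [ -z "$total" ] || [ -z "$avail" ]; then
        echo "cannot read memory figures from $file" >&2
        return 1
    fi
    status=0
    if [ "$total" -lt "$MIN_TOTAL_KB" ]; then
        echo "console has $((total / 1024 / 1024)) GB RAM; guide requires 64 GB" >&2
        status=1
    fi
    if [ "$avail" -lt "$MIN_AVAIL_KB" ]; then
        echo "only $((avail / 1024)) MB available; app needs 4 GB free" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample meminfo files (not captured from a real console):
# one 64 GB console with 8 GB free, one 32 GB console with 2 GB free.
SAMPLE_OK=$(mktemp)
printf 'MemTotal:       67108864 kB\nMemFree:         1048576 kB\nMemAvailable:    8388608 kB\n' > "$SAMPLE_OK"
SAMPLE_LOW=$(mktemp)
printf 'MemTotal:       33554432 kB\nMemFree:         2097152 kB\n' > "$SAMPLE_LOW"

# Run against the live console when invoked directly:
#   check_app_memory && echo "memory prerequisites met"
```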
Configure a log source so that the app has statistics to display. Here is an example of a log source configuration setting:
Installing the application
Use the following instructions to install the application:
1. Download the IBM Cloud Discovery App for QRadar application from the IBM Security App Exchange Portal at https://exchange.xforce.ibmcloud.com/hub.
2. Log in to the IBM QRadar console as an administrator.
3. Go to the Admin tab and click Extensions Management in the System Configuration section.
4. Click Add and select the application file that you downloaded.
5. Click Add.
6. Log out and log in again so that you can see the Cloud Discovery tab information.
Important note for QRadar 7.2.8: If you are upgrading from Cloud App Analytics v1.x to IBM Cloud Discovery App v2.0 on QRadar 7.2.8, uninstall the existing Cloud App Analytics v1.x app first and then install Cloud Discovery App 2.0.
Configuring the application
Once the app install is complete, go to the Admin tab of QRadar and scroll to the bottom of the screen, to the "Plug-ins" section. Here you will find the "Cloud Discovery" icon. Click it to launch the configuration panel.
The application configuration settings page has two tabs:
Screen 1: Application Configuration Settings: Input Feed
• Input Feed (Screen 1): Provide X-Force credentials and QRadar Token (see the Generating QRadar Authorization Token section below to generate the token). Once the respective values are provided, click "Save Input Feed" to save the settings. Now click Analytics Settings on the left-hand side menu to move to the second tab.
IMPORTANT: X-Force credentials are optional and the app runs without them as well. These credentials are required for the daily refresh of threat intelligence data from X-Force Exchange, and that refresh makes more than 6000 API calls per day to get the required data. Configure X-Force credentials only if your X-Force API quota allows it.
Generating QRadar Authorization Token
1. Click the Admin tab and go to User Management → Authorized Services.
2. In the Manage Authorized Services tab, click Add Authorized Service.
3. Click Add Authorized Service.
4. Add the relevant information in the following fields and click Create Service:
   a. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
   b. From the User Role list, select the Admin user role.
   c. From the Security Profile list, select the security profile that you want to assign to this authorized service. The security profile determines the networks and log sources that this service can access on the QRadar user interface.
   d. In the Expiry Date list, type or select a date that you want this service to expire. If an expiry date is not necessary, select No Expiry.
5. Click the row that contains the service that you created, select and copy the token string from the Selected Token field in the menu bar, and close the Manage Authorized Services window.
Screen 2: Analytics Settings
• Analytics Settings (Screen 2): Cloud Discovery V2.0 has a built-in analytics engine that calculates the risks associated with cloud application usage. By default, the analytics engine runs once every 12 hours; however, this frequency can be changed using the Risk Analysis Frequency field. With time, the risk decays by a factor which can be defined in Risk Decay Factor. By default the risk decay factor is 0.5. Clicking "Save Analytics Settings" will save the changes. Use the "Run Now" button to start an on-demand risk analysis.
Using the application
You can view discovered cloud applications along with risk insights based on their usage and threat data. You can use the drop-down to select the duration to view data for the last 1 day, 7 days, or 30 days.
Dashboard
When the app interface is opened via the "Cloud Discovery" tab, a dashboard is displayed that provides application, user and violations data:
• Risky Users
• Critical Violations
• Risky Applications
• Threat intelligence insights based on activity data for each application along with threat score (bubble chart from Cloud Application Insights)
• Application status showing the number of newly discovered applications, approved applications and unapproved applications (donut chart in Cloud Application Insights)
• Top Risky Users
• Top Violations
• Top Risky Applications
Click on the number below any of the three texts (Risky Users, Critical Violations, and Risky Applications) to drill down and view the respective details on a new page. Use the breadcrumbs in the top left-hand corner to come back to the dashboard.
Hover the mouse over any of the bubbles to view the application name, the number of users accessing the application, and the total amount of data transferred.
To view more details about an application, click on the bubble and the details slide out from the right.
This slide-out has three tabs: Overview (shows application properties), Violations (shows the violations associated with accessing this application) and Activity (amount of data transferred by each user). Clicking on "Discovered Applications" will drill down to show details of all the applications discovered on the network. The Top Risky Users, Top Violations and Top Risky Applications tables show the top five risky users, top five violations, and top ten risky applications respectively, sorted by the associated risk score.
Details of the risky user, violation or application can be viewed by clicking the respective row. The detail is presented on a slide-out, as shown in the screen below (for one of the top risky users):
An application can be approved for enterprise use, unapproved, or not reviewed (new); each state is shown by its own icon. This state can be changed by clicking on the icon under the "Type" column in the Top Risky Applications table.
Applications view
After you click the number under Risky Applications on the dashboard, the Risky Applications view is displayed:
On this page, you can approve or un-approve an application, either by clicking the icon (under the Approved column) or using the check-box (for multi-select). More details of an application slide out from the right when you click on the application name. Click on the number below Unapproved Applications, Applications with High Violations, New Applications, or Total Applications to filter the applications list.
Users view
After you click the number under Risky Users on the dashboard, the Risky Users view is displayed:
This page shows the list of all the risky users in the system. Clicking on a row in the table shows the details for a user in a slide-out from the right-hand side. Click on the number below Active Users, High Risk Users, or Users Using Unapproved Applications to filter the users list.
Known Issue: Sorting this view on "Data Sent" values results in a "Data Loading has Failed" error. Sort using other columns in the same view to display data. A fix will be introduced in the next refresh.
Violations view
After you click the number under Critical Violations on the dashboard, the Critical Violations view is displayed:
This page shows the list of all the critical violations in the system. Clicking on the application or user in a row in the table shows the details of that violation for the application or the user in a slide-out from the right-hand side. Click on the number below Critical Violations, High Severity Violations, or Total Violations to filter the violations list.
Known Issues:
1) If the session is invalidated due to an idle time-out, users might observe a "Data Loading Failed" error on the UI. Log out and log in again to QRadar to re-establish the session.
2) If your dashboard shows 0 discovered applications, it could be due to a failure in getting X-Force Exchange data. This often happens if you have a limited API quota with X-Force Exchange. In this case, you need to reinstall the app and not provide X-Force credentials during configuration.