Upload
buituong
View
234
Download
5
Embed Size (px)
Citation preview
QRadar 7.2.7 Feature DiscussionIBM SECURITY SUPPORT OPEN MIC
Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio.
USA toll-free: 866-803-2141 USA toll: 1-203-607-0460
Participant passcode: 3744658
Slides and additional dial in numbers: http://ibm.biz/Bd4UGn
NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR
IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT
YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH
RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON
YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.June 22, 2016
2 IBM Security
Panelists
• Jeremy Mathers – QRadar User Interface Team Lead
• Dwight Spencer – Principal Solutions Architect & Co-founder of Q1 Labs
• Adam Frank – Principal Solutions Architect
• Jeff Rusk – Development Manager, QRadar L3 Engineering
• Jason Keirstead – QRadar Architecture Team
• Greg Davis – QRadar Architecture Team
• Joey Maher – QRadar Technical Support Team Lead
• Ellen Pit – QRadar Quality Lead
Presenter: Jonathan Pechta – Support Technical Writer / Support Content Lead
Moderator: Jack Cam – Support Manager
Announcements
4 IBM Security
QRadar 7.2.8 – Future API Changes
QRadar 7.2.8 introduces V7.0 endpoints
API 4.0 will be removed
APIs 5.0 and 5.1 will be marked as deprecated
QRadar Support Knowledgebase
A new master tech note was released that contains links to all support content currently published. As we work on new articles, this page will be refreshed to include new content.
Where?http://ibm.biz/qradarknowledge
5 IBM Security
QRadar Protocol Changes
New protocols being released by our IBM Integration team will sort certificates by protocol. New releases also include more security and restrict where administrators can keep certificates. New protocols installed make copies of existing certificates to the proper protocol directory.
For example:/opt/qradar/conf/trusted_certificates/<protocol>/opt/qradar/conf/trusted_certificates/lea
QRadar – YUM vs RPM
As of the most recent QRadar automatic update, development has added more support for YUM commands. Administrators and users will notice that our documentation examples will start using YUM commands, which are now preferred over using RPM commands to prevent patch and dependency issues.
yum install DSM-BluecoatProxySG-7.2-20160530121732.noarch.rpm
yum –y install DSM-BluecoatProxySG-7.2-20160530121732.noarch.rpm
This replaces rpm –Uvh commands
yum search WinCollect
This replaces rpm –qa | grep WinCollect
6 IBM Security
Keeping up with the latest QRadar information
Administrators and users who need to keep up with changes to QRadar should ensure they are signed up for the following information:
1. IBM My Notifications (email or RSS feeds for your IBM Products)- Go to: http://www.ibm.com/software/support/einfo.html- Click the Subscribe Now button.- In the Product lookup search field, type QRadar.- Click Subscribe next to products you want information about.- Configure your delivery preferences.
2. QRadar Support Newsletter – May newsletter: http://ibm.biz/qradarmay2016
How to sign-up for the email list:To subscribe to the QRadar Support Newsletter send an e-mail to [email protected] with the subject line: snl subscribe SecIntel
To unsubscribe, send an e-mail to [email protected] with the subject line: snl unsubscribe SecIntel
3. QRadar Forums - http://ibm.biz/BdR2kC
Ask us questions directly.
Agenda
8 IBM Security
QRadar 7.2.7 Feature Discussion Agenda
Upgrade Instructions
New to this version
Offense Indexing
Lazy Search Enhancement
Performance Updates
Custom Columns
Per Log Source EPS & Reporting
AQL Changes
System and License Management Changes
Reference Data Changes
API Changes
Extension / Application Framework Updates
Upgrading
10 IBM Security
Upgrade - Instructions
Software Upgrade Questions (any version)
– http://www.ibm.com/support/docview.wss?uid=swg21651118
– This article outlines the software upgrade progression to get from QRadar version x --> y. If a customer calls with upgrade questions or cannot find the proper software to upgrade, you can direct them to this article.
Patch & Upgrade Best Practices
– Run a configuration backup & download the file before upgrade
– Ensure all HA pairs have the PRIMARY system active, and the secondary is online
– place patch files in /store/patches/
– stage the patch/upgrade file out to all managed hosts, if required
– Patch console first, then all managed hosts simultaneously, not using "patch all“
Upgrades versus ISOs
– Admins use SFS files to patch/upgrade a system to QRadar 7.2.7
– New installations use ISO files.
HA Considerations
– Note, patches should not ever be run on the HA secondary, if it's the active host - you should fail back to the primary. IF the primary is offline/failed for some period of time, the upgrade for the entire deployment should be delayed.
Offense Indexing
12 IBM Security
Incident Detection and Management – Offense Indexing Uses
QRadar 7.2.7 introduces the ability to “index” or chain offenses together using any custom property. This includes all database properties including custom properties. Custom properties that use this feature must be enabled and optimized.
This expands our default 12 normalized custom properties to use any custom properties in QRadar. Values matching the custom property selected are added to the offense without extra work required from the administrator.
13 IBM Security
Incident Detection and Management – Response Limiter
New custom columns are available as a drop-down in the user interface.
14 IBM Security
Incident Detection and Management – Response Limiter
Administrators or users can also use custom properties in a response limiter to limit notifications for a reoccurring custom property. This feature ensures that null values are counted by the response limiter and do not fire notifications.
15 IBM Security
Incident Detection and Management – Deletion Framework
Custom Property Deletion
When you attempt to delete custom properties, you are now notified of any dependencies, including offenses indexed by that custom property.
Lazy Search in QRadar 7.2.7
17 IBM Security
Search Enhancements – Lazy Search - Use
Lazy Search is a new Quick Filter capability introduced in QRadar 7.2.7 that is optimized for more tactical use cases such as the threat hunting or IOC searching.
Retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user along with a time series graph showing the distribution of the results over the search timeframe.
Reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves. Reduces impact on the network by only return a subset of the results until the analyst make the decision that the entire result is necessary.
A Quick Filter search will utilize the Lazy Search functionality when the following conditions are met:
The only filter is the Quick Filter
The search is on a time range (not real-time or Last Minute)
Performance Changes in QRadar 7.2.7
19 IBM Security
New Disk Compression*
All QRadar 7.2.7 versions and forward utilize our new, highly efficient compression mechanism for all stored
data.
No more compress/decompress cycles
• Data is always compressed on disk and all decompression occurs in memory with no rewrite to disk.
Up to 10X faster search
• Overall reduction in IO due to data always being compressed. This means searching on compressed
data in 7.2.7 is even faster than uncompressed data in 7.2.6!
Better overall system performance
• Reduced disk reads and writes, lower CPU load leads to more consistent system resource utilization
with less spikes.
• Faster data rebalancing with Data nodes
Simplifies retention planning
• User no longer need to consider compression when setting up retention. In fact, the option is no longer
even available. Users simply decide how long to keep data and when it can be deleted
20 IBM Security
Disk Compression – Retention Interface Updates
The event and flow retention interface has been updated to remove compression options
from the user interface as new installations of QRadar 7.2.7 include continuous / always on
data compression.
21 IBM Security
A number of general performance improvements across various aspects of the platform are also included
in QRadar 7.2.7:
Hardware Optimization
• QRadar auto tunes to the hardware platform and doesn’t simply match platform to our xx05 or xx28
profile.
• QRadar can now leverage hardware even larger than our own xx28 platform
Accumulator Global Views (GVs) Increased
• QRadar can now track up to 300 global views, up from the 130 prior to 7.2.6
• Directly translates to increased anomalous and behavioral threat detection capabilities
Pipeline Stability and Performance
• 10% reduction in CPU load compared to 7.2.6
• Burst handling will no longer report false positives of event rate over license
Other performance updates to QRadar 7.2.7
Custom Columns in QRadar 7.2.7
23 IBM Security
Log & Network Activity Enhancements - Custom Columns
In 7.2.7, we have continued our efforts to optimize a number of activities performed by
our users day in and day out. In this release, we have focused on the manipulation of the
columns in both the log and flow activity screens.
• The addition of a quick access screen to add/remove columns means that users no
longer have to defer to the Search->Edit Search screens to adjust the columns present
in their search.
• The ability to save a column layout and recall it later with a single click.
Click!
24 IBM Security
Search Enhancements – Custom Columns - Use
When editing the column layout of a search, you now have the option to save the layout
25 IBM Security
Search Enhancements – Delecting Custom Columns
After saving the column layout, you can delete it by selecting the layout and clicking the “Delete Column Layout” button
EPS Per Log Source UI & Reporting in QRadar 7.2.7
27 IBM Security
Per Log Source EPS Reporting
Log Source EPS Reporting lists the average EPS for each log source on both the Log Source screen as well
as in our Log Source reports, allowing users/administrators to quickly identify “noisy” or “expensive” log
sources as well as highlight potential configuration issues with log sources that are failing to report
AQL Changes in QRadar 7.2.7
29 IBM Security
Search Enhancements – AQL - Use
Two forms of conditional logic have been added to AQL statements in QRadar 7.2.7:
- IF/THEN/ELSE- CASE
The first form, IF/THEN/ELSE, allows users to perform simple conditional evaluation based on the condition contained within the IF.
Example: User wants to query the user associated with all events but realizes that the events may not contain the necessary user information so they decide to leverage the Asset database to fill in the gaps if possible.
select sourceip, if username is NULL then ASSETUSER(sourceip) else username
as username from events group by username last 2 DAYS
The second form, CASE, allows users to perform similar logic to IF/THAN/ELSE except with more conditional comparisons.
Example: User may want to expand the response code from a set of Blue Coat Proxy Logs
select case “BCReponseCode” when 200 then ‘OK’ when 404 then ‘Not Found’
when 401 then ‘Not Authorized’ else ‘N/A’ end from events where
LOGSOURCETYPENAME(devicetype) ilike ‘%bluecoat%’ last 2 days
See Conditional logic in AQL queries for more information.
System & License Management Changes in QRadar 7.2.7
31 IBM Security
Bonded Network Interface - Use
Administrators can now perform simple interface bonding as well as provide more advanced configuration capabilities without utilizing third party tools.
Where do I find this feature?Admin tab > System and License Management > Double-click an appliance > Network Interfaces
32 IBM Security
Get logs – Collect Application Extension Logs
Getlogs now has the ability to collect log
data for our Applications.
Where?System and License Management > Actions > Collect Log Files
NOTE: Administrators who want to leverage
application extensions on their Console should be using QRadar 7.2.6 Patch 4 or later.
Reference Data Changes in QRadar 7.2.7
34 IBM Security
Remove from Reference Data Collections
Administrators can now configure a rule response to remove items from reference data collections.
Rules can be configured to delete from:
Reference Set
Reference Map
Reference Map of Sets
Reference Map of Maps
Reference Table
API Changes in QRadar 7.2.7
36 IBM Security
API Updates
7.2.7 introduces QRadar V6.0 API endpoints
The following APIs have been removed: Version 2.0, 3.0, and 3.1 endpoints.
The following APIs have been added in 7.2.7:
• Help API endpoints
• Offenses API endpoints
• QRadar Vulnerability Manager API endpoints
• System API endpoints
37 IBM Security
API Updates – Help API Endpoints
– The following APIs have been added in 7.2.7
/api/help/versionsRetrieves a list of version documentation objects currently in the system.
/api/help/versions/{version_id}Retrieves a single version documentation object.
/api/help/resourcesRetrieves a list of resource documentation objects currently in the system.
/api/help/resources/{resource_id}Retrieves a single resource documentation object.
/api/help/endpointsRetrieves a list of endpoint documentation objects that are currently in the system.
/api/help/endpoints/{endpoints_id}Retrieves a single endpoint documentation object.
– The following endpoint has been removed
/help/capabilitiesLists all QRadar API capabilities.
38 IBM Security
API Updates – Offense API Endpoints
–The following APIs have been added in 7.2.7
/api/help/versionsRetrieves a list of version documentation objects currently in the system.
/api/help/versions/{version_id}Retrieves a single version documentation object.
/api/help/resourcesRetrieves a list of resource documentation objects currently in the system.
/api/help/resources/{resource_id}Retrieves a single resource documentation object.
/api/help/endpointsRetrieves a list of endpoint documentation objects that are currently in the system.
/api/help/endpoints/{endpoints_id}Retrieves a single endpoint documentation object.
/help/capabilitiesLists all QRadar API capabilities.
39 IBM Security
API Updates - Offenses API endpoints
– The following APIs have been added in 7.2.7
/api/siem/offenses_typesRetrieves all offense types.
/api/system/servers/{server_id}/network_interfaces/EthernetRetrieves an offense type structure that describes the properties of an offense type.
– The following endpoints are updated:
/api/siem/offensesRetrieves a list of offenses currently in the system.
/api/siem/offenses/{offense_id}Updates an offense.
40 IBM Security
API Updates - QRadar Vulnerability Manager API endpoints
– The following APIs have been added in QRadar 7.2.7
/api/qvm/saved_searchesNew endpoints for working with vulnerability saved searches
/api/qvm/saved_searches/{saved_search_id}Retrieves a saved search.
/api/qvm/saved_searches/{saved_search_id}/vuln_instancesCreates the Vulnerability Instances search.
/api/qvm/saved_searches/vuln_instances/{task_id}/statusRetrieves the current status of a Vulnerability Instance present in the asset model.
/api/qvm/saved_searches/vuln_instances/{task_id}/statusRetrieves the status of a Vulnerability Instance.
/api/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instancesLists the Vulnerability Instances returned from a saved search.
/api/qvm/saved_searches/vuln_instances/{task_id}/results/assetsLists the Vulnerability Instances assets returned from the saved search.
/api/qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilitiesLists the Vulnerability Instances vulnerabilities returned from the saved search.
41 IBM Security
API Updates - System API endpoints
The following APIs have been added in 7.2.7
/api/system/servers/{server_id}/network_interfaces/bondedCreates a new bonded network interface.
/api/system/servers/{server_id}/network_interfaces/bonded/{device_name}Removes a bonded network interface.
– The following APIs have been updated in 7.2.7
/api/system/servers/{server_id}/network_interfaces/bondedRetrieves a list of the bonded network interfaces based on the supplied server ID.
/api/system/servers/{server_id}/network_interfaces/bonded/{device_name}Updates an existing bonded network interface.
/api/system/servers/{server_id}/network_interfaces/EthernetRetrieves a list of the Ethernet network interfaces based on the supplied server ID.
/api/system/servers/{server_id}/network_interfaces/ethernet/{device_name}Updates an Ethernet network interface based on the supplied server ID and device name.
42 IBM Security
API Updates - QRadar Vulnerability Manager API endpoints
– The following APIs have been removed in 7.2.7
/api/qvm/savedsearches
/api/qvm/vulninstances
43 IBM Security
API Resources
QRadar API doc link
– https:// QRADAR_CONSOLE_IP/api_doc
Developer Works Forum to discuss, share and troubleshoot APIs
– https://www.ibm.com/developerworks/community/forums/html/forum?id=b02461a3-9a70-4d73-94e8-c096abe263ca
API Samples and Examples on GitHub
– https://github.com/ibm-security-intelligence/api-samples
NOTE: Code samples for QRadar 7.2.7 are still in validation with our quality team. These API code samples are expected to be released in two weeks. As always, administrators can use the API forums to keep up-to-date on when these code samples are posted.
Code samples are published by QRadar development as a learning tool for administrators and developers to understand how to leverage features in the QRadar API.
Extension / Application Framework Updates in QRadar 7.2.7
45 IBM Security
Extension / Framework Enhancements
Resource Specification
Application writers can now specify the amount of RAM necessary for the
applications to run. The defaults from 7.2.6 will still exist but now apps can
specify higher requirements and have higher default memory allocations.
This feature is important for applications that will be performing resources
intensive operations such as advanced analytics
Automatic upgrade of apps when being deployed from the SDK
Numerous enablement updates in preparation for the SDK Application (App for
writing Apps)
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOUhttps://www.facebook.com/IBM-Security-Support-221766828033861/
xforce.ibmcloud.com
@askibmsecurity
youtube/user/ibmsecuritysupport
FOLLOW US ON:
securityintelligence.com
QRadar Forums: https://ibm.biz/BdR2kC