FIREEYE ISIGHT APP FOR QRADAR
OVERVIEW, INSTALLATION AND CONFIGURATION

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.FireEye.com | © 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.CSEG.EN-US.042016


CONTENTS

App Description
System Requirements
Installation and Configuration
Configuration
Define FireEye iSIGHT Authorized Service
App Admin Settings
Configuration File
App Functionality
FireEye iSIGHT Indicator Data in Reference Sets
Embedded FireEye iSIGHT Rule
Upgrade from App version 1.0.1 / 1.0.2 to 1.1.0
Logging and Troubleshooting
App Specific Logs
Other App Logs
Troubleshooting Q&A


App Description

IBM QRadar is a market leader as per Gartner’s 2015 Magic Quadrant for SIEM. QRadar consolidates log source event data from thousands of device endpoints and applications distributed throughout a network. The FireEye iSIGHT Intelligence App for QRadar facilitates the delivery of FireEye iSIGHT Indicators to our customers' QRadar instances. Once consumed by a QRadar instance, these Indicators are treated as QRadar reference sets and can be used in search, correlation, reporting, and visualization workflows in the same manner as other data.

System Requirements

The FireEye iSIGHT Intelligence App for QRadar is supported on QRadar version 7.2.8 with Patch 8 and QRadar 7.3.0 with Patch 4 SFS. The app requires a minimum of 100 KB of disk space. App version 1.1.0 requires 500 MB of memory.

Installation and Configuration

The FireEye iSIGHT Intelligence App for QRadar is available from IBM’s Security App Exchange: http://www-03.ibm.com/software/products/en/QRadar-siem

Configuration

Once the App is installed, the FireEye iSIGHT Intelligence application should be visible in the Admin tab of the QRadar application, under Plug-Ins.


Define FireEye iSIGHT Authorized Service

The FireEye iSIGHT Intelligence App requires background jobs to retrieve FireEye iSIGHT indicator data. For background jobs to retrieve data automatically, we need to create the QRadar Authorized Service Security Token. Use the following procedure to generate the QRadar Security Token:

1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click Authorized Services.
4. Click Add Authorized Service.


5. In the Service Name field, type a name for this authorized service. The name can be up to 255 characters in length.
6. From the User Role list, select Admin.
7. In the Expiry Date list, select the No Expiry check box.
8. Click Create Service.

The confirmation message contains an authentication token field that you must copy into the FireEye iSIGHT Intelligence App configuration, in the QRadar Security Token section to authenticate with the QRadar application.

App Admin Settings

Users will be able to enter their API key information through API2 Server Configuration. Configuration of the indicators ingested is accomplished by the endpoint “Indicators of Compromise” and by selecting IP, Domain, MD5, SHA1, SHA256, URL and Filename indicators from Indicator Selection. From Data Lifespan Settings, the Time to Live (TTL) for indicators can be configured. TTLs are grouped into two groups, Short TTL and Long TTL, for IP and Domain indicators. Other indicators will never expire. Users should be able to modify the recommended TTL based on their own use case or internal weighting. Imported indicators should have a configurable TTL, with preset values that match the following:

o 60 Days for an IP address and Domain from last seen (Non-Cyber Espionage)
o 90 Days for an IP address and Domain from last seen (Cyber Espionage)
o For MD5, SHA1, SHA256, URL and Filename indicators, the timeout will be forever.
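The expiry policy above, written out as a small Python module so the effect of the presets can be checked against sample data. This is an added example, not FireEye's app code: the preset values (60 and 90 days from last seen for IP and Domain, never for hashes, URLs and filenames) are the page's, while the Indicator record layout, the field names and the sample indicators are this example's own assumptions. The short and long TTLs are parameters so that, as the page says, the recommended values can be adjusted per use case.

```python
"""Indicator expiry policy mirroring the app's Data Lifespan presets.

Added example, not FireEye's app code. Preset TTLs are the page's values:
60 days for IP/Domain (non-cyber-espionage), 90 days for IP/Domain
(cyber espionage), never for MD5/SHA1/SHA256/URL/Filename; all counted
from the indicator's last-seen time. The Indicator record layout and the
sample data below are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400
SHORT_TTL_DAYS = 60   # IP / Domain, non-cyber-espionage (page preset)
LONG_TTL_DAYS = 90    # IP / Domain, cyber espionage (page preset)

EXPIRING_TYPES = {"ip", "domain"}
PERMANENT_TYPES = {"md5", "sha1", "sha256", "url", "filename"}


@dataclass
class Indicator:
    kind: str                 # one of EXPIRING_TYPES | PERMANENT_TYPES (assumed layout)
    value: str
    last_seen: int            # epoch seconds of the last-seen time
    espionage: bool = False   # True when the intel is tagged cyber espionage


def ttl_seconds(ind: Indicator, short_days: int = SHORT_TTL_DAYS,
                long_days: int = LONG_TTL_DAYS) -> Optional[int]:
    """TTL in seconds for this indicator, or None if it never expires."""
    kind = ind.kind.lower()
    if kind in PERMANENT_TYPES:
        return None
    if kind not in EXPIRING_TYPES:
        raise ValueError(f"unknown indicator type: {ind.kind}")
    return (long_days if ind.espionage else short_days) * DAY


def expires_at(ind: Indicator, **ttl_overrides) -> Optional[int]:
    """Epoch second at which the indicator should leave the reference set."""
    ttl = ttl_seconds(ind, **ttl_overrides)
    return None if ttl is None else ind.last_seen + ttl


def is_expired(ind: Indicator, now: int, **ttl_overrides) -> bool:
    exp = expires_at(ind, **ttl_overrides)
    return exp is not None and now >= exp


def live_indicators(inds: List[Indicator], now: int, **ttl_overrides) -> List[Indicator]:
    """Indicators that should still be present in the reference sets at `now`."""
    return [i for i in inds if not is_expired(i, now, **ttl_overrides)]


# Constructed sample data (documentation addresses, not real intelligence).
NOW = 1500891969   # arbitrary epoch used as "current time"
SAMPLE = [
    Indicator("ip", "203.0.113.45", NOW - 61 * DAY),                  # 61 days old, short TTL: expired
    Indicator("ip", "198.51.100.7", NOW - 61 * DAY, espionage=True),   # 61 days old, long TTL: live
    Indicator("domain", "bad.example.net", NOW - 10 * DAY),            # recent: live
    Indicator("md5", "d41d8cd98f00b204e9800998ecf8427e", NOW - 5 * 365 * DAY),  # hashes never expire
]

if __name__ == "__main__":
    for ind in SAMPLE:
        print(ind.kind, ind.value, "expired" if is_expired(ind, NOW) else "live")
```

Passing `short_days=7` to `live_indicators` shows how tightening the Short TTL drops the ten-day-old domain while the hash entries stay regardless, which is the behaviour an analyst should expect from the reference sets after the app applies the lifespan settings.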


Users will be able to configure the internal organization’s web proxy server from Network Proxy Settings by providing respective proxy details. To activate the web proxy settings, the user should click on the check box. Polling Rate is the interval in seconds at which the QRadar application will poll the FireEye iSIGHT API for new indicators. Incremental load can be triggered manually by clicking the ‘Refresh Data Now’ button. From Initial Data Load, a historical indicator load can be triggered manually by entering the historical date (since when data needs to be pulled into the system) in the ‘Load Data’ field and clicking on ‘Start Load’. Users can load historical data up to 4 years.

Field Definitions for Admin Settings

Property | Description
APIv2 Server URL | FireEye iSIGHT Intelligence API URL. By default, this will be https://api.iSIGHTpartners.com
APIv2 Server Public Key | FireEye iSIGHT Intelligence API v2 public key (API Key)
APIv2 Server Private Key | FireEye iSIGHT Intelligence API v2 private key (Secret)
APIv2 Endpoint | FireEye iSIGHT Intelligence v2 endpoints (view/iocs).
Polling Rate | Polling interval for incremental data load. Suggested 3600 sec
Short TTL | Time to live for indicators tagged as short TTL (IP, Domain)
Long TTL | Time to live for indicators tagged as long TTL
Indicator Selection | Indicators to be polled
Load Data | Input field for historical data load (load data since date).
Start Load | Initiate process for full data load
Refresh Data Now | Load incremental data since last successful run
Load Offense Metadata | Flag to load API metadata for the offense source on the Offense summary page.
Save Setting | Save configuration
Proxy Host | Web proxy IP/hostname
Proxy Port | Web proxy port
Proxy User | Web proxy username
Proxy Password | Web proxy password
QRadar Security Token | QRadar Security Token available from QRadar Authorized Services

Configuration File

All the configured values are saved into the application’s app_config.ini file. This file can be used to cross-validate the configuration made from the user interface. Key and password values are stored in encrypted format.

App Functionality

The functionality of the FireEye iSIGHT Intelligence App for QRadar is underpinned by FireEye iSIGHT Intelligence API v2; this API is the repository from which the App for QRadar retrieves its data, after which QRadar users rely on the QRadar engine to leverage the API data. The FireEye iSIGHT Intelligence App for QRadar automates ingestion of indicators and leverages QRadar’s new GUI Application framework to facilitate provisioning, correlation of FireEye iSIGHT indicators and easy access to intelligence context directly from the QRadar interface.

FireEye iSIGHT Indicator Data in Reference Sets

Reference sets are the data store which contains a set of elements within the QRadar environment. FireEye iSIGHT indicators are stored in reference sets. Following are the reference sets created by the FireEye iSIGHT Intelligence App for QRadar.


Users can create rules to detect log activity or network activity that is associated with the above reference set. For example, users can create a rule to detect when an unauthorized IP attempts to access their network resources.

Embedded FireEye iSIGHT Rule:

Basic rules for IP, Domain, URL and Hash (MD5, SHA1 and SHA256) are included in FireEye iSIGHT Intelligence QRadar App v1.1.0.


a) FireEye_IP_Rule_Standard: FireEye iSIGHT IP matching rule; if the source IP or destination IP in the event is present in the FireEye iSIGHT IP reference set, generate an offense.

b) FireEye_IP_Rule_Custom: FireEye iSIGHT IP matching rule; if an IP in the event payload is present in the FireEye iSIGHT IP reference set, generate an offense.

c) FireEye_Domain_Rule: FireEye iSIGHT domain matching rule; if a domain present in the event payload is present in the FireEye iSIGHT domain reference set, generate an offense.

d) FireEye_URL_Rule: FireEye iSIGHT URL matching rule; if a URL present in the event payload is present in the FireEye iSIGHT URL reference set, generate an offense.

e) FireEye_MD5_Rule: FireEye iSIGHT MD5 matching rule; if an MD5 hash present in the event payload is present in the FireEye iSIGHT MD5 reference set, generate an offense.

f) FireEye_Sha1 Rule: FireEye iSIGHT SHA1 matching rule; if a SHA1 hash present in the event payload is present in the FireEye iSIGHT SHA1 reference set, generate an offense.

g) FireEye_Sha256 Rule: FireEye iSIGHT SHA256 matching rule; if a SHA256 hash present in the event payload is present in the FireEye iSIGHT SHA256 reference set, generate an offense.

Note: The regular expressions used in the URL and Domain custom properties do not include support for special language characters.

With QRadar app version 1.1.0, users can now view API offense source metadata on the offense summary page for offenses that are generated by the above FireEye rules, or if the offense Type is Source IP or Destination IP. Offense source metadata will be visible only if the load metadata option is enabled on the Admin config page. Users can also view the complete HTML report for the offense source metadata. The number of records shown in offense API metadata is restricted to 5.
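To make the seven rules concrete, here is an added example (not the app's rule definitions and not QRadar's rule engine) that models the reference sets as Python sets, pulls IPs, domains, URLs and hashes out of an event's source/destination fields and payload with regular expressions, and reports which rule would fire and on which indicator. The reference-set contents, the event layout and the sample events are constructed for the example; the regexes are this example's own and, like the app's custom properties, are ASCII-only, so they share the limitation in the Note above.

```python
"""Reference-set matching in the spirit of the embedded FireEye rules.

Added example, not the app's rule definitions or QRadar's rule engine. It
models the app's reference sets as Python sets, extracts IPs, domains, URLs
and hashes from an event's source/destination fields and payload with
regular expressions, and reports which rule would generate an offense and
on which indicator. Reference-set contents, event layout and sample events
are constructed for the example; the regexes are this example's own and,
like the app's custom properties, are ASCII-only.
"""
import re
from typing import Dict, List, Tuple

# Constructed reference-set contents (documentation addresses and empty-file hashes, not IoCs).
REFERENCE_SETS: Dict[str, set] = {
    "ip": {"203.0.113.45"},
    "domain": {"bad.example.net"},
    "url": {"http://bad.example.net/payload.bin"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
    "sha1": {"da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")   # ASCII labels only
# Word boundaries keep the three hash lengths from matching inside each other.
HASH_RES = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}
HASH_RULES = {"md5": "FireEye_MD5_Rule", "sha1": "FireEye_Sha1 Rule", "sha256": "FireEye_Sha256 Rule"}


def _hits(found, refset) -> List[str]:
    """Values from `found` that are present in the reference set, in stable order."""
    return sorted(set(found) & refset)


def evaluate(event: dict) -> List[Tuple[str, str]]:
    """Return (rule name, matched indicator) pairs, in the page's rule order a) to g)."""
    fired = []
    payload = event.get("payload", "")
    # a) source or destination IP present in the IP reference set
    for ip in _hits([event.get("source_ip"), event.get("destination_ip")], REFERENCE_SETS["ip"]):
        fired.append(("FireEye_IP_Rule_Standard", ip))
    # b) any IP found in the payload
    for ip in _hits(IP_RE.findall(payload), REFERENCE_SETS["ip"]):
        fired.append(("FireEye_IP_Rule_Custom", ip))
    # c) domain in the payload (case-insensitive)
    for d in _hits((d.lower() for d in DOMAIN_RE.findall(payload)), REFERENCE_SETS["domain"]):
        fired.append(("FireEye_Domain_Rule", d))
    # d) URL in the payload (exact match against the set)
    for u in _hits(URL_RE.findall(payload), REFERENCE_SETS["url"]):
        fired.append(("FireEye_URL_Rule", u))
    # e), f), g) hashes in the payload, normalised to lowercase
    for algo, rx in HASH_RES.items():
        for h in _hits((h.lower() for h in rx.findall(payload)), REFERENCE_SETS[algo]):
            fired.append((HASH_RULES[algo], h))
    return fired


# Constructed sample events (private and documentation addresses).
EVENTS = [
    {"source_ip": "10.0.0.5", "destination_ip": "203.0.113.45",
     "payload": "fw: accept 10.0.0.5 -> 203.0.113.45:443"},
    {"source_ip": "10.0.0.7", "destination_ip": "10.0.0.1",
     "payload": "proxy: GET http://bad.example.net/payload.bin user=alice"},
    {"source_ip": "10.0.0.9", "destination_ip": "10.0.0.1",
     "payload": "av: quarantined file md5=D41D8CD98F00B204E9800998ECF8427E"},
    {"source_ip": "10.0.0.9", "destination_ip": "10.0.0.1",
     "payload": "dns: query www.example.org"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["payload"], "->", evaluate(ev) or "no offense")
```

The matched indicator is returned beside the rule name because it is the value the later "Offense Metadata Load" section has you index the offense on (Source IP, Destination IP or the FireEye custom property); without it the offense summary page has nothing to look up metadata for.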

Users need to double click on offense source to view metadata

Result once user double clicks on offense source


Also, starting with version 1.1.0, users do not need to access MySIGHT to view the complete HTML report through an IP right click on “All Offenses”. Users can view the complete HTML report in the QRadar browser itself. The number of records shown on IP right click is restricted to 10. Currently the right click functionality is available only for IP (if the offense Type is Source IP or Destination IP), and on “All Offenses”. To view the HTML report for other indicators like URL, Domain and Hash, users need to open an offense; they can then view the API metadata and HTML report by enabling the load metadata option on the admin config page.

User action: right click on IP address

User screen after right click user action


Upgrade from App version 1.0.1 / 1.0.2 to 1.1.0:

Reference set data, which used to start with “iSIGHT Partners” in previous versions, has been changed to start with “FireEye iSIGHT Intelligence” from version 1.1.0. The following steps are recommended for upgrade.

Upgrade on QRadar Version 7.3.0 Patch 1 SFS up to Patch 4 SFS

1) Upgrade the FireEye iSIGHT App from version 1.0.1 or 1.0.2 to 1.1.0 through extension management.
2) Once the upgrade is successful, kindly log out and log in again to reflect the changes for app version 1.1.0.
3) Kindly set the Load Data date in the format (mm/dd/yyyy) for loading historical API data on the FireEye Admin configuration page and save settings. Customers can load up to 4 years of historical data. Note: step 3 is very important for the upgrade to FireEye app version 1.1.0, as the load date has been changed from a number to a date format.
4) Click “Start Load” to load the API historical data in QRadar.

Upgrade on QRadar Version 7.2.8 with Patch 8

Kindly note that we don’t support FireEye iSIGHT app upgrade (1.0.1 or 1.0.2 to 1.1.0) on version 7.2.8 with Patch 8 by having the previous version (1.0.1 or 1.0.2) installed and then upgrading to the new version (1.1.0). Below are the steps for doing an app replace on version 7.2.8 with Patch 8.

1) Kindly take a backup of the API keys and network proxy settings from the UI.
2) Delete the existing FireEye iSIGHT App.
3) Install FireEye iSIGHT App version 1.1.0 through extension management.
4) After successful installation, kindly set the required configurations on the admin configuration page. Also, kindly set the Load Data date in the format (mm/dd/yyyy) to load historical data. By default, it will be three months prior to the current date.
5) Click Start Load to load the API historical data in QRadar.

Impact on existing Rules:

From version 1.1.0, the app includes embedded basic rules for IP, Domain, URL and hash. These basic rules point to the new reference data sets starting with “FireEye iSIGHT Intelligence”. As we are not updating the older “iSIGHT Partners” reference sets, existing rules pointing to the “iSIGHT Partners” reference data sets will not be able to generate offenses for the latest indicator data coming from the API. Users have a choice to use either our embedded rules or their existing rules. In case users want to use their existing rules, they need to modify the existing rules to point to the new “FireEye iSIGHT Intelligence” reference set data, as shown in the example below.


Steps to change existing rules:

1) Navigate to the existing rule and open it.
2) Click on “these event property”.
3) Search with the FireEye keyword in the event property wizard.
4) Select the relevant property related to the existing rule and click on the Submit button.
5) Now click on “these reference sets(s)”.
6) Search for the FireEye keyword in the reference sets wizard.
7) Select the relevant reference set related to that specific rule and click on the Submit button.
8) Click on the Finish button.


Offense Metadata Load for existing rules:

If users want to view API offense source metadata on the offense summary page for offenses that are generated by their existing rules, then ensure that the offense Type in the offense is as below.

IP: Source IP, Destination IP, FireEye_IP_property (custom)
Domain: FireEye_Domain_property (custom)
MD5 HASH: FireEye_MD5_property (custom)
SHA1 HASH: FireEye_Sha1_property (custom)
SHA256 HASH: FireEye_Sha256_property (custom)
URL: FireEye_URL_property (custom)

Example: Steps to see metadata by modifying an existing rule:

1) Open any existing rule which is linked to the “FireEye iSIGHT Intelligence” reference sets.
2) Click on the Next button.
3) In the Rule action section, select the FireEye custom property according to the rule from the “Index offense based on” dropdown box, e.g. for an IP rule the user can select Source IP or Destination IP as per the use case.
4) Select Dispatch New Event from the Rule response section.


In the Rule response section, select FireEye custom property according to rule from “Index offense based on” dropdown box. E.g. For IP user can select source IP or destination IP as per use case.

5) Keep the other settings as they are.
6) Click on the Finish button.



Customers can also refer to the embedded FireEye rules to see how they have been built to produce the above offense types for loading offense metadata on the offense summary. In case of duplication between existing rules and the rules embedded in 1.1.0, it is recommended to keep only one rule.

Logging and Troubleshooting

App Specific Logs

All FireEye iSIGHT Intelligence App logs can be found at:

V 7.3.0: /store/docker/volumes/qapp-{dockerid}/log/app.log
V 7.2.8: /store/docker/volumes/qapp-{dockerid}/_data/log/app.log

Application log files can also be accessed through the QRadar API endpoint: https://<console_ip>/console/plugins/{application_id}/app_proxy/debug

There are three levels of supported logging, configurable via the QRadar configuration:

Log Level | Filename | Description
INFO (Default) | info.log | The standard info log, used to track regular operation of the system.
ERROR | error.log | The error log is used to track any exceptions that occur during software execution, including but not limited to unexpected API calls and internal errors. Stack traces will be present where possible, as well as pertinent state information.
DEBUG | debug.log | Debug logging of the system, not enabled by default.

Other App Logs

QRadar writes to a startup.log file to log high-level actions initiated for the application, such as REST calls and messages for application-specific installation:

V 7.3.0: /store/docker/volumes/qapp-{dockerid}/log/startup.log
V 7.2.8: /store/docker/volumes/qapp-{dockerid}/_data/log/startup.log

Example:

Dec 04 08:16:53 2015: pip install /src_deps/pip/ijson-2.2-py2.py3-none-any.whl


172.x.x.1 - - [04/Dec/2015 08:17:45] "GET /admin HTTP/1.1" 200
172.x.x.1 - - [04/Dec/2015 08:18:28] "POST /admin/save HTTP/1.1" 200 -
172.x.x.1 - - [04/Dec/2015 08:18:45] "POST /admin/fullLoad HTTP/1.1" 200 -
172.x.x.1 - - [04/Dec/2015 08:18:45] "POST /admin/checkLoadStatus HTTP/1.1" 200 -

The app.log file contains most of the error statements that are related to the FireEye iSIGHT App for QRadar:

V 7.3.0: /store/docker/volumes/qapp-{dockerid}/log/app.log
V 7.2.8: /store/docker/volumes/qapp-{dockerid}/_data/log/app.log

This file gets rolled over from app.log.1 through app.log.5.

Troubleshooting Q&A

Q) How does indicator data get fetched from the API Server?
A) Fetching of indicator data is done in three different ways.

• After setting all required configuration values, the user can click on Start Load; at this point the app will fetch the data starting from the date mentioned in the Load Data field.
• After Start Load completes, the application will start to fetch the indicator data from the API Server at the configured polling interval.
• If the user wants to fetch new data before the polling interval, they can click on the Refresh Data Now button. The app will fetch the data from the last data fetch time to the current time.

The FireEye iSIGHT Intelligence App always saves the last successful data fetch timestamp in the application's configuration file, i.e. app_config.ini.

Q) Reference Sets are not getting created?
A) Check the application configuration for the QRadar security token, FireEye iSIGHT API keys, API URL, polling interval and web proxy settings (if a web proxy is enabled). The respective error statement along with the status code is logged into the app.log file.

Q) Refresh now functionality is not working?
A) Check whether another data pull operation is in progress. Check for the latest “Server: get_load_status busy: [True]” message in app.log. The value “True” reports that a data pull is in progress.

Q) How to identify the last successful indicator polling?
A) The application logs the last successful indicator data fetch value into app_config.ini. This file holds the last successful polling timestamp, e.g. “last_run = 1449217125”. The value is in epoch time format.


Q) How to check which indicators are subscribed?
A) The information for indicator subscription is available in the application configuration UI itself. The same information is also available in app_config.ini under the [indicator_config] block, e.g.:

[indicator_config]
domain = checked
sha1 = checked
url = checked
ip = checked
filename = checked
sha256 = checked
md5 = False

Q) How to identify the last indicator data poll duration?
A) The application fetches the indicator data from the API Server for a specific period of time. These details are available in app.log as below.

Fetching indicators from API, API URL: [/view/iocs?], API version [2.6], Start time [1500888367] and End time [1500891969]
Successfully Fetched indicators from API, API URL: [/view/iocs?], API version [2.6], Start time [1500888367] and End time [1500891969]
Loading Indicators in QRadar started for start time [1500888367] and end time [1500891969]
Loading Indicators in QRadar ended for start time [1500888367] and end time [1500891969]

The difference between start time and end time is the polling interval.

Q) Elements in the reference sets are not updated after the indicator fetch.
A) These are the reasons why data will not get updated in reference sets.

• Duplicate data was received; the data is already in the reference set.
• There is no new indicator data available from the API Server.
• Verify the validity of the configured QRadar token.
• Verify the API keys are valid.
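The three Q&A items about how data is fetched, where the last successful fetch time lives and how the [indicator_config] block is read describe one piece of state machinery; the following added example (not the app's code) puts it in one place. It reads `last_run` and the subscription block from an app_config.ini, derives the incremental window the page's app.log lines show (start time = last_run, end time = now), derives the historical window for a Load Data date in the page's mm/dd/yyyy format with the 4-year cap, refuses a second pull while one is in progress (the page's "get_load_status busy: [True]"), and advances `last_run` only when the fetch succeeded. The [poll] section name, the polling_rate key, the Poller class and the sample file contents are this example's assumptions; only the [indicator_config] keys and the log line format come from the page.

```python
"""Incremental polling state kept in app_config.ini, as an added example.

Not the app's code. It reads the two pieces of state the page says live in
app_config.ini (the `last_run` epoch of the last successful fetch and the
[indicator_config] block), derives the next incremental fetch window and the
historical window for a Load Data date, guards against a concurrent pull (the
page's "get_load_status busy: [True]"), and commits `last_run` only when the
fetch succeeded. The [poll] section name, the polling_rate key, the Poller
class and the sample file contents are this example's assumptions.
"""
import configparser
from datetime import datetime, timezone
from typing import Callable, List, Tuple

DAY = 86400
MAX_HISTORY_YEARS = 4   # page: users can load historical data up to 4 years

# Constructed sample config; the [indicator_config] keys mirror the page's example.
SAMPLE_INI = """\
[poll]
last_run = 1500888367
polling_rate = 3600

[indicator_config]
domain = checked
sha1 = checked
url = checked
ip = checked
filename = checked
sha256 = checked
md5 = False
"""


def load_config(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def subscribed_indicators(cp) -> List[str]:
    """Indicator types marked 'checked'; anything else (e.g. md5 = False) is unsubscribed."""
    return sorted(k for k, v in cp["indicator_config"].items() if v.strip().lower() == "checked")


def fetch_window(cp, now: int) -> Tuple[int, int]:
    """Incremental window: from the last successful run up to now (epoch seconds)."""
    start = cp.getint("poll", "last_run")
    if now < start:
        raise ValueError("clock moved backwards relative to last_run")
    return start, int(now)


def poll_due(cp, now: int) -> bool:
    """True once a full polling interval has elapsed since last_run."""
    return now - cp.getint("poll", "last_run") >= cp.getint("poll", "polling_rate")


def historical_window(load_date: str, now: int, max_years: int = MAX_HISTORY_YEARS) -> Tuple[int, int]:
    """Window for Start Load from a Load Data date in the page's mm/dd/yyyy format (UTC midnight)."""
    start = int(datetime.strptime(load_date, "%m/%d/%Y").replace(tzinfo=timezone.utc).timestamp())
    if start < now - max_years * 365 * DAY:
        raise ValueError(f"Load Data date is more than {max_years} years back")
    if start > now:
        raise ValueError("Load Data date is in the future")
    return start, int(now)


class Poller:
    """One incremental pull at a time; last_run advances only on success."""

    def __init__(self, cp):
        self.cp = cp
        self.busy = False   # same state the app reports through get_load_status

    def run(self, now: int, fetch: Callable[[int, int], None]) -> Tuple[bool, List[str]]:
        if self.busy:
            return False, ["Server: get_load_status busy: [True]"]
        self.busy = True
        start, end = fetch_window(self.cp, now)
        log = [f"Fetching indicators from API, API URL: [/view/iocs?], API version [2.6], "
               f"Start time [{start}] and End time [{end}]"]
        try:
            fetch(start, end)                            # fetch and load into reference sets
            self.cp.set("poll", "last_run", str(end))    # commit the window only on success
            log.append(f"Successfully Fetched indicators from API, API URL: [/view/iocs?], "
                       f"API version [2.6], Start time [{start}] and End time [{end}]")
            return True, log
        except Exception as exc:                         # keep last_run so the window is retried
            log.append(f"Fetch failed, last_run unchanged: {exc}")
            return False, log
        finally:
            self.busy = False


if __name__ == "__main__":
    cp = load_config(SAMPLE_INI)
    print("subscribed:", subscribed_indicators(cp))
    ok, lines = Poller(cp).run(1500891969, lambda s, e: None)
    print(ok, *lines, sep="\n")
```

Leaving `last_run` untouched on failure is the property behind the page's troubleshooting advice: a bad QRadar token or API key makes every pull fail, the window keeps its old start, and once the credentials are fixed the next pull covers the whole gap instead of silently skipping it. Refresh Data Now is the same `run` call made outside the polling schedule, which is why the page says it fetches from the last fetch time to the current time.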