Lab6-Using rules and building blocks PDF

Title Lab6-Using rules and building blocks
Course Computer and Network Security
Institution Universiti Putra Malaysia
Pages 14
File Size 1 MB
File Type PDF

Summary

Investigating an offense triggered by flows...


Description


Using rules and building blocks exercises

The exercises in this unit teach how to create, analyze, and manage rules. The exercises are listed in the following table:

Exercise | Purpose | Optional
Create an event rule | Show the relationship between rules and offenses | No
Analyze a default rule that triggers an offense | Show how to modify a rule to prevent an offense creation | No
Work with a rule's parameters | Explore the relationship between offenses and the event/flow count and offense count rule parameters | Yes
Edit a rule | Demonstrate two methods to remove changes made to a system rule | Yes
Search for rule | Use the rule search feature | Yes

Exercise 1. Create an event rule

Because scripts might run using terminated employees' user IDs, the organization wants to monitor the user accounts of terminated employees. You decide to configure QRadar SIEM to perform the following tasks:
• Create an event rule to create offenses for login activity
• Use a reference set to identify a class of objects

Note: The QRadar SIEM administrator created the reference set of terminated users. Therefore, the reference set exists.


In this exercise, you perform the following tasks:
• Create an event rule
• Generate events to trigger offenses
• Investigate the offenses

To create an event rule, perform the following steps:

1. In the QRadar SIEM console, click the Log Activity tab.
2. From the Rules list on the toolbar, select Rules.
3. From the Actions list, select New Event Rule. The Rules wizard opens.
4. Click Next twice. The Rule Wizard – Rule Test Stack Editor opens.
5. In the rule name field, type BQX Watchlist User Activity.


Note: It is a best practice to define a rule-naming policy for rules that you create. You might choose to name the rules with a prefix that easily identifies the rule. For example, IBM identifies the IBM Corporation. Alternatively, create a group and assign the rules that you create to the group.


6. Add the following tests to the rule under these conditions:
• when any of these event properties are contained in any of these reference set(s)
• when an event matches any|all of the following rules

To add the first rule test, when any of these event properties are contained in any of these reference set(s), perform the following steps:

a. Filter the options in the Test Group list. In the Type to filter field, type ref.
b. Click the green plus (+) icon next to the test when any of these event properties are contained in any of these reference set(s).

The underlined green sections of the rule are testable objects. Paste screenshot here

c. Click the testable object these event properties.
d. Filter the fields in the event property list. In the Type to filter field, type user.
e. Select Username and click Add.
f. Click Submit.
g. Click the testable object these reference set(s).
h. Select the reference set Watchlist Users and click Add.
i. Click Submit.

Paste screenshot here

To add the second rule test, when an event matches any|all of the following rules, perform the following steps:

j. In the Test Group list, select Functions - Simple.
k. Click the green plus (+) icon next to the only test listed.
l. Click the testable object rules.
m. Filter the options in the rules list. In the Type to filter field, type BB:Category.
n. Select BB:Category Definition: Authentication Success and click Add.
o. Click Submit.

7. Assign the rule to the group Authentication.
8. In the Note field, type This rule tracks the successful login of terminated users accounts.
9. Verify that your rule tests look similar to the one in the graphic.

Paste screenshot here

10. Click Next.

11. Configure the rule action and response as shown in the following table.

Field / Option | Setting

Rule Action
Ensure the detected event is part of an offense | enable
Index offense based on | Username
Annotate the event | enable; annotation: Watchlist user login success

Rule Response
Dispatch New Event | enable
Event Name | Watchlist user login
Event Description | Watchlist user login
Severity | [value not legible in the source]
Credibility | 10
Relevance | 10
High Level Category | Authentication
Low Level Category | User Login Success
Annotate this offense | enable; annotation: Watchlist user login success
Ensure the dispatched event is part of an offense | enable
Index offense based on | Username
This information should contribute to the naming of the associated offense(s) | enable

Note: The Index offense based on parameter defines the offense type in the All Offenses page.

12. Verify that the configuration looks like the one in the graphic.

Paste screenshot here

13. Click Next.

14. Verify that your rule summary looks similar to the one in the graphic.

Paste screenshot here

15. Click Finish.

16. Generate events to trigger offenses. In the PuTTY command line, type the following command: ./sendWindows.sh

Paste screenshot here

Note: Wait five minutes for the log events to trigger offenses.

17. Investigate the offenses created. Answer the following questions:

a. How many offenses did the rule BQX Watchlist User Activity create? On the Rule list page, select the rule and look for the offense count parameter.

Answer: 0

Paste screenshot here

b. List the user IDs that created offenses. In the QRadar SIEM console, double-click the Offenses tab and find offenses that have Watchlist in the description.

Answer: Paste screenshot here

c. What are the source IPs of the offenses created?

Answer: System Paste screenshot here

d. What are rules and what are they used for?

Answer: Apply Exploit: Multiple Vector Attack Source on events which are detected by the Local system Apply SuspiciousActivity: Communication with Known Watched Networks on events or flows which are detected by the Local system and when a flow or an event matches any of the following BB:NetworkDefinition: Watch List Addresses, BB:NetworkDefinition: Darknet Addresses

e. Which component of QRadar performs all tests, actions, and responses specified in rules?

Answer: log Activity

f. What are building blocks and what are they used for?

Answer:...
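As an added illustration that is not part of the lab or of QRadar itself, the following Python models the two rule tests from step 6 (Username contained in the Watchlist Users reference set, AND a match on BB:Category Definition: Authentication Success) and the Dispatch New Event response from step 11, using a constructed reference set and constructed sample events in place of the output of sendWindows.sh. It shows why several matching events for one user land in a single offense when the offense is indexed on Username, which is the offense count question 17a asks about; the Severity value is omitted because it is not legible in the source.

```python
from collections import defaultdict

# Constructed stand-in for the "Watchlist Users" reference set the administrator created.
WATCHLIST_USERS = {"jsmith", "mlee"}


def bb_authentication_success(event):
    """Constructed stand-in for BB:Category Definition: Authentication Success:
    here it simply checks the event's low-level category."""
    return event.get("low_level_category") == "User Login Success"


def rule_tests_pass(event, reference_set=WATCHLIST_USERS):
    """Both tests of BQX Watchlist User Activity, AND-ed as in the rule test stack:
    Username is contained in the reference set and the event matches the building block."""
    username = event.get("username")
    return username is not None and username in reference_set and bb_authentication_success(event)


def dispatch_new_event(event):
    """Rule response from step 11: the dispatched event carrying the configured fields."""
    return {
        "event_name": "Watchlist user login",
        "event_description": "Watchlist user login",
        "credibility": 10,
        "relevance": 10,
        "high_level_category": "Authentication",
        "low_level_category": "User Login Success",
        "annotation": "Watchlist user login success",
        "username": event["username"],
        "source_ip": event["source_ip"],
    }


def run_rule(events):
    """Evaluate events and group the dispatched events into offenses keyed on Username,
    mirroring 'Index offense based on: Username'. Returns {username: [dispatched events]}."""
    offenses = defaultdict(list)
    for ev in events:
        if rule_tests_pass(ev):
            offenses[ev["username"]].append(dispatch_new_event(ev))
    return dict(offenses)


# Constructed sample events resembling the Windows logon events the lab replays.
SAMPLE_EVENTS = [
    {"username": "jsmith", "source_ip": "10.0.0.5", "low_level_category": "User Login Success"},
    {"username": "jsmith", "source_ip": "10.0.0.5", "low_level_category": "User Login Success"},
    {"username": "mlee", "source_ip": "10.0.0.9", "low_level_category": "User Login Failure"},
    {"username": "bob", "source_ip": "10.0.0.7", "low_level_category": "User Login Success"},
    {"username": "mlee", "source_ip": "10.0.0.9", "low_level_category": "User Login Success"},
]

if __name__ == "__main__":
    for user, evs in run_rule(SAMPLE_EVENTS).items():
        print(f"offense indexed on {user}: {len(evs)} dispatched event(s) from {evs[0]['source_ip']}")
```

Five sample events yield only two offenses, one per watchlisted user, while the failed logon and the non-watchlisted user produce none.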
