Encode Rule Explorer App v1.0.2 for IBM QRadar Documentation


Encode Rule Explorer App for IBM QRadar, Copyright © 2017 Encode SA, All rights reserved.

Revision to This Document

Date               Revision Description
30 June, 2017      First edition for v1.0.0
30 July, 2017      Updated documentation
15 November, 2017  v1.0.1
16 March, 2018     v1.0.2 - Bug fixes, UI improvements


Contents

Introduction
  Audience
  Installation Requirements
Installation
  Steps to install your extension for QRadar SIEM (UI)
  Steps to uninstall your extension for QRadar SIEM (UI)
Configuration
  Exporting Content from QRadar
  Importing Content to the QRadar App
Using Rule Explorer
  Navigation
  Rules
  Building Blocks
  Rule and Building Blocks Details
Known issues

Introduction

Encode Rule Explorer App for IBM QRadar allows operators to navigate through rules and building blocks and to view test conditions, rule actions and responses, as well as the test conditions of the referenced building blocks, all in one view. It offers quick and easy navigation between rules/building blocks and the rules/building blocks referenced in their test conditions. Other capabilities include identification of the dependencies of a rule or building block (what it uses) and of its dependents (what uses it). This is useful for troubleshooting issues with the Custom Rule Engine and for understanding complicated rules in QRadar.

Audience

This guide is for users of IBM QRadar systems who need to install the Encode Rule Explorer App.

Installation Requirements

The Rule Explorer App for QRadar has been tested on IBM QRadar version 7.2.8 as well as version 7.3.0 (patch 5 and later) and 7.3.1. The Rule Explorer App has not been tested for compatibility with QRadar versions earlier than 7.2.8. The application is currently not compatible with earlier patches of version 7.3.0 (patches 0-4). To install the QRadar App you need QRadar Admin privileges.


Installation

Please consult the previous section, "Installation Requirements", first.

Steps to install your extension for QRadar SIEM

First download the application, which is distributed as a ZIP file, from IBM X-Force Exchange.

To install the application, log in to the QRadar web application and select the Admin tab. Under the System Configuration section select Extensions Management.

In the pop-up window click the Add button in the upper right area.


Browse for the downloaded ZIP file and check "Install Immediately".

Confirm the installation by clicking Install in the pop-up window.

Wait for the installation to finish.


In some cases the installation reports that it finished with errors. This error is not fatal and the application should still have been installed properly.

Click OK. In Extensions Management you will now see that the application installed successfully.

Try to access the application under the "Rule Explorer" tab.


Steps to uninstall your extension for QRadar SIEM

To uninstall the application, log in to the QRadar web application and select the Admin tab. Under the "System Configuration" section select "Extensions Management". Under the ALL ITEMS tab you will find the application "Rule Explorer".

Clicking anywhere in the application row shows extra information along with the Uninstall button.

Confirm uninstalling in the pop-up window and wait until the progress pop-up disappears.

If all goes well, a final pop-up window will display the uninstall outcome.


Configuration

Exporting Content from QRadar

1. Use SSH to log in to the QRadar console as the root user.

2. Create a file named package.txt in the /tmp directory on the QRadar console with the following contents. Restricting the export to rule groups and custom rules is all the app needs and avoids overloading the system with a full content export:

fgroup,all
customrule,all

3. From within the /tmp directory, use the contentManagement.pl script to export the custom content by issuing the following commands:

cd /tmp
/opt/qradar/bin/contentManagement.pl --action export --content-type package --file package.txt

The content is exported to a compressed file, for example, all-ContentExport-20151022101803.zip.

Caution: Systems with large amounts of custom rules may experience slowdowns during the rule export process, so schedule the export outside busy periods. The export contains your complete custom detection logic; treat it as sensitive and remove package.txt and the ZIP from /tmp once they have been uploaded to the app.


Importing Content to the QRadar App

To import the exported content to the App use the following steps:

1. Unzip the exported content

2. Go to the QRadar App and navigate to Resources -> Storage

3. Select Upload under the section Manage Storage.

4. Select the XML file that was extracted from the ZIP file in step 1 (e.g. package.txt-ContentExport-20151022101803.xml).

You can upload multiple content exports and select between each one under the Content Files menu at the top bar.
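The export and import steps above can be scripted on the console. The following Python is an added example, not part of the Encode documentation or of the app itself: it writes package.txt exactly as shown, runs contentManagement.pl with the documented arguments, picks the newest export ZIP and extracts only its XML members, ready for upload under Resources -> Storage. Assumptions not stated on the page: it runs as root on the QRadar console, the export ZIP name follows the *-ContentExport-<timestamp>.zip pattern of the examples, and the owner-only file permissions and the guard against ZIP entries carrying directory components are hardening added here.

```python
"""Export QRadar custom rules for the Rule Explorer App and unpack the XML.

Added example, not the Encode documentation's or the app's own code. It
automates the manual steps of the Configuration section. Assumptions: root on
the QRadar console, the *-ContentExport-*.zip naming seen in the guide, and the
chmod / zip-slip guard, which this example adds on its own.
"""
import glob
import os
import subprocess
import zipfile

CONTENT_MGMT = "/opt/qradar/bin/contentManagement.pl"

# The two package entries from the guide; a full content export is avoided.
PACKAGE_LINES = ("fgroup,all", "customrule,all")


def write_package_file(workdir):
    """Write package.txt in workdir and return its path."""
    path = os.path.join(workdir, "package.txt")
    with open(path, "w") as fh:
        fh.write("\n".join(PACKAGE_LINES) + "\n")
    return path


def newest_export(workdir):
    """Return the most recently modified *-ContentExport-*.zip in workdir, or None."""
    candidates = glob.glob(os.path.join(workdir, "*-ContentExport-*.zip"))
    if not candidates:
        return None
    return max(candidates, key=os.path.getmtime)


def run_export(workdir="/tmp"):
    """Run the documented export from workdir and return the resulting ZIP path.

    contentManagement.pl must be run as root (per the guide), and --file is a
    relative name, so the command is executed with workdir as its cwd.
    """
    if os.geteuid() != 0:
        raise PermissionError("contentManagement.pl must be run as root")
    write_package_file(workdir)
    subprocess.run(
        [CONTENT_MGMT, "--action", "export", "--content-type", "package",
         "--file", "package.txt"],
        cwd=workdir, check=True,
    )
    return newest_export(workdir)


def extract_xml(zip_path, dest):
    """Extract only .xml members of zip_path into dest, owner-readable only.

    Member names are reduced to their basename so an archive entry such as
    ../x.xml cannot write outside dest (zip-slip). Returns the extracted paths.
    """
    extracted = []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".xml"):
                continue
            target = os.path.join(dest, os.path.basename(member))
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            # The XML is your detection logic: added hardening, not from the page.
            os.chmod(target, 0o600)
            extracted.append(target)
    return extracted


if __name__ == "__main__":
    # Full run on a console: export, then unpack the XML for upload to the app.
    exported = run_export("/tmp")
    if exported is None:
        raise SystemExit("no *-ContentExport-*.zip produced in /tmp")
    for path in extract_xml(exported, "/tmp"):
        print("upload this file under Resources -> Storage:", path)
```

The extracted XML is what step 4 of the import procedure asks for; delete it and the ZIP from /tmp after the upload.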


Once files have been uploaded to the App, the Storage menu option lists the available files.


Using Rule Explorer

Navigation

The main window of the App is split into two columns.

On the left, the user can navigate through the groups of rules and building blocks. A count to the right of each group shows how many rules or building blocks the group contains.

Clicking a group updates the right side of the screen with the rules included in that group or any of its subgroups.


Rules

The following information is immediately available when selecting a rule group.

Rule Information

Field Name          Field Description
Name                The name of the rule.
Offense             Whether the rule generates an offense {True, False}.
Dispatched          Whether the rule dispatches a new event {True, False}.
Reference Set/Data  Whether the rule inserts data into a reference set and/or reference data {True, False}.
Status              The status of the rule {True, False}.
Dependencies        If this value is greater than 0 it can be hovered. Hovering the value displays a box with all the rule dependencies.
Dependents          If this value is greater than 0 it can be hovered. Hovering the value displays a box with all the rule dependents.
Custom Properties   If any custom properties are used in this rule the value of this field is greater than 0. In that case hovering the value displays a box with all the custom properties.
Creation Date       The date the rule was created.
Modification Date   The date the rule was modified.
Owner               The owner of the rule.
Notes               If the rule contains notes, a post-it icon is displayed. Hovering the icon displays the rule notes.

It is also possible to limit the results by using the Filter at the top of the right side of the screen.


Building Blocks

The following information is immediately available when selecting a building block group.

Building Block Information

Field Name          Field Description
Name                The name of the building block.
Dependencies        If this value is greater than 0 it can be hovered. Hovering the value displays a box with all the building block dependencies.
Dependents          If this value is greater than 0 it can be hovered. Hovering the value displays a box with all the building block dependents.
Custom Properties   If any custom properties are used in this building block the value of this field is greater than 0. In that case hovering the value displays a box with all the custom properties.
Creation Date       The date the building block was created.
Modification Date   The date the building block was modified.
Owner               The owner of the building block.
Notes               If the building block contains notes, a post-it icon is displayed. Hovering the icon displays the building block notes.

It is also possible to limit the results by using the Filter at the top of the right side of the screen.

Rule and Building Blocks Details

Clicking a rule or building block name opens its details. Under the test definitions, the referenced rules or building blocks are highlighted in blue while the rest of the user-configurable values are highlighted in yellow.

For rules it is also possible to view Rule Actions, Rule Responses and Limiter, which are expandable fields; click the plus (+) icon to expand them.

Under the "Related" section you can view the list of rules/building blocks that are used in the test definitions of the rule/building block you are currently viewing. You can expand each one by clicking on its name to view its test definitions, notes or related rules/building blocks. You can drill down into the related rules/building blocks without any limit. If, however, you need to display all the information of a related rule/building block, click the arrow at the right of its name to navigate to that rule's/building block's page.

At the top of the screen, to the right of the rule/building block name, there are two icons: the tree and the reversed tree.

Hovering over the tree icon displays all the rules/building blocks that are directly used in the test definitions of the rule/building block you are currently viewing.

Hovering over the reversed tree icon displays all the rules/building blocks that directly use the rule/building block you are currently viewing.


Clicking the tree icon displays the actual tree. This view allows the operator to understand which rules/building blocks affect the behavior of the rule/building block they are currently viewing. The tree displays not only the rules/building blocks directly related to the one being viewed but also, recursively, the rules/building blocks related to those. This is better understood in the following screenshot.

Similarly, clicking the reversed tree icon displays a tree with the rules/building blocks that use the rule/building block currently being viewed, as well as the rules/building blocks that use those in turn. This view allows an operator to easily identify which resources will be affected by a change to one rule/building block: check it before editing or disabling a building block, since rules further down the reversed tree depend on it just as much as its direct dependents do.
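The tree and the reversed tree are two traversals of one dependency graph. The following Python is an added example, not code from the Encode Rule Explorer App or from IBM, showing how the Dependencies/Dependents counts, the tree and the reversed tree follow from the references found in test definitions. Its input is a constructed, simplified model of an export (each entry's name, kind and the names its test definitions reference); the rule and building block names are invented, and the real export XML is not parsed. It also covers two cases the page does not discuss: a reference to a building block that is missing from the export, and a cyclic reference, which the traversal must not follow forever.

```python
"""Dependency and impact analysis over QRadar rules and building blocks.

Added example, not code from the Encode Rule Explorer App or from IBM. It
computes what the app's Dependencies/Dependents columns, tree and reversed
tree show: for every rule or building block, what its test definitions use
and what uses it, directly and transitively. The content below is a
constructed, simplified model of an export; the names are assumptions.
"""
from collections import defaultdict, deque

# Constructed sample content. The names are invented, not real QRadar content.
SAMPLE_CONTENT = [
    {"name": "BB:HostDefinition: Mail Servers", "kind": "building block",
     "references": []},
    {"name": "BB:CategoryDefinition: Authentication Failure",
     "kind": "building block", "references": []},
    {"name": "BB:Behaviour: Mail Server Auth Failures", "kind": "building block",
     "references": ["BB:HostDefinition: Mail Servers",
                    "BB:CategoryDefinition: Authentication Failure"]},
    {"name": "Brute Force Against Mail Servers", "kind": "rule",
     "references": ["BB:Behaviour: Mail Server Auth Failures"]},
    # References a building block absent from the export: a realistic failure
    # mode when only part of the content was exported.
    {"name": "Escalate Repeated Brute Force", "kind": "rule",
     "references": ["Brute Force Against Mail Servers", "BB:Missing From Export"]},
]


def build_graph(content):
    """Return (deps, dependents, missing).

    deps[name]       -> names used directly in name's test definitions
    dependents[name] -> names whose test definitions use name directly
    missing[name]    -> referenced names not present in the content
    """
    known = {item["name"] for item in content}
    deps = {item["name"]: set() for item in content}
    dependents = {item["name"]: set() for item in content}
    missing = defaultdict(set)
    for item in content:
        for ref in item["references"]:
            if ref in known:
                deps[item["name"]].add(ref)
                dependents[ref].add(item["name"])
            else:
                missing[item["name"]].add(ref)
    return deps, dependents, dict(missing)


def transitive(graph, start):
    """Every node reachable from start (excluding start itself).

    With deps this is the full tree (dependencies of dependencies); with
    dependents it is the reversed tree (everything affected by a change to
    start). The visited set keeps it terminating on cyclic references.
    """
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def render_tree(graph, start, indent=0, path=()):
    """Indented text rendering of the tree rooted at start.

    A node already on the current path is printed once with a "(cycle)"
    marker instead of being expanded again, so a self-referencing rule set
    cannot recurse forever.
    """
    path = path + (start,)
    lines = ["  " * indent + start]
    for child in sorted(graph.get(start, ())):
        if child in path:
            lines.append("  " * (indent + 1) + child + " (cycle)")
        else:
            lines.extend(render_tree(graph, child, indent + 1, path))
    return lines


def summary(content):
    """Per-item counts like the app's Dependencies/Dependents columns."""
    deps, dependents, missing = build_graph(content)
    return {
        item["name"]: {
            "kind": item["kind"],
            "dependencies": len(deps[item["name"]]),
            "dependents": len(dependents[item["name"]]),
            "unresolved": sorted(missing.get(item["name"], ())),
        }
        for item in content
    }


if __name__ == "__main__":
    deps, dependents, missing = build_graph(SAMPLE_CONTENT)
    print("Tree (what the rule relies on):")
    print("\n".join(render_tree(deps, "Escalate Repeated Brute Force")))
    print("\nReversed tree (what a change to the building block affects):")
    print("\n".join(render_tree(dependents, "BB:HostDefinition: Mail Servers")))
    for name, refs in missing.items():
        print("\nUnresolved references in %s: %s" % (name, ", ".join(sorted(refs))))
```

Run it before editing a building block: the reversed tree from that building block is the list of rules whose behaviour will change, and any entry under "Unresolved references" means the export was incomplete and the app's counts for that rule will be too low.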


Known issues

The application is not compatible with patches 0-4 of QRadar v7.3.0.
