IBM Security QRadar Incident Forensics

Version 7.2.8

Administration Guide

IBM

Note
Before you use this information and the product that it supports, read the information in “Notices” on page 27.

Product information
This document applies to IBM QRadar Security Intelligence Platform V7.2.8 and subsequent releases unless
superseded by an updated version of this document.
© Copyright IBM Corporation 2014, 2016.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.

Contents
Introduction to administrating IBM Security QRadar Incident Forensics . . . . . . . . v

Chapter 1. What's new for administrators in QRadar Incident Forensics V7.2.8.3 . . . . 1

Chapter 2. Administration workflow and user access to forensics capabilities . . . . . 3

Chapter 3. Server management . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Server configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Protocol and domain inspector filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Web category filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Supported protocols and document types. . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 4. Case management . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Creating cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Uploading files to cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 5. Assigning cases to users . . . . . . . . . . . . . . . . . . . . . . . 11
Manually importing files to a forensics case . . . . . . . . . . . . . . . . . . . . . . . . 11
Enabling users to FTP pcap files and documents from external systems to forensics cases . . . . . . . . . 12
Decrypting SSL and TLS traffic in QRadar Incident Forensics . . . . . . . . . . . . . . . . . . . 13

Chapter 6. Scheduled actions in QRadar Incident Forensics . . . . . . . . . . . . . 15
Scheduling actions for QRadar Incident Forensics hosts. . . . . . . . . . . . . . . . . . . . . 15

Chapter 7. Managing suspicious content . . . . . . . . . . . . . . . . . . . . . 17
Importing Yara rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Deleting Yara rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 8. Auditing user and system usage in QRadar Incident Forensics . . . . . . 19

Chapter 9. Real-time threat investigations with QRadar Network Insights . . . . . . . 21
QRadar Network Insights deployments . . . . . . . . . . . . . . . . . . . . . . . . . . 21
QRadar Network Insights configuration requirements . . . . . . . . . . . . . . . . . . . . . 22
Configuring QFlow Collector format . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Setting up DTLS on a QRadar Network Insights managed host . . . . . . . . . . . . . . . . . 23
QRadar Network Insights Flow Inspection Levels . . . . . . . . . . . . . . . . . . . . . 24
Configuring QRadar Network Insights settings . . . . . . . . . . . . . . . . . . . . . 25
Threat detection with QRadar Network Insights . . . . . . . . . . . . . . . . . . . . . . . 26

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Terms and conditions for product documentation. . . . . . . . . . . . . . . . . . . . . . . 29
IBM Online Privacy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

© Copyright IBM Corp. 2014, 2016 iii

iv QRadar Incident Forensics Administration Guide .

Introduction to administrating IBM Security QRadar Incident Forensics

Information about administrating IBM® Security QRadar® Incident Forensics.

Intended audience

Administrators create, maintain, and operate an active forensics capability so that users, called investigators, can focus on investigating security incidents, or cases, and exploring data.

Technical documentation

To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.

Note

IBM Security QRadar Incident Forensics is designed to help companies improve their security environment and data. More specifically, IBM Security QRadar Incident Forensics is designed to help companies investigate and better understand what happened in network security incidents. The tool allows companies to index and search captured network packet data (PCAPs) and includes a feature that can reconstruct such data back into its original form. This reconstruction feature can reconstruct data and files, including email messages, file and picture attachments, VoIP phone calls and websites. Additional information regarding the Program's features and functions and how they may be configured are contained within the manuals and other documentation accompanying the Program.

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar Incident Forensics may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar Incident Forensics.

Chapter 1. What's new for administrators in QRadar Incident Forensics V7.2.8.3

IBM Security QRadar Incident Forensics V7.2.8.3 introduces IBM QRadar Network Insights for real-time threat investigation.

Real-time analysis of network data with QRadar Network Insights

QRadar Incident Forensics introduces QRadar Network Insights, an advanced level of threat detection integrated with IBM Security QRadar. The search capability of QRadar Network Insights finds and extracts important indicators from the packet data. For example, you can analyze emails for suspicious content or attachments in real time. Learn more about real-time threat investigations in Chapter 9, Real-time threat investigations with QRadar Network Insights.


Chapter 2. Administration workflow and user access to forensics capabilities

After IBM Security QRadar Incident Forensics is installed and configured, an administrator can troubleshoot, maintain, and monitor the system and its operations and manage user access to cases. You must have administrative privileges to see the administration tools for QRadar Incident Forensics.

Example: Administration workflow

The following diagram shows a sample workflow for QRadar Incident Forensics administration.

1. Use Server Management to filter web categories, or filter traffic, that you do not want to monitor.
2. Use Case Management to create and delete cases and import external content into the system.
3. Use Forensics User Permissions to assign cases to investigators.
4. Use Scheduled Actions to schedule maintenance, such as deleting old documents, tuning the database, and resetting the QRadar Incident Forensics server.

User roles

To add user accounts, you must first create security profiles to meet the specific access requirements of your users. For more information about configuring security profiles, see the IBM Security QRadar Administration Guide. In the User Roles tool on the Admin tab of QRadar, you can assign the following user roles:

Admin
    Users can view and access all cases that are assigned to users and all incidents, and are automatically given full access to QRadar Incident Forensics.

Forensics
    Users can see and access the Forensics tab, but cannot create cases.

Create cases in Incident Forensics
    Users can automatically create forensics cases.


Chapter 3. Server management

Administrators can troubleshoot, maintain, and monitor the IBM Security QRadar Incident Forensics system and its operations.

To monitor or change server settings or to view the users that are logged in to the system, open the Server Management tool:

1. Log on to QRadar as an administrator.
2. Click the Admin tab.
3. From the Forensics section in the main pane, click Server Management.

Server configuration settings

Use server settings in the IBM Security QRadar Incident Forensics Server Management tool to configure system settings that affect all the managed hosts. After you change a setting, you must deploy your changes by using the Deploy Changes menu on the Admin tab.

Clear Search History on Logout
    Search history is cleared when users log out. The cleared search applies to the query history list in the Query Helper and the last user in the Search Criteria Input field on the Search and Results page.

Default Number of Nodes to Visualize
    The maximum number of nodes that the Visualize tool shows. You can configure the number of nodes to render after the nodes are rendered for the first time. Adjusting the rendered node count affects only that instance of the Visualize tool.

Protocol and domain inspector filters

You can exclude certain types of traffic from investigations by deactivating protocol or domain inspectors in the Server Management tool. Use the Inspector Filter option.

Protocol and domain inspectors process ingested network traffic data and attempt to identify and index the data in a meaningful way. Identifying and indexing that data provides investigators with more control to find the information.

Protocol Inspectors
    Protocol inspectors can identify protocols such as HTTP, FTP, POP3, and telnet. As network traffic data is ingested and protocols are identified, the data is further inspected by the appropriate protocol inspector. You can exclude protocol inspectors. When the inspectors are excluded, any network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only on a generic level.

Domain Inspectors
    Domain inspectors inspect specific websites. Network traffic data that is identified by the HTTP protocol inspector is inspected and indexed further by domain inspectors. You can exclude domain inspectors. When you exclude domain inspectors, any HTTP network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at the HTTP level. For domain inspectors to be active, the HTTP protocol inspector must also be active.

Any protocol that is not processed by an inspector is categorized as unknown. The only exception is SIP (Session Initiation Protocol) traffic. This call setup protocol, which operates at the application layer, is turned off by default.

Remember: When you change the configuration of inspector filters, the new configuration is applied to every new case that is created. Users don't know what inspectors are applied to a case. The inspectors that are turned on influence the documents that are created for a case, and investigators lose the capability of searching for certain inspectors.

Web category filter

You can choose the types of web pages and web servers that are recognized by using web category filters. By using web category filters, you can exclude specific types of HTTP network traffic from investigations.

Administrators can filter HTTP network traffic data to prevent the data from being ingested. When HTTP network traffic data is ingested, the data is categorized and the resulting documents are grouped. Web categorizing, grouping, and filtering affect HTTP network traffic data while it is being ingested and have no effect on data that is already in the system. By default, all filters are turned on and you can see traffic from all protocols.

To exclude HTTP network traffic data for a category or group, turn off the category or group in the Server Management tool. When a group filter is set to exclude data, HTTP network traffic data that is associated with categories in that group is filtered out during consumption, regardless of the settings of the associated category filters.

Example: What happens when you use a web category filter to exclude traffic?

You decide to exclude traffic that contains data from news or magazine sites.

1. On the Admin tab in QRadar, you click Server Management.
2. You click Web Category Filter and click Off beside the News / Magazines filter.
3. You click the Webmail / Unified Messaging filter and click On.

Now, when a user investigates ingested traffic on the Forensics tab, they see that traffic that contains both News / Magazines data and Webmail / Unified Messaging data is not ingested, even though the Webmail / Unified Messaging filter is on.
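The two precedence rules in this section (a group that is Off excludes all of its categories, and a document that matches any excluded category is dropped even if it also matches an allowed one) are modelled below, as an added example that is not IBM code; the category-to-group mapping and the sample documents are constructed for the illustration.

```python
"""Model of the web category filter decision described in the guide.
Added example, not IBM code. Assumptions: a document carries the set of
web categories it was classified into; a group filter that is Off excludes
every category in that group regardless of the per-category setting; a
document is dropped at ingest if ANY of its categories is excluded."""

# Constructed category -> group mapping (assumed names, not taken from the product).
CATEGORY_GROUPS = {
    "News / Magazines": "Information",
    "Webmail / Unified Messaging": "Communication",
    "Social Networking": "Communication",
}


def excluded_categories(category_filters, group_filters, category_groups=CATEGORY_GROUPS):
    """Return the set of categories whose traffic is filtered out at ingest.
    A filter that is not listed is treated as On (the product default).
    A category is excluded when its own filter is Off, or when the group it
    belongs to is Off (the group setting overrides the category setting)."""
    excluded = set()
    for category, group in category_groups.items():
        if not category_filters.get(category, True):
            excluded.add(category)
        if not group_filters.get(group, True):
            excluded.add(category)
    return excluded


def is_ingested(document_categories, category_filters, group_filters, category_groups=CATEGORY_GROUPS):
    """True if the document survives ingest. A document that matches both an
    excluded category and an allowed one is still dropped, which is the
    behaviour of the News / Magazines + Webmail example in the guide."""
    excluded = excluded_categories(category_filters, group_filters, category_groups)
    return not (set(document_categories) & excluded)


def filter_documents(documents, category_filters, group_filters, category_groups=CATEGORY_GROUPS):
    """Return only the documents that would be indexed."""
    return [d for d in documents
            if is_ingested(d["categories"], category_filters, group_filters, category_groups)]


# Constructed sample documents mirroring the guide's worked example.
SAMPLE_DOCUMENTS = [
    {"id": "doc-1", "categories": ["News / Magazines"]},
    {"id": "doc-2", "categories": ["Webmail / Unified Messaging"]},
    {"id": "doc-3", "categories": ["News / Magazines", "Webmail / Unified Messaging"]},
]


def guide_example():
    """News / Magazines Off, Webmail / Unified Messaging On, every group On."""
    category_filters = {"News / Magazines": False, "Webmail / Unified Messaging": True}
    return [d["id"] for d in filter_documents(SAMPLE_DOCUMENTS, category_filters, {})]


def group_override_example():
    """Communication group Off: Webmail is excluded although its own filter is On."""
    category_filters = {"Webmail / Unified Messaging": True}
    group_filters = {"Communication": False}
    return [d["id"] for d in filter_documents(SAMPLE_DOCUMENTS, category_filters, group_filters)]


if __name__ == "__main__":
    print(guide_example())           # ['doc-2']: doc-3 is dropped although Webmail is On
    print(group_override_example())  # ['doc-1']
```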

Supported protocols and document types

IBM Security QRadar Incident Forensics captures the content in network flow packets and indexes and processes the payload and the metadata.

The following list describes the supported protocols that QRadar Incident Forensics can process:

- AIM
- DHCP
- DNS
- Exchange
- FTP
- HTTP
- IMAP
- IRC
- Jabber
- Myspace
- NFS
- SIP
- NetBIOS
- Oracle
- POP3
- SMB (Version 1) – Lanman 2.1 – NT 0.12
- SMTP
- SPDY
- TLS (SSL)
- SSH
- Telnet
- Yahoo Messenger
- MySQL

The following list describes the supported domains (websites) and the supported languages for the domains that QRadar Incident Forensics can process. Supported languages, which vary by domain, are drawn from AR, CN, DE, EN, ES, FR, and RU.

- AOL (Accessible, Standard) (EN)
- Charter (EN)
- Facebook (Mobile, Desktop) (multiple languages)
- Gmail (Classic, Basic, Standard) (multiple languages)
- Hotmail (multiple languages)
- LinkedIn (multiple languages)
- MailCom (multiple languages)
- MailRu (RU)
- Maktoob (multiple languages)
- Myspace (EN)
- QQMail (multiple languages)
- Twitter (EN)
- YAHOO Mail (Standard, Classic) (EN)
- YAHOO Note (EN)
- YouTube (multiple languages)
- Comcast (Zimbra) (EN)

The following list describes the supported document formats that QRadar Incident Forensics can process:

- HyperText Markup Language
- XML and derived formats
- Microsoft Office document formats
- OpenDocument Format
- Portable Document Format
- Electronic Publication Format
- Rich Text Format
- Compression and packaging formats
- Text formats
- Audio formats
- Image formats
- Video formats
- Java™ class files and archives
- mbox format

QFlow application detection

QFlow application detection is used when no other inspectors can detect an application, session, or protocol. The QFlow application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the application from the signature and port. Some examples of applications, sessions, or protocols that the QFlow application detection might be able to identify include, but are not limited to, the following items:

- BitTorrent
- Blubster
- CitrixICA
- Google Talk
- Gnucleuslan
- Gnutella
- GSS-SPNEGO
- NTLMMSSP
- OpenNap
- PeerEnabler
- Piolet
- UpdateDaemon
- VNC

Chapter 4. Case management

As an administrator, you can manage cases and collections by using Case Management. You can create cases for collections of documents or packet capture (pcap) files and can also import external files into the IBM Security QRadar Incident Forensics system.

Uploading pcap files to managed hosts

You can manually upload pcap data from external sources. You can specify which QRadar Incident Forensics managed host to upload the data to for processing. For example, if you have three managed hosts and three pcap files, you can upload each one to a different managed host. You can use a single case for all pcap files or create multiple cases. For larger pcap files, use FTP.

Tuning case management

To help you tune case management, you can use the Flush option. For streaming pcap data, which is a series of pcap files that are logically related to form one large pcap file, you can force buffered data to be written to disk. The Flush option forces the QRadar Incident Forensics hosts to write unterminated flows to disk, which in turn helps searching in these flows at an earlier stage.

Distribution graphs

If you plan to delete a case, you can visually use the graphs to quickly review the content of the case. You can review the type of files, the protocols, and the domains that are in the case.

Creating cases

Cases are logical containers for your collection of imported document and pcap files. Cases can be restricted to specific users.

Restriction: Case names cannot contain spaces.

Procedure

1. On the Admin tab, select Case Management.
2. Click Add New Case.
3. In the Case Name field, type a unique name.
4. Click Save.

Results

A new directory that is based on the case name is created: /case_input/<case_name>. This directory is used to import your pcap files.

Uploading files to cases

As an administrator, you can upload external packet capture (pcap) files and documents, such as spreadsheets, text files, and image files, to IBM Security QRadar Incident Forensics Case Management. The following file types are supported:

- HyperText Markup Language
- XML and derived formats
- Microsoft Office document formats
- OpenDocument Format
- Portable Document Format
- Electronic Publication Format
- Rich Text Format
- Compression and packaging formats
- Text formats
- Audio formats
- Image formats
- Video formats
- Java class files and archives
- The mbox format

Case Management restricts both the number of files that you can add to a case and the maximum file size.

Procedure

1. On the Admin tab, in the Forensics section, click Case Management.
2. Select a case.
   - To add files to a new case, click Add New Case. Restriction: Case names cannot contain spaces.
   - To add external files to an existing case, select the case from the Cases list.
3. From the Upload to Host list, select the managed host that you want to process the files.
4. To add pcap files or other document types, choose one of the following methods:
   - Click Add files, select the files, and click Start upload.
   - Drag the files to the upload box.

After the upload is complete, the files are listed in the Collections list.

Chapter 5. Assigning cases to users

As an administrator, you grant access to forensics data to users, assign cases to users, and configure user permissions such as FTP access. Users cannot see data until they are assigned a case, and they can see only the data from the cases to which they are assigned.

Be careful when you assign cases to non-admin users who have restricted access to networks. They can see documents that are from IP addresses that they don't normally have access to. For example, if you assign a non-admin user a case that contains financial or human resources information, they can see the data when they investigate the case.

About this task

Administrators can do the following tasks:

- Assign multiple users to a case.
- Remove a case from a user.
- View and access all cases that are assigned to a user.

Tip: By default, a user with administrative privileges is assigned to all cases, and the left arrow (<) and right arrow (>) are not displayed. Users can see only the cases that are explicitly assigned to them.

Procedure

1. On the Admin tab, click Forensics User Permissions.
2. From the Users list, select a user.
3. From the list of cases in the Available list, select one or more cases and click the arrow (>) to move the cases to the Assigned list.

Manually importing files to a forensics case

Unlike the Case Management tool, there are no restrictions on the file size or the number of files when you manually import files. You can manually create a case and copy files to it, or manually copy files to an existing case. For example, you can use the scp command to securely copy files from another host to the /opt/ibm/forensics/case_input/case_input/ directory on the IBM Security QRadar Incident Forensics host.

Before you begin

Make a back-up copy of the imported files. After the file is imported and processed, the original file is deleted.

Procedure

1. Use SSH to log in to QRadar Incident Forensics as a root user.
2. To create a new case, go to the /opt/ibm/forensics/case_input directory and type the following command:

    mkdir /opt/ibm/forensics/case_input/<case_name>

3. To copy files to a case, use the scp command or another file transfer program to copy the files to the directory that corresponds to the file type. The following table lists the directory structure for the imported files.

Table 1. Directory structure of case files

Directory                                                     Description
/opt/ibm/forensics/case_input/<case_name>                     The directory that is used to import a series or connected stream of pcap files.
/opt/ibm/forensics/case_input/<case_name>/singles             The directory that is used to import individual pcap files.
/opt/ibm/forensics/case_input/case_input/<case_name>/import   The directory that is used to import a single file of a type other than pcap.

Important: If a hyphen is used in a file name, it is changed to an underscore when the file is imported.

Results

After a successful import, your file name automatically appears in the Collections window of the case that you created.

Enabling users to FTP pcap files and documents from external systems to forensics cases

To upload external data to include in specific cases, administrators can grant secure FTP permissions to users and manage the case to which the data is associated. Users can choose which IBM Security QRadar Incident Forensics host processes the FTP request.

By default, the /etc/vsftpd/vsftpd.conf file is configured so that five ports are open: 55100-55104. You can change the port range by editing the /etc/vsftpd/vsftpd.conf file and changing the values of the pasv_min_port and pasv_max_port settings to the range of ports that you want.

To change a password after FTP access is enabled, you must disable FTP access and save the user, and then re-enable FTP access and enter the new password. You must deploy your configuration changes by clicking Deploy Changes on the Admin tab.

Before you begin

Ensure that you create or assign roles for forensics investigators in the User Roles tool on the Admin tab.

About this task

IBM Security QRadar Incident Forensics can import data from any accessible directory that is on the network, for example, Microsoft Word documents, text files, Adobe Acrobat PDFs, and images. The data can be in a number of formats, including but not limited to the following formats:

- Standard PCAP format files from external sources

- Documents such as text files, PDF files, spreadsheets, and presentations
- Image files
- Streaming data from applications
- Streaming data from external PCAP sources

Users can upload multiple files to a case, and an administrator can grant multiple users access to the case. A single user is associated with a case; therefore, two users cannot create a case that has the same name. A user can see their case in one of the tools on the Forensics tab.

Procedure

1. On the Admin tab, click Forensics User Permissions.
2. From the Users list, select a user.
3. In the Edit User pane, select the Enable FTP access check box.
4. Enter and confirm the FTP password for the user.
5. To save changes to the permissions, click Save User.
6. In the FTP client, do the following steps:
   a. Add the IP address of the QRadar Incident Forensics host.
   b. Ensure that Transport Layer Security (TLS) is selected as the protocol.
   c. Create a logon that uses the QRadar Incident Forensics user name and password that was created.
7. Connect to the QRadar Incident Forensics server and create a new directory.
   Restriction: The case name must be unique.
8. To FTP and store pcap files, under the directory that you created for the case, create a directory that is named singles and drag the pcap files to that directory.
9. To FTP and store other file types that are not pcap files, under the directory that you created for the case, create a directory that is named import and drag the files to that directory.
10. To restart the FTP server, type the following command:

    /etc/init.d/vsftpd restart

11. To restart the server that moves the files from the upload area to the QRadar Incident Forensics directory, type the following command:

    /etc/init.d/ftpmonitor restart

Results

An administrator sees the data that is uploaded in Case Management.

Decrypting SSL and TLS traffic in QRadar Incident Forensics

To find hidden threats, IBM Security QRadar Incident Forensics can decrypt SSL traffic. If you provide the server's private key and IP address, or a browser session key and some other session information, the protocol inspector can decrypt SSL traffic. If the session key is generated from external sites or generated by another browser, the protocol inspector cannot decrypt SSL traffic from a browser session.

About this task

Decryption is supported for the following protocols:

- SSL v3
- TLS v1.0
- TLS v1.1
- TLS v1.2

Key log files are generated by Chrome, Firefox, and Opera browsers with the SSLKEYLOGFILE environment variable. The following key formats are supported for the SSLKEYLOGFILE session key:

- RSA
- DH

Restriction: The Diffie Hellman key exchange mechanism is not supported when encrypted traffic is decrypted through a private key. Other key exchange methods, such as RSA, are supported. The Diffie Hellman restriction does not apply when traffic is decrypted with information that is found in a keylog.

Procedure

1. Use SSH to log in to the QRadar Incident Forensics primary host as the root user.
2. Review the location of the keys in the /opt/qradar/forensics.conf file.

    <sslkeys keydir="/opt/ibm/forensics/decapper/keys" keylogs="/opt/ibm/forensics/decapper/keylogs"/>

3. Copy the keys into the directory that is specified in the /opt/qradar/forensics.conf file.
   - For private keys, copy the key into the /opt/ibm/forensics/decapper/keys directory. When you use a private key, the key entry names the key file, the server address, and the address range. Example:

        <keys>
          <key file="/opt/ibm/forensics/decapper/keys/key_name">
            <address>1.2.3.4</address>
            <range>1.2.3.0-1.2.3.255</range>
          </key>
        </keys>

   - For key log files that are generated by the browser, copy the key log files into the /opt/ibm/forensics/decapper/keylogs/default directory.

If you change the subdirectories in either the /opt/ibm/forensics/decapper/keys or /opt/ibm/forensics/decapper/keylogs directories, you must restart the decapper service. To restart the decapper service, type the following command:

    service decapper restart
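Before dropping decryption material into the keys or keylogs directories, it is worth checking it offline. The script below, an added example and not IBM code, validates a <keys> entry of the shape shown above (address inside its range, file attribute present) and checks that an SSLKEYLOGFILE file contains only well-formed records; it assumes the NSS key log format that the browsers named above write (`RSA <16 hex> <96 hex>` and `CLIENT_RANDOM <64 hex> <96 hex>` lines) and IPv4 addresses. The key log secrets are dummy values constructed for the example.

```python
"""Pre-flight checks for QRadar Incident Forensics decryption material.
Added example, not IBM code. Assumptions: <keys> XML as shown in the guide,
IPv4 addresses, and browser key logs in NSS format."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <keys> entry from the guide (key_name is a placeholder).
SAMPLE_KEYS_XML = """<keys>
  <key file="/opt/ibm/forensics/decapper/keys/key_name">
    <address>1.2.3.4</address>
    <range>1.2.3.0-1.2.3.255</range>
  </key>
</keys>"""


def parse_keys_xml(text):
    """Return [(file, address, (range_start, range_end))] for each <key>.
    Raises ValueError when a file attribute is missing, an address or range
    does not parse, the range is reversed, or the address is outside it."""
    entries = []
    for key in ET.fromstring(text).findall("key"):
        path = (key.get("file") or "").strip()
        if not path:
            raise ValueError("key element without a file attribute")
        address = ipaddress.ip_address(key.findtext("address", "").strip())
        lo_text, _, hi_text = key.findtext("range", "").strip().partition("-")
        lo = ipaddress.ip_address(lo_text.strip())
        hi = ipaddress.ip_address(hi_text.strip())
        if lo > hi:
            raise ValueError(f"range {lo}-{hi} is reversed")
        if not lo <= address <= hi:
            raise ValueError(f"address {address} is outside {lo}-{hi}")
        entries.append((path, address, (lo, hi)))
    return entries


# Constructed key log; the hex values are dummies, not real session secrets.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "RSA " + "33" * 8 + " " + "44" * 48,
    "CLIENT_RANDOM " + "55" * 32 + " " + "66" * 20,   # truncated secret: rejected
])

# One NSS record: label + identifier + 48-byte secret (96 hex characters).
KEYLOG_LINE = re.compile(
    r"^(CLIENT_RANDOM [0-9a-fA-F]{64}|RSA [0-9a-fA-F]{16}) [0-9a-fA-F]{96}$")


def check_keylog(text):
    """Return (usable_record_count, [bad_line_numbers]).
    Comments and blank lines are skipped; any other line that is not a
    well-formed RSA or CLIENT_RANDOM record is reported so the file can be
    fixed before it is copied into keylogs/default."""
    usable, bad = 0, []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if KEYLOG_LINE.match(stripped):
            usable += 1
        else:
            bad.append(number)
    return usable, bad


if __name__ == "__main__":
    for path, address, (lo, hi) in parse_keys_xml(SAMPLE_KEYS_XML):
        print(f"{path}: {address} within {lo}-{hi}")
    print(check_keylog(SAMPLE_KEYLOG))   # (2, [4])
```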

Chapter 6. Scheduled actions in QRadar Incident Forensics

You can schedule maintenance, such as deleting old documents, tuning the database, and resetting the IBM Security QRadar Incident Forensics server.

You can schedule these tasks:

- Build a new index for the currently available cases.
- Remove (age out) documents that you don't want to retain after a specified time period.
- Force data to be written to disk.

Optimizing the database

Administrators can optimize the database to reorganize the search engine index into segments and remove deleted documents. The Optimize Database scheduled action is similar to a defrag command. When you optimize the database, a new index builds. After the index is built, the new index replaces the old index. Because two indexes exist until the old index is replaced, the optimize index command requires double the amount of hard disk space. Before you optimize your database, you must ensure that the size of your index does not exceed 50 percent of the available space on your hard disk. If there are many documents, scheduled actions might take a long time to complete.

Deleting documents

Administrators can delete outdated documents based on the document network time stamps. You can delete documents, which include pcap and other file types, from a case or the server. Deleting outdated documents helps maintain speed when you search documents. If you want to delete an entire case, use the Case Management tool.

Flush case

To help you tune case management, you can use the Flush Case option. For streaming pcap data, which is a series of pcap files that are logically related to form one large pcap file, you can force buffered data to be written to disk. The Flush Case option forces the QRadar Incident Forensics hosts to write unterminated flows to disk, which in turn helps searching in these flows at an earlier stage.

Scheduling actions for QRadar Incident Forensics hosts

You can schedule maintenance tasks on the IBM Security QRadar Incident Forensics hosts, such as deleting old documents.

Procedure

1. On the Admin tab, in the Forensics section, click Schedule Actions.
2. Click Add New Action.
3. From the Select Action list, select an action and specify the settings.
   - To delete documents that have a network time stamp older than a specified age, select Age Out Documents. Indexes are also removed when you delete the documents.
   - To build a new index for current cases, select Optimize Index. Ensure that you have adequate space. The new index requires about twice as much space as the existing index.
   - To write unterminated flows to disk, select Flush Case.
4. Click Save.
5. To run, edit, or delete the action, select the action from the Actions list and click Run, Edit, or Delete.

Chapter 7. Managing suspicious content

As an administrator, you can flag suspicious content by using the Suspect Content Management feature.

Yara rules

To flag suspicious content in the files that are found in QRadar Incident Forensics network traffic, you can import and use existing Yara rules to specify the custom rules that are run on the files. When the Yara rule is uploaded, the decapper uses the rules that are specified when it finds a file in a recovery or a PCAP upload. If matching content is found, a SuspectContent field is added under the Attributes tab for a document. The SuspectContent field is populated with the Yara rule name and any tags identified by the rule.

Each Yara rule starts with the keyword rule followed by a rule identifier. Yara rules are composed of two sections:

1. String definition: In the strings definition section, specify the strings that will form part of the rule. Each string uses an identifier consisting of a dollar sign ($) followed by a sequence of alphanumeric characters that are separated by underscores.
2. Condition: In the condition section, define the logic of the rule. This section must contain a Boolean expression that defines the conditions in which a file satisfies the rule.

The following example shows a simple Yara rule. The condition refers to the string by its own identifier, $str1, which is the only string the rule defines:

    rule simple_forensics : qradar
    {
        meta:
            description = "This rule will look for str1 at an offset of 25 bytes into the file."
        strings:
            $str1 = "pattern of interest"
        condition:
            $str1 at 25
    }

The following example shows a more complex Yara rule. The ?? token in the hex string matches any byte and B? matches any byte whose high nibble is B; #str1 counts the occurrences of $str1 in the file:

    rule ibm_forensics : qradar
    {
        meta:
            description = "This rule will flag content that contains the hex sequence as well as str1 at least 3 times."
        strings:
            $hex1 = {4D 2B 68 00 ?? 14 99 F9 B? 00 30 C1 8D}
            $str1 = "IBM Security!"
        condition:
            $hex1 and (#str1 > 3)
    }
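To see exactly which files the two rules above would flag, the following script, an added example that is not IBM or YARA project code, evaluates their conditions in plain Python: the `at` offset test, the hex pattern with its ?? and B? wildcards, and the #str1 occurrence count. The sample files are constructed for the illustration; the hypothetical `scan` function returns the rule names the way the SuspectContent field lists them.

```python
"""Evaluator for the two Yara rule conditions shown in the guide.
Added example, not IBM or YARA project code."""
import re

HEX_DIGITS = "0123456789ABCDEF"


def hex_pattern_to_regex(pattern):
    """Turn a YARA-style hex string such as {4D 2B ?? B?} into a compiled
    bytes regex. ?? matches any byte; a single ? wildcards one nibble."""
    parts = []
    for token in pattern.strip("{} ").upper().split():
        if token == "??":
            parts.append(b".")
        elif "?" in token:
            hi, lo = token[0], token[1]
            # Enumerate the byte values the half-wildcard token can match.
            candidates = [int(h + l, 16)
                          for h in (HEX_DIGITS if hi == "?" else hi)
                          for l in (HEX_DIGITS if lo == "?" else lo)]
            parts.append(b"[" + b"".join(re.escape(bytes([c])) for c in candidates) + b"]")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def string_at(data, needle, offset):
    """YARA `$s at N`: the string must start exactly at byte offset N."""
    return data[offset:offset + len(needle)] == needle


def count_occurrences(data, needle):
    """YARA `#s`: number of occurrences of the string (overlaps included)."""
    return sum(1 for i in range(len(data) - len(needle) + 1) if data.startswith(needle, i))


def simple_forensics(data):
    """rule simple_forensics: $str1 = "pattern of interest"; condition: $str1 at 25."""
    return string_at(data, b"pattern of interest", 25)


HEX1 = hex_pattern_to_regex("{4D 2B 68 00 ?? 14 99 F9 B? 00 30 C1 8D}")


def ibm_forensics(data):
    """rule ibm_forensics: condition: $hex1 and (#str1 > 3).
    Note that `> 3` needs FOUR occurrences, one more than the rule's
    description ("at least 3 times") suggests."""
    return HEX1.search(data) is not None and count_occurrences(data, b"IBM Security!") > 3


def scan(data):
    """Return the names of the rules that match, as SuspectContent would list them."""
    hits = []
    if simple_forensics(data):
        hits.append("simple_forensics")
    if ibm_forensics(data):
        hits.append("ibm_forensics")
    return hits


# Constructed sample files.
HEX1_INSTANCE = bytes.fromhex("4D2B6800AA1499F9BE0030C18D")   # AA for ??, BE for B?
SAMPLE_HIT_SIMPLE = b"X" * 25 + b"pattern of interest" + b"\x00" * 8
SAMPLE_MISS_SIMPLE = b"X" * 24 + b"pattern of interest"      # one byte too early
SAMPLE_HIT_IBM = b"IBM Security!" * 4 + HEX1_INSTANCE + b"\x00"
SAMPLE_THREE_IBM = b"IBM Security!" * 3 + HEX1_INSTANCE     # only three: not flagged

if __name__ == "__main__":
    for name, blob in [("hit_simple", SAMPLE_HIT_SIMPLE), ("miss_simple", SAMPLE_MISS_SIMPLE),
                       ("hit_ibm", SAMPLE_HIT_IBM), ("three_ibm", SAMPLE_THREE_IBM)]:
        print(name, scan(blob))
```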

Importing Yara rules

You can import your existing Yara rules into IBM Security QRadar Incident Forensics and use those rules for matching and flagging malicious content.

Before you begin

Important: Yara rule names must be unique. More than one Yara rule can exist in an imported file.

Restriction: Implementation of Yara modules is not currently available.

Procedure

1. On the Admin tab, select Suspect Content Management.
2. Click Select File.
3. In the File Upload window, browse to the file you want to import and click Open.
4. Click Save.

Results

You will see a message when the Yara rule has been imported successfully.

What to do next

Newly imported Yara rules will not be applied retroactively. After you import the Yara rules, you must perform a full deployment for the changes to take effect.

Deleting Yara rules

You can delete all existing Yara rules from IBM Security QRadar Incident Forensics. You upload a file that contains a single empty rule to turn off Yara rules.

Procedure

1. To create a new file that contains a single empty rule, use the following steps:
   a. Copy the following rule into a text editor of your choice:

          rule empty { condition: false }

   b. Save as a text file.
2. On the Admin tab, select Suspect Content Management.
3. Click Select File.
4. In the File Upload window, browse to the file you created in Step 1 and click Open.
5. Click Save.

Results

The single rule always returns a false result, which allows it to pass the validator, and is inserted into the database. The single rule deletes all existing rules. The single rule never flags content as suspicious.

Chapter 8. Auditing user and system usage in QRadar Incident Forensics

Audit logs are chronological records that identify user accounts that are associated with data access. These logs can detect unusual or unauthorized access and can identify problems such as failed jobs.

The following activities generate audit log events:
• Create case
• Assign case
• Delete case
• Delete collection
• All user queries
• Document view
• Export document

Restriction: Logging create collection events is not supported.

Procedure

1. Use SSH to log on to the QRadar Console or QRadar Incident Forensics Standalone as an administrator.
2. Go to the /var/log/audit directory.
3. Open the audit.log file in an editor, such as vi, to review the contents, or use the grep command to look for a specific entry.


Chapter 9. Real-time threat investigations with QRadar Network Insights

IBM QRadar Network Insights provides real-time analysis of network data and an advanced level of threat detection and analysis.

Advanced cybersecurity threats are increasingly difficult to detect and prevent. Malicious activity is often disguised as normal usage, which allows threats to move and communicate across networks to accomplish their objectives. For example, malware morphs to avoid signature-based detection, and social engineering techniques, such as phishing, are effective at opening the door to these attacks.

QRadar Network Insights reveals previously hidden threats. QRadar Network Insights is tightly integrated with IBM Security QRadar Incident Forensics for post incident investigations and threat hunting activities, but QRadar Network Insights provides the incident detection.

Flow information, metadata, and suspect content

With QRadar Network Insights, you can correlate the flow data with event data to detect threats that cannot be identified by logs alone. You can use the extracted content for long-term retrospective analysis.

Value of flows

Flows provide QRadar with visibility across network activity because they enable asset detection when devices connect to a network, and you can capture the beginning of the sessions. For example, IBM Security QRadar QFlow Collector provides network flows and also recognizes layer 7 applications.

Search capability

The search capability of QRadar Network Insights finds and extracts important indicators from the packet data, such as malware, non-standard ports, and malicious behaviors. Suspect content can originate from a wide variety of sources, for example, regex, extracted content, or Yara rules.

Integration with IBM Security QRadar Incident Forensics

QRadar Network Insights records application activities, captures artifacts, and identifies assets, applications, and users that participate in network communications. QRadar Incident Forensics and IBM QRadar Network Packet Capture capture, reconstruct, and replay the entire conversation, and inform you whether suspect items or topics of interest were discussed at any time during the conversation.

Related concepts:
"QRadar Network Insights Flow Inspection Levels" on page 24
To improve performance, you must choose the appropriate flow rate that is required by configuring the Flow Inspection Level setting.

QRadar Network Insights deployments

IBM QRadar Network Insights is a managed host that you attach to the QRadar console. QRadar Network Insights requires only a connection to the QRadar console, and does not require a connection to the QRadar Incident Forensics appliance. QRadar Network Insights requires a separate license for the 6200 appliance, but you do not need a QRadar Network Insights license on the QRadar console. For a QRadar Network Insights deployment, you must select the 6200 appliance option during the installation, and you need to allocate one license to the 6200 appliance option.

The QRadar Network Insights appliance reads the raw packets from a network tap or span port and then generates IPFIX packets. The IPFIX packets are sent to the QFlow process on the QRadar Console. The configurable flow forwarding capability enables load-balancing across multiple appliances.

QRadar Network Insights appliance relationship with IBM Security QRadar Incident Forensics

You can deploy QRadar Network Insights separately from the IBM Security QRadar Incident Forensics Processor deployment. For more information about installing the QRadar Network Insights appliance, see the IBM Security QRadar Incident Forensics Installation Guide.

QRadar Network Insights appliance

The QRadar Network Insights 1920 appliance comes with two third-generation network cards. The network cards are tapped directly to the network to help with real-time packet inspection. The hardware configuration helps with in-memory processing to enable real-time analysis of network data.

Table 2. Network card specifications

    1920 appliance   Description
    Server           X3650 M5
    CPU              2 x E5-2680 v4 14C 2.4 GHz 35 MB 2400 MHz 120 W
    RAM              8 x 16 GB
    HDD              2 x 200 GB SSD, ServeRAID M1215
    I/O cards        Intel X520 2P 10 GbE + 2 x 10G SR; 2 x NT40E3 4P 40G + 2 x 10G SR + 2 x 10G LR
    P/S              2 x 900 W

Configuring QFlow Collector format

As a QRadar managed host cluster manager, your QFlow Collectors export data to the QFlow Processor in Payload format.

Procedure

1. Log in to QRadar as an administrator.
2. Click the Admin tab.
3. In the navigation pane, click System Settings.
4. Click the QFlow Settings menu, and confirm that Payload is selected.
5. Click Save.
6. From the Admin tab menu bar, click Deploy Full Configuration, and confirm the changes.
7. Refresh your web browser.

QRadar Network Insights configuration requirements

After you install IBM QRadar Network Insights and attach it to the QRadar Console as a managed host, you must configure your appliance before you can begin to use it for investigating threats on your network.

Before you begin

Ensure that the following requirements are met:
__ • You must ensure you have a QRadar Console installed with a QRadar Network Insights attached as a managed host.
__ • You must perform a full deployment after attaching IBM QRadar Network Insights as a managed host.

Procedure

1. Log in to QRadar:
   a. https://IP_Address_QRadar
   b. The default user name is admin.
   c. The password is the password of the root user account.
2. Add QRadar Network Insights as a managed host:
   a. Click the Admin tab.
   b. From the Admin tab menu bar, click System and License Management under the System Configuration section.
   c. Click the Deployment Actions icon, and select Add Host.
   d. When prompted, enter the IP address and root password of the QRadar Network Insights managed host. The appliance type is 6200.
   e. Click Save.
3. To configure a flow source, use the following steps:
   a. Click the Admin tab.
   b. In the navigation pane, click Flow Sources under the Flows section.
   c. Click the Add icon.
   d. Specify a descriptive Flow Source Name.
   e. Select a Target Flow Collector or accept the value provided.
   f. Select Netflow v.1/v.5/v.7/v.9/IPFIX as the Flow Source Type.
   g. Enter a value for the Monitoring Port or accept the value provided.
   h. Click Save.

Setting up DTLS on a QRadar Network Insights managed host

To prevent eavesdropping and tampering, you must set up Datagram Transport Layer Security (DTLS) on a QRadar Network Insights managed host.

Before you begin

You must configure a flow source first.

Procedure

1. Use SSH to log in as the root user on the QRadar Console.
2. Run this command to set up the DTLS certificate:

       python /opt/qradar/bin/qflow_dtls_cert_setup.py

3. To configure DTLS communication, use the following steps:
   a. Log in to QRadar as an administrator.
   b. Click the Admin tab.
   c. In the navigation pane, click System and License Management under the System Configuration section.
   d. Select the QRadar Network Insights managed host.
   e. Click the Deployment Actions icon, and select Edit Host Connection.
   f. On the Modify QRadar Network Insights page, select the QRadar Flow Collector and flow source.
   g. Select DTLS from the Linking Protocol list.
   h. Click Save.
   i. Close the System and License Management page.
   j. On the Admin tab, click the Deploy Changes icon.
   k. From the Admin tab menu bar, select Advanced > Deploy Full Configuration.
   l. Refresh your web browser.

Note: If you change the QRadar Flow Collector or flow source of any QRadar Network Insights managed host in your deployment, you must run the DTLS setup script again.

QRadar Network Insights Flow Inspection Levels

To improve performance, you must choose the appropriate flow rate that is required by configuring the Flow Inspection Level setting.

The flow inspection levels are cumulative, so each level takes the properties of the preceding level. The flow rate is related to the levels of visibility through the available content.

Flows

Flows is the lowest level of inspection. This level supports the highest bandwidth, but generates the least amount of flow information. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. This kind of information is similar to what you get out of a router or network switch that does not perform deep packet inspection.

The attributes that QRadar Network Insights generates by using the flows inspection level are: 5-tuple values, a flow ID, packet and octet counts in each direction, and flow start and end times.

Enriched Flows

Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection. The following list describes the attributes that QRadar Network Insights generates by using the enriched flows inspection level:
• HTTP metadata values, including categorization of URLs
• Application ID and action
• File information (name, size, hash) and specific file types
• Originating and recipient user names
• Limited suspect content values

Content enriched flows

Content enriched flows is the default setting and the highest level of inspection. It generates all the attributes that the enriched flows level does, and it also scans and inspects the content of the files that it finds. This results in a more accurate content-type determination, and can yield more suspect content values that result from the inspection of the file contents. The following list describes the attributes that QRadar Network Insights generates by using the content enriched flows inspection level:
• Personal information
• Confidential data
• Embedded scripts
• Redirects
• Configurable content-based suspect content

Performance considerations

Performance varies depending on the inspection level setting, search, extraction criteria and network data. Each inspection level provides deeper visibility and extracts more content. Use the following table to understand the flow inspection levels:

Table 3. Performance considerations

    Flow Inspection Level Setting   Performance
    Flows                           10 Gbps
    Enriched Flows                  Approximately 10 Gbps
    Content Enriched Flows          Approximately 3.5 Gbps. 10 Gbps performance is achievable (Advanced) with multiple appliances.

Related concepts:
Chapter 9, "Real-time threat investigations with QRadar Network Insights," on page 21
IBM QRadar Network Insights provides real-time analysis of network data and an advanced level of threat detection and analysis.

Configuring QRadar Network Insights settings

To improve performance, configure the levels of flows that the QRadar Network Insights appliances in your deployments produce.

Procedure

1. Log in to QRadar as an administrator.
2. Click the Admin tab.
3. In the navigation pane, click System Settings.
4. Click the Network Insights Settings menu.
5. From the Flow Inspection Level, select the flow rate that is required.

   Table 4. Flow inspection levels

       Flow Inspection Level    Description
       Flows                    Lowest level of inspection. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted.
       Enriched Flows           Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection.
       Content Enriched Flows   The default setting and the highest level of inspection. It does everything that the Enriched Flows level does, but it also scans and inspects the content of the files that it finds.

6. Click Save.
7. From the Admin tab menu bar, click Deploy Full Configuration.
8. Refresh your web browser.

What to do next

Deploy the QRadar Incident Forensics Processor managed host. For more information, see Adding a QRadar Incident Forensics managed host to QRadar Console.

Threat detection with QRadar Network Insights

For real-time visibility to threat activity across your network, use QRadar Network Insights to detect indicators of cyber attacks and their malicious activity.

Downloading the QRadar Network Insights content

You download the QRadar Network Insights content (extension) from IBM Security App Exchange (http://exchange.xforce.ibmcloud.com/hub/extension/522bf1095f047b0b37225d8efc5d4877). You use the Extensions Management tool to install them. For information on installing the QRadar Network Insights content by using the Extensions Management tool, see http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/t_cmt_importing_extensions.html

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user's session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled "Cookies, Web Beacons and Other Technologies", and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.


IBM®
Printed in USA