
Digital Guardian

App for IBM QRadar – Product Document

Version Number: 1.0

Date: October 24, 2016

The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.

Digital Guardian Confidential

Table of Contents

Introduction
  About this Document
  App Exchange
  The App User Interface
DLP Dashboard
  Benefits
  Features
ATP Dashboard
  Benefits
  Features
Agent Action Page
  Benefits
  Features
Settings Page
  Features
Reference: Prerequisites and Performance Tuning
  Performance Tuning
  Migration of attribute index – Super indexing feature
General


Introduction

QRadar provides a robust solution for Security Information and Event Management (SIEM), anomaly detection, incident forensics and vulnerability management. Digital Guardian provides industry-leading DLP and ATP solutions. Digital Guardian developed a QRadar application that displays the DLP and ATP dashboards in the QRadar console, allowing effective interaction with the DLP and ATP systems.

The application (sometimes referred to as App in this document), helps the security operator detect and mitigate threats by displaying DLP and ATP event details through interactive charts to get a dynamic view of the environment from an information security perspective.

The intent with this application is to make Digital Guardian endpoint capability a natural and easy fit with security operations for IBM/Digital Guardian customers.

About this Document

This document explains how to use the Digital Guardian QRadar App once it is deployed in QRadar.

App Exchange

The IBM Security App Exchange is a new platform for security teams to engage in collaborative defence efforts against cyber-attacks. The open QRadar Extension Framework API enables QRadar extensions and applications. The App Framework provides the required API (application programming interface), along with an SDK, to customize and extend QRadar capabilities.

The App User Interface

This App is accessible to QRadar users having an “Administrative” role. Non-admin QRadar users will not even see this App in their QRadar console.

Upon successful login by a QRadar Admin user, the Digital Guardian application tab will be visible. Inside the application, by default the ATP tab will be shown. Here are the options available under the Digital Guardian portal:

• DLP

• ATP

• Agent Action

• Settings

The subsequent sections of this document explain the key functionality of each of them.


DLP Dashboard

Benefits

• Provides a visual representation of DLP-related events and alert data from Digital Guardian.

• Contains chart-based and columnar text-based information about DLP activity.

• Provides cross-linkage – selecting an element in one chart causes the remaining charts to re-query around that specific filter.

• Export to Excel option – export query results in CSV format by clicking user interface (UI) buttons in the chart component.

• Text Entry Box – allows the user to enter the reason for blocking/quarantine.

Features

From the DLP tab, you can view the respective DLP details for a particular period.


1. By clicking the Calendar icon, you can choose the start and end date/time of the period of interest. After clicking ‘Apply’, the screen is refreshed with the egress details for that period.

2. The DLP Dashboard screen lets you view the status for a selected period in which the event count seems high. The page is refreshed with the DLP egress data for that period.


3. If data is not available for that particular egress, the screen will appear blank, as shown below.

4. By right-clicking on any particular machine, you can quarantine with respective comments.


5. When clicking a particular machine name in the table, you can quarantine.

A success message will be displayed.


6. Clicking the Reset button on the previous page resets the page.

7. Event details can be viewed in tabular format.


8. When clicking the Export button, you can export event details in CSV format.


ATP Dashboard

Benefits

• Provides a visual representation of ATP-related events and alert data from the Digital Guardian Management Console (DGMC) in the QRadar UI.

• Provides chart-based and columnar text-based information regarding ATP activity recorded on Digital Guardian endpoints.

• Provides cross-linkage – Selecting an element in one chart will cause the remaining charts to re-query around that specific filter.

• Export to Excel option – Export query results in CSV format by clicking on UI buttons in the chart component.

• Text Entry Box – Allows users to enter the reason for blocking/quarantine.

Features

1. From the ATP tab, you can view the respective ATP details for a particular period.

ATP alert time distribution and alert rules are displayed. Process and user data are also displayed.


ATP details are displayed in tabular format.


2. By clicking the Export button, you can export event details in CSV format.

3. The ATP Dashboard screen lets you view the status for a selected period where the event count seems high.


ATP alert time distribution and alert rules are displayed. Process and user data are also displayed.

4. By right-clicking on a particular machine, you can quarantine with respective comments.

5. When clicking a particular machine name in the table, you can quarantine.


A success message will be displayed.


Agent Action Page

Benefits

• Provides a review of agent actions submitted from the QRadar SIEM to the DGMC, in a columnar list format.

• A simple search function is to be embedded on the page so that actions can be searched by machine name, IP address, etc.

• Export to Excel option – export query results in CSV format by clicking UI buttons in the chart component.

• The list breaks each “action” down into columns: time/date of request, IP address of the requested machine, submitted from (DLP/ATP), requester (user ID), and reason for action (comments).

Features

1. From the Agent Action tab, you can view events related to actions taken.

Agent Action details are displayed in tabular format.


2. By clicking the Export button, you can export event details in CSV format.
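As an added illustration (not part of the original document or of Digital Guardian's app), the following Python sketch models the Agent Action list described above: each record carries the columns the document names, the list can be searched by machine name or IP address, and it can be exported as CSV. Because the reason column holds free text typed into the Text Entry Box and the export is intended to be opened in Excel, the exporter also neutralizes cells that a spreadsheet would interpret as formulas. The record layout, field names and sample rows are assumptions constructed for this example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass, asdict
from datetime import datetime

# Column set taken from the document's description of the Agent Action list.
FIELDS = ["requested_at", "machine_ip", "machine_name",
          "submitted_from", "requester", "reason"]


@dataclass(frozen=True)
class AgentAction:
    """One quarantine/block request as it would appear in the Agent Action list.
    Field names are an assumption made for this example."""
    requested_at: str     # time/date of request, ISO 8601 with UTC offset
    machine_ip: str       # IP address of the requested machine
    machine_name: str     # hostname, so the list can be searched by name
    submitted_from: str   # which dashboard submitted it: "DLP" or "ATP"
    requester: str        # requester (QRadar user id)
    reason: str           # reason for action (the free-text comment)


# Constructed sample records for illustration only; not real events.
SAMPLE_ACTIONS = [
    AgentAction("2016-10-24T09:15:00+00:00", "10.0.0.15", "ws-finance-07",
                "DLP", "analyst1", "USB copy of classified spreadsheet"),
    AgentAction("2016-10-24T09:42:10+00:00", "10.0.0.23", "ws-eng-12",
                "ATP", "analyst2", "Suspicious child process of winword.exe"),
    AgentAction("2016-10-24T11:05:33+00:00", "10.0.1.8", "srv-build-01",
                "ATP", "analyst1", "=SUM(1,1) pasted from an alert"),
]


def validate(action: AgentAction) -> AgentAction:
    """Reject a record that would leave an unusable audit entry."""
    datetime.fromisoformat(action.requested_at)   # ValueError if malformed
    ipaddress.ip_address(action.machine_ip)       # ValueError if not an IP
    if action.submitted_from not in ("DLP", "ATP"):
        raise ValueError(f"unknown source {action.submitted_from!r}")
    if not action.requester.strip() or not action.reason.strip():
        raise ValueError("requester and reason are required")
    return action


def search(actions, term: str):
    """Case-insensitive search by machine name (substring) or exact IP address."""
    needle = term.strip().lower()
    return [a for a in actions
            if needle in a.machine_name.lower() or needle == a.machine_ip]


def neutralize_cell(value: str) -> str:
    """Prefix cells a spreadsheet would evaluate as a formula (CSV injection)."""
    if value and value[0] in "=+-@\t\r":
        return "'" + value
    return value


def export_csv(actions) -> str:
    """Render the list as CSV with every cell neutralized for spreadsheet import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for a in actions:
        writer.writerow({k: neutralize_cell(str(v)) for k, v in asdict(a).items()})
    return buf.getvalue()


if __name__ == "__main__":
    clean = [validate(a) for a in SAMPLE_ACTIONS]
    print(export_csv(search(clean, "ws-")))
```

The single-quote prefix is the common spreadsheet-safe escape for cells beginning with `=`, `+`, `-` or `@`; it keeps the analyst's comment readable while preventing Excel from evaluating it when the exported file is opened.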


Settings Page

Features

1. From the Settings tab, you can provide a DGMC URL and API key.


Reference: Prerequisites and Performance Tuning

This App has been certified to work with the following product versions of QRadar and Digital Guardian:

• QRadar 7.2.6

• DGMC 7.2.1

Performance Tuning

Follow the procedure below to index the relevant QRadar attributes; this improves search speed and overall performance.

Procedure:

1. On the Admin tab, in the System Configuration section, click the Index Management icon.

2. On the Index Management page, in addition to the default indexed attributes, ensure that the following attributes are also enabled for performance optimization:

• Rule Name
• DestinationDriveType
• Custom Rule
• dataSource
• Bytes
• Start Time
• Resource
• Filename
• Application
• Source IP
• Destination IP
• Application Directory
• Username
• DestinationFilename
• Destination File Path
• WasSourceClassified
• WasDestinationClassified
• WasDestinationRemovable
• Hostname
• Protocol
• URL
• destinationport
• EmailSender
• EmailSubject
• EmailAddress
• EmailDomainName
• EmailRecipient


3. A sample indexing page is shown below.

4. Right click on the appropriate attribute and click on “Enable Index” to enable the index value.

5. Click Save.


Migration of attribute index – Super indexing feature

[Note: This is an optional step, needed only if QRadar was recently upgraded to 7.2.6 from an earlier version and indexing had already been done on the earlier version.]

This lets you benefit from the improved performance of the Super indexing feature in QRadar 7.2.6. Run the following commands on the QRadar server to migrate the indices:

$ cd /opt/qradar/bin
$ ./ariel_offline_indexer.sh -n events -v -s -d 53800


General

Copyright

The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.

Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished.

Copyright © 2016 Digital Guardian, Inc. All rights reserved. The Digital Guardian logo is a registered trademark of Digital Guardian, Inc. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.