Release 7.0
October 2010
DO18102010-B
Waltham, MA 02451 USA
Copyright © 2010 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their respective holders. The specifications and information contained herein are subject to change without notice.
This Software, and all of the manuals and other written materials provided with the Software, is the property of Q1 Labs Inc. These rights are valid and protected in all media now existing or later developed, and use of the Software shall be governed and constrained by applicable U.S. copyright laws and international treaties. Unauthorized use of this Software will result in severe civil and criminal penalties, and will be prosecuted to the maximum extent under law.
Contents

About This Guide
  Audience
  Conventions
  Technical Documentation
  Contacting Customer Support
1 Overview
  About the Interface
  Using the Interface
  Deploying Changes
  Updating User Details
  Resetting SIM
  About High Availability
  Monitoring QRadar Systems with SNMP
2 Managing Users
  Managing Roles
    Viewing Roles
    Creating a Role
    Editing a Role
    Deleting a Role
  Managing User Accounts
    Creating a User Account
    Editing a User Account
    Disabling a User Account
  Authenticating Users
3 Managing the System
  Managing Your License Keys
    Updating your License Key
    Exporting Your License Key Information
  Restarting a System
  Shutting Down a System
  Configuring Access Settings
    Configuring Firewall Access
    Updating Your Host Set-up
    Updating System Time
4 Managing High Availability
  Before You Begin
  HA Deployment Overview
    HA Clustering
    Data Storage Strategies
    Failovers
  Adding an HA Cluster
  Editing an HA Cluster
  Removing an HA Host
  Setting an HA Host Offline
  Setting an HA Host Online
  Restoring a Failed Host
5 Setting Up QRadar
  Creating Your Network Hierarchy
    Considerations
    Defining Your Network Hierarchy
  Scheduling Automatic Updates
    Scheduling Automatic Updates
    Updating Your Files On-Demand
  Configuring System Settings
  Configuring System Notifications
  Configuring the Console Settings
6 Managing Authorized Services
  Viewing Authorized Services
  Adding an Authorized Service
  Revoking Authorized Services
  Configuring the Customer Support Service
    Dismissing an Offense
    Closing an Offense
    Adding Notes to an Offense
7 Managing Backup and Recovery
  Managing Backup Archives
    Viewing Backup Archives
    Importing an Archive
8 Using the Deployment Editor
  About the Deployment Editor
    Accessing the Deployment Editor
    Using the Editor
  Building Your Deployment
    Before you Begin
    Viewing Deployment Editor Preferences
    Building Your Event View
    Adding Components
    Connecting Components
    Forwarding Normalized Events and Flows
    Renaming Components
  Managing Your System View
    Setting Up Managed Hosts
    Using NAT with QRadar
    Configuring a Managed Host
    Assigning a Component to a Host
    Configuring Host Context
    Configuring an Accumulator
  Configuring QRadar Components
    Configuring a QFlow Collector
    Configuring an Event Collector
    Configuring an Event Processor
    Configuring the Magistrate
    Configuring an Off-site Source
    Configuring an Off-site Target
9 Managing Flow Sources
  About Flow Sources
    NetFlow
    sFlow
    J-Flow
    Packeteer
    Flowlog File
    Napatech Interface
  Managing Flow Sources
    Adding a Flow Source
    Editing a Flow Source
    Enabling/Disabling a Flow Source
    Deleting a Flow Source
  Managing Flow Source Aliases
    Adding a Flow Source Alias
    Editing a Flow Source Alias
10 Configuring Remote Networks and Services
  Managing Remote Networks
    Default Remote Network Groups
    Adding a Remote Networks Object
    Editing a Remote Networks Object
  Managing Remote Services
    Default Remote Service Groups
    Adding a Remote Services Object
    Editing a Remote Services Object
  Using Best Practices
11 Configuring Rules
  Viewing Rules
  Creating a Custom Rule
  Creating an Anomaly Detection Rule
  Managing Rules
    Enabling/Disabling Rules
    Editing a Rule
    Copying a Rule
    Deleting a Rule
  Grouping Rules
    Viewing Groups
    Creating a Group
    Editing a Group
    Copying an Item to Another Group(s)
    Deleting an Item from a Group
    Assigning an Item to a Group
  Editing Building Blocks
12 Discovering Servers
13 Forwarding Syslog Data
  Adding a Syslog Destination
  Editing a Syslog Destination
  Deleting a Syslog Destination
A Q1 Labs MIB
B Enterprise Template
  Default Rules
  Event Property Tests
    Common Property Tests
    Log Source Tests
    Function - Sequence Tests
    Function - Counter Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Function - Negative Tests
    Host Profile Tests
    IP/Port Tests
  Flow Rule Tests
    Flow Property Tests
    Common Property Tests
    Function - Sequence Tests
    Function - Counter Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Function - Negative Tests
    Host Profile Tests
    IP/Port Tests
  Common Rule Tests
    Common Property Tests
    Function - Sequence Tests
    Function - Counter Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Function - Negative Tests
  Offense Rule Tests
    IP/Port Tests
    Function Tests
    Date/Time Tests
    Log Source Tests
    Offense Property Tests
  Anomaly Detection Rule Tests
    Anomaly Rule Tests
    Behavioral Rule Tests
    Threshold Rule Tests
D Viewing Audit Logs
  High-Level Event Categories
    Recon
    DoS
    Authentication
    Access
    Exploit
    Malware
    Suspicious Activity
    System
    Policy
    CRE
    Potential Exploit
    SIM Audit
    VIS Host Discovery
    Application
    Audit
    Risk
F Configuring Flow Forwarding from Pre-7.0 Off-site Flow Sources
  Configuring Flow Forwarding from pre-7.0 Off-site Flow Sources
    Adding a QRadar 7.0 Off-Site Target to a Pre-7.0 Off-Site Flow Source
    Creating a Pre-7.0 Off-Site Flow Source
  Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Source
    Removing the Pre-7.0 Off-Site Flow Source
    Reconnecting the Off-site Target
    Adding the Off-site Source
Index

QRadar Administration Guide

About This Guide
The QRadar Administration Guide provides you with information for managing QRadar functionality requiring administrative access.
Audience
This guide is intended for the system administrator responsible for setting up QRadar in your network. This guide assumes that you have QRadar administrative access and a knowledge of your corporate network and networking technologies.
Conventions
Table 1 lists conventions that are used throughout this guide.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Qmmunity web site at https://qmmunity.q1labs.com/. Once you access the Qmmunity web site, locate the product and software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this guide or any of the Q1 Labs documentation to:
Include the following information with your comments:
• Document title
• Page number
Table 1 Icons
Icon Type Description
Information note Information that describes important features or instructions.
Caution Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning Information that alerts you to potential personal injury.
Contacting Customer Support
To help resolve any issues that you may encounter when installing or maintaining QRadar, you can contact Customer Support as follows:
• Log a support request 24/7: https://qmmunity.q1labs.com/support/
To request a new Qmmunity and Self-Service support account, send your request to [email protected]. You must provide your invoice number to process your account.
• Telephone assistance: 1.866.377.7000.
• Forums: Access our Qmmunity Forums to benefit from our customer experiences.
1 Overview
This chapter provides an overview of QRadar administrative functionality including:
• About the Interface
• Using the Interface
• Deploying Changes
• Resetting SIM
• Updating User Details
• About High Availability
• Monitoring QRadar Systems with SNMP
About the Interface
You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab in the QRadar interface. The Admin tab provides access to the following functions:
• Manage users. See Chapter 2, Managing Users.
• Manage your network settings. See Chapter 3, Managing the System.
• Manage high availability. See Chapter 4, Managing High Availability.
• Manage QRadar settings. See Chapter 5, Setting Up QRadar.
• Manage authorized services. See Chapter 6, Managing Authorized Services.
• Back up and recover your data. See Chapter 7, Managing Backup and Recovery.
• Manage your deployment views. See Chapter 8, Using the Deployment Editor.
• Manage flow sources. See Chapter 9, Managing Flow Sources.
• Configure remote networks and remote services. See Chapter 10, Configuring Remote Networks and Services.
• Configure rules. See Chapter 11, Configuring Rules.
• Discover servers. See Chapter 12, Discovering Servers.
• Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
• Configure plug-ins. For more information, see the associated documentation.
• Configure the QRadar Risk Manager. For more information, see the QRadar Risk Manager Users Guide.
• Manage log sources. For more information, see the Log Sources Users Guide.
All configuration updates made using the Admin tab are saved to a staging area. Once all changes are complete, you can deploy the configuration changes, or all configuration settings, to the remainder of your deployment.
Using the Interface
The Admin tab provides several tab and menu options that allow you to configure QRadar, including:
• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, system notifications, authorized services, backup and recovery, and Console configuration.
• Data Sources - Provides access to vulnerability scanners, log source management, custom event and flow properties, and flow sources.
• Remote Networks and Services Configuration - Provides access to QRadar remote networks and services.
• Plugins - Provides access to plug-in components, such as the plug-in for the QRadar Risk Manager. This option only appears if there are plug-ins installed on your Console.
The Admin tab also includes several menu options, listed in Table 2-1.
Table 2-1 Admin Tab Menu Options
Deployment Editor - Opens the deployment editor interface. For more information, see Chapter 8, Using the Deployment Editor.
Deploy Changes - Deploys any configuration changes from the current session to your deployment.
Advanced > Clean SIM Model - Resets the SIM module. See Resetting SIM.
Advanced > Deploy Full Configuration - Deploys all configuration settings to your deployment.
Deploying Changes
Once you update your configuration settings using the Admin tab, you must save those changes to the staging area. You can deploy all changes manually using the Deploy Changes button; otherwise, when you exit, a window appears prompting you to deploy the changes before you exit. All deployed changes are then applied throughout your deployment.
Using the Admin tab menu, you can deploy changes as follows:
• Advanced > Deploy Full Configuration - Deploys all configuration settings to
your deployment.
• Deploy Changes - Deploys any configuration changes from the current
session to your deployment.
Updating User Details
You can access your administrative user details through the main QRadar interface. To access your user information, click Preferences. The User Details window appears. You can update your administrative user details, if required.
Note: For information about the pop-up notifications, see the QRadar Users Guide.
Resetting SIM
Using the Admin tab, you can reset the SIM module, which allows you to remove all offenses, source IP address, and destination IP address information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information.
To reset the SIM module:
Step 1 Click the Admin tab.
Step 2 From the Advanced menu, select Clean SIM Model.
Step 3 Read the information in the window.
Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.
• Hard Clean - Purges all current and historical SIM data including offenses, source IP addresses, and destination IP addresses.
Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.
Step 7 Click Close.
Step 8 Once the SIM reset process is complete, reset your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message appears.
About High Availability
The High Availability (HA) feature ensures availability of QRadar data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 10 seconds by default, the
Note: HA is not supported in an IPv6 environment.
For more information about managing HA clusters, see Chapter 4, Managing High Availability.
Monitoring QRadar Systems with SNMP
QRadar supports the monitoring of our appliances through SNMP polling. QRadar uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by Network Management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to
2 Managing Users
You can add or remove user accounts for all users that you want to access QRadar. Each user is associated with a role, which determines the privileges the user has to functionality and information within QRadar. You can also restrict or allow access to areas of the network.
This chapter provides information on managing QRadar users including:
• Managing Roles
• Managing User Accounts
• Authenticating Users
Managing Roles
You must create a role before you can create user accounts. By default, QRadar provides a default administrative role, which provides access to all areas of QRadar. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes.
Using the Admin tab, you can:
• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.
Viewing Roles
To view roles:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon. The Manage Roles window appears.
The Manage Roles window provides the information listed in Table 3-1.
Table 3-1 Manage Roles Parameters
Role - Specifies the defined user role.
Log Sources - Specifies the log sources you want this role to access. This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network log sources or log source groups. For non-administrative users, this column contains a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of log sources that have been assigned to this role, move your mouse over the text in the Log Sources column.
Associated Users - Specifies the users associated with this role.
Action - Allows you to edit or delete the user role.
Creating a Role
To create a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the User Roles icon. The Manage User Roles window appears.
Step 4 Click Create Role. The Manage Role Permissions window appears.
Step 5 Enter values for the parameters listed in Table 3-2. You must select at least one permission to proceed.
Table 3-2 Create Roles Parameters
Role Name - Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.
Admin - Select the check box if you want to grant this user administrative access to the QRadar interface. Within the administrator role, you can grant additional access to the following:
• Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
• System Administrator - Select this check box if you want to allow users access to all areas of QRadar. Users with this access are not able to edit other administrator accounts.
• Remote Networks and Services Configuration - Select this check box if you want to allow users the ability to configure remote networks and services in the Admin interface.
Offenses - Select the check box if you want to grant this user access to the Offenses interface. Within the Offenses interface functionality, you can grant additional access to the following:
• Customized Rule Creation - Select the check box if you want to allow users to create custom rules.
• Assign Offenses to Users - Select the check box if you want to allow users to assign offenses to other users.
For more information on the Offenses interface, see the QRadar Users Guide.
Log Activity - Select the check box if you want this user to have access to the Log Activity interface. Within the Log Activity role, you can also grant users additional access to the following:
• Event Search Restrictions Override - Select the check box if you want to allow users the ability to override event search restrictions.
• Manage Time Series - Select the check box if you want to allow users the ability to configure and view time series data charts.
• Customized Rule Creation - Select the check box if you want to allow users to create rules using the Log Activity interface.
• User Defined Event Properties - Select the check box if you want to allow users the ability to create user-defined event properties.
For more information on the Log Activity interface, see the QRadar Users Guide.
Assets - Select the check box if you want to grant this user access to Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
• Remove Vulnerabilities - Select the check box if you want to allow users to remove vulnerabilities from assets.
• Server Discovery - Select the check box if you want to allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to allow users to perform vulnerability assessment scans.
Network Activity - Select the check box if you want to grant this user access to Network Activity functionality. Within the Network Activity functionality, you can grant additional access to the following:
• View Flow Content - Select the check box if you want to allow users access to data accessed through the View Flow function.
• Manage Time Series - Select the check box if you want to allow users the ability to configure and view time series data charts.
• Customized Rule Creation - Select the check box if you want to allow users to create rules using the Log Activity interface.
• User Defined Flow Properties - Select the check box if you want to allow users the ability to create user-defined flow properties.
For more information, see the QRadar Users Guide.
Reports - Select the check box if you want to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
• Maintain Templates - Select the check box if you want to allow users to maintain reporting templates.
• Distribute Reports via Email - Select the check box if you want to allow users to distribute reports through e-mail.
For more information, see the QRadar Users Guide.
IP Right Click Menu Extensions - Select the check box if you want to grant this user access to options added to the right mouse button (right-click) menu.
Risks - This option is only available if the QRadar Risk Manager is activated. Select the check box if you want to grant users access to QRadar Risk Manager functionality. For more information, see the QRadar Risk Manager Users Guide.
Step 6 Click Next.
Step 7 Choose one of the following options:
a If you selected a role that includes Log Activity permissions, go to Step 8. The Add Log Sources to User Role window appears.
b If you selected a role that does not include Log Activity permissions, go to Step 10.
Step 8 Select the log sources you want to add to the user role:
a Using the Log Source Group drop-down list box, select a log source group.
b From the Log Source list, locate and select the log source(s) that you want users assigned to this role to have access to.
Hint: You can add an entire log source group by clicking the icon in the Log Source Group section. You can also select multiple log sources by holding the CTRL key while you select each log source you want to add.
c Click the icon.
The selected log source(s) move to the Selected Log Source Objects field.
Step 9 Click Next. A confirmation message appears.
Step 10 Click Return.
Step 11 Close the Manage Roles window. The Admin tab appears.
Editing a Role
To edit a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon. The Manage Role window appears.
Step 4 For the role you want to edit, click the edit icon. The Manage Role Permissions window appears.
Step 5 Update the permissions (see Table 3-2), as necessary.
Step 6 Click Next.
Step 7 Choose one of the following options:
a If you are editing a role that includes Events permissions, go to Step 8.
b If you are editing a role that does not include Events permissions, go to Step 11.
The Add Log Sources to User Role window appears.
Step 8 Update log source permissions, as desired:
a To remove a log source permission, select the log source(s) you want to remove in the Selected Log Source Objects field, then click Remove Selected Devices.
b To add a log source permission, select an object you want to add from the left panel.
Step 9 Repeat for all log sources you want to edit for this role.
Step 10 Click Next.
Step 11 Click Return.
Step 12 Close the Manage User Roles window. The Admin tab appears.
Step 13 From the Admin tab menu, click Deploy Changes.
Deleting a Role
To delete a role:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon. The Manage Roles window appears.
Step 4 For the role you want to delete, click the delete icon. A confirmation window appears.
Step 5 Click Ok.
Step 6 From the Admin tab menu, click Deploy Changes.
Managing User Accounts
You can create a QRadar user account, which allows a user to access selected network components using the QRadar interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges. You can create and edit user accounts to access QRadar, including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account
Creating a User Account
To create an account for a QRadar user:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click Add. The User Details window appears.
Step 5 Enter values for the parameters listed in Table 3-3.
Table 3-3 User Details Parameters
Username - Specify a username for the new user. The username must not include spaces or special characters.
Password - Specify a password for the user to gain access. The password must be at least five characters in length.
Confirm Password - Re-enter the password for confirmation.
Email Address - Specify the user's e-mail address.
Role - Using the drop-down list box, select the role you want this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.
Step 6 Click Next.
Step 7 Choose one of the following options:
a If you selected Admin as the user role, go to Step 10.
b If you selected a non-administrative user role, go to Step 8. The Selected Network Objects window appears.
Step 8 From the menu tree, select the network objects you want this user to be able to monitor.
The selected network objects appear in the Selected Network Object panel.
Step 9 Click Finish.
Step 10 Close the Manage Users window. The Admin interface appears.
Editing a User Account
To edit a user account:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click the user account you want to edit. The User Details window appears.
Step 5 Update values (see Table 3-3), as necessary.
Step 6 Click Next.
If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 10.
Step 8 For each network object you want to remove access to, select the object in the Selected Network Objects panel and click Remove.
Step 9 Click Finish.
Step 10 Close the Manage Users window. The Admin tab appears.
Disabling a User Account
To disable a user account:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click the user account you want to disable. The User Details window appears.
Step 5 In the Role drop-down list box, select Disabled.
Step 6 Click Next.
Step 7 Close the Manage Users window.
The Admin tab appears. This user no longer has access to the QRadar interface. If this user attempts to log in to QRadar, the following message appears: This account has been disabled.
After you delete a user, items such as saved searches, reports, and assigned offenses, will remain associated with the deleted user.
Authenticating Users
You can configure authentication to validate QRadar users and passwords. QRadar supports the following user authentication types:
• System Authentication - Users are authenticated locally by QRadar. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, QRadar encrypts the username and password, and forwards this information to the TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory
If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:
• Configure the authentication server before you configure authentication in QRadar.
• Make sure the server has the appropriate user accounts and privilege levels to communicate with QRadar. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of the QRadar server. For more information on setting QRadar time, see Chapter 5, Setting Up QRadar.
• Make sure all users have appropriate user accounts and roles in QRadar to allow authentication with the third-party servers.
Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 5, Setting Up QRadar, under Configuring the Console Settings.
An administrative user can access QRadar through a third-party authentication module or by using the local QRadar Admin password. The QRadar Admin password still functions if you have set up and activated a third-party authentication module; however, you cannot change the QRadar Admin password while the authentication module is active. If you want to change the QRadar Admin password, temporarily disable the third-party authentication module, reset the password, and then reconfigure the third-party authentication module.
To configure authentication:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the Authentication icon. The Authentication window appears.
a If you selected System Authentication, go to Step 6.
b If you selected RADIUS Authentication, enter values for the following parameters:
Table 3-4 RADIUS Parameters
RADIUS Server - Specify the hostname or IP address of the RADIUS server.
RADIUS Port - Specify the port of the RADIUS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret - Specify the shared secret that QRadar uses to encrypt RADIUS passwords for transmission to the RADIUS server.
c If you selected TACACS Authentication, enter values for the following parameters:
Table 3-5 TACACS Parameters
TACACS Server - Specify the hostname or IP address of the TACACS server.
TACACS Port - Specify the port of the TACACS server.
Authentication Type - Specify the type of authentication you want to perform. The options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
• CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5)
Shared Secret - Specify the shared secret that QRadar uses to encrypt TACACS passwords for transmission to the TACACS server.
d If you selected LDAP/Active Directory, enter values for the following parameters:
Table 3-6 LDAP/Active Directory Parameters
Server URL - Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context - Specify the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain - Specify the domain you want to use, for example q1labs.inc.
Step 6 Click Save.
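As an added illustration, not part of the guide, the following Python shows what the Shared Secret and the PAP/CHAP authentication types above govern on the wire: RFC 2865 section 5.2 hides a PAP password in the User-Password attribute by XORing it with MD5 of the shared secret and a per-request authenticator, while RFC 1994 CHAP never sends the secret at all, only MD5(Identifier || Secret || Challenge). The secrets, passwords and authenticators used are constructed sample values.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide a PAP password for the User-Password attribute.

    The password is zero-padded to a multiple of 16 octets. Each 16-octet block
    is XORed with MD5(shared_secret + previous block), where the "previous block"
    for the first block is the 16-octet Request Authenticator of the packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("the Request Authenticator is exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        hidden += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does: undo the hiding and strip the zero padding.

    Only a holder of the same shared secret recovers the password, which is why
    the guide describes the secret as what "encrypts" RADIUS passwords.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("a hidden password is a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return bytes(clear).rstrip(b"\x00")  # padding is indistinguishable from trailing NULs


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).

    The secret never crosses the wire; a capture yields only a one-time hash
    bound to this challenge, unlike PAP where the server recovers the password.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check of a CHAP response, compared in constant time."""
    return secrets.compare_digest(chap_response(identifier, secret, challenge), response)


if __name__ == "__main__":
    # Constructed sample values; a real client draws a fresh authenticator per request.
    shared = b"example-shared-secret"
    ra = secrets.token_bytes(16)
    pw = b"Tr0ub4dor&3-but-longer-than-16"
    hidden = hide_user_password(pw, shared, ra)
    print("PAP User-Password on the wire :", hidden.hex())
    print("recovered by the RADIUS server:", reveal_user_password(hidden, shared, ra))
    challenge = secrets.token_bytes(16)
    print("CHAP response                 :", chap_response(7, shared, challenge).hex())
```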
QRadar Administration Guide
3 MANAGING THE SYSTEM
This chapter provides information for managing your system including:
• Managing Your License Keys
• Restarting a System
• Shutting Down a System
• Configuring Access Settings
Managing Your License Keys
For your QRadar Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System and License Management window, which you can access using the Admin tab. This window provides the status of the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see Updating your License Key.
• Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Revert to Console in the Manage License window. The license for that system will default to the Console license key.
A license key allows a certain number of log sources to be configured in your system. If you exceed the limit of configured log sources, as established by the license key, an error message appears in the interface. To extend the number of log sources allowed, contact your sales representative.
This section provides information on managing your license keys including:
• Updating your License Key
Updating your License Key
For your QRadar Console, a default license key provides you with access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:
• For a new or updated license key, contact your local sales representative.
• For all other technical issues, contact Q1 Labs Customer Support.
If you log in to QRadar and your Console license key has expired, you are automatically directed to the System and License Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System and License Management window to update that license key.
To update your license key:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon.
The System and License Management window appears providing a list of all hosts in your deployment.
Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License.
The Current License Details window appears providing the current license key limits. If you want to obtain additional licensing capabilities, please contact your sales representative.
Step 6 Click Browse beside the New License Key File field and locate the license key.
Step 7 Once you locate and select the license key, click Open. The Current License Details window appears.
Step 8 Click Save.
Step 9 In the System and License Management window, click Deploy License Key.
Note: If you want to revert back to the previous license key, click Revert to Deployed. If you revert to the license key used by the QRadar Console system, click Revert to Console.
The license key information is updated in your deployment.
Exporting Your License Key Information
To export your license key information for all systems in your deployment:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon.
The System and License Management window appears providing a list of all hosts in your deployment.
Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses. The export window appears.
Step 6 Select one of the following options:
• Open with - Opens the license key data with the selected application.
• Save File - Allows you to save the file to your desktop.
Step 7 Click OK.
Restarting a System
To restart a QRadar system:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.
Note: Data collection stops while the system is shutting down and restarting.
Shutting Down a System
To shut down a QRadar system:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the system you want to shut down.
Step 5 From the Actions menu, select Shutdown.
Note: Data collection stops while the system is shutting down.
Configuring Access Settings
The System and License Management window provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:
• Configure firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change the passwords for a host. See Changing Passwords.
• Update the system time. See Updating System Time.
Configuring Firewall Access
You can configure local firewall access to enable communications between devices and QRadar. Also, you can define access to the web-based system administration interface.
To enable QRadar managed hosts to access specific devices or interfaces:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
The Local Firewall window appears.
Step 8 In the Device Access box, you must include any QRadar systems you want to have access to this managed host. Only managed hosts listed will have access. For example, if you only enter one IP address, only that one IP address will be granted access to the managed host. All other managed hosts are blocked.
To configure access:
a In the IP Address field, enter the IP address of the managed host that you want to grant access.
b From the Protocol list box, select the protocol for which you want to enable access for the specified IP address and port:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration.
administration interface in the IP Address field. Only IP addresses listed will have access to the interface. If you leave the field blank, all IP addresses will have access. Click Allow.
Note: Make sure you include the IP address of your client desktop you want to use to access the interface. Failing to do so may affect connectivity.
Step 10 Click Apply Access Controls.
Step 11 Wait for the interface to refresh before continuing.
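An added example, not from the guide, that models the two access lists just described: the Device Access box, where only the listed managed hosts get through and every other host is blocked, and the administration-interface IP Address field, where a blank list admits every address. The audit function flags the conditions the steps above warn about; the addresses and the flow port number are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class DeviceRule:
    """One row of the Device Access box: managed host, protocol (UDP/TCP/Any), port."""
    ip: str
    protocol: str
    port: int


@dataclass
class AccessConfig:
    device_rules: List[DeviceRule] = field(default_factory=list)
    admin_ips: List[str] = field(default_factory=list)  # blank list = every address allowed


def device_access_allowed(cfg: AccessConfig, src_ip: str, protocol: str, port: int) -> bool:
    """Only listed managed hosts have access; an empty Device Access box blocks everyone."""
    src = ip_address(src_ip)
    return any(
        ip_address(r.ip) == src
        and r.port == port
        and r.protocol.lower() in ("any", protocol.lower())
        for r in cfg.device_rules
    )


def admin_access_allowed(cfg: AccessConfig, src_ip: str) -> bool:
    """Administration interface: listed addresses only, but a blank field admits any address."""
    if not cfg.admin_ips:
        return True
    return ip_address(src_ip) in {ip_address(a) for a in cfg.admin_ips}


def audit_access(cfg: AccessConfig, managed_hosts: List[str], desktop_ip: str,
                 flow_port: Optional[int] = None) -> List[str]:
    """Findings a reviewer checks for before clicking Apply Access Controls.

    - a managed host without a Device Access rule cannot reach this host
    - a blank admin list leaves the system administration interface open to any address
    - an admin desktop missing from a non-blank admin list locks the operator out
    - a changed External Flow Source Monitoring Port needs a matching rule
    """
    findings = []
    ruled = {ip_address(r.ip) for r in cfg.device_rules}
    for host in managed_hosts:
        if ip_address(host) not in ruled:
            findings.append(f"managed host {host} has no Device Access rule and is blocked")
    if not cfg.admin_ips:
        findings.append("admin interface IP list is blank: all addresses have access")
    elif not admin_access_allowed(cfg, desktop_ip):
        findings.append(f"admin desktop {desktop_ip} is not in the admin IP list: lockout risk")
    if flow_port is not None and not any(r.port == flow_port for r in cfg.device_rules):
        findings.append(f"no Device Access rule for flow source port {flow_port}")
    return findings


if __name__ == "__main__":
    # Constructed configuration: two managed hosts listed, a third forgotten, admin list blank.
    cfg = AccessConfig(
        device_rules=[DeviceRule("10.100.1.1", "Any", 22), DeviceRule("10.100.1.2", "TCP", 443)],
        admin_ips=[],
    )
    for finding in audit_access(cfg, ["10.100.1.1", "10.100.1.2", "10.100.1.3"],
                                desktop_ip="192.0.2.10", flow_port=2055):
        print("-", finding)
```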
Updating Your Host Set-up
You can use the web-based system administration interface to configure the mail server you want QRadar to use and the global password for QRadar configuration.
To configure your host set-up:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to update your host setup settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > QRadar Setup. The QRadar Setup window appears.
Step 8 In the Mail Server field, specify the address for the mail server you want QRadar to use. QRadar uses this mail server to distribute alerts and event messages. To use the mail server provided with QRadar, enter localhost.
Step 9 In the Enter the global configuration password field, enter the password you want to use to access the host. Confirm the entered password.
Note: The global configuration password does not accept special characters. The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.
Step 10 Click Apply Configuration.
Configuring Interface Roles
You can assign specific roles to the network interfaces on each managed host.
To assign roles:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Network Interfaces. The Network Interfaces window appears with a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, contact Q1 Labs Customer Support.
Step 8 For each interface listed, select the role you want to assign to the interface using the Role list box.
Step 9 Click Save Configuration.
Step 10 Wait for the interface to refresh before continuing.
Changing Passwords
To change the passwords:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon.
The System and License Management window appears.
Step 4 Select the host for which you want to change the passwords.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Root Password. The Root Passwords window appears.
Step 8 Update the passwords:
Note: Make sure you record the entered values. The root password does not accept the following special characters: apostrophe (‘), dollar sign ($), exclamation mark (!).
• New Root Password - Specify the root password necessary to access the web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.
Step 9 Click Update Password.
Updating System Time
You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server
Note: All system time changes must be made within the System Time window. You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Manually Configuring Time Settings For Your System
Configuring Your Time Server Using RDATE
To update the time settings using RDATE:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time. The System Time window appears.
Step 8 Configure the time zone:
a Click Change time zone. The Time Zone window appears.
b Using the Change timezone to drop-down list box, select the time zone in which this managed host is located.
c Click Save.
Step 9 Configure the time server:
a Click Time server sync.
b Configure the following parameters:
c Click Sync and Apply.
Table 4-1 Time Server Parameters
Timeserver hostnames or addresses - Specify the time server hostname or IP address.
Set hardware time too - Select the check box if you want to set the hardware time as well.
Synchronize on schedule? - Specify one of the following options:
• No - Select the option if you do not want to synchronize the time. Go to c.
• Yes - Select the option if you want to synchronize the time.
Simple Schedule - Specify if you want the time update to occur at a specific time. If not, select the Run at times selected below option. Times and dates are selected
Manually Configuring Time Settings For Your System
To update the time settings for your system:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is: Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time. The System Time window appears.
Caution: The time settings window is divided into two sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 8 Click Set time.
Step 9 Set the system time:
a Choose one of the following options:
- In the System Time box, specify the current date and time you want to assign to the managed host.
- Click Set system time to hardware time.
b Click Apply.
Step 10 Set the hardware time:
a Choose one of the following options:
- In the Hardware Time box, specify the current date and time you want to assign to the managed host.
- Click Set hardware time to system time.
b Click Save.
Step 11 Configure the time zone:
a Click Change time zone. The Time Zone window appears.
b Using the Change Timezone To drop-down list box, select the time zone in which this managed host is located.
4 MANAGING HIGH AVAILABILITY
The High Availability (HA) feature ensures QRadar data remains available in the event of a hardware or network failure. To achieve HA, QRadar pairs a primary appliance with a secondary HA appliance to create an HA cluster. The HA cluster uses several monitoring functions, such as a heartbeat ping between the primary and secondary appliances, and network connectivity monitoring to other appliances in the QRadar deployment. The secondary host maintains the same data as the primary host by one of two methods: data synchronization between the primary and secondary appliances or shared external storage. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. Scenarios that cause failover include:
• Network failure, as detected by network connectivity testing
• Management interface failure on the primary host
• Complete Redundant Array of Independent Disks (RAID) failure on the primary host
• Power supply failure
• Operating system malfunction that delays or stops the heartbeat ping
Note: Heartbeat messages do not monitor specific QRadar processes.
Note: You can manually force a failover from a primary host to a secondary host. This is useful for planned maintenance on the primary host. For more information about manually forcing a failover, see Setting an HA Host Offline.
This chapter provides information for configuring and managing HA, including:
• Before You Begin
• HA Deployment Overview
• Adding an HA Cluster
• Editing an HA Cluster
• Setting an HA Host Offline
• Setting an HA Host Online
Before You Begin
Before adding an HA cluster, confirm the following:
Note: For more information about HA concepts, such as HA clustering and data storage strategies, see HA Deployment Overview.
• If you plan to enable disk replication (see Disk Synchronization), we require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).
• Virtual LAN (VLAN) routing, which divides a physical network into multiple subnets, is not recommended.
• The secondary host is located on the same subnet as the primary host.
• The new primary host IP address is set up on the same subnet.
• The management interface only supports one Cluster Virtual IP address. Multihoming is not supported.
• The secondary host you want to add must have a valid HA activation key.
• The secondary host must use the same management interface specified as the primary host. For example, if the primary host uses ETH0 as the management interface, the secondary host must also use ETH0.
• The secondary host you want to add must not already be a component in another HA cluster.
• The primary and secondary host must have the same QRadar software version and patch level installed.
• If you plan to share storage (see Shared Storage), the secondary host must be configured with the same external iSCSI devices (if any) as the primary host. For more information about configuring iSCSI, see the Configuring iSCSI technical note.
• If you are configuring HA on your own hardware installed with QRadar software, the /store partition on the secondary host must be equal to or larger than the /store partition on the primary host. For example, do not pair a primary host with a 3 TB disk with a secondary host with a 2 TB disk. The appliances must be the same model and type, and have the same disk configuration.
• We recommend that you back up your configuration information and data on all hosts you intend to configure for HA. For more information about backing up your configuration information and data, see Chapter 7, Managing Backup and Recovery.
Note: Disk replication is not enabled by default on QFlow Collectors and is not required for successful failover.
HA Deployment Overview
This overview includes information on the key HA deployment concepts, including:
• HA Clustering
• Data Storage Strategies
• Failovers
HA Clustering
An HA cluster consists of the following:
• Primary host - The primary host is the host for which you want to configure HA. You can configure HA for any system (Console or non-Console) in your deployment. When you configure HA, the IP address of the primary host automatically becomes the Cluster Virtual IP address; therefore, you must configure a new IP address for the primary host.
• Secondary host - The secondary host is the standby for the primary host. If the primary host fails, the secondary host automatically assumes all responsibilities of the primary host.
• Cluster Virtual IP address - When you configure HA, the current IP address of the primary host automatically becomes the Cluster Virtual IP address and you must assign a new IP address to the primary host. In the event that the primary host fails, the Cluster Virtual IP address is assumed by the secondary host. QRadar uses the primary host’s IP address as the Cluster Virtual IP address to allow other hosts in your deployment to continue communicating with the HA cluster without requiring you to reconfigure the hosts to send data to a new IP address.
In the following figure, for example, the current IP address of the primary host is 10.100.1.1 and the IP address of the secondary host is 10.100.1.2.
When configured as an HA cluster, the current primary host IP address (10.100.1.1) automatically becomes the Cluster Virtual IP address. A new IP address must be assigned to the primary host. In this example, the assigned IP address for the primary host is 10.100.1.3.
Note: You can view the IP addresses for the HA cluster by pointing your mouse over the Host Name field in the System and License Management window.
Data Storage Strategies
QRadar provides the following data storage strategies in an HA deployment:
• Disk Synchronization
• Shared Storage
Disk Synchronization
The hosts in an HA cluster must have access to the same data on the /store partition. When you install your secondary host and apply an HA license key, a /store partition is automatically installed and configured on the host. Once an HA cluster is configured with the Disable Disk Replication option cleared (default) and the /store partition is not mounted externally, data in the active host’s /store partition is automatically replicated to the standby host’s /store partition using a disk synchronization system.
When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take up to 24 hours or more, depending on your deployment. We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps). The secondary host only assumes the Standby status after the initial disk synchronization is complete.
When the primary host fails over and the secondary host becomes the Active host, the secondary host continues to read and write data on the /store partition. When
the Offline state and you must manually set the primary host to the Online state. The period of time to perform the post-failover disk synchronization is considerably less than the initial disk synchronization, unless the disk on the primary host disk was replaced or reformatted when the host was manually repaired.
Shared Storage
If the primary host has the /store partition mounted on an external storage device, the secondary host must also have the /store partition mounted on the same external storage device.
Caution: You must configure the external storage on the secondary host before configuring the HA cluster. For more information on configuring external storage, see the Configuring iSCSI technical note.
If the primary and secondary host access the shared storage at the same time, data corruption can occur. Before a failover occurs, the secondary host determines if the primary host is still accessing the shared storage. If the secondary host detects the primary host is still reading and writing to the shared storage, failover cannot occur. The secondary host is automatically set to the Offline state.
Caution: If your primary host and secondary hosts are geographically isolated, failover may still occur while the primary host is reading or writing to the shared storage.
Failovers
When the primary host fails over, the secondary host performs the following actions in sequence:
• Mounts any external shared storage devices, if required.
• Creates a network alias for the management interface. For example, the network alias for eth0 is eth0:0.
• Assigns the Cluster Virtual IP address to the network alias.
• Starts all QRadar services.
• Connects to the Console and downloads configuration files.
This section includes information on general failover scenarios, including:
• Primary Network Failure
• Primary Disk Failure
• Secondary Network or Disk Failure
Primary Network Failure
The primary host automatically pings all other managed hosts to test its network connection. If the primary host loses network connectivity to a managed host and the connection to the secondary host is still intact, the primary host requests the secondary host to verify that it has full connectivity to other managed hosts in the deployment. The secondary host performs a network connectivity test, testing all hosts specified in the Advanced Settings of the HA wizard (Table 5-2). If the test succeeds, the primary host performs a controlled shutdown and fails over to the secondary host. This prevents the primary host from failing over to a secondary host that is also experiencing network connectivity problems.
Primary Disk Failure
An HA cluster configured with disk replication monitors the disks on which the /store partition is mounted. If RAID completely fails and all disks are unavailable, the primary host shuts down and fails over to the secondary host.
Secondary Network or Disk Failure
If the primary host detects that the secondary host has failed, the primary host generates an event to notify you that the secondary host is no longer providing HA protection.
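To make the failover rules in this section concrete, here is an added Python model (not QRadar code) of the decision as the guide describes it: a primary network fault fails over only after the secondary confirms its own connectivity to the hosts listed in the HA wizard's Advanced Settings, a complete RAID failure or a stopped heartbeat fails over directly, a primary still using shared storage sends the secondary Offline instead, and a failed secondary only raises an event. The status field names and the sample addresses are constructed for the model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Outcome(Enum):
    NONE = "no failover"
    FAILOVER = "primary shuts down, secondary becomes Active"
    SECONDARY_OFFLINE = "failover blocked: secondary set to Offline"
    NOTIFY = "event generated: secondary no longer provides HA protection"


@dataclass
class ClusterStatus:
    """Observations available to the two hosts (constructed model, not QRadar's state)."""
    mgmt_iface: str = "eth0"
    cluster_vip: str = "10.100.1.1"           # former primary address, now the Cluster Virtual IP
    heartbeat_ok: bool = True                  # heartbeat ping still arriving at the secondary
    primary_mgmt_iface_up: bool = True
    primary_raid_failed: bool = False          # complete RAID failure under /store
    primary_reaches_all_hosts: bool = True     # primary's own ping test of managed hosts
    primary_reaches_secondary: bool = True
    secondary_reaches_all_hosts: bool = True   # hosts from the HA wizard Advanced Settings
    secondary_healthy: bool = True
    shared_storage: bool = False               # /store mounted on external storage
    primary_using_shared_storage: bool = False


def decide(s: ClusterStatus) -> Outcome:
    """Apply the guide's failover rules to one snapshot of cluster status."""
    if not s.secondary_healthy:
        return Outcome.NOTIFY  # the primary only generates an event; nothing can take over
    if not s.heartbeat_ok or s.primary_raid_failed or not s.primary_mgmt_iface_up:
        triggered = True
    elif not s.primary_reaches_all_hosts:
        # The primary asks the secondary to verify full connectivity first, so a
        # secondary suffering the same network problem never takes over.
        triggered = s.primary_reaches_secondary and s.secondary_reaches_all_hosts
    else:
        triggered = False
    if not triggered:
        return Outcome.NONE
    if s.shared_storage and s.primary_using_shared_storage:
        return Outcome.SECONDARY_OFFLINE  # two writers on one /store would corrupt data
    return Outcome.FAILOVER


def failover_sequence(s: ClusterStatus) -> List[str]:
    """The actions the guide lists, in order, once failover has been decided."""
    alias = f"{s.mgmt_iface}:0"
    steps = []
    if s.shared_storage:
        steps.append("mount external shared storage")
    steps += [
        f"create network alias {alias}",
        f"assign Cluster Virtual IP {s.cluster_vip} to {alias}",
        "start all QRadar services",
        "connect to the Console and download configuration files",
    ]
    return steps


if __name__ == "__main__":
    # Constructed scenario: primary lost a managed host but the secondary sees everything.
    status = ClusterStatus(primary_reaches_all_hosts=False)
    print(decide(status).value)
    for step in failover_sequence(status):
        print("  ->", step)
```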
Adding an HA Cluster
The System and License Management window allows you to manage your HA clusters. To add an HA cluster:
Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel appears.
Step 3 Click the System and License Management icon. The System and License Management window appears.
Step 4 Select the host for which you want to configure HA.
Step 5 From the Actions menu, select Add HA Host.
Note: If the primary host is a Console, a warning message appears to indicate that the user interface restarts after you add the HA host. Click OK to proceed.
Note: If you do not want to view the Welcome to the High Availability window again, select the Skip this page when running the High Availability wizard check box.
Step 6 Read the introductory text. Click Next.
The Select the High Availability Wizard Options window appears, automatically displaying the Cluster Virtual IP address, which is the IP address of the primary host (Host IP).
Step 8 Optional. To configure advanced parameters:
a Click the arrow beside Show Advanced Options. The advanced option parameters appear.
b Configure the following parameters:
Table 5-1 HA Host Information Parameters
Primary Host IP Address - Specify a new primary host IP address. The new primary host IP address is assigned to the primary host, replacing the previous IP address. The current IP address of the primary host becomes the Cluster Virtual IP address. If the primary host fails and the secondary host becomes active, the Cluster Virtual IP address is assigned to the secondary host.
Note: The new primary host IP address must be on the same subnet as the Host IP.
Secondary Host IP Address - Specify the IP address of the secondary host you want to add. The secondary host must be in the same subnet as the primary host.
Enter the root password of the host - Specify the root password for the secondary host. The password must not include special characters.
Confirm the root password of